[Nut-upsuser] RFC: Use tcp-wrapper for all connections to upsd
Arjen de Korte
nut+users at de-korte.org
Thu Feb 26 19:41:57 UTC 2009
Citeren Joerg Pulz <Joerg.Pulz op frm2.tum.de>:
> after some experimenting and digging through the code i found no solution
> how to completely disable access to upsd from specific hosts.
On multi-homed servers the LISTEN directive will deal with this, by
only listening on interfaces from which clients are allowed to
connect. If this isn't fine grained enough, your firewall will keep
out unwanted connections much more efficiently than tcp-wrappers (or
the now obsolete ACL mechanism) ever will.
> In previous versions (before r1233) it was possible to allow or deny
> access to upsd completely by using ACL, ACCEPT and REJECT entries in
> upsd.conf. As this functionality was removed and tcp-wrappers support was
> introduced i thought it would be possible to use some rules in hosts.allow
> to get the same functionality as before. Unfortunately, thats not the
This is by design.
> Only authenticated commands like SET or INSTCMD are protected by
> tcp-wrappers, all other commands like GET or LIST can be used from
> everywhere by everyone which is IMO a regression.
> For me, the right solution would be to protect all incoming connections by
Using tcp-wrappers for source address access control alone is a *huge*
waste of effort, therefor NUT no longer supports this.
> What do others think about this?
The tcp-wrappers support in NUT is only meant to deal with the case
where you want to allow access for certain users from a specific set
of machines (for instance, administrative access). This means we
require the username and password, hence this only works for commands
that require to be logged into the server.
The previous ACL mechanism was too inefficient (in terms of resources)
to be really useful in countering attacks on the server. By the time
the decision to allow or deny a client access was made, most of the
effort that was needed to process the incoming connection would
already have been spent, so there really wasn't that much to gain
anymore (other than restrict clients to see what is going on on the
server). This is the reason we dropped the ACL mechanism.
Best regards, Arjen
Please keep list traffic on the list
More information about the Nut-upsuser