[Nut-upsuser] RFC: Use tcp-wrapper for all connections to upsd

Arjen de Korte nut+users at de-korte.org
Thu Feb 26 19:41:57 UTC 2009


Quoting Joerg Pulz <Joerg.Pulz at frm2.tum.de>:

> after some experimenting and digging through the code I found no solution
> how to completely disable access to upsd from specific hosts.

On multi-homed servers the LISTEN directive will deal with this, by  
only listening on interfaces from which clients are allowed to  
connect. If this isn't fine grained enough, your firewall will keep  
out unwanted connections much more efficiently than tcp-wrappers (or  
the now obsolete ACL mechanism) ever will.

> In previous versions (before r1233) it was possible to allow or deny
> access to upsd completely by using ACL, ACCEPT and REJECT entries in
> upsd.conf. As this functionality was removed and tcp-wrappers support was
> introduced I thought it would be possible to use some rules in hosts.allow
> to get the same functionality as before. Unfortunately, that's not the
> case.

This is by design.

> Only authenticated commands like SET or INSTCMD are protected by
> tcp-wrappers, all other commands like GET or LIST can be used from
> everywhere by everyone which is IMO a regression.
>
> For me, the right solution would be to protect all incoming connections by
> tcp-wrappers.

Using tcp-wrappers for source address access control alone is a *huge*  
waste of effort, therefore NUT no longer supports this.

> What do others think about this?

The tcp-wrappers support in NUT is only meant to deal with the case  
where you want to allow access for certain users from a specific set  
of machines (for instance, administrative access). This means we  
require the username and password, hence this only works for commands  
that require to be logged into the server.

The previous ACL mechanism was too inefficient (in terms of resources)  
to be really useful in countering attacks on the server. By the time  
the decision to allow or deny a client access was made, most of the  
effort that was needed to process the incoming connection would  
already have been spent, so there really wasn't that much to gain  
anymore (other than restrict clients to see what is going on on the  
server). This is the reason we dropped the ACL mechanism.

Best regards, Arjen
-- 
Please keep list traffic on the list
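
Added example, not part of the original message or of NUT's own code: a small audit of the LISTEN directives in upsd.conf, showing which addresses upsd would answer unauthenticated GET and LIST requests on. The sample configuration is constructed, the parser is simplified (no quoting support), and the helper names are hypothetical.

```python
import ipaddress

DEFAULT_PORT = "3493"  # IANA-registered NUT port, used when LISTEN gives none

# Constructed sample upsd.conf, not taken from the thread.
SAMPLE_CONF = """\
# management network only
LISTEN 192.0.2.10 3493
LISTEN 127.0.0.1
LISTEN 0.0.0.0   # every interface
LISTEN ::1
MAXAGE 15
"""

def parse_listen(conf_text):
    """Return (address, port) for each LISTEN line in upsd.conf text."""
    entries = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "LISTEN":
            port = fields[2] if len(fields) > 2 else DEFAULT_PORT
            entries.append((fields[1], port))
    return entries

def classify(address):
    """Label how widely a LISTEN address exposes upsd."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "hostname"  # resolved at startup; check what it resolves to
    if ip.is_unspecified:
        return "all-interfaces"  # 0.0.0.0 or :: reaches every network
    if ip.is_loopback:
        return "loopback"
    return "single-interface"

def audit(conf_text):
    """Return (address, port, exposure label) for every LISTEN entry."""
    return [(a, p, classify(a)) for a, p in parse_listen(conf_text)]

if __name__ == "__main__":
    for addr, port, label in audit(SAMPLE_CONF):
        print(f"{addr:<15} {port:<6} {label}")
```

Any entry labelled all-interfaces or single-interface still needs a firewall rule if only some hosts on that network should reach upsd.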



