Netgate Discussion Forum

    NUT disable anonymous access?

    pfSense Packages
    • Zoltrix

      Hi,

      I have an APC UPS connected via USB to my pfSense firewall. The UPS is detected properly. I'm attempting to set usernames and passwords for remote devices to connect to NUT (eg, WinNUT-Client). No matter what I set in the "Additional configuration lines for upsd.users" in the NUT config in pfSense, it allows WinNUT to connect to the UPS without a username and password. Is this expected? I have the following set under "upsd.users":

      [upsmaster]
      password = XXX
      allowfrom = localhost
      upsmon master
      [upsslave]
      password = XXX
      upsmon slave
      [upsadmin]
      password = XXX
      allowfrom = localhost
      actions = SET
      instcmds = ALL

      • dotdash @Zoltrix

        @zoltrix
        I haven't tested extensively, but I think mine is working with only the following additional config:
        -upsd.conf
        LISTEN 192.168.1.1
        (substitute your LAN IP)
        -upsd.users
        [client1]
        password = firstpassword
        upsmon slave
        [client2]
        password = password4secondpc
        upsmon slave

        On the client, you use the defined username and password (eg client1/firstpassword)

        • Zoltrix @dotdash

          @dotdash thanks for the tips.

          I guess what I am wondering, is it possible to secure NUT further? Eg, from any machine on the network it seems I can do a "upsc myups@myserver:3493" and pull all the current stats from the UPS. There doesn't seem to be a way to remove that anonymous access?

          • dotdash @Zoltrix

            @zoltrix
            It seems you are correct: if I load NUT on a workstation, I can poll statistics if I know the configured name and address without any configuration on the client side. You could make this harder by choosing a unique name instead of the default 'ups'. I don't see this as a security risk, but the NUT manual has a section 'Notes on securing NUT' which may be of use. An easy fix on pfSense would be to block LAN access to the NUT port for all but trusted workstations.

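Added example, not part of the thread and not code from either poster: a small Python 3 check to run from a workstation that the firewall rule is supposed to block, confirming whether upsd on port 3493 still serves UPS data with no login. It uses the NUT network protocol commands LIST UPS and LIST VAR; the function names are hypothetical, and the default address is the LISTEN example quoted above.

```python
import shlex
import socket


def query_list(send, reader, command):
    """Send one NUT command; return the rows between BEGIN LIST and END LIST."""
    send((command + "\n").encode("ascii"))
    if not reader.readline().startswith("BEGIN LIST"):
        return []                        # e.g. "ERR ACCESS-DENIED", or EOF
    rows = []
    for line in reader:
        if line.startswith("END LIST"):
            break
        rows.append(shlex.split(line))   # values arrive as double-quoted strings
    return rows


def read_exposed(send, reader):
    """Return {ups_name: {variable: value}} obtained without USERNAME/PASSWORD."""
    exposed = {}
    for row in query_list(send, reader, "LIST UPS"):
        if len(row) < 2 or row[0] != "UPS":
            continue
        name = row[1]                    # row is ["UPS", name, description]
        rows = query_list(send, reader, f"LIST VAR {name}")
        # each row is ["VAR", ups_name, variable, value]
        exposed[name] = {r[2]: r[3] for r in rows if len(r) == 4}
    return exposed


def anonymous_exposure(host, port=3493, timeout=3.0):
    """None: port unreachable from here. Dict: what upsd served with no login."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock, \
                sock.makefile("r", encoding="utf-8", errors="replace") as reader:
            return read_exposed(sock.sendall, reader)
    except OSError:
        return None


if __name__ == "__main__":
    import sys
    # Default is the LISTEN address used as an example in the thread.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    found = anonymous_exposure(target)
    if found is None:
        print("blocked or unreachable: no TCP connection to the NUT port")
    else:
        for ups, variables in found.items():
            print(f"EXPOSED {ups}: {len(variables)} variables readable without login")
```

upsd answers LIST UPS with the configured names, so it is the firewall rule restricting the port, not the choice of UPS name, that this check verifies.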
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.