Network UPS Tools User Manual

Recommendations

Info

Network UPS Tools User Manual 39 / 84 LISTEN 127.0.0.1 LISTEN 192.168.50.1 LISTEN ::1 LISTEN 2001:0db8:1234:08d3:1319:8a2e:0370:7344 This parameter will only be read at startup. You’ll need to restart (rather than reload) upsd to apply any changes made here. 9.4.2 Firewall NUT has its own official IANA port: 3493/tcp. The upsmon process on slave systems, as well as any other NUT client (such as upsc, upscmd, upsrw, NUT-Monitor, . . . ) connects to the upsd process on the master system via this TCP port. The upsd process does not connect out. You should use this to restrict network access. Uncomplicated Firewall (UFW) support NUT can tightly integrate with Uncomplicated Firewall using the provided profile (nut.ufw.profile). You must first install the profile on your system: $ cp nut.ufw.profile /etc/ufw/applications.d/ To enable outside access to your local upsd, use: $ ufw allow NUT To restrict access to the network 192.168.X.Y, use: $ ufw allow from 192.168.0.0/16 to any app NUT You can also use graphical frontends, such as gui-ufw (gufw), ufw-kde or ufw-frontends. For more information, refer to: • UFW homepage, • UFW project page, • UFW wiki, • UFW manual page, section APPLICATION INTEGRATION 9.4.3 TCP Wrappers If the server is build with tcp-wrappers support enabled, it will check if the NUT username is allowed to connect from the client address through the /etc/hosts.allow and /etc/hosts.deny files. Note this will only be done for commands that require the user to be logged into the server. hosts.allow: ups : admin@127.0.0.1/32 ups : monslave@127.0.0.1/32 monslave@192.168.1.0/24 hosts.deny: upsd : ALL Further details are described in hosts_access(5).
Network UPS Tools User Manual 40 / 84 9.5 Configuring SSL SSL is available as a build option (--with-ssl). It encrypts sessions between upsd and clients, and can also be used to authenticate servers. This means that stealing port 3493 from upsd will no longer net you interesting passwords. Several things must happen before this will work, however. This chapter will present these steps. SSL is available via two back-end libraries : NSS and OpenSSL (historically). You can choose to use one of them by specifying it with a build option (--with-nss or --with-openssl). If neither is specified, the configure script will try to detect one of them, with a precedence for OpenSSL. 9.5.1 OpenSSL backend usage This section describes how to enable NUT SSL support using OpenSSL. Install OpenSSL Install OpenSSL as usual, either from source or binary packages. If using binary packages, be sure to include the developer libraries. Recompile and install NUT Recompile NUT from source, starting with configure --with-openssl. Then install everything as usual. Create a certificate and key for upsd openssl (the program) should be in your PATH, unless you installed it from source yourself, in which case it may be in /usr/local/ssl/bin. Use the following command to create the certificate: openssl req -new -x509 -nodes -out upsd.crt -keyout upsd.key You can also put a -days nnn in there to set the expiration. If you skip this, it may default to 30 days. This is probably not what you want. It will ask several questions. What you put in there doesn’t matter a whole lot, since nobody is going to see it for now. Future versions of the clients may present data from it, so you might use this opportunity to identify each server somehow. Figure out the hash for the key Use the following command to determine the hash of the certificate: openssl x509 -hash -noout -in upsd.crt You’ll get back a single line with 8 hex characters. This is the hash of the certificate, which is used for naming the client-side certificate. For the purposes of this example the hash is 0123abcd.
Page 1 and 2: Network UPS Tools User Manual i Net
Page 3 and 4: Network UPS Tools User Manual iii C
Page 5 and 6: Network UPS Tools User Manual v Ins
Page 7 and 8: Network UPS Tools User Manual vii 9
Page 9 and 10: Network UPS Tools User Manual ix F
Page 11 and 12: Network UPS Tools User Manual xi J.
Page 13 and 14: Network UPS Tools User Manual 2 / 8
Page 21 and 22: Network UPS Tools User Manual 10 /
Page 49: Network UPS Tools User Manual 38 /
Page 95: Network UPS Tools User Manual 84 /

Network UPS Tools User Manual

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?