version 2, including all changes.
.
Rev |
Author |
# |
Line |
1 |
perry |
1 |
UPSSET.CONF |
|
|
2 |
!!!UPSSET.CONF |
|
|
3 |
NAME |
|
|
4 |
DESCRIPTION |
|
|
5 |
SECURITY REQUIREMENTS |
|
|
6 |
SEE ALSO |
|
|
7 |
---- |
|
|
8 |
!!NAME |
|
|
9 |
|
|
|
10 |
|
|
|
11 |
upsset.conf - Configuration for Network UPS Tools upsset.cgi |
|
|
12 |
!!DESCRIPTION |
|
|
13 |
|
|
|
14 |
|
|
|
15 |
This file only does one job - it lets you convince |
2 |
perry |
16 |
upsset.cgi(8) that your system's CGI directory is |
1 |
perry |
17 |
secure. The program will not run until this file has been |
|
|
18 |
properly defined. |
|
|
19 |
!!SECURITY REQUIREMENTS |
|
|
20 |
|
|
|
21 |
|
2 |
perry |
22 |
upsset.cgi(8) allows you to try login name and |
1 |
perry |
23 |
password combinations. There is no rate limiting, as the |
|
|
24 |
program shuts down between every request. Such is the nature |
|
|
25 |
of CGI programs. |
|
|
26 |
|
|
|
27 |
|
|
|
28 |
Normally, attackers would not be able to access your |
|
|
29 |
upsd(8) server directly as it would be protected by |
2 |
perry |
30 |
the ACCESS/ACL directives in your upsd.conf(5) file |
1 |
perry |
31 |
and hopefully local firewall settings in your |
|
|
32 |
OS. |
|
|
33 |
|
|
|
34 |
|
|
|
35 |
Since upsset runs on your web server, it could provide a |
|
|
36 |
passage from the outside to the inside, bypassing any |
|
|
37 |
firewall rules or upsd access control limitations, since it |
|
|
38 |
appears to be coming from the web server. This is why you |
|
|
39 |
just secure it first. |
|
|
40 |
|
|
|
41 |
|
|
|
42 |
On Apache, you can use the .htaccess file or put the |
|
|
43 |
directives in your httpd.conf. It looks something like this, |
|
|
44 |
assuming the .htaccess method: |
|
|
45 |
|
|
|
46 |
|
|
|
47 |
|
|
|
48 |
|
|
|
49 |
|
|
|
50 |
You will probably have to set |
|
|
51 |
|
|
|
52 |
|
|
|
53 |
If this doesn't make sense, then stop reading and leave this |
|
|
54 |
program alone. It's not something you absolutely need to |
|
|
55 |
have anyway. |
|
|
56 |
|
|
|
57 |
|
|
|
58 |
Assuming you have all this done, and it actually works (test |
|
|
59 |
it!), then you may add the following directive to this |
|
|
60 |
file: |
|
|
61 |
|
|
|
62 |
|
|
|
63 |
I_HAVE_SECURED_MY_CGI_DIRECTORY |
|
|
64 |
|
|
|
65 |
|
|
|
66 |
If you lie to the program and someone beats on your upsd |
|
|
67 |
through your web server, don't blame me. |
|
|
68 |
!!SEE ALSO |
|
|
69 |
|
|
|
70 |
|
2 |
perry |
71 |
upsset.cgi(8) |
1 |
perry |
72 |
|
|
|
73 |
|
|
|
74 |
__Internet resources:__ |
|
|
75 |
|
|
|
76 |
|
|
|
77 |
The NUT (Network UPS Tools) home page: |
|
|
78 |
http://www.exploits.org/nut/ |
|
|
79 |
|
|
|
80 |
|
|
|
81 |
NUT mailing list archives and information: |
|
|
82 |
http://lists.exploits.org/ |
|
|
83 |
---- |