version 2, including all changes.
.
| Rev |
Author |
# |
Line |
| 1 |
perry |
1 |
UPSSET.CONF |
| |
|
2 |
!!!UPSSET.CONF |
| |
|
3 |
NAME |
| |
|
4 |
DESCRIPTION |
| |
|
5 |
SECURITY REQUIREMENTS |
| |
|
6 |
SEE ALSO |
| |
|
7 |
---- |
| |
|
8 |
!!NAME |
| |
|
9 |
|
| |
|
10 |
|
| |
|
11 |
upsset.conf - Configuration for Network UPS Tools upsset.cgi |
| |
|
12 |
!!DESCRIPTION |
| |
|
13 |
|
| |
|
14 |
|
| |
|
15 |
This file only does one job - it lets you convince |
| 2 |
perry |
16 |
upsset.cgi(8) that your system's CGI directory is |
| 1 |
perry |
17 |
secure. The program will not run until this file has been |
| |
|
18 |
properly defined. |
| |
|
19 |
!!SECURITY REQUIREMENTS |
| |
|
20 |
|
| |
|
21 |
|
| 2 |
perry |
22 |
upsset.cgi(8) allows you to try login name and |
| 1 |
perry |
23 |
password combinations. There is no rate limiting, as the |
| |
|
24 |
program shuts down between every request. Such is the nature |
| |
|
25 |
of CGI programs. |
| |
|
26 |
|
| |
|
27 |
|
| |
|
28 |
Normally, attackers would not be able to access your |
| |
|
29 |
upsd(8) server directly as it would be protected by |
| 2 |
perry |
30 |
the ACCESS/ACL directives in your upsd.conf(5) file |
| 1 |
perry |
31 |
and hopefully local firewall settings in your |
| |
|
32 |
OS. |
| |
|
33 |
|
| |
|
34 |
|
| |
|
35 |
Since upsset runs on your web server, it could provide a |
| |
|
36 |
passage from the outside to the inside, bypassing any |
| |
|
37 |
firewall rules or upsd access control limitations, since it |
| |
|
38 |
appears to be coming from the web server. This is why you |
| |
|
39 |
just secure it first. |
| |
|
40 |
|
| |
|
41 |
|
| |
|
42 |
On Apache, you can use the .htaccess file or put the |
| |
|
43 |
directives in your httpd.conf. It looks something like this, |
| |
|
44 |
assuming the .htaccess method: |
| |
|
45 |
|
| |
|
46 |
|
| |
|
47 |
|
| |
|
48 |
|
| |
|
49 |
|
| |
|
50 |
You will probably have to set |
| |
|
51 |
|
| |
|
52 |
|
| |
|
53 |
If this doesn't make sense, then stop reading and leave this |
| |
|
54 |
program alone. It's not something you absolutely need to |
| |
|
55 |
have anyway. |
| |
|
56 |
|
| |
|
57 |
|
| |
|
58 |
Assuming you have all this done, and it actually works (test |
| |
|
59 |
it!), then you may add the following directive to this |
| |
|
60 |
file: |
| |
|
61 |
|
| |
|
62 |
|
| |
|
63 |
I_HAVE_SECURED_MY_CGI_DIRECTORY |
| |
|
64 |
|
| |
|
65 |
|
| |
|
66 |
If you lie to the program and someone beats on your upsd |
| |
|
67 |
through your web server, don't blame me. |
| |
|
68 |
!!SEE ALSO |
| |
|
69 |
|
| |
|
70 |
|
| 2 |
perry |
71 |
upsset.cgi(8) |
| 1 |
perry |
72 |
|
| |
|
73 |
|
| |
|
74 |
__Internet resources:__ |
| |
|
75 |
|
| |
|
76 |
|
| |
|
77 |
The NUT (Network UPS Tools) home page: |
| |
|
78 |
http://www.exploits.org/nut/ |
| |
|
79 |
|
| |
|
80 |
|
| |
|
81 |
NUT mailing list archives and information: |
| |
|
82 |
http://lists.exploits.org/ |
| |
|
83 |
---- |
