Quoting Joerg Pulz <[email protected]>:

> after some experimenting and digging through the code I found no solution
> how to completely disable access to upsd from specific hosts.

On multi-homed servers the LISTEN directive will deal with this, by only listening on interfaces from which clients are allowed to connect. If this isn't fine grained enough, your firewall will keep out unwanted connections much more efficiently than tcp-wrappers (or the now obsolete ACL mechanism) ever will.

> In previous versions (before r1233) it was possible to allow or deny
> access to upsd completely by using ACL, ACCEPT and REJECT entries in
> upsd.conf. As this functionality was removed and tcp-wrappers support was
> introduced I thought it would be possible to use some rules in hosts.allow
> to get the same functionality as before. Unfortunately, that's not the
> case.

This is by design.

> Only authenticated commands like SET or INSTCMD are protected by
> tcp-wrappers, all other commands like GET or LIST can be used from
> everywhere by everyone which is IMO a regression.
>
> For me, the right solution would be to protect all incoming connections by
> tcp-wrappers.

Using tcp-wrappers for source address access control alone is a *huge* waste of effort, therefore NUT no longer supports this.

> What do others think about this?

The tcp-wrappers support in NUT is only meant to deal with the case where you want to allow access for certain users from a specific set of machines (for instance, administrative access). This means we require the username and password, hence this only works for commands that require being logged into the server.

The previous ACL mechanism was too inefficient (in terms of resources) to be really useful in countering attacks on the server. By the time the decision to allow or deny a client access was made, most of the effort that was needed to process the incoming connection would already have been spent, so there really wasn't that much to gain anymore (other than restricting clients to see what is going on on the server). This is the reason we dropped the ACL mechanism.

Best regards,
Arjen
--
Please keep list traffic on the list
_______________________________________________
Nut-upsuser mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/nut-upsuser
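As an added illustration of the LISTEN-based approach Arjen recommends above, the script below (example code, not part of the NUT project or this thread) audits the LISTEN directives in an upsd.conf and flags any binding to a wildcard address, which is what leaves GET and LIST reachable from every interface. It assumes the documented `LISTEN <address> [port]` syntax with 3493 as the default port; the two configuration files it checks are constructed inline for demonstration, and 192.0.2.10 is an RFC 5737 documentation address, not a real host.

```shell
#!/bin/sh
# Added example (not NUT project code): audit LISTEN directives in upsd.conf
# and report which ones expose upsd beyond loopback or a chosen interface.
# Assumption: "LISTEN <address> [port]" syntax, default port 3493.

# Prints one line per LISTEN directive: "<address> <port> <verdict>".
# WIDE   = wildcard address, reachable from every interface
# LOCAL  = loopback only
# SCOPED = a specific interface address
audit_listen() {
    conf="$1"
    # Drop comments first so a trailing "# note" never becomes the port field.
    sed -e 's/#.*//' "$conf" | awk '
        $1 == "LISTEN" {
            addr = $2
            port = ($3 == "" ? 3493 : $3)
            if (addr == "0.0.0.0" || addr == "::")        verdict = "WIDE"
            else if (addr == "127.0.0.1" || addr == "::1") verdict = "LOCAL"
            else                                           verdict = "SCOPED"
            print addr, port, verdict
        }'
}

# Succeeds (exit 0) only when no directive binds a wildcard address.
listen_is_scoped() {
    ! audit_listen "$1" | grep -q ' WIDE$'
}

# Constructed sample configurations for the demonstration.
TMP=$(mktemp -d)
cat > "$TMP/open.conf" <<'EOF'
# weak: upsd answers on every interface, so GET/LIST are world-reachable
LISTEN 0.0.0.0 3493
EOF
cat > "$TMP/scoped.conf" <<'EOF'
# corrected: loopback plus the management interface only
LISTEN 127.0.0.1 3493
LISTEN 192.0.2.10        # RFC 5737 documentation address, stands in for the mgmt NIC
EOF

echo "open.conf:";   audit_listen "$TMP/open.conf"
echo "scoped.conf:"; audit_listen "$TMP/scoped.conf"
```

Run it against a real upsd.conf by calling `audit_listen /etc/nut/upsd.conf`; a WIDE verdict means the firewall, not NUT, is the only thing standing between the network and the unauthenticated commands discussed above.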

