Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Linux Software

Security in UPS Software? 42

Posted by Cliff from the keeps-you-up-thru-a-blackout-leaving-crackers-an-open-door dept.
Anonymous Coward asks: "Does anyone have experience with UPS software that has an eye towards security? i want an alternative to APC's 'Powerchute for Linux'. I've just discovered that Powerchute opens multiple ports and there are no options to turn this 'feature' off. What is even worse is that APC Support has announced no plans to address the issue. This means that if your firewall is running Powerchute, you might have security issues. Another example of the lax security: Powerchute requests root priveliges on install and has a certain 3-letter default password that anyone could guess within 5 minutes! Can anyone help with suggestions for alternative software?" Hmmm... I wonder if I accidentally put the default password in the text of this story.
This discussion has been archived. No new comments can be posted.

Security in UPS Software? More

Security in UPS Software?

Comments Filter:
  • I dealt with them years ago, when I discovered that their Powerchute software was vulnerable to DoS. I discovered it like a lot of people - saw port 6667 bound, thought "What the hell is this server doing listening on an IRC port?", fired up mIRC, and watched Powerchute die silently. Their response at the time was that they expected it to be behind a firewall, and didn't really consider network security to be their problem. I'd love to find the email, but it's been years and I don't know where I'd have put it. I guess they've changed their tune now, but I still haven't seen their products improve much.
    • Even more stupidity from APC:


      Do not hook up the 'smart' serial cable to the UPS before installing Windows or the client software. Why? During boot, Windows probes the serial ports for serial mice. When the APC UPS sees this probing, it goes into shutdown mode - you have only so long until the UPS shuts down power.

      I've also had cases where the APC client did not shutdown SQL or Exchange before pulling the power - and it had enough battery juice to keep going for another 20-30 minutes.

      Another case where the so called Engineers of these products need to be strung up. Wankers.

      • I LOVE that feature. Especially when you've got a new guy rebooting stuff... it's great to watch them scrable around to find the beeping UPS. Apparently it interprets the mouse probing as a 'simulate power failure' command. Wonderful....
  • I thought the ports you are complaining about are for remotely administering several servers with UPS on them? Maybe you do not need that portion of the software running to still have it do a clean shutdown when you run out of power?

    Someone should set up a test box with this software and then sue APC once they get hacked....

  • NUT! (Score:5, Informative)

    by zulux ( 112259 ) on Wednesday April 03, 2002 @02:56PM (#3278469) Homepage Journal

    NUT talkes with APC and friends. It's GPL'ed and works.

    http://www.exploits.org/nut/ [exploits.org]

  • firewall the ports (Score:1, Insightful)

    by Spacelord ( 27899 )
    ipchains/iptables/ ... are your friend!

    Every server should have it's own firewall script anyway that only allows incoming traffic on a limited set of ports.
  • The solution is simple: Filter the ports, chmod -s some stuff, and call it a day.
  • In the course of writing a review for 8wire [8wire.com] about the Belkin Sentry UPS, I discovered that in the UPS software, Belkin Sentry Bulldog that was originally shipped with the machine, the Web control/monitoring interface which was advertised as allowing control from anywhere did not mention it could be controlled by anybody, and the Web control software installed by default.

    The default password access page could easily be bypassed by anyone who knew the directory tree and the IP address of the workstation / UPS.

    This was fixed a few weeks after the article came out for some reason.

    Take a careful look at the software for ANY Web-controlled devices (including routers and toasters) for ugly surprises before running it on your network.

  • It's worse (Score:3, Interesting)

    by sllort ( 442574 ) on Wednesday April 03, 2002 @04:59PM (#3279377) Homepage Journal
    Large UPS's are almost always SNMP Rev1 Managed [sercomm.com.tw]. No security. Add that plus the recent spate of attacks on high-level security providers who use unsecured SNMP [info-sec.com]...

    Yes, it really is just a f%*kup waiting to happen.

  • apcupsd (Score:4, Informative)

    by josepha48 ( 13953 ) on Wednesday April 03, 2002 @05:47PM (#3279738) Journal
    Since you already have an apc, try apcupsd.

    There is an optional cgi monitoring program that by default will listen on port 7000 I believe.

    www.apcupsd.org

    I use it and I do not think it opens any other ports except that one and as I said you don't need to have the cgi on. There is a powerchute clone. It is open source so if it does open a port up you can close this.

    Oh the only other reason you may have ports is if you have slave machines and a master on one ups and you want the master to shut the slaves down. The slaves and masters all have to open communications so that they can be told to shutdown. I think in apcupsd if you have no slaves then this is not an issue.

  • I've written APC monitoring software. Just contact them for the communication protocol for the model you're using. When I was writing it, it was as simple as opening a com port and reading and writing characters. It was a bit screwy though because you'd query for a long string of info and if there was an alert during the response you'd get the alert interspersed with query data. But overall it's not hard.
  • Debian has both "powstatd" and "powstatd-crypt" packages. It's also one of the easiest UPS monitors I ever tried to set up (a nice test script can show how your cable responds to various events on the UPS, so no more guessing). The powstatd-crypt version allows a master (with the cable plugged in) to notify slaves via an encrypted channel. That is, of course, optional.

    Best of all, it's Free Software.
  • Change the default password. It's easy and fun.

    Firewall the ports you don't want it to use. If your firewall runs upsd, you're a moron, but you can still firewall those ports on whichever interface you want -- that's what a firewall does.

    Now, let's ask ourselves: why would a program which can shut down your computer in the event of a power failure, and which listens on a serial port need root permissions to install???

    Christ!

    - A.P.
  • I started to read this, because I thought the article was about the software that UPS the shipping company gives large customers to allow entry directly into their systems.
    Not some lame battery pack.

Slashdot Top Deals

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (5) All right, who's the wiseguy who stuck this trigraph stuff in here?

Close