UPSSET.CONF(5) Network UPS Tools (NUT) UPSSET.CONF(5)
NAME
upsset.conf - Configuration for Network UPS Tools upsset.cgi
DESCRIPTION
This file only does one job - it lets you convince
upsset.cgi(8) that your system's CGI directory is secure.
The program will not run until this file has been properly
defined.
SECURITY REQUIREMENTS
upsset.cgi(8) allows you to try login name and password
combinations. There is no rate limiting, as the program
shuts down between every request. Such is the nature of
CGI programs.
Normally, attackers would not be able to access your
upsd(8) server directly as it would be protected by the
ACCESS/ACL directives in your upsd.conf(5) file and
hopefully local firewall settings in your OS.
Since upsset runs on your web server, it could provide a
passage from the outside to the inside, bypassing any
firewall rules or upsd access control limitations, since
it appears to be coming from the web server. This is why
you must secure it first.
On Apache, you can use the .htaccess file or put the
directives in your httpd.conf. It looks something like
this, assuming the .htaccess method:
<Files upsset.cgi>
deny from all
allow from your.network.addresses
</Files>
You will probably have to set "AllowOverride Limit" for
this directory in your server-level configuration file as
well.
If this doesn't make sense, then stop reading and leave
this program alone. It's not something you absolutely
need to have anyway.
Assuming you have all this done, and it actually works
(test it!), then you may add the following directive to
this file:
I_HAVE_SECURED_MY_CGI_DIRECTORY
If you lie to the program and someone beats on your upsd
through your web server, don't blame me.
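
An added example (not part of the NUT documentation or code): a static
pre-check that the I_HAVE_SECURED_MY_CGI_DIRECTORY declaration is backed
by a restricting <Files upsset.cgi> block in the .htaccess style shown
above. The function names and the sample file contents are constructed
for illustration.

```python
import re

DIRECTIVE = "I_HAVE_SECURED_MY_CGI_DIRECTORY"
FILES_BLOCK = re.compile(r"<Files\s+\"?upsset\.cgi\"?\s*>(.*?)</Files>", re.I | re.S)

# Constructed sample inputs (not taken from a real system).
HTACCESS_OK = "<Files upsset.cgi>\ndeny from all\nallow from 192.0.2.0/24\n</Files>\n"
HTACCESS_OPEN = "<Files upsset.cgi>\ndeny from all\nallow from all\n</Files>\n"
UPSSET_CONF = "I_HAVE_SECURED_MY_CGI_DIRECTORY\n"

def block_rules(htaccess):
    """Return normalised directives inside <Files upsset.cgi>, or None if absent."""
    m = FILES_BLOCK.search(htaccess)
    if m is None:
        return None
    lines = (" ".join(l.lower().split()) for l in m.group(1).splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def audit(htaccess, upsset_conf):
    """List reasons the declaration in upsset.conf is not backed by .htaccess."""
    if DIRECTIVE not in (l.strip() for l in upsset_conf.splitlines()):
        return []  # nothing declared; upsset.cgi refuses to run anyway
    rules = block_rules(htaccess)
    if rules is None:
        return ["no <Files upsset.cgi> block"]
    findings = []
    if "deny from all" not in rules:
        findings.append("missing 'deny from all'")
    # Collect every source named on an "allow from" line.
    allows = [src for r in rules if r.startswith("allow from ")
              for src in r[11:].split()]
    if "all" in allows:
        findings.append("'allow from all' reopens access")
    return findings

if __name__ == "__main__":
    for name, text in (("ok", HTACCESS_OK), ("open", HTACCESS_OPEN), ("empty", "")):
        print(name, audit(text, UPSSET_CONF) or "declaration backed by config")
```

A clean result only covers the file contents; whether Apache honours
them (for example the "AllowOverride Limit" setting) still has to be
confirmed by requesting upsset.cgi from an address outside the allowed
range and seeing it refused.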
SEE ALSO
upsset.cgi(8)
Internet resources:
The NUT (Network UPS Tools) home page:
http://www.exploits.org/nut/
NUT mailing list archives and information:
http://lists.exploits.org/
Tue Jul 30 2002 UPSSET.CONF(5)