Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security in UPS Software?

Posted by Cliff on from the keeps-you-up-thru-a-blackout-leaving-crackers-an-open-door dept.

Anonymous Coward asks: "Does anyone have experience with UPS software that has an eye towards security? i want an alternative to APC's 'Powerchute for Linux'. I've just discovered that Powerchute opens multiple ports and there are no options to turn this 'feature' off. What is even worse is that APC Support has announced no plans to address the issue. This means that if your firewall is running Powerchute, you might have security issues. Another example of the lax security: Powerchute requests root priveliges on install and has a certain 3-letter default password that anyone could guess within 5 minutes! Can anyone help with suggestions for alternative software?" Hmmm... I wonder if I accidentally put the default password in the text of this story.

42 comments

  1. oo ooo me me me me!! by Anonymous Coward · · Score: 0

    APC??

    1. Re:oo ooo me me me me!! by GTRacer · · Score: 0
      Aha! That's the one! I was about to throw in the towel after trying SUX, OWN, POS, ASS, WEK, and RST...

      Sorry about your power!

      GTRacer
      - My root password is 1-2-3-4-5.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    2. Re:oo ooo me me me me!! by pete-classic · · Score: 2

      My root password is 1-2-3-4-5.

      That sound like a combination that an idiot would have on his luggage.

      -Peter

    3. Re:oo ooo me me me me!! by Anonymous Coward · · Score: 0

      WEK = weak ?

      (Just a guess...)

    4. Re:oo ooo me me me me!! by GTRacer · · Score: 0, Offtopic
      WEK = Weak (Congrats to AC below...)
      RST = Reset

      GTRacer
      - My *REAL* root password is $password

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    5. Re:oo ooo me me me me!! by Anonymous Coward · · Score: 0

      Hey, I have the same combination on my luggage!

    6. Re:oo ooo me me me me!! by inKubus · · Score: 1

      Hey wait.. That's the combination on MY luggage.

      --
      Cool! Amazing Toys.
    7. Re:oo ooo me me me me!! by docbrown42 · · Score: 1

      GTRacer
      - My root password is 1-2-3-4-5.
      **********

      Isn't that the kind of password an idiot would have on his luggage?

      -Ed

      --
      Ed Wedig
      Graphic design services
      docbrown.net
    8. Re:oo ooo me me me me!! by GTRacer · · Score: 2
      Ummm, you're about a week late, Doc!

      GTRacer
      - I've changed the password

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
  2. What do you suggest, Einstein? by PhysicsGenius · · Score: 0, Troll

    The purpose of a UPS is to store power for later use. Supporting high-entropy ("random") strings of arbitrary length is going to consume a lot of energy. If you want your UPS to spend all its time being secure and none of its time being useful, go right ahead. Personally I think I'll just risk some hackers seeming I'm down to 90% battery levels...

    1. Re:What do you suggest, Einstein? by Anonymous Coward · · Score: 0

      you missed the point. the ups software leaves the door open regardless of power status.

    2. Re:What do you suggest, Einstein? by nochops · · Score: 1

      "Personally I think I'll just risk some hackers seeming I'm down to 90% battery levels..."

      Perhaps you also wouldn't mind some silly hackers shutting down the UPS completely, or performing self-tests, or putting it in maintenance bypass, etc., either. All of this can be done from powerchute.

      --
      "A terrorist is someone who has a bomb but doesn't have an air force." -William Blum
    3. Re:What do you suggest, Einstein? by Anonymous Coward · · Score: 0

      IMHO, this is the kind of thinking that leads to vulnerability prone systems in the first place.

    4. Re:What do you suggest, Einstein? by Anonymous Coward · · Score: 0

      I can't believe that some moron moderator +1 interesting'd this bullshit.

      The energy consumed in erasing bits is NOTHING compared to the energy lost to heat. If PhysicsGenius was right, Reversible Computing would have taken over the embedded systems world years ago, instead of simply being a labratory curiosity.

  3. SNMP by Anonymous Coward · · Score: 0

    Most of the UPS hardware I've worked with talks SNMP. Why not for go the install of the software all together and use some simple SNMP commands to do what you need to do?

    1. Re:SNMP by Pauly · · Score: 3, Insightful
      You do know you're not likely to get to use anything better than SNMP v1. That's at least as big a security issue. SNMP v1 is rightly derided as Security is Not My Problem.

      My advice is to carefully firewall that machine with iptables. Block any network activity on the port that doesn't originate from the localhost. Also, be sure to filter spoofed packets.

      Or simply write your own damn software. How hard can it be to snoop the traffic on the serial line that connects to the UPS and reverse engineer the protocol?

    2. Re:SNMP by Anonymous Coward · · Score: 0
      How hard can it be to snoop the traffic on the serial line that connects to the UPS and reverse engineer the protocol?
      Very hard, if you've never done it. This is something I wish to do (I have a non-APC UPS and need to roll my own) but I don't know where to begin. Care to offer any pointers?
    3. Re:SNMP by Anonymous Coward · · Score: 0

      Done this to write my own software for
      SCO OpenServer, it is piss easy.
      I used a WINSH*T 95 box with the win powerchute
      and serial monitoring

  4. A comment about APC... by Rorschach1 · · Score: 2

    I dealt with them years ago, when I discovered that their Powerchute software was vulnerable to DoS. I discovered it like a lot of people - saw port 6667 bound, thought "What the hell is this server doing listening on an IRC port?", fired up mIRC, and watched Powerchute die silently. Their response at the time was that they expected it to be behind a firewall, and didn't really consider network security to be their problem. I'd love to find the email, but it's been years and I don't know where I'd have put it. I guess they've changed their tune now, but I still haven't seen their products improve much.

    1. Re:A comment about APC... by jo42 · · Score: 1
      Even more stupidity from APC:


      Do not hook up the 'smart' serial cable to the UPS before installing Windows or the client software. Why? During boot, Windows probes the serial ports for serial mice. When the APC UPS sees this probing, it goes into shutdown mode - you have only so long until the UPS shuts down power.

      I've also had cases where the APC client did not shutdown SQL or Exchange before pulling the power - and it had enough battery juice to keep going for another 20-30 minutes.

      Another case where the so called Engineers of these products need to be strung up. Wankers.

    2. Re:A comment about APC... by Rorschach1 · · Score: 2

      I LOVE that feature. Especially when you've got a new guy rebooting stuff... it's great to watch them scrable around to find the beeping UPS. Apparently it interprets the mouse probing as a 'simulate power failure' command. Wonderful....

  5. Ports are for remote admin? by argel · · Score: 1
    I thought the ports you are complaining about are for remotely administering several servers with UPS on them? Maybe you do not need that portion of the software running to still have it do a clean shutdown when you run out of power?

    Someone should set up a test box with this software and then sue APC once they get hacked....

    --

    -- Argel
  6. NUT! by zulux · · Score: 5, Informative


    NUT talkes with APC and friends. It's GPL'ed and works.

    http://www.exploits.org/nut/

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  7. firewall the ports by Spacelord · · Score: 1, Insightful

    ipchains/iptables/ ... are your friend!

    Every server should have it's own firewall script anyway that only allows incoming traffic on a limited set of ports.

  8. Use different software by Pauly · · Score: 2, Informative
    Freshmeat has alternatives to this crufty software.

  9. Well duh.. by MadCamel · · Score: 1

    The solution is simple: Filter the ports, chmod -s some stuff, and call it a day.

  10. Belkin UPS boxes *had* a similar problem by alizard · · Score: 2, Interesting
    In the course of writing a review for 8wire about the Belkin Sentry UPS, I discovered that in the UPS software, Belkin Sentry Bulldog that was originally shipped with the machine, the Web control/monitoring interface which was advertised as allowing control from anywhere did not mention it could be controlled by anybody, and the Web control software installed by default.

    The default password access page could easily be bypassed by anyone who knew the directory tree and the IP address of the workstation / UPS.

    This was fixed a few weeks after the article came out for some reason.

    Take a careful look at the software for ANY Web-controlled devices (including routers and toasters) for ugly surprises before running it on your network.

    --
    Tech Public Policy stuff
  11. It's worse by sllort · · Score: 3, Interesting

    Large UPS's are almost always SNMP Rev1 Managed. No security. Add that plus the recent spate of attacks on high-level security providers who use unsecured SNMP...

    Yes, it really is just a f%*kup waiting to happen.

  12. sounds familiar by Anonymous Coward · · Score: 0

    Didn't we have a story about easy to guess passwords? When will people learn?

  13. apcupsd by josepha48 · · Score: 4, Informative
    Since you already have an apc, try apcupsd.

    There is an optional cgi monitoring program that by default will listen on port 7000 I believe.

    www.apcupsd.org

    I use it and I do not think it opens any other ports except that one and as I said you don't need to have the cgi on. There is a powerchute clone. It is open source so if it does open a port up you can close this.

    Oh the only other reason you may have ports is if you have slave machines and a master on one ups and you want the master to shut the slaves down. The slaves and masters all have to open communications so that they can be told to shutdown. I think in apcupsd if you have no slaves then this is not an issue.

    --

    Only 'flamers' flame!

  14. It's not a standard serial cable by Anonymous Coward · · Score: 0

    At my old job, we decided to save a few bucks, and not use the APC serial cables connected to our servers. Plug the serial cable in, and WHOOM, the server powers down suddenly.

    Swap that cable out for the APC one, and it behaves normally. I think they intentionally wired it so that you'd have to buy their cable.

    1. Re:It's not a standard serial cable by Sabriel · · Score: 3, Interesting
      I think they intentionally wired it so that you'd have to buy their cable.
      Correct. While externally identical, APC's cables are proprietary with their own internal wiring and resistance scheme. They are also, of course, hellaciously more expensive than a standard RS232C serial cable.

      It is possible to wire your own cable; depending on your model of UPS and whether your computer asserts DTR on powerup you may not be able to achieve full functionality. Eg, http://www.eng.auburn.edu/users/doug/ups.html

      You may also like to google for "APC" "wiring scheme", as quite a few people have tackled rolling their own cables and code for this problem.

  15. Write it yourself by pkesel · · Score: 1

    I've written APC monitoring software. Just contact them for the communication protocol for the model you're using. When I was writing it, it was as simple as opening a com port and reading and writing characters. It was a bit screwy though because you'd query for a long string of info and if there was an alert during the response you'd get the alert interspersed with query data. But overall it's not hard.

    --
    - Sig this!
  16. powstatd[-crypt] by Col.+Klink+(retired) · · Score: 2

    Debian has both "powstatd" and "powstatd-crypt" packages. It's also one of the easiest UPS monitors I ever tried to set up (a nice test script can show how your cable responds to various events on the UPS, so no more guessing). The powstatd-crypt version allows a master (with the cable plugged in) to notify slaves via an encrypted channel. That is, of course, optional.

    Best of all, it's Free Software.

    --

    -- Don't Tase me, bro!

  17. Re:Non-APC UPSes by theOnlyTPC · · Score: 1

    If you haven't already, you probably want to check out NUT, as mentioned above. I've never used it with a non-APC UPS, but according to NUT's compatibility list, it has support for quite a variety of UPS hardware.

    If NUT doesn't support your hardware, you may find others there interested in developing a driver. You also may find it easier to get your UPS manufacturer to contribute a copy of its protocol docs to the project than to you individually.

  18. What kind of fucking retard are you? by Wakko+Warner · · Score: 2

    Change the default password. It's easy and fun.

    Firewall the ports you don't want it to use. If your firewall runs upsd, you're a moron, but you can still firewall those ports on whichever interface you want -- that's what a firewall does.

    Now, let's ask ourselves: why would a program which can shut down your computer in the event of a power failure, and which listens on a serial port need root permissions to install???

    Christ!

    - A.P.

    --
    "Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
    1. Re:What kind of fucking retard are you? by Anonymous Coward · · Score: 0

      I wholeheartedly agree.

      If you have a UPS daemon on your firewall and you aren't able to filter the UPS connections then I suggest the issue is with the firewall and not the UPS daemon. Any decent firewall (Firewall-1, PIX and even crufty linux iptables/ipchains) can filter traffic to the host itself.

      Run it as a non-priveleged use and then make your shutdown binary setuid - I dare you.

      It seems to me that the motto for slashdot's forums should be changed to 'A little knowledge is dangerous'.

  19. Non-root nstall by Anonymous Coward · · Score: 0
    If you want, it's possible to setup your machine to allow the shutdown from a non-root UID.

    Here's what to do:
    chmod 4755 /sbin/shutdwon

    Now 'nobody' can shut down your machine! very convenient!

  20. Get it off your server by Micky+the+knife · · Score: 0

    We took an old server and stuck a bunch of multi-port serial cards in it. We used it as a gateway between the servers and the different UPS. Wrote some PERL scrips to handle it all. We had some other requirements such as a "panic button that killed power and shutdown the ups to totally shut off all systems.

    --
    Go ahead and mod me up. I dare you!
  21. UPS software? by whoda · · Score: 1

    I started to read this, because I thought the article was about the software that UPS the shipping company gives large customers to allow entry directly into their systems.
    Not some lame battery pack.