Slashdot Mirror


Security in UPS Software?

Anonymous Coward asks: "Does anyone have experience with UPS software that has an eye towards security? I want an alternative to APC's 'Powerchute for Linux'. I've just discovered that Powerchute opens multiple ports and there are no options to turn this 'feature' off. What is even worse is that APC Support has announced no plans to address the issue. This means that if your firewall is running Powerchute, you might have security issues. Another example of the lax security: Powerchute requests root privileges on install and has a certain 3-letter default password that anyone could guess within 5 minutes! Can anyone help with suggestions for alternative software?" Hmmm... I wonder if I accidentally put the default password in the text of this story.

5 of 42 comments

  1. Re:SNMP by Pauly · · Score: 3, Insightful
    You do know you're not likely to get to use anything better than SNMP v1. That's at least as big a security issue. SNMP v1 is rightly derided as Security is Not My Problem.

    My advice is to carefully firewall that machine with iptables. Block any network activity on the port that doesn't originate from the localhost. Also, be sure to filter spoofed packets.

    Or simply write your own damn software. How hard can it be to snoop the traffic on the serial line that connects to the UPS and reverse engineer the protocol?
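    As an added example (not from any poster in this thread), here is an iptables-restore ruleset that does what the comment above suggests: the UPS daemon's port is reachable only via the loopback interface, and packets arriving on any other interface with a loopback source address are dropped as spoofed. The port number is an assumed placeholder (7000 is only what a later comment mentions for the apcupsd CGI); substitute whatever your daemon actually listens on.

```shell
#!/bin/sh
# Added example, not code from the thread or from any UPS project.
# Emits an iptables-restore ruleset confining a UPS daemon's TCP port to
# localhost and dropping spoofed loopback-source packets.

# Print the ruleset for the given TCP port (placeholder default 7000;
# verify the real port against your daemon's configuration).
ups_fw_rules() {
    port="${1:-7000}"
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Traffic that really arrives on the loopback interface is fine.
-A INPUT -i lo -j ACCEPT
# A loopback source address on a non-loopback interface is spoofed;
# drop it before any port-specific rule is consulted.
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# The daemon's port was already accepted via lo above; anything else
# trying to reach it is dropped (add a -p udp twin if it uses UDP).
-A INPUT -p tcp --dport ${port} -j DROP
COMMIT
EOF
}

# Self-check: does the generated ruleset contain the three rules we
# expect for this port? Returns 0 on success, 1 otherwise.
ups_fw_rules_ok() {
    p="${1:-7000}"
    rules=$(ups_fw_rules "$p")
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT$' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP$' || return 1
    printf '%s\n' "$rules" | grep -q -- "^-A INPUT -p tcp --dport $p -j DROP$" || return 1
    return 0
}

# Usage:  sh ups_fw.sh [port]        -> print the rules for review
#         sh ups_fw.sh apply [port]  -> load them (run as root)
if [ "${1:-}" = "apply" ]; then
    ups_fw_rules "${2:-7000}" | iptables-restore
else
    ups_fw_rules "${1:-7000}"
fi
```

Review the printed output before applying it; the default policies stay ACCEPT so nothing else on the host is affected.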

  2. NUT! by zulux · · Score: 5, Informative

    NUT talks with APC and friends. It's GPL'ed and works.

    http://www.exploits.org/nut/

    --

    Moneyed corporations, non-working 'poor' and criminal prisoners are turning productive citizens into tax-slaves.

  3. It's worse by sllort · · Score: 3, Interesting

    Large UPSes are almost always SNMP Rev1 managed. No security. Add that plus the recent spate of attacks on high-level security providers who use unsecured SNMP...

    Yes, it really is just a f%*kup waiting to happen.

  4. apcupsd by josepha48 · · Score: 4, Informative
    Since you already have an apc, try apcupsd.

    There is an optional cgi monitoring program that by default will listen on port 7000 I believe.

    www.apcupsd.org

    I use it and I do not think it opens any other ports except that one and as I said you don't need to have the cgi on. There is a powerchute clone. It is open source so if it does open a port up you can close this.

    Oh, the only other reason you may have ports open is if you have slave machines and a master on one UPS and you want the master to shut the slaves down. The slaves and master all have to open communications so that they can be told to shut down. I think in apcupsd if you have no slaves then this is not an issue.

    --

    Only 'flamers' flame!

  5. Re:It's not a standard serial cable by Sabriel · · Score: 3, Interesting
    I think they intentionally wired it so that you'd have to buy their cable.
    Correct. While externally identical, APC's cables are proprietary with their own internal wiring and resistance scheme. They are also, of course, hellaciously more expensive than a standard RS232C serial cable.

    It is possible to wire your own cable; depending on your model of UPS and whether your computer asserts DTR on powerup you may not be able to achieve full functionality. E.g., http://www.eng.auburn.edu/users/doug/ups.html

    You may also like to google for "APC" "wiring scheme", as quite a few people have tackled rolling their own cables and code for this problem.