Monitoring a Belkin 600VA UPS with NUT on Debian/Ubuntu

I recently bought a Belkin 600VA UPS (model F6S600auUSB) and here's what I had to do to setup the monitoring and automatic shutdown on Ubuntu 9.10 (karmic). (This procedure should work on recent versions of Debian as well.)

This UPS comes with a proprietary monitoring tool (written in Java) and you can find instructions to get this working on the Ubuntu forums, but I was looking for a free solution that would integrate well with the rest of the system. So after reading this blog post I decided to go with the Network UPS Tools project:

$ apt-get install nut

Once the nut package is installed, I edited /etc/nut/nut.conf to set:

MODE=standalone

and created the following files:

$ vim /nut/ups.conf  
  
[belkinusb]  
driver = megatec_usb  
port = auto  
desc = "Belkin UPS, USB interface"  
  
$ vim /etc/nut/upsd.conf  
  
# MAXAGE 15  
# LISTEN 127.0.0.1 3493  
# MAXCONN 1024  
  
$ vim /etc/nut/upsd.users  
  
[local_mon]  
password = MYPASSWORD  
upsmon master  
  
$ vim /etc/nut/upsmon.conf  
  
MONITOR belkinusb@localhost 1 local_mon MYPASSWORD master  
POWERDOWNFLAG /etc/killpower  
SHUTDOWNCMD "/sbin/shutdown -h +0"

Then all that was left to do was to restart nut:

$ /etc/init.d/nut restart

and check syslog for any errors:

$ tail /var/log/syslog

While nut is running, it will monitor the UPS and report any power problems to syslog. Once the UPS is running on battery, it will make sure the computer is safely shut down before power runs out.

Hopefully future versions of GNOME Power Manager will be able to integrate with nut directly and display battery information through its notification icon.

Preventing man-in-the-middle attacks on fetchmail and postfix

Recent attacks against the DNS infrastructure have exposed the limitations of relying on TLS/SSL certificates for securing connections on the Internet.

Given that typical mail servers don't rotate their keys very often, it's not too cumbersome to hardcode their fingerprints and prevent your mail software from connecting to them should the certificate change. This is similar to how most people use ssh: assume that the certificate is valid on the first connection, but be careful if the certificate changes afterwards.

Fetchmail

Here's how to specify a certificate for a POP/IMAP server (Gmail in this example).

First of all, you need to download the server certificate:

openssl s_client -connect pop.gmail.com:995 -showcerts  
openssl s_client -connect imap.gmail.com:993 -showcerts

Then copy the output of that command to a file, say gmail.out, and extract its md5 fingerprint:

openssl x509 -fingerprint -md5 -noout -in gmail.out

Once you have the fingerprint, add it to your ~/.fetchmailrc:

poll pop.gmail.com protocol pop3 user "remoteusername" is "localusername" password "mypassword" fetchall ssl sslproto ssl3 sslfingerprint "12:34:AB:CD:56:78:EF:12:34:AB:CD:56:78:EF:12:34"

Postfix

Similarly, to detect changes to the certificate on your outgoing mail server (used as a smarthost on your local postfix instance), extract its sha256 fingerprint:

openssl s_client -connect smtp.gmail.com:587 -starttls smtp -showcerts
openssl x509 -fingerprint -sha256 -noout -in isp.out

Then add the fingerprint to /etc/postfix/main.cf:

relayhost = smtp.gmail.com
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd  
smtp_sasl_auth_enable = yes  
smtp_sasl_security_options = noanonymous  
smtp_tls_security_level = fingerprint  
smtp_tls_mandatory_ciphers = high  
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3  
smtp_tls_fingerprint_digest = sha256
smtp_tls_fingerprint_cert_match =  
   12:34:AB:CD:56:78:EF:90:12:AB:CD:34:56:EF:78:90:AB:CD:12:34:AB:DD:44:66:DA:77:CF:DB:E4:A7:02:E1