I hope no one can guess the password.



  • My company has been having some issues with our UPS units failing lately.  Since I am often the only one around who can fix the problem, I wanted to set up email notifications of critical events on our UPSs.  Unfortunately, I don't have any of the passwords to any of our servers or other equipment, and getting approval for this sort of thing takes time.

    Out of curiosity, I did a port scan on the main UPS, and discovered that port 80 was open - typing the IP into a browser took me to the admin log-in screen.  Well, at least it was password protected.  But... hmm, I wonder?

    A quick Google search and I found the manufacturer's default user name and password.  Surely the techs who set up this UPS, connected to our most critical servers, changed the log-in credentials?

    Nope.  Username:  admin  Password:  1234.

    I got right into the full admin interface, from which I could shut the UPS off, change the voltages, and play with other fun settings - including deleting the logs, leaving no trace of my "intrusion".

    After correcting some configuration errors (like the UPS being set to send the emergency shutdown signal, which is sent in the event of a total power failure with only 10 minutes of battery remaining so that power isn't dropped while discs are still spinning, to servers that weren't even plugged into it), and setting up email alerts for critical events, I made a back-up of the config file and logged off.

    I'm still waiting for approval to get the passwords to our server room equipment.

    I somehow don't think that a person wanting to do something malicious is going to wait for approval.



  • Obviously they have to set up the passwords before you can get them, that is probably what's taking the time.



  • @eBusiness said:

    Obviously they have to set up the passwords before you can get them, that is probably what's taking the time.

    Six years and counting since the UPS was installed.  I just might be waiting a while.



  • Great effort, but unfortunately it's probably all wasted. I have a strong suspicion that you'll find the batteries are also six years old. So, come the next power outage, at about the time your carefully crafted shutdown plan thinks there should be about 30 minutes of battery life remaining, the UPS will unceremoniously shut down.

    Picture the techs sitting in the dark unable to comprehend that the UPS died already. "But the datasheet said that this UPS has a 65 minute runtime!" (Then you get to explain to them that yes, 65 minutes is correct. With brand new batteries. And a 25% load. And operating at room temperature. You have batteries that are old enough to go to kindergarten, have been running at 35C or better, and the load is at about 95% of nameplate capacity. Game over.)



  • @RichP said:

    Great effort, but unfortunately it's probably all wasted. I have a strong suspicion that you'll find the batteries are also six years old. So, come the next power outage, at about the time your carefully crafted shutdown plan thinks there should be about 30 minutes of battery life remaining, the UPS will unceremoniously shut down.

    Picture the techs sitting in the dark unable to comprehend that the UPS died already. "But the datasheet said that this UPS has a 65 minute runtime!" (Then you get to explain to them that yes, 65 minutes is correct. With brand new batteries. And a 25% load. And operating at room temperature. You have batteries that are old enough to go to kindergarten, have been running at 35C or better, and the load is at about 95% of nameplate capacity. Game over.)

    You are correct.

    And the actual battery life we got out of the UPS was closer to 15 minutes (the last time the power went down).

    And yes, I did explain that to them.

    And no, we did not get new UPSs.



  • Checkbox security (and ignorance) is bliss!



  • Ow. I feel your pain.

    Let me guess, though. Your company has a 42-page disaster plan so that the execs can feel good about how prepared the company is.



  • @RichP said:

    Let me guess, though. Your company has a 42-page disaster plan so that the execs can feel good about how prepared the company is.

    Our disaster recovery plan is prayer.  Luckily for my employer, I've got a couple nuns in my family.

    *sigh*



  • @KrakenLover said:

    You are correct.

    And the actual battery life we got out of the UPS was closer to 15 minutes (the last time the power went down).

    And yes, I did explain that to them.

    And no, we did not get new UPSs.


    <gloat>


    I feel special now - My company's getting a generator big enough to power the building and proper inline UPSs as part of the mains supply (although inline UPSs just for the server room's ring mains, the users' desktops can go fish while the genny powers up). Finally I can ditch the myriad of random, 10-year-old APCs dotted around!



    Good times! :-)


    </gloat>



  • @KrakenLover said:

    Our disaster recovery plan is prayer.  Luckily for my employer, I've got a couple nuns in my family.

    *sigh*

    I'm kinda hoping for a disaster right now.  I'm being paid roughly 50% more than I'm worth, but the project is almost complete.  However, as a contractor, I'm not allowed access to network drives or servers, so my source control is entirely local on my work machine.  One small disk error, and I'm renewing my contract for another 6 months.

    Did I mention the guy who sits next to me likes to play with magnets?



  • @KrakenLover said:

    @RichP said:

    Let me guess, though. Your company has a 42-page disaster plan so that the execs can feel good about how prepared the company is.

    Our disaster recovery plan is prayer.  Luckily for my employer, I've got a couple nuns in my family.

    *sigh*

    Doing remote support for a convent once, trying to talk a nun through reconfiguring their router to get them back on line, and she was one of those users who will ignore all instructions whilst telling you all about the settings they're changing 'because they sound like they might do something'. Had to tell her 'look, we're doing this the wrong way around: how about I decide what to change, and you pray?'



  • @MeesterTurner said:

    @KrakenLover said:

    You are correct.

    And the actual battery life we got out of the UPS was closer to 15 minutes (the last time the power went down).

    And yes, I did explain that to them.

    And no, we did not get new UPSs.


    <gloat>


    I feel special now - My company's getting a generator big enough to power the building and proper inline UPSs as part of the mains supply (although inline UPSs just for the server room's ring mains, the users' desktops can go fish while the genny powers up). Finally I can ditch the myriad of random, 10-year-old APCs dotted around!



    Good times! :-)


    </gloat>

    My company has a generator and UPSs for every PC in the building. Granted that's only because the power infrastructure in this country is so poor, but still.



  • Shit, my laptop is 2 years old, and the battery is at 5% of the original capacity. Even if it has been physically abused and taken to work every day, on a bicycle, served as a dining plate, etc. I can't imagine what the 6-year-old batteries look like in capacity terms.



  • Your laptop has Li-ion batteries that are probably partially discharged daily. The UPS has lead-acid batteries that are discharged rarely (well, unless the power really sucks). They probably retain way more of their capacity.



  • Our server room UPSes (Astrid and Chloride brands) want their roomfuls of lead-acid batteries to be replaced every five years. I'll tell you if we do that, if I stay in this place for that long. ;)

