This is a guide to how I securely configure a CyberPower RMCard. By default, many settings are left to be desired.
In this guide I assume the actual power-related settings are based on good engineering principles i.e. Keep it default stupid.
1. Firmware Upgrade
When setting up a new device the first thing we should do is update it.
As of the time of this writing, you can download version 1.4.1 from here: https://www.cyberpowersystems.com/product/software/firmware/rmcard205305-firmware-v141/
After downloading, unzip the file.
Login to your new RMCard and head to System > About.
Place the cpsrm2scfw_141.bin file in the Firmware Upload field.
Place the cpsrm2scdata_141.bin file in the Data Upload field.
Select Submit.
The card will reboot, and take around 5 minutes to reload.
Head back to System > About and verify the Firmware Version matches is 1.4.1.
2. Time
NTP is a must with RMCards otherwise you won’t be able to know when something occured in the logs.
Head over to System > General > Time and set the following values:
- Using NTP Server :
Enabled. - Primary NTP Server :
Your server of choice. - Secondary NTP Server :
Your server of choice. - Update Interval:
1.
Select Apply.
Now head over to System > General > Daylight Savings Time.
I live in the US so let’s enable Traditional US DST time (Second Sunday in March to First Sunday in November).
3. Device Name
Isn’t everything in the server room? Not always, let’s tidy up the name and location of the device. These settings will also be used by SNMP.
Head over to System > General > Identification. Set the following values:
- Name :
CA-UPS-01I use the naming schema:Location-Device Type-Unique Number. - Location :
UpstairsCloset` or whatever you think is most accurate. - Contact :
An E-Mail AddressUsing an email address allows you to use this in conjunction with SNMP Syscontact.
4. Disable Viewer Account
By default, RMCards ship with a Viewer account that can be used to access your system. Since this is likely not needed by most, let’s disable it.
Head over to System > Security > Local Account and uncheck Viewer: Allow Access.
5. Session Control (Logout After)
Head over to System > Security > Session Control and set the timeout to 10 minutes. Otherwise, you will be logged out every 3 minutes. Which is quite a pain.
6. SNMP
SNMP v1
First head over to System > Network Service > SNMPv1 and uncheck allow access. Then click apply.
Next select the private community and set it to forbidden. By default, RMCards come with an unsafe default SNMP config that comes with read/write.
SNMP v3
Now head over to System > Network Service > SNMPv3 and check allow access. Then click apply.
To set up an SNMPv3 community I suggest the following:
- User :
nms - Authentication Protocol :
SHA - Authentication Password : Your choice between 16 and 31 characters.
- Privacy Protocol :
AES - Privacy Password : Your choice between 16 and 31 characters.
- IP Address :
0.0.0.0
Afterwards, select Apply.
7. Secure Protocols
HTTPS
Head on down to System > Network Service > Web Service, select Enable HTTPS and then click Apply.
SSH
Head down to System > Network Service > Console Service, select Enable SSH and then click Apply.
8. E-Mail Notifications
It’s always nice to know the power is out, or that the UPS is having issues.
SMTP Configure
Head on over to System > Notification > SMTP Server and fill out based on your needs.
Recipients
Head next to System > Notification > E-mail Recipients and add your email address. Make sure to test the setup before continuing.
9. Syslog
The final step! Let’s jump to Log > Syslog and check Syslog Enabled then click Apply.
Next, click Add Server` and add the syslog server of your choice.
10. Network Configuration
This is going to be much more dependent on your setup. In my case, I’d suggest a DHCP reservation so it is easier to update or migrate around later on.
With DHCP reservations, the defaults on the RMCard are fine so make your adjustments on your dhcp server.
In any case, place your RMcard on a secured network. Do no place this on your open workstation network if you can.
A Checklist
| Settings | Location | Default Value | Suggested Value | Notes | Completed |
|---|---|---|---|---|---|
| NTP Server | System > General > Time | Not Set | Your NTP Servers | Without it you can’t determine easily what time something happened. | |
| NTP Update Interval | System > General > Time | 8760 | 1 | 8760 Hours is once a year, which is silly. | |
| Timezone | System > General > Time | UTC | Set based on your location | Makes it easier to read logs. | |
| System Name | System > General > Identification | RMCARD205 | |||
| System Location | System > General > Identification | Server Room | |||
| System Contact | System > General > Identification | Administrator | |||
| DST | System > General > Daylight Savings Time | Disabled | Set based on your location | Automatic DST swap if needed. | |
| Login Timeout | System > Security > Session Control | 3 | 10 | Logout is too frequent when using the device. | |
| Viewer Account | System > Security > Local Account | Enabled | Disabled | Security: Default account on all CyberPower Devices. | |
| SNMP V1 Read/Write | System > Network Service > SNMPv1 | Private Read/Write | Private Forbidden | Security: Read/Write SNMP default on all CyberPower. | |
| SNMP V1 Enabled | System > Network Service > SNMPv1 | Allow Access: Enabled | Allow Access: Disabled | Security: SNMP V1 is in plain text. | |
| SNMP V3 Enable | System > Network Service > SNMPv3 | Allow Access: Disabled | Allow Access: Enabled | Security: SNMP v1 Alterntiave. | |
| HTTPS | System > Network Service > Web | Enable HTTP | Enable HTTPS | Security: Password sent in plain text without HTTPS. | |
| SSH | System > Network Service > Console | Enable Telnet | Enable SSH | Security: Telnet is in plain text. | |
| SMTP | System > Notification > SMTP | Disabled | Enable | Notifications | |
| Syslog | Log > Syslog | Disabled | Enable | Log Management |