To install and secure a remote shutdown daemon on Linux, you can use Network UPS Tools (NUT) or a custom SSH-restricted script. NUT is the industry standard for network-triggered shutdowns. Here is how to set up and secure both methods.

Method 1: Using Network UPS Tools (NUT)

This method acts as a dedicated server-client daemon system for remote power management.

1. Install the Software

Run the installation command on both the controlling machine (server) and the remote machine (client).

Ubuntu/Debian:

    sudo apt install nut nut-client nut-server

RHEL/Rocky Linux:

    sudo dnf install nut nut-client

2. Configure the Server
On the computer sending the shutdown signal, edit /etc/nut/nut.conf:

    MODE=netserver

Define a listener port and address in /etc/nut/upsd.conf:

    LISTEN 0.0.0.0 3493

Create a secure client user account in /etc/nut/upsd.users:

    [remote_client]
    password = YourSuperSecurePassword
    upsmon slave

3. Configure the Client

On the remote machine receiving the shutdown signal, edit /etc/nut/nut.conf:

    MODE=netclient

Define the server connection details in /etc/nut/upsmon.conf:

    MONITOR MyUPS@SERVER_IP 1 remote_client YourSuperSecurePassword slave

4. Secure the NUT Daemon
Firewall Restriction: Block all traffic to port 3493 except from your client IP. The rule below only adds the exception, so it relies on ufw being enabled with its default policy of denying incoming traffic.

    sudo ufw allow from CLIENT_IP to any port 3493 proto tcp

File Permissions: Restrict read access to configuration files containing passwords.

    sudo chmod 640 /etc/nut/upsmon.conf /etc/nut/upsd.users
    sudo chown root:nut /etc/nut/upsmon.conf /etc/nut/upsd.users

Method 2: Using SSH with Restricted Commands
If you do not want to run a dedicated power daemon, you can use the built-in SSH daemon paired with strict execution restrictions.

1. Create a Dedicated User

Create a user on the remote machine solely for triggering shutdowns.

    sudo useradd -m -s /bin/bash shutdownuser

2. Configure Sudo Privileges

Allow this specific user to run the shutdown command without a password prompt. Run sudo visudo and append:

    shutdownuser ALL=(ALL) NOPASSWD: /sbin/shutdown

3. Restrict SSH Key Capabilities
Generate an SSH key pair on your controlling machine, then copy the public key to the remote machine's /home/shutdownuser/.ssh/authorized_keys file.

Prepend the key entry with specific restrictions to block interactive shell access. The quotes around the forced command must be plain ASCII double quotes, and the command is run through sudo because shutdownuser is unprivileged and the sudoers rule from step 2 is what authorizes the shutdown:

    command="sudo /sbin/shutdown -h now",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-rsa AAAAB3NzaC1yc… controlling_machine

Result: Connecting via this key executes the shutdown immediately and closes the session.

4. Harden SSH Daemon
Edit /etc/ssh/sshd_config to ensure the shutdown user cannot log in using regular passwords. Put the Match block at the end of the file, because it applies to every directive that follows it until the next Match line or the end of the file.

    Match User shutdownuser
        PasswordAuthentication no
        AllowAgentForwarding no
        AllowTcpForwarding no

Restart the service:

    sudo systemctl restart sshd
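
An added example, not part of the original page: a shell audit of the authorized_keys restrictions from step 3 of Method 2. The function names and the sample input used to exercise it are constructed for illustration; it flags every key that lacks a forced command together with the four no-* options (or OpenSSH's umbrella restrict option).

```shell
#!/usr/bin/env bash
# Added example (constructed helper, not part of OpenSSH).
# Usage: audit_authorized_keys /home/shutdownuser/.ssh/authorized_keys
# Option names are matched with the capitalisation used in step 3.

REQUIRED_OPTS="no-port-forwarding no-X11-forwarding no-agent-forwarding no-pty"

# Print the options field of one authorized_keys line (empty if none).
# Assumption: the forced command itself contains no key-type token.
key_options() {
    printf '%s\n' "$1" | sed -E \
      's/(^|[[:space:]])(ssh-(rsa|ed25519|dss)|ecdsa-sha2-[^[:space:]]+|sk-[^[:space:]]+)[[:space:]].*$//'
}

# Return 0 if the line has command="..." plus every restriction
# (or the single "restrict" option), 1 otherwise.
line_is_restricted() {
    local opts opt
    opts=$(key_options "$1")
    case "$opts" in *'command="'*'"'*) ;; *) return 1 ;; esac
    # Drop the quoted command so its text cannot satisfy the option checks.
    opts=$(printf '%s\n' "$opts" | sed -E 's/command="([^"\\]|\\.)*"//')
    case ",$opts," in *,restrict,*) return 0 ;; esac
    for opt in $REQUIRED_OPTS; do
        case ",$opts," in *",$opt,"*) ;; *) return 1 ;; esac
    done
    return 0
}

# Print one finding per unrestricted key; the exit status is the
# number of such keys (0 means every key is locked down).
audit_authorized_keys() {
    local file=$1 n=0 bad=0 line
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac
        if ! line_is_restricted "$line"; then
            echo "line $n: key lacks forced command or forwarding/pty restrictions"
            bad=$((bad + 1))
        fi
    done < "$file"
    return "$bad"
}
```

A non-zero exit status means at least one key in the file would still allow an interactive session, forwarding, or an arbitrary command.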