Operating System - HP-UX
01-23-2004 06:02 AM
Securing NFS beyond /etc/exports
1. How can I prevent someone from easily guessing the NFS file handles? ... as fsirand doesn't work on vxfs filesystems.
2. How can I prevent someone from remotely disabling an rpc service?
3. How can I prevent the NFS server from accepting requests coming from an unprivileged port?
Solaris seems to have tweaks to cover this, but I spent lots of time searching the ITRC and HP does not have many suggestions except putting rpc.mountd in inetd.sec, which does not cover the cases above.
Any suggestions?
Thanks
01-23-2004 06:24 AM
Re: Securing NFS beyond /etc/exports
You can add some other security to your box via /etc/hosts.allow; /etc/hosts.deny.
Use these files to deny and then grant access for certain daemons which use tcp protocols...
This will help you tighten your security.
Here is a sample of my actual /etc/hosts.allow and deny files. You may want to remove and add items to the hosts.allow if you don't have some of these items like SSH.
BTW, SSH might not be a bad idea either...
----------------------------------------------
# cat /etc/hosts.deny
# Deny all hosts
ALL : ALL
----------------------------------------------
# cat /etc/hosts.allow
#all : all : banners=/usr/localcw/opt/sysguard/banners : allow
ftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
telnetd : all : banners=/usr/localcw/opt/sysguard/banners : allow
tftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
logind : all : banners=/usr/localcw/opt/sysguard/banners : allow
rlogind : all : banners=/usr/localcw/opt/sysguard/banners : allow
remshd : all : banners=/usr/localcw/opt/sysguard/banners : allow
sidftpd : all : banners=/usr/localcw/opt/sysguard/banners : allow
rexecd : all : banners=/usr/localcw/opt/sysguard/banners : allow
sshd : all : banners=/usr/localcw/opt/sysguard/banners : allow
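The deny-then-allow mechanism described in the reply above, as an added example that is not part of the thread and not HP-UX or TCP Wrappers code: a small model of how libwrap evaluates a hosts.allow / hosts.deny pair, so a proposed rule set can be tested before it goes on a box, plus an audit that lists every daemon whose allow line names ALL clients. For those daemons a catch-all "ALL : ALL" in hosts.deny is never consulted, because hosts.allow is searched first and the first match grants access. The sample files, host names and addresses are constructed for the example; netgroups (@name) and netmask patterns are not modelled, which is an assumption of this code.

```python
"""tcp_wrappers (libwrap) access-control evaluator and audit.

Added example, not part of the thread or of any HP-UX component.  Models
the libwrap decision order: /etc/hosts.allow is searched first and the
first matching rule grants access; otherwise /etc/hosts.deny is searched
and a match denies; if nothing matches, access is granted.  Patterns
modelled: ALL, LOCAL, '.domain' suffix, 'net.' prefix, exact host and
EXCEPT; netgroups (@name) and netmask forms are not (assumption).
"""
import re
from dataclasses import dataclass


@dataclass
class Rule:
    daemons: str       # daemon_list field, e.g. "sshd" or "ALL"
    clients: str       # client_list field, e.g. "10.1.2." or "ALL"
    options: tuple     # remaining ':' fields, e.g. ("banners=/x", "allow")


def parse_access_file(text):
    """Parse hosts.allow / hosts.deny text into Rule objects."""
    rules, pending = [], ""
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw.rstrip().endswith("\\"):              # continuation line
            pending += raw.rstrip()[:-1]
            continue
        line, pending = pending + raw, ""
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue                                 # malformed: libwrap logs and skips it
        rules.append(Rule(fields[0], fields[1], tuple(fields[2:])))
    return rules


def _match_token(pattern, value):
    p, v = pattern.lower(), value.lower()
    if p == "all":
        return True
    if p == "local":                                 # hostnames without a dot
        return "." not in v
    if p.startswith("."):                            # '.corp.example' = domain suffix
        return v.endswith(p)
    if p.endswith("."):                              # '10.1.2.' = address prefix
        return v.startswith(p)
    return p == v


def _match_list(field, value):
    """'list' or 'list EXCEPT list'; lists are comma/space separated."""
    parts = re.split(r"\s+EXCEPT\s+", field, maxsplit=1, flags=re.I)
    tokens = parts[0].replace(",", " ").split()
    if not any(_match_token(t, value) for t in tokens):
        return False
    return not (len(parts) == 2 and _match_list(parts[1], value))


def _explicit_verdict(rule):
    """An 'allow' or 'deny' option overrides which file the rule lives in."""
    opts = {o.lower() for o in rule.options}
    return False if "deny" in opts else True if "allow" in opts else None


def hosts_access(allow_rules, deny_rules, daemon, client):
    """True if libwrap would let `client` reach `daemon`."""
    for rules, file_default in ((allow_rules, True), (deny_rules, False)):
        for r in rules:
            if _match_list(r.daemons, daemon) and _match_list(r.clients, client):
                v = _explicit_verdict(r)
                return file_default if v is None else v
    return True                                      # no rule matched


def wide_open_daemons(allow_rules):
    """Daemons that a bare 'ALL' client list exposes to every host; for
    these a catch-all 'ALL : ALL' in hosts.deny is never reached."""
    found = []
    for r in allow_rules:
        if r.clients.strip().lower() == "all" and _explicit_verdict(r) is not False:
            found.extend(r.daemons.replace(",", " ").split())
    return found


# Constructed sample files in the style of the thread (not anyone's real config).
SAMPLE_DENY = "# Deny all hosts\nALL : ALL\n"
SAMPLE_ALLOW = r"""# sshd from anywhere, ftpd from one subnet, telnetd from the domain minus a lab box
sshd : ALL : banners=/usr/local/etc/banners : allow
ftpd : 10.1.2. : allow
telnetd : .corp.example EXCEPT lab7.corp.example \
        : banners=/usr/local/etc/banners
"""

ALLOW = parse_access_file(SAMPLE_ALLOW)
DENY = parse_access_file(SAMPLE_DENY)

if __name__ == "__main__":
    print("open to every client:", wide_open_daemons(ALLOW))
    for daemon, client in (("sshd", "192.0.2.7"), ("ftpd", "10.1.3.9"),
                           ("telnetd", "lab7.corp.example"), ("fingerd", "10.1.2.9")):
        verdict = "allow" if hosts_access(ALLOW, DENY, daemon, client) else "deny"
        print(daemon, client, "->", verdict)
```

Run it against your own files by reading them into parse_access_file(); the important property to check is that every daemon you expect hosts.deny to protect really does fall through to it, which wide_open_daemons() tells you at a glance. It only says anything about daemons that are actually wrapped; as a later reply in this thread notes, the portmapper on HP-UX is not.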
01-23-2004 06:49 AM
Re: Securing NFS beyond /etc/exports
a) Is rpc in jeopardy from other users with root access killing the rpc daemons, or is this a malicious attack?
b) When you say remotely... are you saying they disable the rpcd on the remote box or log in remotely to YOUR master and kill the rpc daemons?
NFS by its nature is meant to be used by trusted systems, just my opinion.
If you have serious security problems, I would suggest not using NFS and only using SSH logins on those boxes and secure FTP to transfer data back and forth.
01-23-2004 09:11 PM
Re: Securing NFS beyond /etc/exports
If you really want to secure NFS and a lot of other protocols, install IP-SEC and run tunnelled communications between all your most vital hosts.
Another, simpler way to limit exposure is to set up a switched network and install multiple firewalls.
BTW. I think that you'll only have /etc/hosts.allow|deny when you install TCP-Wrappers. The default security file in HP-UX is /etc/inetd.sec, and neither of these will protect the portmapper.
01-26-2004 01:20 AM
Re: Securing NFS beyond /etc/exports
rpc.mountd can be protected with inetd.sec, but rpcbind is still vulnerable.
NFS is required; I can't just remove it (reason #1: 2 terabytes of data).
01-26-2004 01:27 AM
Re: Securing NFS beyond /etc/exports
Portmapper's main weakness is that it does not validate connections and will therefore respond to any request.
Here are some docs regarding the Secure version
http://csrc.nist.gov/publications/nistpubs/800-7/node184.html
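The portmapper behaviour this last reply describes, as an added example that is not part of the thread and not code from HP-UX or from the linked document: a minimal Sun RPC v2 client that sends PMAPPROC_DUMP (program 100000, version 2, procedure 4) with AUTH_NULL credentials over UDP from an ordinary unprivileged source port, which is the same call `rpcinfo -p host` makes, together with an encoder for the server's reply so the whole exchange can be checked offline. Nothing in the request identifies or authenticates the caller, so any host that can reach UDP 111 gets the full list of registered programs, including the mountd and nfs ports an attacker would go after next. The same unauthenticated interface carries PMAPPROC_UNSET (procedure 2), which is the request a hardened portmapper refuses from non-local hosts; this example deliberately implements only the read-only DUMP. The xid, the program-name table and the sample registrations used for the offline check are constructed for the example.

```python
"""Sun RPC v2 portmapper DUMP client (added example, not from the thread).

PMAPPROC_DUMP (program 100000, version 2, procedure 4) returns every
registered RPC service; `rpcinfo -p host` is exactly this call.  The call
carries AUTH_NULL credentials and is sent over UDP from an ephemeral,
unprivileged source port, so nothing about the caller is checked.
Wire format per RFC 1057 (no record-marking header on UDP).
"""
import socket
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP = 100000, 2, 4
CALL, REPLY, MSG_ACCEPTED, SUCCESS, AUTH_NULL = 0, 1, 0, 0, 0
IPPROTO = {6: "tcp", 17: "udp"}
# Well-known program numbers that matter for an NFS exposure check.
PROG_NAMES = {100000: "portmapper", 100003: "nfs", 100005: "mountd",
              100021: "nlockmgr", 100024: "status"}


def build_dump_call(xid):
    """RPC CALL header for PMAPPROC_DUMP: 40 bytes, no procedure arguments."""
    header = struct.pack("!6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_DUMP)
    cred = struct.pack("!II", AUTH_NULL, 0)      # opaque_auth: flavor, body length
    verf = struct.pack("!II", AUTH_NULL, 0)
    return header + cred + verf


def encode_dump_reply(xid, mappings):
    """Server side of the exchange: an accepted reply carrying a pmaplist.
    `mappings` is a list of (prog, vers, prot, port) tuples."""
    body = struct.pack("!III", xid, REPLY, MSG_ACCEPTED)
    body += struct.pack("!II", AUTH_NULL, 0)     # verifier
    body += struct.pack("!I", SUCCESS)
    for mapping in mappings:
        body += struct.pack("!5I", 1, *mapping)  # value_follows = TRUE, then the entry
    return body + struct.pack("!I", 0)           # value_follows = FALSE ends the list


def parse_dump_reply(data, expected_xid):
    """Decode a DUMP reply into [(prog, vers, prot, port), ...]."""
    xid, msg_type, reply_stat = struct.unpack_from("!III", data, 0)
    if xid != expected_xid or msg_type != REPLY:
        raise ValueError("not a reply to our call")
    if reply_stat != MSG_ACCEPTED:
        raise ValueError("call denied (reply_stat=%d)" % reply_stat)
    off = 12
    _flavor, verf_len = struct.unpack_from("!II", data, off)
    off += 8 + ((verf_len + 3) & ~3)             # skip verifier body, XDR-padded to 4
    (accept_stat,) = struct.unpack_from("!I", data, off)
    off += 4
    if accept_stat != SUCCESS:
        raise ValueError("accepted but failed (accept_stat=%d)" % accept_stat)
    mappings = []
    while True:
        (value_follows,) = struct.unpack_from("!I", data, off)
        off += 4
        if not value_follows:
            return mappings
        mappings.append(struct.unpack_from("!4I", data, off))
        off += 16


def rpcinfo_udp(host, timeout=3.0, source_port=0):
    """Query UDP/111 on `host`.  source_port=0 picks an ephemeral (unprivileged)
    port; a value below 1024 (needs root) lets you compare how a server that
    insists on privileged source ports treats the two."""
    xid = 0x5A5A0001                             # constructed; real clients randomise it
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("", source_port))
        sock.sendto(build_dump_call(xid), (host, 111))
        data, _peer = sock.recvfrom(65535)
    return parse_dump_reply(data, xid)


def describe(mappings):
    """rpcinfo -p style lines; NFS-relevant programs get a name."""
    return ["%7d %3d %-4s %6d %s" % (prog, vers, IPPROTO.get(prot, str(prot)), port,
                                     PROG_NAMES.get(prog, ""))
            for prog, vers, prot, port in mappings]


def nfs_services(mappings):
    """Which NFS-related programs a host advertises, e.g. ['mountd', 'nfs']."""
    return sorted({PROG_NAMES[p] for p, _, _, _ in mappings if p in (100003, 100005)})


if __name__ == "__main__":
    import sys
    found = rpcinfo_udp(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")
    print("\n".join(describe(found)))
    print("NFS services advertised:", nfs_services(found))
```

Run `python3 pmapdump.py nfsserver` from a host that should not be trusted by the server: if the list comes back, the portmapper is answering unauthenticated callers exactly as the reply above says, and the mountd and nfs entries show what the next request would target. The parser rejects replies with the wrong xid or a MSG_DENIED status rather than guessing, which is the edge case a scanner hits when a packet filter or a hardened portmapper is in the way.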