topic Re: rpc.mountd in inetd.sec file in Operating System - HP-UX

rpc.mountd in inetd.sec file

support_5 — Tue, 19 Oct 2004 00:32:04 GMT

Hi all,

I am trying to use the inetd.sec file to start the rpc.mountd service to help secure NFS on our site. (we have to export a filesystem through a firewall to a box in our DMZ). I was wondering if someone could help me with what are the correct lines I need to use in /etc/services, /etc/inetd.conf, and /var/adm/inetd.sec.

Also, any tips on securing NFS would be appreciated. For example, how much to things like fsirand and portmon (which I don't think is supported in 11.i v1.). Also can someone explain a bit about secure RPC, and how this can be used to help secure NFS a bit?

Any other suggestions?

Thank in advance!

- Andy

Re: rpc.mountd in inetd.sec file

Andrew Cowan — Wed, 20 Oct 2004 01:59:54 GMT

NFS is by its very nature insecure, and the only way to completely secure it is to use IP-SEC and mount your filesystem with a "tunnel".
If this option is not available to you then you can limit NFS exposure by:
always mounting Read-only where possible
Mount as far down the tree as you can ("/home/andrew" rather than just "/home").
Mount the filesystem with NODEV and NOSUID options.
Use the /etc/hosts file to identify hosts rather than DNS.
Mount filesystems restricted to particular hosts.

Secure-RPC is a Sun product and I don't think it is supported on HP-UX, anyway the aim to encrypt ports so that you can only attach to a service if you have the correct key.

Re: rpc.mountd in inetd.sec file

support_5 — Wed, 20 Oct 2004 02:20:29 GMT

Hi,

Thanks for the response. Could you give me some information how how to implement NFS over IPSEC? That sounds like a bit of a good option if it can work. More info would be much appreciated. Ta.

- Andy

Re: rpc.mountd in inetd.sec file

Andrew Cowan — Wed, 20 Oct 2004 03:15:26 GMT

There are many HP docs outlining hpw to install IP-Sec, here is a starting oint:
http://www.software.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=J4256AA

Once installed and a tunnel is established, you can send any traffic between hosts and NFS should appear to work exactly as before.

I'm sorry I can't go into the setup of IP-SEC in depth but you could write a whole book on it. The only things normally to decide are whether you want a point-to-point tunnel, or a network of machines (transport mode), and whether you want to use a static shared secret-key, or the more secure rotating type.

Re: rpc.mountd in inetd.sec file

Dave Olker — Wed, 20 Oct 2004 08:06:55 GMT

Hi Andy,

One quick comment - HP no longer supports launching rpc.mountd from inetd. That configuration used to be supported back in the HP-UX 9.X/10.X days, but we've since dropped support for that model.

Regards,

Dave