How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

Advisor

How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

3 REPLIES
Advisor

Re: How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

Experts, please assist me on this.

Acclaimed Contributor

Re: How to secure rpc and nlockmgr RPC Service for HP-UX NFS sharing?

Are you looking for which ports to unblock in your firewall?

Honored Contributor

Re: How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

First, you'll need to configure fixed port numbers for the NFS-related services. You should do this both on your NFS server and on all your NFS clients.

Depending on your HP-UX version, you may need to ensure that you have a specific patch installed:

11.31 - no patch required
11.23 - PHNE_34550 or superseding patch
11.11 - PHNE_34662 or superseding patch


Then you can add some lines to /etc/rc.config.d/nfsconf to specify fixed port numbers for the NFS-related services.

For example, these lines would fix lockd (nlockmgr) to port 4045, rpc.statd (status) to 4046 and rpc.mountd (mountd) to 4047:

STATD_PORT=4046
MOUNTD_PORT=4047

# in 11.31, lockd is always fixed to UDP port 4045 so this is not needed
LOCKD_PORT=4045


After doing this and restarting your NFS services, they should be on fixed ports. Use "rpcinfo -p" to verify.


Once the services are bound to fixed ports, you can use external firewalls or the optional HP-UX IPFilter to restrict connections to these ports to only those between your NFS server and legitimate NFS clients. You'll also need to allow the portmapper/rpcinfo service (port 111, both TCP and UDP), since it is used to find the other NFS-related services (because the client will not know that you've specified fixed port numbers on the server, and vice versa).

MK
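As an added example (not from the original reply or from HP), here is a small POSIX shell check that parses "rpcinfo -p" output and flags any NFS-related RPC registration that is not on the fixed port configured above. The rpcinfo output it runs on is a constructed sample, and the expected ports (status 4046, mountd 4047, nlockmgr 4045, rpcbind 111, nfs 2049) are assumptions matching the nfsconf values in the reply.

```shell
#!/bin/sh
# Added example: verify that NFS-related RPC services are registered on the
# fixed ports set in /etc/rc.config.d/nfsconf, by parsing "rpcinfo -p" output.

# Constructed sample of "rpcinfo -p" output (not captured from a real host).
# The TCP nlockmgr entry is deliberately on a dynamic port to show a failure.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100005    1   udp   4047  mountd
    100005    3   tcp   4047  mountd
    100024    1   udp   4046  status
    100024    1   tcp   4046  status
    100021    1   udp   4045  nlockmgr
    100021    4   tcp  49153  nlockmgr
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs'

# check_fixed_ports: reads rpcinfo -p style output on stdin, prints one
# MISMATCH line per registration that is not on its expected port, and
# returns 0 if everything matches or 1 otherwise.  The expected ports are
# assumptions taken from the nfsconf values in the reply above.
check_fixed_ports() {
    awk '
        BEGIN {
            want["status"]   = 4046
            want["mountd"]   = 4047
            want["nlockmgr"] = 4045
            want["rpcbind"]  = 111
            want["nfs"]      = 2049
            bad = 0
        }
        NR == 1 { next }                       # skip the header line
        ($5 in want) && ($4 != want[$5]) {     # service known, port wrong
            printf "MISMATCH %s/%s on port %s, expected %s\n", $5, $3, $4, want[$5]
            bad = 1
        }
        END { exit bad }
    '
}

# On a live host:  rpcinfo -p | check_fixed_ports
# Here the check runs over the constructed sample and reports the bad entry.
printf '%s\n' "$SAMPLE_RPCINFO" | check_fixed_ports \
    || echo "some NFS RPC services are NOT on their fixed ports"
```

Run this on both the server and each client after restarting NFS, because the ports must be fixed on every host that a firewall rule is meant to cover.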