
UNIX NFS discussion

SOLVED
DharmaRao G
Advisor

UNIX NFS discussion

Solutions on securing the UNIX Insecure NFS server configuration details.
12 REPLIES
Sajjad Sahir
Honored Contributor
Solution

Re: UNIX NFS discussion

Dear DharmaRao

Please check the link

http://www.windowsecurity.com/whitepapers/HP_Unix_Security_Handbook.html#3.1

thanks and regards

Sajjad Sahir
OldSchool
Honored Contributor

Re: UNIX NFS discussion

You've had 2 threads on this topic. Perhaps you would be better served by specifying what you mean by "insecure ... details".

In the post above, refer to section 5.4 "Services", specifically "Objective 4.4.12", where it talks about configuring /etc/exports, permissions and privileges.
Dave Olker
HPE Pro

Re: UNIX NFS discussion

HP-UX 11i v3 introduced Secure NFS where you can configure different levels of security on a per-filesystem basis. You can require Kerberos authentication before accessing data, checksum the data on both ends of the connection to ensure the data has not been tampered with, or completely encrypt the data on the wire so anyone sniffing packets cannot see any data.

The NFS Admin guide for 11i v3 describes how to configure this. I'm also going to be posting a white paper on Secure NFS in the next week or so to docs.hp.com.

Regards,

Dave
DharmaRao G
Advisor

Re: UNIX NFS discussion

Hi

Is it possible to share it now? Because it's needed urgently.

Dharma
OldSchool
Honored Contributor

Re: UNIX NFS discussion

"Is it possible to share it now? because needed urgently."

Does it even apply to your situation, as you have yet to mention the OS version, and Secure NFS applies to 11i v3 only?

Did you look at the referenced Admin Guide? If not, it's here:

http://docs.hp.com/en/B1031-90064/index.html

Or the previously noted sites / docs? Does any of the above meet your (as yet undefined) requests? If not, then (again) what "insecure....details" are you attempting to "secure"?
Michael Steele_2
Honored Contributor

Re: UNIX NFS discussion

Sharing? What exactly is your question because this is all over the place. By definition, NFS is shared to any server or limited servers.

(* Wild Guess to what you want *) Can NFS be used in a DMZ or go through a firewall? No. NFS uses different ports dynamically. For a DMZ or firewall, the assignments would have to be static.

Support Fatherhood - Stop Family Law
OldSchool
Honored Contributor

Re: UNIX NFS discussion

Michael, I believe he's asking David Olker to make his "whitepaper" available.

I can't tell if he wants Secure NFS (vs NFS) or if he's looking at what permissions should be on files (like /etc/exports) or ?? and he doesn't seem to want to explain WHAT it is he wants to do. He just keeps asking questions w/o answering any.
Dave Olker
HPE Pro

Re: UNIX NFS discussion

> (* Wild Guess to what you want *) Can NFS
> it be used in a DMZ or go through a
> firewall? No. NFS uses different ports
> dynamically. For a DMZ or Firewall the
> assignments would have to be static.

I have many customers using NFS through a firewall. When you say NFS uses different ports dynamically I assume you're referring to the server side daemons like rpc.lockd, rpc.statd, rpc.mountd. Portmapper has always used port 111 and NFS always uses port 2049. So it's these other services that use dynamic ports.

We introduced the ability to assign static port numbers to these daemons a few years ago. This feature is available for HP-UX 11i v1/v2/v3. It allows you to force rpc.lockd to always use port 4045 (for example), rpc.statd to always use 4046 and rpc.mountd to always use 4047 - or whatever port numbers you choose. It's then pretty straightforward to configure the firewall to allow connections to these daemons.

Also, 11i v3 introduced NFS v4. There is no longer a separate MOUNT or LOCK protocol for NFS v4, so all requests go to port 2049. That makes configuring an NFS v4 server behind a firewall pretty easy.

As most people here have said, I don't know if this is what DharmaRao is asking about, but I hope this information helps others.

Regards,

Dave
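The port layout Dave describes (portmapper on 111, NFS on 2049, and rpc.lockd / rpc.statd / rpc.mountd either dynamic or pinned to ports such as 4045/4046/4047) can be verified from the server's own RPC registrations. The following is an added example, not code from the thread or from HP: it parses the text layout of `rpcinfo -p` (program, version, protocol, port, service name), reports any of the three normally-dynamic services that is not on its expected static port, and derives the (protocol, port) allow-list a firewall would need. The `rpcinfo` output below is constructed for the example; the expected static ports are the ones from the post and are an assumption about the site's chosen configuration.

```python
"""Audit NFS RPC port pinning from `rpcinfo -p` output and derive a firewall allow-list.

Added example for this thread, not HP-UX tooling. Assumes the standard
`rpcinfo -p` text layout and the example static ports from the post
(4045 lockd, 4046 statd, 4047 mountd); the sample output is constructed.
"""
import re

# Ports that never change, per the post: portmapper 111, nfs 2049.
FIXED_PORTS = {"portmapper": 111, "nfs": 2049}

# Services that take dynamic ports unless pinned. rpcinfo reports
# rpc.lockd as "nlockmgr", rpc.statd as "status", rpc.mountd as "mountd".
# The port values are the post's example pinning (an assumption).
EXPECTED_STATIC = {"nlockmgr": 4045, "status": 4046, "mountd": 4047}

# Constructed sample: lockd and statd are pinned, mountd is still dynamic.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100003    2   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    1   udp  49153  mountd
    100005    3   tcp  49153  mountd
    100021    1   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100024    1   udp   4046  status
    100024    1   tcp   4046  status
"""

_LINE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(tcp|udp)\s+(\d+)\s+(\S+)\s*$")


def parse_rpcinfo(text):
    """Return {service: {(proto, port), ...}} from `rpcinfo -p` text."""
    services = {}
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:  # header line or blank
            continue
        _prog, _vers, proto, port, name = m.groups()
        services.setdefault(name, set()).add((proto, int(port)))
    return services


def audit_static_ports(text):
    """List services that are missing or not on their expected static port."""
    services = parse_rpcinfo(text)
    findings = []
    for name, expected in EXPECTED_STATIC.items():
        ports = sorted({port for _proto, port in services.get(name, set())})
        if not ports:
            findings.append(f"{name}: not registered with portmapper")
        elif ports != [expected]:
            findings.append(f"{name}: on port(s) {ports}, expected static port {expected}")
    return findings


def firewall_allow_list(text):
    """(proto, port) pairs a firewall must permit for NFS v2/v3 to work.

    An NFS v4 server (11i v3) needs only 2049, since MOUNT and LOCK are
    folded into the NFS v4 protocol; this list covers the v2/v3 case.
    """
    rules = set()
    for name, endpoints in parse_rpcinfo(text).items():
        if name in FIXED_PORTS or name in EXPECTED_STATIC:
            rules |= endpoints
    return sorted(rules)


if __name__ == "__main__":
    for finding in audit_static_ports(SAMPLE_RPCINFO):
        print("FINDING:", finding)
    for proto, port in firewall_allow_list(SAMPLE_RPCINFO):
        print(f"allow {proto}/{port}")
```

Run against the constructed sample it reports only mountd, which is still on an ephemeral port (49153) and therefore cannot be expressed as a stable firewall rule; lockd and statd pass. Feed it real `rpcinfo -p <server>` output to get the actual allow-list for a given server.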
Michael Steele_2
Honored Contributor

Re: UNIX NFS discussion

LOL - Your guess is as good as mine OldSchool. This is all a stab in the dark.
Support Fatherhood - Stop Family Law
Michael Steele_2
Honored Contributor

Re: UNIX NFS discussion

Thank you Dave. Always good to have the latest information. Really appreciate it.
Support Fatherhood - Stop Family Law
DharmaRao G
Advisor

Re: UNIX NFS discussion

UNIX best practices to secure the NFS configuration.
OldSchool
Honored Contributor

Re: UNIX NFS discussion

Previously posted from Sajjad Sahir:
"Please check the link:

http://www.windowsecurity.com/whitepapers/HP_Unix_Security_Handbook.html#3.1
"

From me:
"In the post above, refer to section 5.4 "Services", specifically "Objective 4.4.12", where it talks about configuring /etc/exports, permissions and privileges."

Which deals with securing the exports file on the Server side. I'd think similar would apply to mnttab / checklist on the client side as well.

You: "unix best practices to secure the NFS configuration." Yet again, not very descriptive.... What are you looking to "secure" that isn't covered by the above?
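Since the thread's concrete advice for "securing the NFS configuration" comes down to what is in the server's /etc/exports (the handbook section OldSchool points to), here is an added example, not code from the thread, the handbook or HP, that audits an HP-UX 11i v1/v2-style /etc/exports for the settings that most often widen access: an export with no `access=` host list (mountable by any host), one that is writable without a `ro` flag or `rw=` host list, `root=` entries (remote root is not squashed for those hosts), and `anon=0` (unknown users mapped to uid 0). The sample exports file is constructed, and the option semantics assumed here are the classic HP-UX ones (`-ro`, `-rw=host:host`, `-access=host:host`, `-root=host`, `-anon=uid`).

```python
"""Audit a classic HP-UX /etc/exports for over-broad export options.

Added example for this thread, not HP tooling. Assumes the 11i v1/v2
exports syntax: `<path> -opt,opt=value:value,...`. Sample file constructed.
"""

# Constructed sample /etc/exports with a mix of tight and loose exports.
SAMPLE_EXPORTS = """\
# constructed sample, not a real host's file
/export/home     -access=ws1:ws2,anon=65534
/export/tools    -ro,access=ws1:ws2:ws3
/export/scratch
/export/build    -rw=ws9,root=ws9
/export/data     -anon=0
"""


def parse_exports(text):
    """Return {path: {option: True | [values]}} for each export line."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path, opts = parts[0], {}
        if len(parts) == 2 and parts[1].startswith("-"):
            for opt in parts[1][1:].split(","):
                key, _, value = opt.partition("=")
                # host lists are colon-separated; bare flags become True
                opts[key] = value.split(":") if value else True
        exports[path] = opts
    return exports


def audit_exports(text):
    """Return {path: [issue, ...]}; an empty list means nothing flagged."""
    findings = {}
    for path, opts in parse_exports(text).items():
        issues = []
        if "access" not in opts:
            issues.append("mountable by any host (no access= list)")
            # writable by everyone unless read-only or rw is limited to hosts
            if "ro" not in opts and not isinstance(opts.get("rw"), list):
                issues.append("writable by any host (no ro flag or rw= host list)")
        if isinstance(opts.get("root"), list):
            issues.append("root not squashed for " + ",".join(opts["root"]))
        if opts.get("anon") == ["0"]:
            issues.append("anon=0 maps unknown users to root")
        findings[path] = issues
    return findings


if __name__ == "__main__":
    for path, issues in audit_exports(SAMPLE_EXPORTS).items():
        status = "ok" if not issues else "; ".join(issues)
        print(f"{path}: {status}")
```

On the constructed file, /export/home and /export/tools come back clean, /export/scratch is mountable and writable by any host, /export/build is mountable by anyone (read-only) and hands ws9 unsquashed root, and /export/data collects all three problems. Pointing it at a real /etc/exports gives the server-side list OldSchool is describing; the client-side mount options would need a separate check.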