inetd.sec and NFS services
02-11-2007 11:09 AM
I would have to also disclose that we do not run any rpc services from /etc/inetd.conf.
For test purposes, I tried following in /var/adm/inetd.sec:
rpcbind deny
mountd deny
I would expect every host to be denied access to NFS services (no mount allowed, or showmount for that matter). It does not seem to be the case. I can do all of the above.
Have I missed something or misinterpreted how inetd.sec is supposed to work for me?
Thanks.
02-11-2007 11:39 AM
Re: inetd.sec and NFS services
Here the entries made in the file are daemon names; however, the service name should have been entered. So try using the following:
rpc deny
I think it should work (don't forget inetd -c)
Another way to stop NFS is to put a # in front of the line which is not required in the inetd.conf file.
02-11-2007 12:02 PM
Re: inetd.sec and NFS services
In the /var/adm/inetd.sec file, create a line with the following syntax for each service to which you want to restrict access:
service {allow} host_or_network [host_or_network...] {deny}
If the /var/adm/inetd.sec file does not exist, you will have to create it.
service must match one of the service names in the /etc/rpc file.
Specify either allow or deny but not both. Enter only one line per service.
host_or_network can be either an official host name or network name or an IP address. Any of the four numbers in an IP address can be specified as a range (for example, 1-28) or the wildcard character (*).
The inetd.sec file is checked only when the service is started. If a service remains active and accepts more requests without being restarted, the inetd.sec file is not checked again.
You can use SAM to modify the /var/adm/inetd.sec file.
e.g. rwalld deny cauliflower
Regards,
Reshma
02-11-2007 12:41 PM
Re: inetd.sec and NFS services
To limit NFS mounts you need to set the appropriate access controls in the /etc/exports file.
02-11-2007 12:44 PM
Re: inetd.sec and NFS services
02-11-2007 01:34 PM
Solution
Though inetd.conf starts the rpc services and rpc.mountd can start from a startup script, it is a good practice to limit the NFS mount using the /etc/exports file.
/etc/exports contains a list of file systems and the access_lists or
machine names allowed to remotely mount each file system. The file
system names are left-justified and followed by a list of names
separated by white space. A file system name with no accompanying
name list means the file system is available to everyone.
A # anywhere in the file indicates a comment extending to the end of
that line.
EXAMPLES
/usr/games cocoa fudge # export to only these machines
/usr -access=clients # export to my clients
/usr/local # export to the world
/usr2 -access=bison:deer:pup # export to only these machines
/var/adm -root=bison:deer # give root access only to these
/usr/new -anon=0 # give all machines root access
/usr/temp -rw=ram:alligator # export read-write only to these
/usr/bin -ro # export read-only to everyone
/usr/stuff -access=bear,anon=-2,ro # several options on one line
/usr/subnet -access=@mysubnet # use mysubnet in /etc/networks
/usr/subnet1 -access=@192.5 # clients must be in the 192.5.0.0 subnet
/usr/domain -access=.myd.myc.com # clients must be in .myd.myc.com
/usr/restrict -access=-host1.myd.myc.com:sales # disallow -host1 in the sales netgroup.
--------------------------------------
Check this:
http://docs.hp.com/en/B2355-90131/exports.4.html
----
inetd.sec:
You can have entries in /var/adm/inetd.sec like this:
You can enable the server to deny rpc service with this example:
Ex:
rpc deny 10.2.42.7
Cheers,
Raj.
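The /etc/exports access controls recommended in this reply (and in the earlier reply pointing at /etc/exports), worked through as an added example. This is not code from HP-UX or from any poster; it parses the line format shown in the man page excerpt above (filesystem, optional host list, optional -option list with access=, rw=, ro, root= and anon=, colon-separated lists containing host names, netgroups, @network, .domain and -host exclusions) and then audits the file for exports that are open to every client or that hand out root. The sample exports file and the netgroup table are constructed, and the matching rules are this example's reading of the man page text, not behaviour verified against the real mountd.

```python
"""Audit an HP-UX style /etc/exports file for overly broad NFS access.

Added example, not from exports(4) or the forum posters.  It implements
the line format quoted in the thread:

    /filesystem [host ...] [-opt[,opt...]]

Assumptions (this example's reading of the thread, not verified):
  * a list item may be a host name, a netgroup, @network (taken here as a
    dotted IP prefix), .domain (suffix match) or -host (exclude that host);
  * with -rw=list, hosts not on the list get read-only access;
  * netgroups come from the constructed NETGROUPS table below.
"""

# Constructed /etc/exports in the style of the man page examples.
SAMPLE_EXPORTS = """\
/usr/games    cocoa fudge            # export to only these machines
/usr/local                           # export to the world
/usr/new      -anon=0                # give all machines root access
/usr/temp     -rw=ram:alligator      # read-write only to these
/usr/bin      -ro                    # read-only to everyone
/usr/stuff    -access=bear,anon=-2,ro
/usr/subnet1  -access=@192.5         # clients must be in 192.5.0.0
/usr/domain   -access=.myd.myc.com
/usr/restrict -access=-host1.myd.myc.com:sales
"""

# Constructed stand-in for /etc/netgroup.
NETGROUPS = {"sales": {"host1.myd.myc.com", "host2.myd.myc.com"}}


def parse_exports(text):
    """Return one dict {'fs', 'hosts', 'opts'} per export line."""
    exports = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        entry = {"fs": fields[0], "hosts": [], "opts": {}}
        for field in fields[1:]:
            if field.startswith("-"):
                for opt in field[1:].split(","):
                    key, _, value = opt.partition("=")
                    entry["opts"][key] = value     # bare flags get ''
            else:
                entry["hosts"].append(field)       # old-style host list
        exports.append(entry)
    return exports


def item_matches(item, client):
    """Match one list item (host, netgroup, @net, .domain) to a client."""
    if item.startswith("@"):
        return client.startswith(item[1:] + ".")   # dotted network prefix
    if item.startswith("."):
        return client.endswith(item)               # domain suffix
    if item in NETGROUPS:
        return client in NETGROUPS[item]
    return client == item


def list_allows(value, client):
    """Evaluate a colon-separated list; a -host item excludes that host."""
    allowed = False
    for item in value.split(":"):
        if item.startswith("-"):
            if item_matches(item[1:], client):
                return False
        elif item_matches(item, client):
            allowed = True
    return allowed


def client_access(entry, client):
    """Return 'rw', 'ro' or 'none' for a client under one export entry."""
    opts = entry["opts"]
    if entry["hosts"]:
        if client not in entry["hosts"]:
            return "none"
    elif "access" in opts and not list_allows(opts["access"], client):
        return "none"
    if "ro" in opts:
        return "ro"
    if opts.get("rw"):
        return "rw" if list_allows(opts["rw"], client) else "ro"
    return "rw"


def audit_exports(exports):
    """Flag exports open to every client and exports that grant root."""
    findings = []
    for e in exports:
        opts = e["opts"]
        world = not e["hosts"] and "access" not in opts
        if world and "ro" not in opts and not opts.get("rw"):
            findings.append((e["fs"], "read-write to every client"))
        elif world:
            findings.append((e["fs"], "readable by every client"))
        if opts.get("anon") == "0":
            findings.append((e["fs"], "anon=0 maps unknown users to root"))
        if opts.get("root"):
            findings.append((e["fs"], "root access granted to " + opts["root"]))
    return findings


if __name__ == "__main__":
    entries = parse_exports(SAMPLE_EXPORTS)
    for fs, msg in audit_exports(entries):
        print("%-14s %s" % (fs, msg))
    for e in entries:
        print(e["fs"], "host2.myd.myc.com ->", client_access(e, "host2.myd.myc.com"))
```

Run against a real file, the audit output is the list an administrator would want to review before relying on /etc/exports alone: anything reported as read-write to every client or carrying anon=0 is the first thing to tighten with an -access= list.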
02-11-2007 02:18 PM
Re: inetd.sec and NFS services
"service name is the name (not alias) of a valid service in file /etc/services. The service name for RPC-based services (NFS) is the name (not alias) of a valid service in file /etc/rpc. A service name in /etc/rpc corresponds to a unique RPC program number."
Here is an example from the same man page:
"On a system running NFS, deny host 192.54.24.5 access to sprayd, an RPC-based server:
sprayd deny 192.54.24.5
"
Of course, I tried 'mountd, nfs, and rpcbind' but with no success.
This is from the inetd.sec man page on HP-UX 11.11.
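The inetd.sec rules quoted in this reply and in Reshma's earlier syntax summary (service name from /etc/rpc or /etc/services, allow or deny but not both, one line per service, host patterns with numeric ranges and the * wildcard), worked through as an added example. This is not code from HP-UX or from any poster: it lints an inetd.sec file against a constructed /etc/rpc and then decides, for a given service and client address, which line applies. The sample files are constructed, and the decision rules (an allow line admits only the listed hosts, a deny line admits everyone but the listed hosts, a line naming no hosts admits nobody, host and network names are compared literally rather than resolved) are this example's assumptions drawn from the thread, not behaviour verified against inetd itself.

```python
"""Lint and evaluate an HP-UX style /var/adm/inetd.sec file.

Added example, not from inetd.sec(4) or the forum posters.  Syntax handled:

    service {allow|deny} host_or_network [host_or_network ...]

Each component of a dotted address pattern may be a number, a range such
as 1-28, or the wildcard *.  Assumptions: a deny line admits every host
except those listed, an allow line admits only those listed, a line with
no hosts admits nobody, and names are matched as literal strings.
"""
import re

# Constructed sample of /etc/rpc, enough to validate RPC service names.
SAMPLE_RPC = """\
rpcbind         100000  portmap sunrpc rpcbind
nfs             100003  nfsprog
mountd          100005  mount showmount
sprayd          100012  spray
rwalld          100008  rwall shutdown
"""

# Constructed sample of /var/adm/inetd.sec, including one duplicate
# service line and one unknown service name for the lint to catch.
SAMPLE_INETD_SEC = """\
# comment line
sprayd  deny   192.54.24.5
rwalld  deny   cauliflower
mountd  allow  10.2.42.*  192.168.1-28.*
mountd  deny   10.0.0.1
nfs     deny
bogus   deny   10.2.42.7
"""


def rpc_service_names(rpc_text):
    """Return the primary (non-alias) service names from /etc/rpc text."""
    names = set()
    for line in rpc_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.split()[0])
    return names


def parse_inetd_sec(text):
    """Parse inetd.sec into (service, action, [patterns]) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or fields[1] not in ("allow", "deny"):
            raise ValueError("malformed inetd.sec line: %r" % line)
        entries.append((fields[0], fields[1], fields[2:]))
    return entries


def lint_inetd_sec(entries, known_services):
    """Report unknown service names and services listed more than once."""
    problems = []
    seen = set()
    for service, _action, _patterns in entries:
        if service not in known_services:
            problems.append("unknown service %r" % service)
        if service in seen:
            problems.append("more than one line for service %r" % service)
        seen.add(service)
    return problems


def _component_matches(pattern, value):
    """Match one address component: a number, a range a-b, or *."""
    if pattern == "*":
        return True
    if "-" in pattern:
        low, high = pattern.split("-", 1)
        return int(low) <= value <= int(high)
    return int(pattern) == value


def address_matches(pattern, address):
    """Match a dotted address against a host_or_network pattern.

    A shorter numeric pattern such as 10.2 acts as a network prefix;
    non-numeric patterns (host or network names) are compared literally.
    """
    if not re.match(r"^[\d*.-]+$", pattern):
        return pattern == address
    octets = address.split(".")
    if len(octets) != 4 or not all(o.isdigit() for o in octets):
        return False
    return all(_component_matches(p, int(o))
               for p, o in zip(pattern.split("."), octets))


def is_permitted(entries, service, address):
    """Decide whether address may use service under the first line for it."""
    for svc, action, patterns in entries:
        if svc != service:
            continue
        if not patterns:
            return False            # assumption: no hosts listed, nobody admitted
        matched = any(address_matches(p, address) for p in patterns)
        return matched if action == "allow" else not matched
    return True                     # no line for the service: unrestricted


if __name__ == "__main__":
    entries = parse_inetd_sec(SAMPLE_INETD_SEC)
    for problem in lint_inetd_sec(entries, rpc_service_names(SAMPLE_RPC)):
        print("lint:", problem)
    for svc, addr in (("sprayd", "192.54.24.5"), ("mountd", "10.2.42.7"),
                      ("mountd", "192.168.40.9"), ("rpcbind", "1.2.3.4")):
        print(svc, addr, "permitted" if is_permitted(entries, svc, addr) else "denied")
```

The lint catches the two file errors the man page text rules out before inetd -c is run, and the evaluator makes the allow-versus-deny semantics of a line explicit. Note that this only says what inetd.sec would decide for a service it controls; as the thread goes on to discuss, whether the daemon in question was started by inetd at all is a separate question.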
02-12-2007 04:12 AM
Re: inetd.sec and NFS services
The HP-UX 10.30 and 11.00 release notes (http://docs.hp.com/en/B3782-90716/ch07s23.html) show that the -e option can be used with inetd.sec, but it is no longer supported since HP-UX 10.30.
02-12-2007 12:52 PM
Re: inetd.sec and NFS services
NFS is not managed by the inetd daemon, so the inetd.sec would have no real bearing on NFS.
If you really don't want to allow any clients to mount filesystems from the server then the best thing to do would be to disable NFS services from ever starting in the first place. If you don't want this system to allow any NFS mounts then do this:
# /sbin/init.d/nfs.server stop
This will stop any existing NFS server daemons. Then modify the /etc/rc.config.d/nfsconf file and set the NFS_SERVER variable to 0. That will stop the NFS server daemons (rpc.mountd, nfsd) from starting at boot time.
If this isn't what you're looking for then please be very specific about exactly what you're trying to do.
Regards,
Dave
[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
02-12-2007 01:18 PM
Re: inetd.sec and NFS services
The purpose is very simple: I want to limit what networks can access my NFS server. That was the whole purpose of posting here. If I did not want to use NFS, this thread would not exist. inetd.sec seemed like a good choice after reading the man page on it. That's how this thread started. Yes, I know inetd.sec controls inetd behaviour but if you read inetd.sec closer on HP-UX 11.11, it also refers to rpc services (/etc/rpc) that can be limited using inetd.sec.
/etc/exports has its own share of, shall we say, oddities, so I wanted to stay away from it as much as possible. However, it seems to me that I will have no choice but to use it.