Operating System - HP-UX

stopping nfs over untrusted port?

Doug O'Leary
Honored Contributor

stopping nfs over untrusted port?

Hey;

I had a system go through a security scan with the result that the security people want me to turn off nfs listening on port 2049 in favor of a port number below 1024.

Is that even possible? I know I've had these systems scanned any number of times and this is the first time I've seen this.

I've checked a couple of different systems and they're all using port 2049 as well.

Has anyone else run into this, know how to correct it, or otherwise answer something like this?

Thanks for any info.

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Dave Olker
HPE Pro
Solution

Re: stopping nfs over untrusted port?

Oh brother... Does this really give you any more protection? What is the difference between 2049 and 1024 aside from the old "you must be root to get a port in the reserved range" stuff? If this were really a security hole would the entire world have standardized on 2049 for the port number for nfsd?

In any case, if you really feel like trying this and you're using 11i v3 you could modify the nfsd entries in the /etc/services file and then stop/start /sbin/init.d/nfs.server and it will start nfsd on the new port number.

However, many NFS clients expect nfsd to be running on port 2049 - especially NFS v4 clients - so all bets are off if you suddenly have NFS clients that cannot communicate with the server.

I tried this same technique on my 11.23 system and it did register the new port number for TCP but not UDP. Strange, but again, I've never known anyone to do this so not really a surprise that some things might work and others might not.

Regards,

Dave
I work for HPE

[Any personal opinions expressed are mine, and not official statements on behalf of Hewlett Packard Enterprise]
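The observation in the reply above (after editing the nfsd entries in /etc/services and restarting nfs.server, the new port registered for TCP but not UDP) is exactly the kind of thing worth checking mechanically before declaring the change done. The script below is an added example, not code from the thread or from HPE: it compares the port that RPC program 100003 (nfs) is registered on for each transport against the nfsd lines in /etc/services and reports any mismatch. It assumes the registration data comes from `rpcinfo -p` output in the usual "program vers proto port service" column layout; the `rpcinfo` and `/etc/services` text embedded here is constructed to mirror the behaviour the reply describes (TCP moved to 1023, UDP still on 2049) rather than captured from a real host.

```shell
#!/bin/sh
# Added example, not from the original thread. Checks whether the NFS
# server (RPC program 100003) is registered on the port configured for
# nfsd in /etc/services, separately for TCP and UDP.

# Constructed sample of `rpcinfo -p` output (assumed column layout:
# program vers proto port service). TCP was re-registered on 1023 after
# the /etc/services edit and restart, UDP was not.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    2   udp   2049  nfs
    100003    3   udp   2049  nfs
    100003    2   tcp   1023  nfs
    100003    3   tcp   1023  nfs
    100003    4   tcp   1023  nfs'

# Constructed sample of the nfsd lines in /etc/services after editing
# both the tcp and udp entries to 1023.
SAMPLE_SERVICES='nfsd    1023/tcp    nfs   # NFS server daemon
nfsd    1023/udp    nfs   # NFS server daemon'

# Constructed sample of an untouched host: everything still on 2049.
SAMPLE_RPCINFO_DEFAULT='    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs'
SAMPLE_SERVICES_DEFAULT='nfsd    2049/tcp    nfs
nfsd    2049/udp    nfs'

# registered_port <rpcinfo text> <proto>
# Prints the distinct port(s) program 100003 is registered on for the
# given transport, space separated (more than one port is itself a sign
# that old and new registrations are both still live).
registered_port() {
    printf '%s\n' "$1" \
      | awk -v proto="$2" '$1 == "100003" && $3 == proto { print $4 }' \
      | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# services_port <services text> <proto>
# Prints the port configured for nfsd/<proto> in /etc/services.
services_port() {
    printf '%s\n' "$1" \
      | awk -v proto="$2" '$1 == "nfsd" { split($2, a, "/"); if (a[2] == proto) print a[1] }'
}

# nfs_port_check <rpcinfo text> <services text>
# Prints one line per transport and returns 0 only when both TCP and UDP
# are registered on exactly the port /etc/services configures.
nfs_port_check() {
    rc=0
    for proto in tcp udp; do
        want=$(services_port "$2" "$proto")
        got=$(registered_port "$1" "$proto")
        if [ -n "$want" ] && [ "$got" = "$want" ]; then
            echo "nfs/$proto: registered on $got (matches /etc/services)"
        else
            echo "nfs/$proto: configured ${want:-nothing} but registered on ${got:-nothing} MISMATCH"
            rc=1
        fi
    done
    return $rc
}

# Demonstration against the constructed samples. On a real HP-UX host you
# would feed "$(rpcinfo -p)" and "$(cat /etc/services)" instead.
if nfs_port_check "$SAMPLE_RPCINFO" "$SAMPLE_SERVICES"; then
    echo "edited host: consistent"
else
    echo "edited host: NOT consistent, clients using the old port on one transport will still connect"
fi
if nfs_port_check "$SAMPLE_RPCINFO_DEFAULT" "$SAMPLE_SERVICES_DEFAULT"; then
    echo "default host: consistent"
fi
```

A non-zero return from `nfs_port_check` is the case the reply ran into: the service file says one thing, the portmapper says another for at least one transport, so a scanner will still find nfs on 2049 over UDP and NFS clients will see different behaviour depending on which transport they pick.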
Doug O'Leary
Honored Contributor

Re: stopping nfs over untrusted port?

Hey;

Yeah, didn't make a lot of sense to me either. I'm not going to be doing that... thanks for the feedback.

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html