System Administration

stopping nfs over untrusted port?

Doug O'Leary
Honored Contributor

Hey;

I had a system go through a security scan with the result that the security people want me to turn off nfs listening on port 2049 in favor of a port number below 1024.

Is that even possible? I know I've had these systems scanned any number of times and this is the first time I've seen this.

I've checked a couple of different systems and they're all using port 2049 as well.

Has anyone else run into this, know how to correct it, or otherwise answer something like this?

Thanks for any info.

Doug O'Leary

------
Senior UNIX Admin
O'Leary Computers Inc
linkedin: http://www.linkedin.com/dkoleary
Resume: http://www.olearycomputers.com/resume.html
Dave Olker
HPE Pro
Solution

Re: stopping nfs over untrusted port?

Oh brother... Does this really give you any more protection? What is the difference between 2049 and 1024 aside from the old "you must be root to get a port in the reserved range" stuff? If this were really a security hole would the entire world have standardized on 2049 for the port number for nfsd?

In any case, if you really feel like trying this and you're using 11i v3 you could modify the nfsd entries in the /etc/services file and then stop/start /sbin/init.d/nfs.server and it will start nfsd on the new port number.

However, many NFS clients expect nfsd to be running on port 2049 - especially NFS v4 clients - so all bets are off if you suddenly have NFS clients that cannot communicate with the server.

I tried this same technique on my 11.23 system and it did register the new port number for TCP but not UDP. Strange, but again, I've never known anyone to do this so not really a surprise that some things might work and others might not.

Regards,

Dave
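A way to verify the outcome Dave describes (the port in /etc/services versus what the portmapper actually reports, checked separately for TCP and UDP), as an added example that is not part of the original thread or of HP-UX itself. It assumes the standard NFS RPC program number 100003 and uses constructed sample text in place of a real /etc/services and a real `rpcinfo -p` run; the port 1023 is a hypothetical value chosen to stand in for "a port below 1024".

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the nfsd port named in
# /etc/services against the port the portmapper reports for program 100003,
# once for tcp and once for udp. The sample inputs below are constructed;
# on a real host you would feed in /etc/services and the output of rpcinfo -p.

# Constructed /etc/services fragment with nfsd moved to a hypothetical port 1023.
SAMPLE_SERVICES='nfsd 1023/tcp nfs # NFS server daemon (hypothetical port)
nfsd 1023/udp nfs'

# Constructed rpcinfo -p output mimicking the behaviour described in the reply:
# the TCP registration picked up the new port, the UDP registration did not.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100003    3   tcp   1023  nfs
    100003    3   udp   2049  nfs'

# services_port <services-text> <proto>: port /etc/services lists for nfsd/<proto>
services_port() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        $1 == "nfsd" { split($2, a, "/"); if (a[2] == proto) { print a[1]; exit } }'
}

# rpc_port <rpcinfo-text> <proto>: port the portmapper reports for 100003/<proto>
rpc_port() {
    printf '%s\n' "$1" | awk -v proto="$2" '$1 == "100003" && $3 == proto { print $4; exit }'
}

# check_proto <services-text> <rpcinfo-text> <proto>: returns 0 when both agree,
# 1 when they differ or either side has no entry
check_proto() {
    want=$(services_port "$1" "$3")
    got=$(rpc_port "$2" "$3")
    if [ -n "$want" ] && [ "$want" = "$got" ]; then
        echo "$3: nfs registered on port $got, matching /etc/services"
        return 0
    fi
    echo "$3: MISMATCH: /etc/services says ${want:-<none>}, portmapper reports ${got:-<none>}"
    return 1
}

# check_nfs_ports <services-text> <rpcinfo-text>: checks tcp and udp, fails if either differs
check_nfs_ports() {
    rc=0
    for p in tcp udp; do
        check_proto "$1" "$2" "$p" || rc=1
    done
    return $rc
}

# Stand-alone run on the constructed samples: tcp agrees, udp does not
if check_nfs_ports "$SAMPLE_SERVICES" "$SAMPLE_RPCINFO"; then
    echo "overall: consistent"
else
    echo "overall: inconsistent, clients using the other protocol will not find nfsd"
fi
```

On a live system the same functions would be called as `check_nfs_ports "$(cat /etc/services)" "$(rpcinfo -p)"`; a mismatch on either protocol is exactly the half-applied state the reply warns about, where some clients still reach the server and others silently cannot.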
Doug O'Leary
Honored Contributor

Re: stopping nfs over untrusted port?

Hey;

Yeah, it didn't make a lot of sense to me either. I'm not going to be doing that... thanks for the feedback.

Doug O'Leary