Re: NFS Security

Alberto Minichiello
New Member

NFS Security

Hello all:

I have an HP9000 cluster running MC/ServiceGuard (SAP Edition) and I have to live with NFS. I have a couple of questions in order to see if I can use NFS in a more secure way:

1) Is there any way I can run NFS over TCP? I have read that there are patches that will solve that, but do the patches affect SAP in any way?

2) I have tried to have rpc.mountd go through /var/adm/inetd.sec to discriminate from which hosts it can receive mount requests, according to the rpc.mountd man page; however, rpc.mountd does not recognize option '-e' (which supposedly is the way to do it). Does anybody know if there is any way I can do that?

Any help on the matter would be greatly appreciated.

Regards

Daniel Cristini
Bonum Est
Patrick Wallek
Honored Contributor

Re: NFS Security

Using the /etc/exports file to specify which hosts can connect to which exported directories would be the easiest way to accomplish your second question. Look at the man page for exports for more details.

I would give an example, but I am not at work and can't get to any of my machines easily at the moment. :)
Shannon Petry
Honored Contributor

Re: NFS Security

There are two ways to secure NFS without trying to hack it!

1. In /var/adm/inetd.sec, you can add an entry for who is allowed to mount files via "mountd"; read the man pages for inetd.sec.

2. Next, you have a lot of options for your exports file to control access. If used with /etc/netgroup, you can have very fine-tuned access and easy manageability, but you could also build the ACLs into /etc/exports. I just use netgroups for ease in management, and for other security issues.
Read the man pages for exportfs and netgroup for more information.

This is not an easy task in a large mixed network, and should be planned carefully.

NOTE: some people are not happy with how much digging/debugging they have to do to debug security issues when clients can not connect, or the security does not work. If you have problems you may want to get the O'Reilly book "NFS and NIS Administration"

Regards,
Shannon
Microsoft. When do you want a virus today?
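As an added example (not code from the thread or from HP), here is a small audit script that flags entries in an HP-UX style /etc/exports that carry no access list and could therefore be mounted by any client; the sample exports file, the hostnames and the sapgroup netgroup are constructed for illustration.

```shell
# Audit an HP-UX style /etc/exports for entries without an access= list.
# Per exports(4), options follow one leading dash and are comma separated,
# so the restriction may appear as "-access=" or ",access=".
# Usage: find_open_exports /etc/exports
find_open_exports() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments, blanks
        $0 !~ /(^|[-,])access=/ { print $1 }          # no access list: open
    ' "$1"
}

# Constructed sample exports file (not a real host's configuration).
# "sapgroup" stands for a netgroup defined in /etc/netgroup.
EXPORTS_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
# /etc/exports on the SAP primary node (constructed sample)
/sapmnt/PRD    -access=sapgroup,root=sapgroup
/usr/sap/trans -rw=sapci:sapapp1,access=sapci:sapapp1
/export/tools  -ro
/home
EOF

# -ro alone still lets every client mount read-only, so it is reported too.
find_open_exports "$EXPORTS_SAMPLE"
```

Run it against the live file after each change and re-run exportfs; an empty result means every export names the hosts or netgroups allowed to mount it.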
Alberto Minichiello
New Member

Re: NFS Security

Thank you all for answering. I did discriminate which hosts can mount the exported directories with the -access options in /etc/exports; however, when I run a security scanner on my hosts it complains about rpc.mountd disclosing its export lists and about a "superfluous" NFS daemon on the standby server in the cluster (which I suppose is because it has nothing to export until the main machine goes down). NFS being the hopelessly insecure protocol it is (after all, it was designed to mount remote disks in the days before networks had to be designed like fortresses!!), I thought that maybe I could add an extra layer of security, to the point that scanners could not detect it, if I could discriminate by IP address with rpc.mountd. Indeed I can include the mountd rpc service in /var/adm/inetd.sec, but according to the man page that will only work on UDP NFS, and even then only if I invoke rpc.mountd with the '-e' option (which is the one that does not work), because it forces it to unload every time a request is fulfilled.

Thanks again

Daniel Cristini
Bonum Est