
rpc.mountd in inetd.sec file

 
support_5
Super Advisor


Hi all,

I am trying to use the inetd.sec file to start the rpc.mountd service to help secure NFS on our site (we have to export a filesystem through a firewall to a box in our DMZ). I was wondering if someone could help me with what are the correct lines I need to use in /etc/services, /etc/inetd.conf, and /var/adm/inetd.sec.

Also, any tips on securing NFS would be appreciated. For example, how much do things like fsirand and portmon (which I don't think is supported in 11.i v1.) help? Also, can someone explain a bit about secure RPC, and how this can be used to help secure NFS a bit?

Any other suggestions?

Thanks in advance!

- Andy
Andrew Cowan
Honored Contributor

Re: rpc.mountd in inetd.sec file

NFS is by its very nature insecure, and the only way to completely secure it is to use IP-SEC and mount your filesystem with a "tunnel".
If this option is not available to you then you can limit NFS exposure by:
always mounting Read-only where possible
Mount as far down the tree as you can ("/home/andrew" rather than just "/home").
Mount the filesystem with NODEV and NOSUID options.
Use the /etc/hosts file to identify hosts rather than DNS.
Mount filesystems restricted to particular hosts.

Secure-RPC is a Sun product and I don't think it is supported on HP-UX; anyway, the aim is to encrypt ports so that you can only attach to a service if you have the correct key.
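
An added example, not part of the thread and not HP tooling: a small Python audit that checks export entries against three items from the list above (read-only, exported far down the tree, restricted to named hosts). It assumes the SunOS-style /etc/exports syntax (-ro, -rw=, -access=); the sample file, the MIN_DEPTH threshold and the function names are constructed for illustration.

```python
# Added example: audit exports(4)-style entries against the checklist above.
# Assumption: SunOS-style syntax "/path -opt[,opt...]" with options such as
# ro, rw=host1:host2 and access=host1:host2.

# Constructed sample input, not taken from the thread.
SAMPLE_EXPORTS = """\
# constructed sample exports file
/home
/home/andrew -ro,access=dmzhost
/data/outbound -rw=dmzhost,access=dmzhost
/opt -ro
"""

MIN_DEPTH = 2  # assumption: fewer path components than this counts as shallow


def parse_exports(text):
    """Return a list of (path, {option: [hosts]}) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        opts = {}
        for field in fields[1:]:
            for opt in field.lstrip("-").split(","):
                if opt:
                    key, _, val = opt.partition("=")
                    opts[key] = [h for h in val.split(":") if h]
        entries.append((fields[0], opts))
    return entries


def audit_entry(path, opts):
    """Return the checklist items this export entry does not meet."""
    findings = []
    if "ro" not in opts:           # not exported read-only
        findings.append("writable")
    if not opts.get("access"):     # no host list, so any client may mount
        findings.append("no-access-list")
    if len([p for p in path.split("/") if p]) < MIN_DEPTH:
        findings.append("shallow-path")
    return findings


def audit(text):
    return {path: audit_entry(path, opts) for path, opts in parse_exports(text)}


if __name__ == "__main__":
    for path, findings in audit(SAMPLE_EXPORTS).items():
        print(path, "OK" if not findings else ", ".join(findings))
```

The NODEV and NOSUID items are client-side mount options and are not visible in the server's exports file, so this audit does not cover them.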
support_5
Super Advisor

Re: rpc.mountd in inetd.sec file

Hi,

Thanks for the response. Could you give me some information on how to implement NFS over IPSEC? That sounds like a bit of a good option if it can work. More info would be much appreciated. Ta.

- Andy
Andrew Cowan
Honored Contributor

Re: rpc.mountd in inetd.sec file

There are many HP docs outlining how to install IP-Sec, here is a starting point:
http://www.software.hp.com/portal/swdepot/displayInstallInfo.do?productNumber=J4256AA

Once installed and a tunnel is established, you can send any traffic between hosts and NFS should appear to work exactly as before.

I'm sorry I can't go into the setup of IP-SEC in depth but you could write a whole book on it. The only things normally to decide are whether you want a point-to-point tunnel, or a network of machines (transport mode), and whether you want to use a static shared secret-key, or the more secure rotating type.
Dave Olker
Neighborhood Moderator

Re: rpc.mountd in inetd.sec file

Hi Andy,

One quick comment - HP no longer supports launching rpc.mountd from inetd. That configuration used to be supported back in the HP-UX 9.X/10.X days, but we've since dropped support for that model.

Regards,

Dave

