Re: There's something about hardening NFS?
In reply to: Orlando Diaz,TRI: "There's something about hardening NFS?"
Date: Mon, 19 Aug 2002 11:07:20 +0300 (EEST)
From: Kapetanakis Giannis <email@example.com>
To: firstname.lastname@example.org

Some basic security for NFS:
-Do not export to the whole world! But just to your clients.
-Requests accepted only from a privileged port.
    set nfssrv:nfs_portmon = 1
and reboot. (This can also be done on the fly without reboot.)
    echo "nfs_portmon/W 0x1" | adb -wk /dev/ksyms /dev/mem
plus the entry in the /etc/system for the next time
-Protect your portmapper. You can change the default
rpcbind which ships with Solaris and use a tcp wrapped one
-Use firewall on 110, 2049, 4045. RPC can also be blocked
as well in your router.
-Run mountd (/etc/init.d/nfsd.server) with "-v" for
-Export filesystems read-only if you don't need to write on them
-For more security you can use dh_auth, gss, or kerberos
but these don't seem to work together with clients
of different unix OS.
-AFS might also be a good idea which supports many flavors
but I've never tried this. On the other way SUN invented NFS
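
Added example (not part of the original message): a small audit for the first, second and read-only points in the list above. It flags NFS shares that are open to every host and reports whether nfs_portmon is set in /etc/system. It assumes Solaris "share -F nfs -o ..." lines as found in /etc/dfs/dfstab; the function names and sample inputs are constructed for illustration.

```python
import shlex

# Constructed sample inputs (not taken from the original post).
SAMPLE_DFSTAB = '''\
# constructed example
share -F nfs -o rw=client1:client2 -d "home dirs" /export/home
share -F nfs -o ro /export/docs
share -F nfs /export/scratch
share -F nfs -o ro=client3,rw=client1 /export/src
'''
SAMPLE_SYSTEM = '''\
* constructed example
set maxusers = 64
'''

def audit_dfstab(text):
    """Return (path, problem) pairs for share lines open to every host."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        if argv[0] != "share":
            continue
        path, opts = argv[-1], []
        for i, arg in enumerate(argv[:-1]):
            if arg == "-o":
                opts = argv[i + 1].split(",")
        access = [o for o in opts if o.split("=")[0] in ("rw", "ro")]
        if not access:  # no access option: the default is rw for everyone
            findings.append((path, "no rw=/ro= list: read-write to all hosts"))
        for o in access:
            if "=" not in o:  # bare rw / ro carries no client list
                findings.append((path, f"bare '{o}': exported to all hosts"))
    return findings

def portmon_enabled(system_text):
    """True if /etc/system sets nfssrv:nfs_portmon to a non-zero value."""
    for line in system_text.splitlines():
        line = line.strip()
        if line.startswith(("*", "#")) or not line.startswith("set"):
            continue
        name, _, value = line[3:].partition("=")
        if name.strip() == "nfssrv:nfs_portmon":
            return int(value.strip(), 0) != 0
    return False

if __name__ == "__main__":
    for path, problem in audit_dfstab(SAMPLE_DFSTAB):
        print(f"{path}: {problem}")
    print("nfs_portmon set:", portmon_enabled(SAMPLE_SYSTEM))
```

On a real server, pass the contents of /etc/dfs/dfstab and /etc/system instead of the samples; the check reads files only and does not change the running kernel value.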