Re: There's something about hardening NFS?
From: Kapetanakis Giannis (bilias@edu.physics.uoc.gr)
Date: 08/19/02
Date: Mon, 19 Aug 2002 11:07:20 +0300 (EEST)
From: Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
To: focus-sun@securityfocus.com

Some basic security for NFS:

- Do not export to the whole world, but just to your clients.
- Requests accepted only from a privileged port.
  /etc/system:
      set nfssrv:nfs_portmon = 1
  and reboot. (This can also be done on the fly without reboot:)
      echo "nfs_portmon/W 0x1" | adb -wk /dev/ksyms /dev/mem
  plus the entry in /etc/system for the next time.
- Protect your portmapper. You can change the default
  rpcbind which ships with Solaris and use a TCP-wrapped one:
  ftp://ftp.porcupine.org/pub/security/rpcbind_2.1.tar.gz
- Use a firewall on 110, 2049, 4045. RPC can also be blocked
  in your router.
- Run mountd (/etc/init.d/nfsd.server) with "-v" for
  more logging.
- Export filesystems read-only if you don't need to write on them.
- For more security you can use dh_auth, gss, or kerberos,
  but these don't seem to work together with clients
  of different Unix OSes.
- AFS, which supports many flavors, might also be a good idea,
  but I've never tried this. On the other hand, SUN invented NFS.

bilias
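
An added example, not part of the original post: a shell audit for three of the points above (exports limited to named clients, read-only exports, and nfs_portmon set in /etc/system). It assumes Solaris share(1M) option syntax as found in /etc/dfs/dfstab; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit server-side settings named in the post above.
# Assumes Solaris share(1M) syntax in a dfstab-style file; sample data is constructed.

# audit_dfstab FILE: flag shares open to every client (WORLD) or writable (WRITABLE).
audit_dfstab() {
    awk '
    /^[ \t]*#/ || $1 != "share" { next }
    {
        path = $NF; opts = ""
        for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        n = split(opts, t, ","); world = 0; rw = 0; access = 0
        for (j = 1; j <= n; j++) {
            if (t[j] == "rw" || t[j] == "ro") { world = 1; access = 1 }
            if (t[j] ~ /^(rw|ro)=/) access = 1
            if (t[j] ~ /^rw(=|$)/) rw = 1
        }
        if (!access) { world = 1; rw = 1 }   # no ro/rw option: read-write to everyone
        if (world) print "WORLD " path
        if (rw) print "WRITABLE " path
    }' "$1"
}

# audit_system FILE: succeed only if an uncommented line sets nfs_portmon to 1.
# Lines starting with "*" are comments in /etc/system.
audit_system() {
    grep -v '^[[:space:]]*\*' "$1" |
        grep -Eq '^[[:space:]]*set[[:space:]]+nfssrv:nfs_portmon[[:space:]]*=[[:space:]]*(1|0x1)[[:space:]]*$'
}

# Constructed sample input (not taken from a real host).
demo=$(mktemp -d)
cat > "$demo/dfstab" <<'EOF'
# constructed dfstab
share -F nfs -o ro=client1:client2 /export/docs
share -F nfs -o rw /export/scratch
share -F nfs -o rw=client1,root=client1 /export/home
share -F nfs /export/pub
EOF
printf '* constructed /etc/system\nset nfssrv:nfs_portmon = 1\n' > "$demo/system"

audit_dfstab "$demo/dfstab"
audit_system "$demo/system" && echo "nfs_portmon OK" || echo "nfs_portmon NOT set"
rm -rf "$demo"
```

On a real server, call the two functions with /etc/dfs/dfstab and /etc/system; any WORLD line is an export with no client list.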