Re: NFS Over Private Network
From: John Kinsella (jlk_at_thrashyour.com)
Date: Thu, 25 Mar 2004 21:38:40 -0800 To: Randy Williams <firstname.lastname@example.org>
On Thu, Mar 25, 2004 at 11:31:20AM -0500, Randy Williams wrote:
> I may be off the mark here, but if your NFS configuration isolates the NFS
> shares to a significant degree (hosts, users, etc) then only the NFS daemon
> would be the weak spot (within the scope of NFS of course, if the host NFS
> server is compromised via a security weakness, then this goes out the
I think that's what they were talking about, the protocol being the
weakness. Firewall the hell out of on the front, either on the box or
next hop. Remember people, security is a multi layer thing - gotta
> Or, thinking out loud, would the "mount" command betray you, as it would
> publish all directories/mount points being published on the target machine.
> Is there any way to prevent mount, iostat, netstat or any other I/O
> measurement from giving the mount away?
Think: "chmod go-rwx" (usually works, not always)
But a little more general - you're thinking local to the box. If
somebody gets on your box, they got alot better odds at getting root
than somebody attempting a remote compromise (usually).