Re: Port 135 Probes Continue

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 01/11/04 

Date: Sun, 11 Jan 2004 17:24:05 -0500

"Tim Haynes" <usenet-20031229@stirfried.vegetable.org.uk> wrote in message
news:861xqnw4kj.fsf@potato.vegetable.org.uk...
> David Magda <dmagda+trace031024@ee.ryerson.ca> writes:
>
> >> > People really do that over the Net?
> >>
> >> Sure. What's wrong with it?
> >
> > Besides the complete lack of security? NFS is extremely lacking in
> > sanity checking and is probably no better than telnet. (Unless you
> > use Sun's implementation which can add GSS-API stuff like Kerberos
> > and encryption. (Also NFSv4 adds a lot of this stuff.))
>
> People also run FTP servers. The particular instance of a simtel mirror of
> which I'm thinking was no different to an FTP server.
> FTP continues to be useful, it's just that you don't hear of folks making
> any efforts to chroot NFS, etc.

Sorry for the late response, I've been out of town for a while.

Various folks keep having to prove to Sun that NFS is not securable, that an
exposed server can have its disk scribbled (though not necessarily read)
with a modicum of cracker effort. Also, getting the Kerberos running to
provide even a hint of user authentication is *NOT* a trivial task. For
example: when building Kerberos from scratch, if your fully qualified
hostname (FQHN) is preceded by your local hostname in /etc/hosts (say,
"192.168.1.1 nico-homemachine nico-homemachine.localdomain"), then the
comilation fails 99% of the way through, and you can't re-compile from the
already built source code. You have to find the problem, fix it either in
your /etc/hosts (which is not a requirement of the RFC's on naming your
machine or using hostnames!), or by fixing the damn code, and then rebuild
entirely from scratch because they put in a timestamp in their "make"
process that prevents you from re-using your already built binaries. They're
*nasty* programmers who clearly had all night to let compilations run while
they played posted on zephyr (a talk system similar to IRC, popular at MIT)
instead of actually working on the software. (No, I'm not kidding: they
spent a lot of time in the Student Information Processinb Board offices at
MIT.)

The authors believe that "Well, if you don't have your hostname as your
FQHN, you're just wrong. Fix it yourself and don't bother us." I swear to
ghod, this was their response when I spoke with them about it at MIT.

So building such a complex system up getting it working in a new network is
fairly painful: the basics of its configuration are really oriented around a
large, many-user environment, not a casual home installation.

This is why I heartily recommend starting with AFS instead: it allows more
usable group management and permissions, and is easily integrated into a
standard Linux distribution's file-sharing setup.