Re: Port 135 Probes Continue

From: David Magda (dmagda+trace031024_at_ee.ryerson.ca)
Date: 12/30/03


Date: 29 Dec 2003 18:35:49 -0500

Tim Haynes <usenet-20031227@stirfried.vegetable.org.uk> writes:

> Joe <joe@jretrading.com> writes:
>
> > In message <86hdzpygjj.fsf@potato.vegetable.org.uk>, Tim Haynes
> > <usenet-20031224@stirfried.vegetable.org.uk> writes
[...]
> >>Yes, to mount NFS shares.
> >>
> > People really do that over the Net?
>
> Sure. What's wrong with it?

Besides the complete lack of security? NFS is extremely lacking in
sanity checking and is probably no better than telnet. (Unless you
use Sun's implementation which can add GSS-API stuff like Kerberos
and encryption. (Also NFSv4 adds a lot of this stuff.))

It was designed in a completely different era and there's really no
security mechanism besides hostname / IP restrictions. User
authentication is also done on the client-side (though at least you
can map root (uid=0) to something 'safe') so once you have a
mount-handle (is that the term?) you can access just about
everything.

AFS would be a much saner idea.

-- 
David Magda <dmagda at ee.ryerson.ca>, http://www.magda.ca/
Because the innovator has for enemies all those who have done well under
the old conditions, and lukewarm defenders in those who may do well 
under the new. -- Niccolo Machiavelli, _The Prince_, Chapter VI
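
Added example, not part of the original post: a small audit of a server's export list for the weaknesses the message names (restrictions by hostname / IP only, root not mapped to a safe uid, no GSS-API/Kerberos flavor). It assumes Linux exports(5) syntax, and the sample paths and hosts are constructed.

```python
import re

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
/srv/home   192.0.2.0/24(rw,root_squash,sec=krb5p)
/srv/pub    *(ro)
/srv/build  build1.example.org(rw,no_root_squash)
/srv/data   192.0.2.10(rw,sec=sys) *.example.org(rw,insecure)
"""

KERBEROS = {"krb5", "krb5i", "krb5p"}
SPEC = re.compile(r"([^()]*)(?:\(([^()]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:
            m = SPEC.fullmatch(spec)
            if m is None:
                continue                      # malformed entry, skip it
            client = m.group(1) or "*"        # no host given means everyone
            opts = [o for o in (m.group(2) or "").split(",") if o]
            yield path, client, opts

def audit(text):
    """Return (path, client, issue) tuples for the weaknesses named in the post."""
    findings = []
    for path, client, opts in parse_exports(text):
        flavors = set()
        for opt in opts:
            if opt.startswith("sec="):
                flavors.update(opt[4:].split(":"))
        flavors = flavors or {"sys"}          # exports(5) default is sec=sys
        if "*" in client or "?" in client:
            findings.append((path, client, "wildcard-client"))
        if "no_root_squash" in opts:
            findings.append((path, client, "no-root-squash"))
        if "insecure" in opts:
            findings.append((path, client, "unprivileged-source-port"))
        if not flavors <= KERBEROS:
            findings.append((path, client, "client-asserted-uid"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS):
        print(*finding, sep="\t")
```

Only the Kerberos-protected /srv/home export passes clean; every other entry still relies on the uid the client asserts.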

