Re: Port 135 Probes Continue

From: Tim Haynes (usenet-20031229_at_stirfried.vegetable.org.uk)
Date: 12/30/03


Date: Tue, 30 Dec 2003 00:07:56 +0000

David Magda <dmagda+trace031024@ee.ryerson.ca> writes:

>> > People really do that over the Net?
>>
>> Sure. What's wrong with it?
>
> Besides the complete lack of security? NFS is extremely lacking in
> sanity checking and is probably no better than telnet. (Unless you
> use Sun's implementation which can add GSS-API stuff like Kerberos
> and encryption. (Also NFSv4 adds a lot of this stuff.))

People also run FTP servers. The particular instance of a simtel mirror of
which I'm thinking was no different to an FTP server.
FTP continues to be useful, it's just that you don't hear of folks making
any efforts to chroot NFS, etc.

> It was designed in a completely different era and there's really no
> security mechanism besides hostname / IP restrictions. User
> authentication is also done on the client-side (though at least you can
> map root (uid=0) to something 'safe') so once you have a mount-handle (is
> that the term?) you can access just about everything.

..everything under a given export-point. But that's the aim of the game,
anyway, to make that export *available* to people.

> AFS would be a much saner idea.

Lots of things would be more sane, SFS and (dav-over-)HTTPS and friends,
you name it. Doesn't mean that it's completely impossible to run NFS over
the 'Net, even for security grounds, that's all.

I'm making a more general point here, under the covers, as well. The
non-use of simtel-over-NFS in recent years is symptomatic of a change
towards fewer services being exposed to the outside world. Partly that is
driven by there being exploits for related daemons (portmapper, wu-ftpd),
but also it comes from an attitude "uh-oh, this has had its vulnerabilities,
it can't be any good, we can kludge our way around it, let's avoid
implementing it *altogether*". And so boxes stop presenting lots of ports
to the outside world and people think they're more "secure" for it.. only
to find that functionality requirements push things within the protocols
(witness the amount of gunk going over HTTP nowadays) and so
application-level holes start appearing (just check phpBB's history at the
moment).

Anyway, I digress, and it's getting late. :)

~Tim

-- 
The blade cuts clean through                |piglet@stirfried.vegetable.org.uk
              the island soil,              |http://spodzone.org.uk/
The years roll back and                     |
        the world grows small               |

