Re: Port 135 Probes Continue

From: Nico Kadel-Garcia (nkadel_at_comcast.net)
Date: 01/11/04

    Date: Sun, 11 Jan 2004 17:24:05 -0500

    "Tim Haynes" <usenet-20031229@stirfried.vegetable.org.uk> wrote in message
    news:861xqnw4kj.fsf@potato.vegetable.org.uk...
    > David Magda <dmagda+trace031024@ee.ryerson.ca> writes:
    >
    > >> > People really do that over the Net?
    > >>
    > >> Sure. What's wrong with it?
    > >
    > > Besides the complete lack of security? NFS is extremely lacking in
    > > sanity checking and is probably no better than telnet. (Unless you
    > > use Sun's implementation which can add GSS-API stuff like Kerberos
    > > and encryption. (Also NFSv4 adds a lot of this stuff.))
    >
    > People also run FTP servers. The particular instance of a simtel mirror of
    > which I'm thinking was no different to an FTP server.
    > FTP continues to be useful, it's just that you don't hear of folks making
    > any efforts to chroot NFS, etc.

    Sorry for the late response, I've been out of town for a while.

    Various folks keep having to prove to Sun that NFS is not securable, that an
    exposed server can have its disk scribbled (though not necessarily read)
    with a modicum of cracker effort. Also, getting the Kerberos running to
    provide even a hint of user authentication is *NOT* a trivial task. For
    example: when building Kerberos from scratch, if your fully qualified
    hostname (FQHN) is preceded by your local hostname in /etc/hosts (say,
    "192.168.1.1 nico-homemachine nico-homemachine.localdomain"), then the
    compilation fails 99% of the way through, and you can't re-compile from the
    already built source code. You have to find the problem, fix it either in
    your /etc/hosts (which is not a requirement of the RFCs on naming your
    machine or using hostnames!), or by fixing the damn code, and then rebuild
    entirely from scratch because they put in a timestamp in their "make"
    process that prevents you from re-using your already built binaries. They're
    *nasty* programmers who clearly had all night to let compilations run while
    they posted on zephyr (a talk system similar to IRC, popular at MIT)
    instead of actually working on the software. (No, I'm not kidding: they
    spent a lot of time in the Student Information Processing Board offices at
    MIT.)

    The authors believe that "Well, if you don't have your hostname as your
    FQHN, you're just wrong. Fix it yourself and don't bother us." I swear to
    ghod, this was their response when I spoke with them about it at MIT.

    So building such a complex system up and getting it working in a new network is
    fairly painful: the basics of its configuration are really oriented around a
    large, many-user environment, not a casual home installation.

    This is why I heartily recommend starting with AFS instead: it allows more
    usable group management and permissions, and is easily integrated into a
    standard Linux distribution's file-sharing setup.
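Added example, not part of the thread: a small POSIX sh check for the /etc/hosts ordering problem the post describes. It assumes what the post implies, namely that resolver lookups treat the first name after the address as the canonical hostname (the one Kerberos derives its host principal from), so a line that lists the short name before the fully qualified one hands Kerberos the wrong name. The sample line is constructed to match the one quoted in the post; the function names are my own.

```shell
#!/bin/sh
# Added example (not the thread's own code): sanity-check /etc/hosts ordering
# before building or configuring Kerberos.
#
# Assumption: gethostbyname()-style lookups report the FIRST name after the
# address as the canonical hostname. Kerberos builds host principals from that
# canonical name, so the fully qualified name must precede short aliases.

# canonical_name NAME [FILE]
# Print the name a resolver would report as canonical for NAME: the first
# name on the line in which NAME appears. Reads stdin when FILE is omitted.
canonical_name() {
    name=$1; shift
    awk -v n="$name" '
        { sub(/#.*/, "") }                      # drop comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if ($i == n) { print $2; exit } # $2 is the canonical name
        }
    ' "$@"
}

# check_hosts_order [FILE]
# Print every line whose canonical name has no dot while a later alias on the
# same line is fully qualified (short name first, FQDN demoted to an alias).
# Returns 0 when every line is fine, 1 when any line is misordered.
check_hosts_order() {
    awk '
        { sub(/#.*/, ""); if (NF < 2) next }    # skip comments and blanks
        {
            canon = $2; bad = 0
            if (index(canon, ".") == 0)         # canonical name is unqualified
                for (i = 3; i <= NF; i++)
                    if (index($i, ".") > 0) bad = 1
            if (bad) { printf "misordered: %s\n", $0; found = 1 }
        }
        END { exit found ? 1 : 0 }
    ' "$@"
}

# Constructed sample line, shaped like the one quoted in the post.
sample='192.168.1.1 nico-homemachine nico-homemachine.localdomain'

printf 'canonical name seen by the resolver: %s\n' \
    "$(printf '%s\n' "$sample" | canonical_name nico-homemachine.localdomain)"

if printf '%s\n' "$sample" | check_hosts_order; then
    echo "ordering ok"
else
    echo "fix: 192.168.1.1 nico-homemachine.localdomain nico-homemachine"
fi
```

Run it against the real file with `check_hosts_order /etc/hosts`; a non-zero exit plus the printed line tells you which entry to reorder before starting the build, rather than finding out at the end of the compilation.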

