List:       focus-sun
Subject:    Re: There's something about hardening NFS?
From:       Kapetanakis Giannis <bilias () edu ! physics ! uoc ! gr>
Date:       2002-08-19 8:07:20

Some basic security for NFS:

-Do not export to the whole world, but just to your clients.
-Requests accepted only from a privileged port.

/etc/system :
set nfssrv:nfs_portmon = 1
and reboot. (this can also be done on the fly without reboot)
echo "nfs_portmon/W 0x1" | adb -wk /dev/ksyms /dev/mem
plus the entry in the /etc/system for the next time

-Protect your portmapper. You can change the default
rpcbind which ships with Solaris and use a tcp wrapped one
ftp://ftp.porcupine.org/pub/security/rpcbind_2.1.tar.gz.
-Use a firewall on 110, 2049, 4045. RPC can also be blocked
in your router.
-Run mountd (/etc/init.d/nfsd.server) with "-v" for
more logging.
-Export filesystems read-only if you don't need to write on them.

-For more security you can use dh_auth, gss, or kerberos
but these don't seem to work together with clients
running a different Unix OS.

-AFS, which supports many flavors, might also be a good idea
but I've never tried this. On the other hand, SUN invented NFS.

bilias
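
An added example, not part of the original message: a small audit of the first two points above (exports limited to named clients, and nfs_portmon set in /etc/system). It assumes share lines in the Solaris /etc/dfs/dfstab format and reads both files on stdin; the hostnames, paths and sample contents are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Sample inputs are constructed.

# Classify each share(1M) line read on stdin (format of /etc/dfs/dfstab):
#   WORLD <path>    - a bare rw/ro, or no rw/ro option at all, admits any client
#   WRITABLE <path> - read-write, but limited to a client list
#   OK <path>       - read-only and limited to a client list
audit_dfstab() {
    awk '
    $1 != "share" { next }                 # skips blank lines and # comments
    {
        opts = ""; world = 0; rw = 0; seen = 0
        for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
            if (o[j] == "rw" || o[j] == "ro") { world = 1; seen = 1 }
            if (o[j] ~ /^(rw|ro)=/) seen = 1
            if (o[j] == "rw" || o[j] ~ /^rw=/) rw = 1
        }
        if (!seen) { world = 1; rw = 1 }   # share defaults to rw for everyone
        verdict = world ? "WORLD" : (rw ? "WRITABLE" : "OK")
        print verdict, $NF
    }'
}

# Succeed only if stdin (format of /etc/system) has an active
# "set nfssrv:nfs_portmon = 1" line; lines starting with * are comments.
check_portmon() {
    grep -E '^[[:space:]]*set[[:space:]]+nfssrv:nfs_portmon[[:space:]]*=[[:space:]]*(1|0x1)[[:space:]]*$' >/dev/null
}

# Constructed sample inputs (hostnames and paths are made up).
sample_dfstab() {
    cat <<'EOF'
# constructed dfstab
share -F nfs -o ro=client1:client2 /export/docs
share -F nfs -o rw=client1 -d "home dirs" /export/home
share -F nfs -o rw /export/scratch
share -F nfs /export/pub
EOF
}
sample_system() {
    printf '%s\n' '* set nfssrv:nfs_portmon = 1' 'set nfssrv:nfs_portmon = 1'
}

sample_dfstab | audit_dfstab
if sample_system | check_portmon; then echo "nfs_portmon: enabled"
else echo "nfs_portmon: NOT enabled"; fi
```

On a server, feed it the real files: audit_dfstab < /etc/dfs/dfstab and check_portmon < /etc/system.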

