Securing NFS - Red Hat Enterprise Linux 5 Deployment Guide

Chapter 43. Securing Your Network
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
The following iptables rules can then be used to enforce which network the server accepts connections from on these ports. The --dport match is only available when the protocol is tcp or udp (iptables rejects it with -p ALL), and RPC services such as ypserv register on both transports, so each port needs one rule per protocol:
iptables -A INPUT -p tcp -s ! 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p udp -s ! 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p tcp -s ! 192.168.0.0/24 --dport 835 -j DROP
iptables -A INPUT -p udp -s ! 192.168.0.0/24 --dport 835 -j DROP
This means that the server only accepts packets to ports 834 and 835 if they come from the 192.168.0.0/24 network, over either TCP or UDP. After setting the static ports, restart ypserv and confirm with rpcinfo -p that ypserv and ypxfrd are registered on 834 and 835; otherwise the rules protect ports the services are not actually using.
Tip
Refer to Section 43.8, "Firewalls" for more information about implementing firewalls with iptables commands.
43.2.3.5. Use Kerberos Authentication
One of the issues to consider when NIS is used for authentication is that whenever a user logs into a machine, the user's password hash from the NIS shadow map (built from /etc/shadow) is sent over the network. If an intruder gains access to an NIS domain and sniffs network traffic, they can collect usernames and password hashes. With enough time, a password cracking program can guess weak passwords, and an attacker can gain access to a valid account on the network.
Since Kerberos uses secret-key cryptography and authenticates with encrypted tickets, no password hashes are ever sent over the network, making the system far more secure. Refer to Section 43.6, "Kerberos" for more information about Kerberos.

43.2.4. Securing NFS

The Network File System (NFS) is a service that provides network accessible file systems for client machines. Refer to Chapter 19, Network File System (NFS) for more information about NFS. The following subsections assume a basic knowledge of NFS.
Important
The version of NFS included in Red Hat Enterprise Linux, NFSv4, no longer requires the portmap service as outlined in Section 43.2.2, "Securing Portmap". NFS traffic now uses TCP by default in all versions, rather than UDP, and NFSv4 requires TCP. NFSv4 also includes Kerberos user and group authentication, provided by the RPCSEC_GSS kernel module. Information on portmap is still included, since Red Hat Enterprise Linux also supports NFSv2 and NFSv3, both of which use portmap.
43.2.4.1. Carefully Plan the Network
Now that NFSv4 can pass all information encrypted using Kerberos over a network, it is important that the service be configured correctly if it is behind a firewall or on a segmented network. Encryption applies only to exports mounted with sec=krb5p; sec=krb5 authenticates the user without protecting the data, and sec=krb5i adds integrity checking but not confidentiality. NFSv2 and NFSv3 still pass data insecurely, and this should be taken into consideration. Careful network design in all of these regards can help prevent security breaches.
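The following is an added example, not text or code from the Red Hat Enterprise Linux 5 Deployment Guide. It shows an /etc/exports entry in the weak form beside a Kerberos-protected form, and a small POSIX shell audit over exports lines that flags the conditions this section warns about: a wildcard client list, any security flavour other than krb5p, and no_root_squash. The path /export, the network 192.168.0.0/24, the host nfs.example.com and the sample exports file are constructed assumptions; the audit assumes one client entry per line.

```shell
#!/bin/sh
# Added example, not from the Red Hat Enterprise Linux 5 Deployment Guide:
# an /etc/exports entry in its weak form beside a Kerberos-protected form,
# and a small audit over exports lines that flags what 43.2.4.1 warns about.
# The path /export, the client network 192.168.0.0/24 and the sample file
# below are constructed assumptions, not values from the guide.

# Weak: any host may mount; with no sec= option exportfs assumes sec=sys
# (AUTH_SYS), which trusts the UID/GID the client claims and sends file
# data in the clear.
WEAK_EXPORT='/export *(rw,sync)'

# Hardened: only the trusted subnet may mount, Kerberos with privacy
# (krb5p encrypts the RPC payload; krb5 only authenticates the user and
# krb5i adds integrity checks, neither hides data), root is squashed, and
# fsid=0 marks the NFSv4 pseudo-root that RHEL 5 kernels need.
HARDENED_EXPORT='/export 192.168.0.0/24(rw,sync,sec=krb5p,root_squash,fsid=0)'

# Print one line per weakness in a single-client exports entry, nothing
# when it is hardened: a missing or "*" client list, any security flavour
# other than krb5p (a client may negotiate it and move data unencrypted),
# and no_root_squash.
export_problems() {
    set -f                            # no globbing of "*" client fields
    set -- $1                         # $1 = path, $2 = client(options)
    client=${2%%\(*}
    case "$client" in
        ''|'*') echo "wildcard client" ;;
    esac
    case "$2" in
        *\(*\)) opts=${2#*\(}; opts=${opts%\)} ;;
        *)      opts='' ;;
    esac
    sec=''
    oldifs=$IFS
    IFS=,
    for opt in $opts; do
        case "$opt" in
            sec=*)          sec=${opt#sec=} ;;
            no_root_squash) echo "no_root_squash" ;;
        esac
    done
    if [ -z "$sec" ]; then
        echo "allows sys (default, no Kerberos)"
    else
        IFS=:
        for flavor in $sec; do
            [ "$flavor" = krb5p ] || echo "allows $flavor (no privacy)"
        done
    fi
    IFS=$oldifs
    set +f
}

# Return 0 when export_problems finds nothing to report.
export_is_hardened() {
    [ -z "$(export_problems "$1")" ]
}

# Read exports lines on stdin, skip blanks and comments, and print
# "WEAK <entry>: <problems>" for each entry that is not hardened.
audit_exports() {
    while IFS= read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        problems=$(export_problems "$line" | tr '\n' ';')
        if [ -n "$problems" ]; then
            printf 'WEAK %s: %s\n' "$line" "${problems%;}"
        fi
    done
    return 0
}

# Constructed sample file (not a real host's /etc/exports). The /home entry
# offers krb5 beside krb5p, so a client can still pick the unencrypted one.
SAMPLE_EXPORTS="# constructed sample
$WEAK_EXPORT
$HARDENED_EXPORT
/home 192.168.0.0/24(rw,sync,sec=krb5:krb5p,no_root_squash)"

printf '%s\n' "$SAMPLE_EXPORTS" | audit_exports

# Checks on the real server once the export is in place (not run here):
#   grep '^SECURE_NFS' /etc/sysconfig/nfs     # must be "yes" for rpc.svcgssd
#   klist -k /etc/krb5.keytab | grep nfs/     # server needs an nfs/ principal
#   exportfs -rav                             # listed options include sec=krb5p
# and from a client on the trusted network:
#   mount -t nfs4 -o sec=krb5p nfs.example.com:/ /mnt
```

Running the script reports the wildcard/AUTH_SYS export and the /home entry as WEAK and stays silent about the krb5p-only export. Offering several flavours in one sec= list is the common mistake: the server accepts whichever the client chooses, so an export meant to be encrypted is only as strong as the weakest flavour listed.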