[TriLUG] Question About NFS Client Access Config
John Vaughters via TriLUG
trilug at trilug.org
Wed Apr 10 07:48:07 EDT 2019
As a stopgap measure, I would set up the firewall on the server to only allow the IP addresses to the NFS ports you need. In general, I run the internal firewalls on all my servers and use them to address issues found in security scans. If I can solve it with the firewall right away, this gives me time to investigate the software and config issues. It at least puts the security folks at ease.
I cannot speak for the NFS config; it is not my strong point.
John Vaughters
On Tuesday, April 9, 2019, 5:43:19 PM EDT, Scott Chilcote via TriLUG <trilug at trilug.org> wrote:
Hi LUGgers,
An outside firm scans the servers at the hosting service where a couple
of my employer's RHEL 6.9 virtual servers are housed.
We were recently given a scan result that said that our NFS server did
not prevent access by a remote client on the network, and we really need
to fix that.
We use this NFS share a lot, and it was configured for single client
access in /etc/exports.
The content of that file looks like this:
/home/shareme 192.168.0.193(rw)
/shareme2 192.168.0.193(ro)
Based on what we know of NFS, this ought to be enough to prevent any
server not having the local IPv4 address of 192.168.0.193 from access to
our exports. But the scan result says otherwise, and $MGMT wants this
fixed.
I spent a couple of hours rummaging the Red Hat knowledge base for RHEL 6
NFS issues, and came up with diddly squat. If anyone else ever had this
problem, my fu is lacking. We already know about not allowing any
spaces to get between the server string and the options that follow it,
but that appears to be one of the few major bugaboos about configuring
an NFS share.
If anyone has an idea what to investigate here, I would love to know.
It seems unlikely that Metasploit's NFS plugin got confused, but we
aren't ready to rule that out. Or anything, really.
Much thanks for any pointers!
Scott C.
--
Scott Chilcote
scottchilcote at ncrrbiz.com
Cary, NC USA
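
The stray-space pitfall mentioned in the question above, as an added example that is not part of the mailing-list thread: in exports(5) syntax, options separated from the host by a space apply to every host, so this Python audit of /etc/exports-style text reports any export reachable by a host other than the intended client. The `/constructed` line and the function names are assumptions made for illustration; quoted paths with spaces are not handled.

```python
import re

# Constructed sample: the first two lines are the exports quoted in the post;
# the third is a constructed variant with a stray space before the options.
SAMPLE_EXPORTS = """\
/home/shareme 192.168.0.193(rw)
/shareme2 192.168.0.193(ro)
/constructed 192.168.0.193 (rw)
"""

# One client token: optional host followed by optional "(opt,opt,...)".
ENTRY = re.compile(r"^([^()\s]*)(?:\(([^()]*)\))?$")
WORLD = {"", "*"}  # empty host (bare "(rw)" or no client list) and "*" mean any host


def parse_exports(text):
    """Return [(path, client, options)]; client '' means any host."""
    entries = []
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for token in clients or [""]:  # no client list: exported to everyone
            m = ENTRY.match(token)
            if m is None:
                raise ValueError(f"unparsable client spec: {token!r}")
            host, opts = m.group(1), m.group(2)
            entries.append((path, host, opts.split(",") if opts else []))
    return entries


def audit(text, allowed):
    """List findings for every export open to a client not in `allowed`."""
    findings = []
    for path, host, opts in parse_exports(text):
        if host in WORLD:
            shown = ",".join(opts) or "defaults"
            findings.append(f"{path}: exported to ANY host with options {shown}")
        elif host not in allowed:
            findings.append(f"{path}: unexpected client {host}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, {"192.168.0.193"}):
        print(finding)
```

On a server, the effective export list after parsing can be compared against this with `exportfs -v`.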