[TriLUG] Question About NFS Client Access Config

Scott Chilcote via TriLUG trilug at trilug.org
Wed Apr 10 09:16:33 EDT 2019


Hi All,

Thanks for the great help and ideas on this! 

We did think of the iptables solution, and patched that in last night.
But as Joe Mack pointed out, that's considered cheating, and our host
does not generally condone filtering inside the VLAN.  We'll see whether
that holds.

The scan result is very specific that "At least one of the NFS shares
exported by the remote server could be mounted by the scanning host." 
That's a serious WTF finding, no?  We will likely get Red Hat support
involved.

Much appreciation!

   Scott C.


On 4/9/19 5:43 PM, Scott Chilcote via TriLUG wrote:
> Hi LUGgers,
>
> An outside firm scans the servers at the hosting service where a couple
> of my employer's RHEL 6.9 virtual servers are housed.
>
> We were recently given a scan result that said that our NFS server did
> not prevent access by a remote client on the network, and we really need
> to fix that.
>
> We use this NFS share a lot, and it was configured for single client
> access in /etc/exports.
>
> The content of that file looks like this:
>
>     /home/shareme 192.168.0.193(rw)
>
>     /shareme2 192.168.0.193(ro)
>
>
> Based on what we know of NFS, this ought to be enough to prevent any
> server not having the local IPv4 address of 192.168.0.193 from access to
> our exports.  But the scan result says otherwise, and $MGMT wants this
> fixed.
>
> I spent a couple of hours rummaging the Red Hat knowledge base for RHEL 6
> NFS issues, and came up with diddly squat.  If anyone else ever had this
> problem, my fu is lacking.  We already know about not allowing any
> spaces to get between the server string and the options that follow it,
> but that appears to be one of the few major bugaboos about configuring
> an NFS share.
>
> If anyone has an idea what to investigate here, I would love to know. 
> It seems unlikely that Metasploit's NFS plugin got confused, but we
> aren't ready to rule that out.  Or anything, really.
>
> Much thanks for any pointers!
>
>    Scott C.
>

-- 
Scott Chilcote
scottchilcote at ncrrbiz.com
Cary, NC USA
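
An added example (not part of the original post, and not code from any tool it mentions): a small Python audit of an /etc/exports file that lists every client spec and flags exports reachable by hosts outside an allow-list, including the stray-space case the post mentions, where "host (ro)" detaches the options from the host and applies them to any client. The sample file, the /scratch path and the function names are constructed for illustration; quoted paths are not handled.

```python
import re

# Constructed sample: entry 1 is the form shown in the post, entry 2 has the
# stray space the post warns about, entry 3 exports to a wildcard.
SAMPLE_EXPORTS = """\
# constructed sample, not the poster's real file
/home/shareme 192.168.0.193(rw)
/shareme2 192.168.0.193 (ro)
/scratch *(rw,no_root_squash)
"""

# A client spec is "host", "host(opts)" or a detached "(opts)".
CLIENT_RE = re.compile(r"^(?P<host>[^()\s]*)(?:\((?P<opts>[^()]*)\))?$")

def parse_exports(text):
    """Yield (path, host, options) for each client spec in exports(5) syntax."""
    # Join backslash continuations, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *specs = line.split()
        if not specs:
            specs = ["*"]  # assumption: treat a bare path as open to any host
        for spec in specs:
            if spec.startswith("-"):
                continue  # "-opts" sets defaults for the line, not a client
            m = CLIENT_RE.match(spec)
            if m is None:
                raise ValueError(f"unparseable client spec {spec!r} in {raw!r}")
            opts = m.group("opts").split(",") if m.group("opts") else []
            # An empty host means "(opts)" stood alone: it applies to any host.
            yield path, m.group("host") or "*", opts

def audit(text, allowed):
    """Return (path, host, options) for exports to hosts not in `allowed`."""
    return [(path, host, ",".join(opts) or "defaults")
            for path, host, opts in parse_exports(text)
            if host not in allowed]

if __name__ == "__main__":
    for path, host, opts in audit(SAMPLE_EXPORTS, {"192.168.0.193"}):
        print(f"{path}: exported to {host} ({opts})")
```

The allow-list match is an exact string comparison, so netmask, netgroup or hostname-pattern clients are always reported and need a manual look.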


