[TriLUG] Question About NFS Client Access Config
Joseph Mack NA3T via TriLUG
trilug at trilug.org
Wed Apr 10 09:46:06 EDT 2019
On Wed, 10 Apr 2019, Scott Chilcote via TriLUG wrote:
> The scan result is very specific that "At least one of the NFS shares
> exported by the remote server could be mounted by the scanning host."
the operative word here is COULD
the fact that they didn't shows that it can't.
> That's a serious WTF finding, no?
that's serious scare mongering to show their client that they are doing a super
job of finding things that COULD go wrong.
Can you put an NFS client on the network somewhere equivalent to the scanner and
show that you can't mount a disk?
Then call the bluff on the scanners and ask them to mount a disk.
At that stage $MGMT will probably freak out. They have the choice of
o accepting that the scanners they're paying good $ to, to protect their asses,
are speaking BS
or
o being super cautious (we definitely shouldn't get out of bed in the mornings).
Be prepared to move the NFS to machines on the LAN.
> We will likely get Redhat support involved.
They will have run into this before.
Even if you can't mount a disk from outside, you still aren't secure. nfsd is
still accepting packets on 2049/udp. Presumably someone will get in eventually.
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant
map generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
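
An added example, not part of the original message: one way to check which exports the server's own configuration would admit for a given client address, such as the scanner's, before running the mount test suggested above. The exports content, addresses and function names are constructed for illustration; hostname, wildcard-name and netgroup clients are reported as unresolved rather than looked up.

```python
import ipaddress

# Constructed sample /etc/exports content (not taken from the thread).
SAMPLE_EXPORTS = """\
# constructed example
/srv/build   10.20.0.0/16(rw,sync) 192.0.2.15(ro)
/srv/pub     *(ro,all_squash)
/srv/home    @staff(rw) *.corp.example(rw)
/srv/scratch (rw,no_root_squash)
/srv/backup  10.20.5.9(rw)
"""

def parse_exports(text):
    """Yield (path, [client_spec, ...]) for each export line."""
    logical = text.replace("\\\n", " ")  # join continuation lines
    for line in logical.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        path, *fields = line.split()
        # A field is "client(options)"; an empty client means any host.
        clients = [f.split("(", 1)[0] for f in fields if not f.startswith("-")]
        yield path, clients or [""]

def classify(spec, ip):
    """Return 'match', 'no-match' or 'unresolved' for one client spec."""
    if spec in ("", "*"):
        return "match"
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return "unresolved"  # hostname, wildcard name or @netgroup
    return "match" if ip in net else "no-match"

def exports_admitting(text, client_ip):
    """Group export paths by whether the config admits client_ip."""
    ip = ipaddress.ip_address(client_ip)
    result = {"match": [], "unresolved": []}
    for path, clients in parse_exports(text):
        verdicts = {classify(c, ip) for c in clients}
        if "match" in verdicts:
            result["match"].append(path)
        elif "unresolved" in verdicts:
            result["unresolved"].append(path)
    return result

if __name__ == "__main__":
    # 10.20.7.44 is a constructed stand-in for the scanning host.
    print(exports_admitting(SAMPLE_EXPORTS, "10.20.7.44"))
```

This only reads the export list; a firewall or TCP wrappers rule in front of the server can still refuse a client that the exports file admits.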