[TriLUG] Question About NFS Client Access Config

Scott Chilcote via TriLUG trilug at trilug.org
Thu Apr 11 17:21:25 EDT 2019


On 4/10/19 11:43 PM, Mike Lisanke wrote:
>
> I believe Joe hits the nail on the head... it COULD be the port
> scanner did Not and could Not mount the share because it'd be rejected
> by the IP address rule, and the Port scan was Only indicating the NFS
> server was reachable on the well-known port. The iptables can solve the
> problem with Port Scan detecting a server, which Might be a good thing
> to do, But it appears you're safe. If you want to be sure, try it! Try
> to access the share from the Internet, look at the responses, and check
> the security log on the server. See that illegitimate access from IP
> out of range and how it's rejected.


Hi Mike and everyone else,

As some have guessed, the data center's policy is to correct a security
issue at the source if at all possible, which is why they frown on using
iptables to implement the fix.  Their reasoning (as described to me) is
that the next admin who comes along will not realize why we need that
rule, and may fail to preserve it.  Or if the system is relocated, or
the data center moves, etcetera.  They require a seriously robust
implementation and perform tons of control reviews.

One of the admins on this project said that he recently changed one of
the exports, making a share read-write instead of read-only.  He also
said that he wasn't certain that he had rebooted the server after that. 
The single-client restriction did not change.  However, this gave us the
pretext to ask the contractor that does the scans to try them again, and
(most importantly) give us all of the details of what they did to get
that fail result.

That is very important to us because by the time we hear about a bad
scan result, the info has been forwarded three times (tester->data
center->our customer->us).  Sometimes critical info doesn't get through
intact.

No replies yet.  Thanks again for the help!

    Scott C.

-- 
Scott Chilcote
scottchilcote at ncrrbiz.com
Cary, NC USA
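Mike's point above is that an open NFS port in a scan report says nothing about whether the exports' per-client IP rule would reject a mount, and Scott's data center worries that a later admin could quietly loosen such a rule. The script below, added as an example and not part of the thread or anyone's real configuration, audits an exports(5)-style file directly (the control "at the source") and flags entries that are not pinned to explicit client hosts, plus read-write exports; the sample file, paths and addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an exports(5) file for entries
# that are not pinned to explicit client hosts, and flag read-write exports.
# Entry syntax: /path client1(opts) client2(opts) ...   (trailing \ continues)

write_sample_exports() {   # constructed sample, not the poster's real config
    f="${TMPDIR:-/tmp}/exports.sample.$$"
    cat > "$f" <<'EOF'
/srv/export   192.0.2.10(rw,sync,no_subtree_check)   # single-client, rw
/srv/pub      *(ro,sync)                              # any host may mount
/srv/bulk     192.0.2.0/24(ro) \
              198.51.100.7(rw)
/srv/oops                                             # no client list at all
EOF
    echo "$f"
}
# Prints one finding per line; returns 1 if any export is open to unlisted hosts.
audit_exports() {
    file="$1"; pending=""; open=0
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                         # drop comments
        case "$line" in *\\) pending="$pending${line%\\} "; continue ;; esac
        line="$pending$line"; pending=""
        set -f; set -- $line; set +f               # split fields, no globbing
        [ $# -eq 0 ] && continue
        path="$1"; shift
        if [ $# -eq 0 ]; then
            echo "OPEN  $path: no client list, exported to every host"
            open=$((open + 1)); continue
        fi
        for c in "$@"; do
            host="${c%%\(*}"; opts=""
            case "$c" in *\(*\)) opts="${c#*\(}"; opts="${opts%\)}" ;; esac
            case "$host" in
                ""|"*"|*"*"*|*"?"*)                # wildcard or empty host spec
                    echo "OPEN  $path: wildcard client '$host' ($opts)"
                    open=$((open + 1)) ;;
            esac
            case ",$opts," in
                *,rw,*) echo "RW    $path: read-write for '$host'" ;;
            esac
        done
    done < "$file"
    [ "$open" -eq 0 ]
}

sample=$(write_sample_exports)
audit_exports "$sample" || echo "audit FAILED: unrestricted exports present"
rm -f "$sample"
```

Point `audit_exports` at the real exports file (or at `exportfs -v` output saved to a file) from a periodic control review; a non-zero exit is the signal that the single-client restriction has drifted.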
