NFS was developed to allow machines to mount a disk partition on a remote machine as if it were on a local hard drive.
---> This allows for fast seamless sharing of files across a network.
---> Main config files to edit to set up an NFS server are:
1. /etc/exports
2. /etc/hosts.allow
3. /etc/hosts.deny
/etc/exports file
The exports file contains a list of entries; each entry indicates a volume that is shared and how it is shared.
EX:-
directory machine1(option11,option12) machine2(option21,option22)
Where
Directory: The directory that you want to share. It may be an entire volume, though it need not be. If you share a directory, then all directories under it within the same file system will be shared as well.
machine1 and machine2: client machines that will have access to the directory. The machines may be listed by their host name or their IP address (machine.company.com or 192.168.0.25). Using IP addresses is more reliable and more secure, because access then does not depend on a DNS answer that an attacker may be able to spoof.
Option XX: The option list for each machine describes what kind of access that machine will have. Important options are:
A.ro: The directory is shared read only; the client machine will not be able to write to it. This is the default.
B.rw: The client machine will have read and write access to the directory.
C.no_root_squash: By default, any file request made by user root on the client machine is treated as if it were made by user nobody on the server (this is root_squash). If no_root_squash is selected, then root on the client machine will have the same level of access to the files on the system as root on the server. This has serious security implications: combined with rw, root on a compromised client can plant setuid-root binaries on the export, which are then trusted by every other client and by the server itself. It may be necessary if you want to perform administrative work on the client machine that involves the exported directories, but you should not specify this option without a good reason.
D.no_subtree_check: If only part of a volume is exported, a routine called subtree checking verifies that a file requested by the client is in the appropriate part of the volume. If the entire volume is exported, disabling this check will speed up transfers and causes no loss of security. On a partial-volume export, however, disabling it means a client that obtains a file handle can reach files outside the exported subtree. Since nfs-utils 1.1.0, no_subtree_check is the default and exportfs warns when neither subtree_check nor no_subtree_check is given.
E.sync: Versions of nfs-utils up to and including 1.0.0 used async behaviour by default, telling a client machine that a file write is complete (i.e. that it has been written to stable storage) as soon as NFS had handed the write over to the file system. This behaviour may cause data corruption if the server reboots, and the sync option prevents it. In all releases after 1.0.0, sync is the default and exportfs warns if neither sync nor async is specified.
EG: /var/tmp 192.168.0.25(async,rw)
This exports /var/tmp read-write to the single client 192.168.0.25 with asynchronous writes; given the points above, replace async with sync unless the speed gain is worth losing data on a server crash.
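The following is an added example, not code from the original post or from nfs-utils: a small auditor that parses the exports(5) syntax shown above and flags the options the text warns about. It also catches a classic mistake that the syntax makes easy: writing a space between the host and its options (`host (rw)`), which exportfs interprets as a separate client spec with host `*`, so the options apply to every host while the named host only gets the defaults. The sample exports file is constructed for the example.

```python
"""Audit /etc/exports for risky settings (added example for this page; not
nfs-utils code).  It parses the exports(5) syntax used above, one directory
per line followed by client specs with options in parentheses, and flags the
options the text warns about.  The sample file is constructed."""

# Options whose presence is worth a second look; wording follows exports(5).
RISKY = {
    "no_root_squash": "root on the client is root on the server; with rw it can "
                      "plant setuid-root binaries on the export",
    "async": "writes are acknowledged before reaching stable storage; data "
             "loss if the server crashes",
    "no_subtree_check": "on a partial-volume export, a client holding a file "
                        "handle can reach files outside the exported subtree",
    "insecure": "requests from unprivileged source ports are accepted, so any "
                "local user on the client can forge them",
}

SAMPLE_EXPORTS = """\
# constructed sample, not a real server's configuration
/home/shared   192.168.0.25(rw,sync,root_squash)
/var/tmp       192.168.0.25(async,rw)
/srv/backup    *(rw,no_root_squash,no_subtree_check)
/srv/ro        192.168.0.0/255.255.255.0(ro,sync) @trusted(rw,sync)
/opt/tools     192.168.0.30 (rw,sync)
"""


def split_opts(opts):
    return [o.strip() for o in opts.split(",") if o.strip()]


def parse_exports(text):
    """Return [{"directory", "clients": [{"host", "options", "implicit"}]}]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        clients = []
        for tok in (parts[1].split() if len(parts) > 1 else []):
            if tok.startswith("("):
                # "host (opts)": the space makes "(opts)" a client spec of its
                # own with host "*", and the preceding host gets the defaults.
                clients.append({"host": "*",
                                "options": split_opts(tok.strip("()")),
                                "implicit": True})
                continue
            host, _, opts = tok.partition("(")
            clients.append({"host": host,
                            "options": split_opts(opts.rstrip(")")),
                            "implicit": False})
        entries.append({"directory": parts[0], "clients": clients})
    return entries


def audit_exports(text):
    """Return one human-readable finding per risky client spec or option."""
    findings = []
    for entry in parse_exports(text):
        for c in entry["clients"]:
            where = f"{entry['directory']} {c['host']}"
            if c["implicit"]:
                findings.append(f"{where}: options after a space apply to every "
                                "host; the host before them only gets the defaults")
            if c["host"] == "*":
                findings.append(f"{where}: exported to every host that can reach the server")
            for opt in c["options"]:
                if opt in RISKY:
                    findings.append(f"{where}: {opt}: {RISKY[opt]}")
    return findings


if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EXPORTS):
        print(finding)
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`, and compare the result with what the server actually exports as reported by `exportfs -v`, which prints every active export together with the effective options, including the defaults that were not written down.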
/etc/hosts.allow and /etc/hosts.deny
These two files specify which computers on the network can use services on your machine. Each line of the file contains a single entry listing a service and a set of machines.
When a server gets a request from a machine, it does the following,
----> It first checks the hosts.allow file to see if the machine matches a description listed in there. If it does, then the machine is allowed access.
----> If the machine does not match an entry in hosts.allow, the server then checks hosts.deny to see if the client matches a listing in there. If it does, then the machine is denied access.
----> If the client matches no listing in either file, then it is allowed access. Because of this default, a deny file that only lists some daemons leaves every other wrapped service open.
Configuring /etc/hosts.allow and /etc/hosts.deny for NFS security
----> In addition to controlling access to services handled by inetd, these files can also control access to NFS by restricting connections to the daemons that provide NFS services. Restrictions are done on a per-service basis, using the name of the daemon that consults the files.
----> The first daemon to restrict access to is the portmapper (port 111). This daemon essentially just tells requesting clients how to find all the NFS services on the system.
----> Restricting access to the portmapper is a good first line of defense against someone breaking into your system through NFS, because completely unauthorized clients won't know where to find the NFS daemons.
----> However, there are two things to watch out for. First, restricting the portmapper isn't enough if the intruder already knows how to find those daemons (mountd, for example, listens on a port a scanner can discover directly). Second, if you are running NIS, restricting the portmapper will also restrict requests to NIS. In general it is a good idea with NFS to explicitly deny access to the IP addresses that you don't need to allow.
----> The first step in doing this is to add the following entry to /etc/hosts.deny (on systems where rpcbind has replaced portmap, the daemon name to use is rpcbind):
portmap:ALL
----> If you have a newer version of nfs-utils, also add entries for each of the NFS daemons in hosts.deny. On Linux, lockd runs inside the kernel and never consults these files, so its entry is accepted but has no effect:
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
----> Alternatively, put ALL:ALL in /etc/hosts.deny, which causes any service that consults these files to deny access to all hosts unless they are explicitly allowed in /etc/hosts.allow. This is the safer default-deny stance, but check first that every wrapped service you rely on (sshd, for example) has an allow entry, or you will lock yourself out.
----> In hosts.allow use the following format
service: host [or network/netmask], host [or network/netmask]
here host is IP address of a potential client. If we want to allow access to 192.168.0.1 and 192.168.0.2, we could add the following entry to /etc/hosts.allow
portmap: 192.168.0.1 , 192.168.0.2
For recent nfs-utils versions, we would also add the following
[these entries are harmless even if they are not supported; lockd, for example, runs in the kernel on Linux and ignores them]
lockd: 192.168.0.1 , 192.168.0.2
mountd: 192.168.0.1 , 192.168.0.2
rquotad: 192.168.0.1 , 192.168.0.2
statd: 192.168.0.1 , 192.168.0.2
---- If you intend to run NFS on a large number of machines in a local network, /etc/hosts.allow also allows network/netmask style entries (for example 192.168.0.0/255.255.255.0) in the same manner as /etc/exports above.
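To make the three-step rule concrete, here is an added example (not libwrap's own code) that evaluates hosts.allow and hosts.deny in the order described above for an IPv4 client: allow file first, then deny file, then allow by default. It covers the client forms used in this post (ALL, a single address, network/netmask) plus CIDR prefixes and a trailing-dot prefix such as 192.168.0., and ignores the optional shell-command field that hosts_access(5) permits as a third column. The two sample files are constructed and mirror the entries given above.

```python
"""Evaluate tcp_wrappers access decisions the way hosts_access(5) describes
them: hosts.allow first, then hosts.deny, then allow by default.  Added
example for this page, not libwrap's own code; IPv4 clients only.  The
sample files are constructed."""
import ipaddress
import re

HOSTS_ALLOW = """\
# constructed sample
portmap: 192.168.0.1 , 192.168.0.2
lockd, mountd, rquotad, statd: 192.168.0.0/255.255.255.0
"""

HOSTS_DENY = """\
portmap: ALL
lockd: ALL
mountd: ALL
rquotad: ALL
statd: ALL
"""


def parse_access_file(text):
    """Return [(daemon_list, client_list), ...] in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split(":")            # daemons : clients [: command]
        if len(fields) < 2:
            continue
        # hosts_access(5): list items are separated by blanks and/or commas
        daemons = re.split(r"[\s,]+", fields[0].strip())
        clients = re.split(r"[\s,]+", fields[1].strip())
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client):
    ip = ipaddress.IPv4Address(client)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        # "n.n.n.n/m.m.m.m" (netmask) or "n.n.n.n/nn" (prefix length)
        return ip in ipaddress.IPv4Network(pattern, strict=False)
    if pattern.endswith("."):
        return client.startswith(pattern)   # "192.168.0." style prefix
    return client == pattern


def rule_matches(rule, daemon, client):
    daemons, clients = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, client) for c in clients))


def hosts_access(daemon, client, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (allowed, reason) for one daemon/client pair."""
    for rule in parse_access_file(allow_text):
        if rule_matches(rule, daemon, client):
            return True, "matched /etc/hosts.allow"
    for rule in parse_access_file(deny_text):
        if rule_matches(rule, daemon, client):
            return False, "matched /etc/hosts.deny"
    return True, "no match in either file: allowed by default"


if __name__ == "__main__":
    for daemon, client in [("portmap", "192.168.0.1"), ("portmap", "192.168.0.77"),
                           ("mountd", "192.168.0.77"), ("sshd", "10.0.0.5")]:
        print(daemon, client, hosts_access(daemon, client))
```

The last case in the usage block, sshd from 10.0.0.5, is allowed even though it is not in hosts.allow, because nothing in hosts.deny names it; that is the gap an ALL:ALL deny entry closes. On a real server use `tcpdmatch portmap 192.168.0.1` (from the tcp_wrappers package) for the same check against the live files. Three caveats before relying on these files: the daemon name must be the name the wrapped process was built with (rpcbind on systems that replaced portmap); nfsd itself and lockd run in the kernel on Linux and never consult hosts.allow, and NFSv4 clients talk straight to port 2049 without asking the portmapper, so these files gate only the auxiliary RPC daemons; and several current distributions ship rpcbind and nfs-utils without libwrap at all, which you can confirm with `ldd $(command -v rpc.mountd) | grep libwrap`. Firewall rules on ports 111 and 2049 are the control that holds in every case.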