access security to services NFS

vivaviva · 12-06-2009, 03:20 AM

Hi,

For reason of access security, to authorize only one machine customer chosen to reach services NFS by using the files hosts.deny and hosts.allow.

I do not find which line to be added in the file hosts.deny and/or hosts.allow?

Thinks.

camorri · 12-06-2009, 06:40 AM

To deny everything, add these lines to /etc/hosts.deny

Quote:

cat /etc/hosts.deny
portmap:ALL
lockd:ALL
mountd:ALL
rquotad:ALL
statd:ALL
ALL:ALL

This blocks all access, including services like ssh. Now to allow what you want through, edit /etc/hosts.allow, and add the things you want through. It will look like this:

Quote:

portmap: 192.168.1.20 , 192.168.1.21 ,

lockd: 192.168.1.20 , 192.168.1.21 ,
rquotad: 192.168.1.20 , 192.168.1.21 ,
mountd: 192.168.1.20 , 192.168.1.21 ,
statd: 192.168.1.20 , 192.168.1.21 ,
sshd sshd1 sshd2 : 192.168.1.20 , 192.168.1.21 ,

The allow file is a comma separated list of IP's to allow. I believe the allow file rules are applied first, first match stops processing, and then the deny rules are applied if there are no matches. See the man page for hosts.allow. There are several different ways of specifying IP addresses. I just use a simple list for a small network. I had to add ssh to this file, without it ssh was blocked. Ssh is not required for NFS.

vivaviva · 12-06-2009, 01:23 PM

$ rpcinfo -p

The result of this command is :

Quote:

program no_version protocole no_port
100000 2 tcp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 46082 status
100024 1 tcp 55450 status
100003 2 udp 2049 nfs
100003 3 udp 2049 nfs
100003 4 udp 2049 nfs
100021 1 udp 48126 nlockmgr
100021 3 udp 48126 nlockmgr
100021 4 udp 48126 nlockmgr
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
100021 1 tcp 59252 nlockmgr
100021 3 tcp 59252 nlockmgr
100021 4 tcp 59252 nlockmgr
100005 1 udp 52960 mountd
100005 1 tcp 49589 mountd
100005 2 udp 52960 mountd
100005 2 tcp 49589 mountd
100005 3 udp 52960 mountd
100005 3 tcp 49589 mountd

Is it correct to make this :

/etc/hosts.deny:

Quote:

portmapper:ALL
status:ALL
nlockmgr:ALL
mountd:ALL

/etc/hosts.allow:

Quote:

portmapper:192.168.0.2
status:192.168.0.2
nlockmgr:192.168.0.2
mountd:192.168.0.2

camorri · 12-06-2009, 02:47 PM

As far as I know that is O.K. You may want to do some more testing, and checking. Here is the best reference I have come across.

-->http://www.linuxselfhelp.com/HOWTO/N.../security.html

chrism01 · 12-06-2009, 10:26 PM

The /etc/hosts.allow file is read first, then /etc/hosts.deny.
Generally, you just want ALL:ALL in hosts.deny for the above.
http://linux.die.net/man/5/hosts.allow

camorri · 12-07-2009, 09:23 AM

Chris, thank-you for the correction. I updated my comment on allow deny.

vivaviva · 12-08-2009, 12:46 AM

Please, what is the new correction to put in 'hosts.deny' and 'hosts.allow'?

Is my answer above true ?

Thanks.

linuxlover.chaitanya · 12-08-2009, 01:35 AM

As Chris said, hosts.allow file is read first, so you should be fine with putting ALL:ALL in hosts.deny and then put the services and hosts that you want to allow in hosts.allow.

vivaviva · 12-08-2009, 01:44 AM

/etc/hosts.deny:

Quote:

ALL:ALL

/etc/hosts.allow:

Quote:

portmapper:192.168.0.2
status:192.168.0.2
nlockmgr:192.168.0.2
mountd:192.168.0.2

It is that ?

linuxlover.chaitanya · 12-08-2009, 02:47 AM

Yes. That looks absolutely fine to me.