Welcome to Linux Knowledge Base and Tutorial
"The place where you learn linux"
Linux Tutorial - Security - What You Can Do About It - NFS


NFS

NFS, by its very nature, is insecure. One of the basic premises is that you are a trusted machine to begin with. A major flaw in NFS security is that it is name-based and not based on IP address. Hostnames can be easily changed, which is an even bigger problem when access is granted to machines without domain names.

If it's not properly secured, NFS can be used to gain access to a system. You need to be sure that the filesystems that you are exporting do not allow extra permissions and that you allow access to only those machines that need it. Be specific about who has what access.

I don't recommend that any filesystem be accessible by the world unless it's completely harmless and read-only. Even then, you could still provide the files via anonymous FTP and limit the potential for compromise. An example would be your man-pages and other documentation. It might be a good idea to share this directory to every system in an effort to keep things consistent and to save space.

Even if you do implement such a system, you should not export it to the world. By making the filesystem(s) accessible to only specific machines, you limit the potential for compromise. You know exactly the consequences of what you did. By using wildcards and making the systems available to everyone, you can't be sure of what can happen.

Even if you set up your NFS "correctly", you should check the configuration at regular intervals. If your system has been compromised, it would be a simple matter for someone to add an entry or change one to give him access. The showmount command will show you a list of machines that are currently mounting your filesystems. You should use this to check to see just who is accessing your system.

Check the /etc/exports file at regular intervals to ensure that you are exporting only those directories that you think you are. Although it really is dependent on your company, the safest thing is to only export directories and filesystems to machines within your local domain. If you have machines outside of your domain, implementing a firewall that allows NFS is more difficult. Besides, I have yet to hear a convincing argument as to why it should be done at all.

The showmount command shows machines currently remotely mounting your filesystems. Only local machines should appear here. Monitor this. Only "normal", non-system directories should be mounted and they should be read-only if possible.
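The periodic checks described above can be scripted. The following is an added example, not part of the original tutorial: it reads text in /etc/exports format and `showmount -a` output and reports world or wildcard exports, clients outside the local domain, and read-write or `no_root_squash` entries. The domain `example.internal`, the function names and all sample data are constructed assumptions.

```shell
# Added example. LOCAL_DOMAIN and the sample data below are constructed.
LOCAL_DOMAIN="example.internal"
# awk helper shared by both checks: is host h a name inside domain d?
INSIDE='function inside(h, d,  s) { s = "." d
    return length(h) > length(s) && substr(h, length(h) - length(s) + 1) == s }'

# Read exports(5) text on stdin; print one finding per risky client entry.
audit_exports() {
    awk -v dom="$1" "$INSIDE"'
    NF == 0 || $1 ~ /^#/ { next }                # blank lines, comments
    NF == 1 { print "WORLD " $1; next }          # no client list at all
    { for (i = 2; i <= NF; i++) {
        host = $i; opts = ""
        if ((p = index($i, "(")) > 0) {          # split host(options)
            host = substr($i, 1, p - 1)
            opts = "," substr($i, p + 1, length($i) - p - 1) ","
        }
        if (host == "")               { host = "(anyone)"; print "WORLD " $1 }
        else if (host ~ /[*?]/)       print "WILDCARD " $1 " " host
        else if (!inside(host, dom))  print "OUTSIDE " $1 " " host
        if (opts ~ /,rw,/)             print "READWRITE " $1 " " host
        if (opts ~ /,no_root_squash,/) print "ROOTACCESS " $1 " " host
    } }'
}

# Read `showmount -a` output (client:/dir) on stdin; report non-local clients.
audit_showmount() {
    awk -F: -v dom="$1" "$INSIDE"'
    /^All mount points/ { next }                 # header line
    NF >= 2 && !inside($1, dom) { print "FOREIGN " $1 " " $2 }'
}

sample_exports() { cat <<'EOF'
# constructed sample in /etc/exports format
/usr/share/man  docs1.example.internal(ro) docs2.example.internal(ro)
/home           *.example.internal(rw)
/srv/build      build.example.internal(rw,no_root_squash)
/export/pub     (ro)
/data           partner.example.net(ro)
/scratch
EOF
}
sample_showmount() { cat <<'EOF'
All mount points on nfs1.example.internal:
docs1.example.internal:/usr/share/man
203.0.113.45:/home
EOF
}
sample_exports   | audit_exports   "$LOCAL_DOMAIN"
sample_showmount | audit_showmount "$LOCAL_DOMAIN"
```

On a real server, feed `audit_exports` from /etc/exports and pipe `showmount -a` into `audit_showmount`, for example from a cron job that mails any non-empty output.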

You can find details of setting up NFS here.

Copyright 2002-2009 by James Mohr. Licensed under modified GNU Free Documentation License (Portions of this material originally published by Prentice Hall, Pearson Education, Inc). See here for details. All rights reserved.
  
All logos and trademarks in this site are property of their respective owner. The comments are property of their posters. Articles are the property of their respective owners. Unless otherwise stated in the body of the article, article content (C) 1994-2013 by James Mohr. All rights reserved. The stylized page/paper, as well as the terms "The Linux Tutorial", "The Linux Server Tutorial", "The Linux Knowledge Base and Tutorial" and "The place where you learn Linux" are service marks of James Mohr. All rights reserved.