[ale] [Fwd: NIS / NFS server lockdown]
Jonathan Glass
jonathan.glass at ibb.gatech.edu
Thu Oct 30 18:37:06 EST 2003
Wow! Thanks to Steven Marzec for some awesome pointers! I hope these
will help someone else secure their NFS/NIS servers.
Jonathan Glass
-------- Original Message --------
Trick or Treat:
Here is a great way to really lock down your NFS servers on Linux. The
following will pin down the rpc ports so you can target them in your
ipchains/iptables rulesets.
http://www.lowth.com/LinWiz/nfs_help.html
This sets up fixed ports for:
rpc.statd
rpc.lockd
rpc.mountd
rpc.rquotad
To pin down NIS/YP services do the following:
(I chose ports 900-902)
/etc/init.d/ypserv
daemon ypserv $YPSERV_ARGS # Edit this line as:
daemon ypserv $YPSERV_ARGS -p 900
/etc/init.d/yppasswdd
daemon rpc.yppasswdd $YPPASSWDD_ARGS # Edit this line as:
daemon rpc.yppasswdd $YPPASSWDD_ARGS --port 901
/etc/init.d/ypxfrd
daemon rpc.ypxfrd $YPXFRD_ARGS # Edit this line as:
daemon rpc.ypxfrd $YPXFRD_ARGS -p 902
I also added these lines to the /etc/services just for fun:
ypserv 900/tcp
ypserv 900/udp
yppasswdd 901/tcp
yppasswdd 901/udp
fypxfrd 902/tcp
fypxfrd 902/udp
Also tossed these lines in /etc/sysconfig/iptables:
# NFS
# additional info at http://www.lowth.com/LinWiz/nfs_help.html
# (iptables masks 128.61.134.1/24 to the network 128.61.134.0/24; the host bit is ignored)
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 111 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 2049 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 4000 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 4000 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 4001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 4001 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 4002 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 4002 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 4003 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 4003 -j ACCEPT
# NIS - ypserv, yppasswdd, fypxfrd (rpcinfo -p)
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 900 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 900 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 901 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 901 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp -s 128.61.134.1/24 --dport 902 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 128.61.134.1/24 --dport 902 -j ACCEPT
Here is one other neat trick to add to all your clients. This will
prevent you from ever having to open up a client to any server for
services.
-A RH-Lokkit-0-50-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
I have put all these into use and it really simplifies the security end.
Enjoy,
--
Steven Marzec
Operating System Administrator
Department of Biomedical Engineering
Emory University / Georgia Institute of Technology
404-727-5548 (Emory)
404-385-1572 (Ga Tech)
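The weak point of the procedure above is that the daemons and the firewall are pinned separately, so a missed init-script edit (or a package upgrade that rewrites it) leaves a service back on a portmapper-assigned port that the rules silently do not cover. The script below is an added example, not code from the post or from the lowth.com page: it checks `rpcinfo -p` output against one expected service/port list and generates the matching `-A ... -j ACCEPT` lines from that same list. The NIS ports are the ones chosen in the post; the assignment of 4000-4003 to status/nlockmgr/mountd/rquotad is an assumption (the post opens those four ports but does not say which daemon got which), and the `rpcinfo -p` sample is constructed, with rquotad deliberately left on an unpinned port.

```shell
#!/bin/sh
# Added example (not from the original post): verify that RPC services really
# advertise only the pinned ports, and generate the matching iptables ACCEPT
# rules from the same list so the firewall and the daemons cannot drift apart.

# Expected "service:port" pairs, using the names rpcinfo -p prints. The NIS
# ports are the ones chosen in the post; 4000-4003 for
# status/nlockmgr/mountd/rquotad is an ASSUMED mapping, adjust it to whatever
# your lowth.com-style pinning actually configured.
EXPECTED="portmapper:111 nfs:2049 status:4000 nlockmgr:4001 mountd:4002 rquotad:4003 ypserv:900 yppasswdd:901 fypxfrd:902"

# Constructed 'rpcinfo -p' output for a server after pinning. The rquotad line
# deliberately shows a portmapper-assigned port (1045) so the check has
# something to catch.
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100004    2   udp    900  ypserv
    100004    2   tcp    900  ypserv
    100009    1   udp    901  yppasswdd
    100069    1   udp    902  fypxfrd
    100069    1   tcp    902  fypxfrd
    100003    2   udp   2049  nfs
    100003    2   tcp   2049  nfs
    100024    1   udp   4000  status
    100021    1   udp   4001  nlockmgr
    100005    1   udp   4002  mountd
    100005    1   tcp   4002  mountd
    100011    1   udp   1045  rquotad'

# check_pinned_ports: reads rpcinfo -p output on stdin. Prints one line for
# every service that sits on an unexpected port (DRIFT) or is not in the
# expected list at all (UNEXPECTED, e.g. a daemon nobody meant to run).
# Exit status is 0 only when everything matches.
# On a live server:  rpcinfo -p | check_pinned_ports
check_pinned_ports() {
    awk -v expected="$EXPECTED" '
    BEGIN {
        n = split(expected, pairs, " ")
        for (i = 1; i <= n; i++) {
            split(pairs[i], kv, ":")
            want[kv[1]] = kv[2]
        }
    }
    $1 == "program" { next }              # column header line
    NF == 5 {
        svc = $5; port = $4; proto = $3
        if (!(svc in want)) {
            printf "UNEXPECTED %s on %s/%s\n", svc, port, proto; bad = 1
        } else if (want[svc] != port) {
            printf "DRIFT %s on %s/%s, expected %s\n", svc, port, proto, want[svc]; bad = 1
        }
    }
    END { exit bad }'
}

# gen_rules SRC_NET [CHAIN]: prints tcp and udp ACCEPT rules for every
# expected port, restricted to SRC_NET, in the /etc/sysconfig/iptables syntax
# the post uses. The chain name defaults to the one from the post.
gen_rules() {
    src="$1"; chain="${2:-RH-Lokkit-0-50-INPUT}"
    for pair in $EXPECTED; do
        port="${pair#*:}"
        for proto in tcp udp; do
            printf '%s %s -p %s -m %s -s %s --dport %s -j ACCEPT\n' \
                "-A" "$chain" "$proto" "$proto" "$src" "$port"
        done
    done
}

# Demonstration against the constructed sample: reports the rquotad drift,
# then prints the 18 rules for the network used in the post.
printf '%s\n' "$SAMPLE_RPCINFO" | check_pinned_ports || echo "port pinning check FAILED"
gen_rules 128.61.134.0/24
```

Run the check from cron or after every package update; a non-zero exit means a daemon is no longer where the firewall expects it, which is exactly the case where the rule set quietly stops protecting that service.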