LinuxQuestions.org

Linux - Security: /etc/hosts.deny not blocking hosts from using NFS - Centos (https://www.linuxquestions.org/questions/linux-security-4/etc-hosts-deny-not-blocking-hosts-from-using-nfs-centos-942739/)

m223464 05-01-2012 10:29 AM

/etc/hosts.deny not blocking hosts from using NFS - Centos
 
Hi,

I've trawled through the forum to see if this topic's been covered but can't find anything.

I'm trying to figure out how you deny particular hosts from mounting NFS mounts. Everything I've read online points to using hosts.deny for this type of security but I can't get it to work.

e.g.
server1 has nfs running with the following configuration, however server2 is still able to mount /data without any issue.

/etc/exports:

    /data *(ro)

/etc/hosts.deny:

    ALL:ALL

/etc/hosts.allow is empty

This config of hosts.deny is working for protocols such as ssh but not nfs.

Can anyone advise me why this isn't working, or the correct method to restrict servers from access to NFS mounts?

thanks

Gareth

MensaWater 05-01-2012 01:55 PM

No. You use /etc/exports to say which hosts can mount. The way you have it set up, all hosts can currently mount /data as a read-only filesystem.

For example you could set up:

    /directory 192.168.1.0/22(rw,no_root_squash,insecure) 10.0.4.5(rw,no_root_squash)

That would tell it to allow all hosts in the 192.168.1.0 subnet to mount with the options shown and also allow the host at 10.0.4.5 to mount with the options shown for it. No other host would be able to mount. Usually the list of hosts you want to allow is shorter than the list you don't want.

/etc/hosts.allow and /etc/hosts.deny are used for tcp wrappers and only applications that are tcp wrapper aware can use them.

If you type "man exports" you'll get more information about the structure of /etc/exports.
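Added example, not code from the thread: a small Python parser that applies the exports(5) client matching MensaWater describes (wildcard, CIDR, literal IP, hostname glob) to a constructed sample exports file, so you can see exactly which hosts each export line admits and which lines are open to everyone. It assumes first-match ordering across a line's client specs, which is a simplification of mountd's behaviour.

```python
import fnmatch
import ipaddress
import re

# Constructed sample, not the poster's file: the question's world-readable /data, the
# reply's CIDR-restricted /directory, and a /pub line with a space before its options.
SAMPLE_EXPORTS = """\
/data *(ro)
/directory 192.168.1.0/22(rw,no_root_squash,insecure) 10.0.4.5(rw,no_root_squash)
/pub 10.0.4.0/24 (rw)
"""
CLIENT_RE = re.compile(r"^([^(]*)(?:\(([^)]*)\))?$")  # client[(opt,opt,...)]

def parse_exports(text):
    """Return {path: [(client_spec, [options]), ...]}; spec '' or '*' means any host."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        entries = []
        for token in clients:
            client, opts = CLIENT_RE.match(token).groups()
            entries.append((client, opts.split(",") if opts else []))
        exports[path] = entries
    return exports

def client_matches(spec, ip, hostname=None):
    """True if a wildcard, CIDR, literal IP or hostname-glob spec covers this host."""
    if spec in ("", "*"):
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in spec:
        return addr in ipaddress.ip_network(spec, strict=False)
    try:
        return addr == ipaddress.ip_address(spec)
    except ValueError:  # not an address, so treat it as a hostname pattern
        return hostname is not None and fnmatch.fnmatch(hostname, spec)

def access_for(exports, path, ip, hostname=None):
    """Options of the first matching client spec, or None if the host cannot mount."""
    for spec, opts in exports.get(path, []):
        if client_matches(spec, ip, hostname):
            return opts
    return None

def world_open(exports):
    """Paths any host can mount: the case hosts.deny cannot fix for NFS."""
    return sorted(p for p, ents in exports.items() if any(s in ("", "*") for s, _ in ents))
```

Note that `/pub 10.0.4.0/24 (rw)` parses as two client specs, the subnet with default options and a bare `(rw)` that applies to every host, which is why the space is a footgun.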

m223464 05-01-2012 03:34 PM

Thanks for your explanation. I had checked the man page prior to posting but had read in various articles online that hosts.allow/deny and exports were related.

chrism01 05-10-2012 08:54 PM

As per MensaWater, you start by restricting what is exported to whom in the NFS exports file.

You may(!) want to fine tune that by restricting the portmap daemon via tcp wrappers http://www.linuxtopia.org/online_boo...appers-purpose.

Note that NFSv4 does not use portmap, so if using that, check whether it uses tcp wrappers (i.e. hosts.allow, hosts.deny) using the technique here http://www.linuxtopia.org/online_boo...d-TCP_Wrappers.

Alternately, there's always iptables ...
