Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
I think that with this configuration there will be no client host that can mount from my server. However, any of these eight client hosts can mount from my server (the mount command is always successful). This means that there is no security on the server, and the remote client is still allowed to contact the mountd daemon while the mountd daemon is denied from ALL in the latter file. I don't know why.
If anyone knows the reason please answer me.
The problem I can't understand here is why the mount command from the client to the server is still successful, whereas the /etc/hosts.deny file on the server is configured to ban all access to the mountd daemon on the server.
With the configuration of this /etc/hosts.deny file, all I hope is that when the client mounts from the server, it will receive an UNsuccessful message from the server.
Now I always receive the successful message from the server when the mount command is run from the client. I don't know why.
My guess would be because you are allowing "ALL" access to the portmapper, which perhaps is then calling the other daemons. (?)
Also, I think I misspoke above. Not having clients specified shouldn't allow access if you have the daemons denied in hosts.deny -- I'll edit that out in case it caused any confusion, apologies.
So try that (removing portmap:ALL from hosts.allow), and post back.
P.S. In case it helps clarify, hosts.allow is read first. If the client is in there, access is allowed. If the client is not in there, hosts.deny is read to see if the client is explicitly blocked. If it's not, it gets access. So that's why I say my guess is that the portmap:ALL in hosts.allow is granting access, and then hosts.deny is not even read.
Last edited by synaptical; 06-30-2005 at 11:16 PM.
I think that the portmapper just provides the port number of the mountd daemon on the server to the client, so the client will access the mountd daemon via this port number. At this point, when the client accesses the mountd daemon via the port number, it will be banned because of the /etc/hosts.deny file. But it is still allowed.
I think it may be due to other causes, but I don't know which.
You do realize that the allowed hosts are specified in the /etc/exports file for NFS, so I don't see the need to deny hosts with your /etc/hosts.deny file or allow them with the allow file, as you can do all of this simply with your exports file to determine who can mount what.
Thanks for your reply.
I am not sure that is entirely true, as you are missing the point that the mount is being allowed somewhere before the system is even reading your deny file, most likely in the exportfs, as trickykid said.
But even if that isn't the case, instead of asking for a theoretical reason, IMO you should just start experimenting until you find the variable that is allowing it.
Yes, you are right. tcp_wrappers first checks the hosts.allow file. If a rule matches, then the service is allowed. So the right thing to do is to remove that offending line from the hosts.allow file.
You might try this rule in the hosts.allow file:
portmap:ALL EXCEPT .yourdomain.com :deny
where yourdomain.com is the domain/IP address of your internal LAN. If you are using an IP address, just the network portion of the address will do, with a leading dot (.).
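To make the search order discussed in this thread concrete, here is a small model of the hosts_access(5) / hosts_options(5) decision that a libwrap-linked daemon makes for each incoming request. This is an added example, not code from the thread or from the tcp_wrappers package, and the file contents, hostnames and addresses in it are constructed. Two documented facts drive the results: the match is done per daemon name (a `portmap` line says nothing about `mountd`), and a client excluded by `EXCEPT` does not match that line at all, so it falls through to hosts.deny, where no match at all means access is granted. Whether rpc.mountd consults these files depends on it having been built with libwrap; the host list in /etc/exports is enforced regardless, which is trickykid's point above.

```python
"""Model of the tcp_wrappers access decision (hosts_access(5), hosts_options(5)).
Added example; sample files, hosts and addresses below are constructed."""
import ipaddress


def match_client(pattern, host, addr):
    """One client pattern against a (hostname, address) pair."""
    if pattern == "ALL":
        return True
    if pattern.startswith("."):           # ".lan.example": hostname suffix
        return host is not None and host.endswith(pattern)
    if pattern.endswith("."):             # "192.168.1.": address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                    # "192.168.1.0/255.255.255.0" or CIDR
        try:
            return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern in (host, addr)        # exact hostname or address


def match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def match_list(pattern_list, matches):
    """'list_1 EXCEPT list_2' matches list_1 unless list_2 also matches.
    EXCEPT nests to the right: 'a EXCEPT b EXCEPT c' is a EXCEPT (b EXCEPT c)."""
    tokens = pattern_list.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (match_list(" ".join(tokens[:i]), matches)
                and not match_list(" ".join(tokens[i + 1:]), matches))
    return any(matches(t) for t in tokens)


def parse_rules(text):
    """Lines of 'daemon_list : client_list [: option ...]'; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0], fields[1], [o.lower() for o in fields[2:]]))
    return rules


def hosts_access(daemon, host, addr, hosts_allow, hosts_deny):
    """True if libwrap would grant access.  Search order: hosts.allow, then
    hosts.deny, then grant by default.  The first matching line decides; an
    explicit 'allow'/'deny' option overrides that file's default verdict."""
    for default, text in (("allow", hosts_allow), ("deny", hosts_deny)):
        for daemons, clients, options in parse_rules(text):
            if (match_list(daemons, lambda p: match_daemon(p, daemon))
                    and match_list(clients, lambda p: match_client(p, host, addr))):
                verdict = default
                for opt in options:
                    if opt in ("allow", "deny"):
                        verdict = opt
                return verdict == "allow"
    return True


# Constructed to mirror the thread: portmap open to everyone in hosts.allow,
# mountd refused to everyone in hosts.deny.
THREAD_ALLOW = "portmap: ALL\n"
THREAD_DENY = "mountd: ALL\n"

# Constructed LAN variant: the EXCEPT/:deny form plus an address-prefix rule
# (note the trailing dot for an address prefix, leading dot for a domain).
LAN_ALLOW = """
portmap: .lan.example
portmap: ALL EXCEPT .lan.example : deny
mountd, nfsd: 192.168.1.
"""
LAN_DENY = "ALL: ALL\n"


def thread_verdicts(host="pc1.lan.example", addr="192.168.1.5"):
    """Per-daemon verdicts for the thread's files: the portmap line never covers mountd."""
    return {d: hosts_access(d, host, addr, THREAD_ALLOW, THREAD_DENY)
            for d in ("portmap", "mountd")}


def lan_verdicts(daemon, hosts_deny=LAN_DENY):
    """Verdicts for an inside and an outside client under the LAN files."""
    return {
        "inside": hosts_access(daemon, "pc1.lan.example", "192.168.1.5", LAN_ALLOW, hosts_deny),
        "outside": hosts_access(daemon, "box.other.example", "203.0.113.7", LAN_ALLOW, hosts_deny),
    }


if __name__ == "__main__":
    print("thread files:", thread_verdicts())
    for d in ("portmap", "mountd"):
        print(d, lan_verdicts(d), "without ALL:ALL in hosts.deny:", lan_verdicts(d, ""))
```

Under these rules the thread's files yield portmap granted and mountd refused for every client, so a mount that still succeeds points at a daemon that is not consulting libwrap or at /etc/exports, not at the portmap line. The LAN variant also shows why a catch-all `ALL: ALL` in hosts.deny matters: pass an empty hosts.deny to `lan_verdicts` and the outside client gets mountd, because no match in either file is a grant.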