LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 12-14-2006, 12:44 AM   #1
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
NFS insecure?


NEVERMIND: Having thought about this more, I don't even need NFS. I can just use SSH to do the remote backups from server A to server B.





------------------------------
I keep reading about how NFS is insecure. Without getting too technical, I was wondering if this is a secure enough measure.

I want to backup files from server A to backup server B using rsync in our network. The problem is that our network is a WAN/LAN. I know that's confusing, but basically all IP addresses are accessible from the outside world, yet all nodes in our network are seen as a LAN locally. This is how our institution sets it up. I can't change that.

My plan: Set up an NFS from server A to server B, specifying the IP address.
Edit the hosts.deny
Code:
#hosts deny on Server B
ALL:ALL.
Edit the hosts.allow
Code:
#hosts.allow on Server B
SSH: server A
NFS: server A
I will then use rsync over SSH to transfer the files through NFS on a nightly basis.

So, having said that, is this secure enough??? Sure, there could be a remote chance that someone could spoof the IP address???

Last edited by Micro420; 12-14-2006 at 01:01 AM.
 
Old 12-14-2006, 06:09 AM   #2
Gethyn
Member
 
Registered: Aug 2003
Location: UK
Distribution: (X)Ubuntu 10.04/10.10, Debian 5, CentOS 5
Posts: 900

Rep: Reputation: 32
You might want to investigate rsync as a method of doing backups. It uses ssh, so it's secure, but it also only does incremental copies, i.e. it only downloads the sections of files that have changed.
 
Old 12-14-2006, 07:08 AM   #3
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
There are steps to take to harden the security of NFS (NFSHowto)
It is a complex thing if you also include portmap.
Also you are right about spoofing risks since its udp based.
 
Old 12-14-2006, 10:30 AM   #4
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
Quote:
Originally Posted by nx5000
There are steps to take to harden the security of NFS (NFSHowto)
It is a complex thing if you also include portmap.
Also you are right about spoofing risks since its udp based.
Why is it more of a risk if its UDP? It's the IP address that's going to get spoofed. The IP is present in TCP as well so isnt it an equal risk. Or is there more to IP spoofing than just opening up the file and putting in the "right" IP address?

Cheers
Arvind
 
Old 12-14-2006, 10:53 AM   #5
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by live_dont_exist
Or is there more to IP spoofing than just opening up the file and putting in the "right" IP address?

Cheers
Arvind
Compare the headers of tcp and udp:
http://www.ietf.org/rfc/rfc0768.txt first page
http://www.ietf.org/rfc/rfc0793.txt Chapter 3

For tcp, yes its more that putting the right address!
The "Sequence Number" is not trivial to guess...
 
Old 12-14-2006, 01:22 PM   #6
live_dont_exist
Member
 
Registered: Aug 2004
Location: India
Distribution: Redhat 9.0,FC3,FC5,FC10
Posts: 257

Rep: Reputation: 30
Thnx...I knew there was a difference in the headers though. The sequence number guessing would come into play incase of a TCP connection. I spent 45 minutes going back to the drawing board and reading about Kevin Mitnick .

So correct me if I'm wrong
TCP:
If Server B is the "victim" in this case and trusts ServerA completely Attacker X will 1)First identify how Server A generates its sequence numbers
2)DOS Server A so it cant respond to anything at all
3)Construct a fake packet with Server A's address and send it to B
4)When B sends back the SYN ACK to "A"(something it didnt request) A doesnt respond wwith a RST coz it'ss been DOS'ed by Attacker X
5)Attacker X now sends back the ACK again spoofing A's IP address , he can predict what number he should send because of his earlier analysis.

UDP:
There's no handshake at all so there's no sequence number. All X will have to do is construct a fake packet with A's IP and a known source port(in this case the port A uses to communicate with B for rsync??). So now B thinks a packet is coming from A and grants X control.

The UDP bit is still sounding vague...I think I'm on the right lines but in the case of rsync which is being used for backup what will the Server B throw back to X? Is it a shell? If yes..how?

Do let me know where I'm fumbling.

Thnx
Arvind
 
Old 12-14-2006, 05:06 PM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
NFS uses UDP historically. rsync does not use UDP. The reason why NFS got a reputation for being insecure is because a) primarily uses UDP, which is easily spoofed & forged b) access control based on IP addresses (vulnerable because of a.) c) authorization is based on UIDs, and the system exporting the mount will allow users from remote systems access to files with their UID (so remote user can give themself a UID of a user who's data they want to read).
 
Old 12-14-2006, 06:59 PM   #8
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Original Poster
Rep: Reputation: 45
After reading some details of it all, I am definitely NOT going to use NFS, especially if it is accessible to the outside world. I'll stick with rsync over SSH.
 
Old 12-15-2006, 01:56 AM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
BTW NFSv4 has drastically increased security features and is supposedly Internet-safe. I myself have not checked it out yet, though. I'm not even certain what OSs are shipping with NFSv4 support and whether they enable it by default.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
xlock insecure... Synesthesia Linux - General 5 02-05-2006 12:36 AM
is pserver (CVS) insecure? bschiett Linux - Newbie 3 03-29-2005 03:52 AM
Telnet is insecure but ... Q*Bert Linux - Security 2 03-29-2003 01:21 PM
/etc/exports: insecure meshcurrent Linux - Security 2 03-16-2003 04:01 AM
Netscape6.2 insecure? LabRad Linux - General 2 04-15-2002 12:42 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 05:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration