rpcbind is the new portmap, or how to make NFS secure on Linux


I was installing an NFS server on an otherwise public host recently, and noticed that the conventional wisdom about securing an NFS server is somewhat dated. My goal was to expose NFS on two internal interfaces without exposing it to the whole wide Internet (assumptions about network security have changed a lot since NFS was designed, sadly).

For a start, on recent Debian installations you are probably running rpcbind instead of portmap, so the flags live in /etc/default/rpcbind rather than /etc/default/portmap. Bind rpcbind to the internal addresses only: -w does a warm start from the saved state file, -l turns on libwrap (tcp wrappers) connection logging, which we will rely on below, and each -h adds one address to bind to. Note that -h only restricts the UDP sockets; the TCP listener still binds to all addresses, which is why the tcp wrappers rules that follow are what actually keep outsiders away:

root@rsync1:~# cat /etc/default/rpcbind 
OPTIONS="-w -l -h 172.16.10.2 -h 192.168.0.219"

You will also need a catch-all deny rule for tcp wrappers, which rpcbind consults for every request. Add the following line to /etc/hosts.deny:

root@rsync1:~# grep rpcbind /etc/hosts.deny 
rpcbind: ALL

Now you will notice that rpcinfo -p still works fine on localhost. That is because rpcbind always listens on the loopback address (it adds 127.0.0.1, and ::1 when IPv6 is enabled, to any -h list), and requests from the local machine are not what we are trying to block, so the deny rule has to be tested from another machine:

root@rsync1-dev:~# rpcinfo -p 192.168.0.219
rpcinfo: can't contact portmapper: RPC: Authentication error; why = Client credential too weak

That's more like it! If we take a look at the log…

root@rsync1:~# tail -1 /var/log/auth.log
May  8 20:31:51 rsync1 rpcbind: connect from 192.168.0.21 to dump(): request from unauthorized host

…we don't even have to guess the client's IP address: with -l enabled, rpcbind logs every denied request together with the address it came from. We'll allow this host to connect with the following entry in /etc/hosts.allow, which tcp wrappers consults before /etc/hosts.deny:

root@rsync1:~# grep rpcbind /etc/hosts.allow 
rpcbind: 192.168.0.21

We can also check our tcp wrappers configuration without touching the client, using tcpdmatch to ask what decision the current hosts.allow and hosts.deny would produce for a given daemon and client address:

root@rsync1:~# tcpdmatch rpcbind 192.168.0.21
client:   address  192.168.0.21
server:   process  rpcbind
access:   granted
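The whole procedure above (bind addresses in /etc/default/rpcbind, the catch-all hosts.deny rule, a hosts.allow rule derived from the "request from unauthorized host" log lines, and a tcpdmatch check) as one script. This is an added example, not code from the original post: the auth.log excerpt and the addresses are constructed sample data, the first argument to install_fragments is an assumed staging root so the files can be generated into a scratch directory instead of /etc, and the verification uses tcpdmatch's -d option, which reads hosts.allow and hosts.deny from the current directory.

```shell
#!/bin/sh
# Added example (not from the original post). Renders the rpcbind lock-down
# fragments discussed above, extracts client addresses from rpcbind's libwrap
# denials in auth.log, and checks the staged rules with tcpdmatch -d.
# The log excerpt and addresses are constructed sample data; the "root"
# argument is an assumed parameter for staging files outside /etc.
set -eu

# OPTIONS line for /etc/default/rpcbind: -w warm start, -l libwrap logging,
# one -h per internal address (rpcbind adds 127.0.0.1/::1 itself).
render_rpcbind_options() {
    opts="-w -l"
    for addr in "$@"; do opts="$opts -h $addr"; done
    printf 'OPTIONS="%s"\n' "$opts"
}

# hosts.allow rule; tcp wrappers accept a comma-separated client list.
render_hosts_allow() {
    list=""
    for c in "$@"; do list="${list:+$list, }$c"; done
    printf 'rpcbind: %s\n' "$list"
}

# hosts.deny rule. hosts.allow is consulted first, so listed clients still win.
render_hosts_deny() { printf 'rpcbind: ALL\n'; }

# Unique client addresses from lines such as
#   rpcbind: connect from 192.168.0.21 to dump(): request from unauthorized host
# Reads log text on stdin; matches IPv4 and IPv6 literals, ignores other daemons.
unauthorized_clients() {
    sed -n 's/.*rpcbind: connect from \([0-9A-Fa-f.:]*\) to .*request from unauthorized host.*/\1/p' | sort -u
}

# Replace only the rpcbind rule in a hosts.allow/hosts.deny file, keeping
# rules for other services intact.
replace_rpcbind_rule() {
    file=$1 rule=$2
    tmp=$(mktemp)
    if [ -f "$file" ]; then grep -v '^rpcbind:' "$file" > "$tmp" || true; fi
    printf '%s\n' "$rule" >> "$tmp"
    mv "$tmp" "$file"
}

# Stage all three files under $1 (pass "" for the live system).
#   $2: space-separated internal bind addresses
#   $3: space-separated allowed client addresses
install_fragments() {
    root=$1 binds=$2 clients=$3
    mkdir -p "$root/etc/default"
    render_rpcbind_options $binds > "$root/etc/default/rpcbind"
    replace_rpcbind_rule "$root/etc/hosts.allow" "$(render_hosts_allow $clients)"
    replace_rpcbind_rule "$root/etc/hosts.deny"  "$(render_hosts_deny)"
}

# Ask tcpdmatch about the staged rules (-d reads hosts.allow/hosts.deny from
# the current directory). Returns 0 only if every client is granted; returns 0
# with a warning when tcpdmatch is not installed.
verify_clients() {
    root=$1; shift
    command -v tcpdmatch >/dev/null 2>&1 || { echo "tcpdmatch not installed, skipping check" >&2; return 0; }
    for c in "$@"; do
        (cd "$root/etc" && tcpdmatch -d rpcbind "$c") | grep -q 'access: *granted' || return 1
    done
}

# Constructed auth.log excerpt: two denied clients (one repeated) and an
# unrelated sshd line that must be ignored.
SAMPLE_LOG='May  8 20:31:51 rsync1 rpcbind: connect from 192.168.0.21 to dump(): request from unauthorized host
May  8 20:32:02 rsync1 sshd[2231]: Accepted publickey for root from 192.168.0.21 port 41110 ssh2
May  8 20:33:10 rsync1 rpcbind: connect from 172.16.10.7 to getport/addr(nfs): request from unauthorized host
May  8 20:33:12 rsync1 rpcbind: connect from 192.168.0.21 to dump(): request from unauthorized host'

demo() {
    root=$(mktemp -d)
    clients=$(printf '%s\n' "$SAMPLE_LOG" | unauthorized_clients | tr '\n' ' ')
    install_fragments "$root" "172.16.10.2 192.168.0.219" "$clients"
    for f in default/rpcbind hosts.allow hosts.deny; do
        printf '== %s ==\n' "$f"; cat "$root/etc/$f"
    done
    verify_clients "$root" $clients && echo "tcp wrappers rules grant the allowed clients"
}

if [ "${1:-}" = --demo ]; then demo; fi
```

Run it with --demo to see the three generated files for the sample log; pass "" as the root to install_fragments only after reviewing the staged output, and restart rpcbind afterwards, since the OPTIONS line is read only at start-up.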

Ref : http://blog.rot13.org/2012/05/rpcbind-is-new-portmap-or-how-to-make-nfs-secure.html
