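NFS Security Settings
NFS server vulnerability scan finding: information disclosure via showmount -e on the target host (CVE-1999-0554)
Solution:
1. On the NFS server, add the following to /etc/hosts.allow: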
[root@zyfw ~]# more /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# Allow the address 10.10.10.100 to use mount
mountd:10.10.10.100:allow
# Allow the address 10.10.10.100 to use rpcbind
rpcbind:10.10.10.100:allow
2. On the NFS server, add the following to /etc/hosts.deny:
[root@zyfw ~]# more /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
mountd:ALL
rpcbind:ALL
[root@zyfw ~]#
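3. After saving, there is no need to restart the NFS-related services. Running showmount -e IP (the NFS server's IP address) on any other, unauthorized server now returns the following: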
[root@web ~]# showmount -e 10.10.10.100
rpc mount export: RPC: Authentication error; why = Failed (unspecified error)
[root@web ~]#
The result before the changes were saved:
[root@web ~]# showmount -e 10.10.10.100
Export list for 10.10.10.100:
/war/rua/webapps 10.10.10.*
/war/sptwl/webapps 10.10.10.*
[root@web ~]#
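Why both files are needed, as an added example (not code from the original post): a simplified Python model of the hosts_access(5) lookup, which consults hosts.allow first, then hosts.deny, and grants access when neither matches. It assumes mountd and rpcbind are built with TCP wrappers (libwrap) support, handles only ALL, exact IPv4 and trailing-dot prefix patterns, and all function names are illustrative.

```python
# Constructed sample input: the two files as configured in steps 1 and 2.
HOSTS_ALLOW = "mountd:10.10.10.100:allow\nrpcbind:10.10.10.100:allow\n"
HOSTS_DENY = "mountd:ALL\nrpcbind:ALL\n"

def parse_rules(text):
    """Return (daemons, clients, option) tuples; '#' lines and blanks are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        option = fields[2].lower() if len(fields) > 2 else ""
        rules.append((daemons, clients, option))
    return rules

def client_matches(pattern, ip):
    """Subset of hosts_access(5) patterns: ALL, exact IPv4, '10.10.10.' prefix."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)
    return pattern == ip

def first_match(rules, daemon, ip):
    """Option of the first rule matching daemon and client, or None if none match."""
    for daemons, clients, option in rules:
        if (daemon in daemons or "ALL" in daemons) and any(client_matches(c, ip) for c in clients):
            return option or "match"
    return None

def is_allowed(allow_text, deny_text, daemon, ip):
    """Evaluation order: hosts.allow, then hosts.deny, otherwise access is granted."""
    hit = first_match(parse_rules(allow_text), daemon, ip)
    if hit is not None:
        return hit != "deny"
    hit = first_match(parse_rules(deny_text), daemon, ip)
    if hit is not None:
        return hit == "allow"
    return True

if __name__ == "__main__":
    for ip in ("10.10.10.100", "10.10.10.50"):
        print(ip, {d: is_allowed(HOSTS_ALLOW, HOSTS_DENY, d, ip) for d in ("mountd", "rpcbind")})
```

Calling is_allowed with an empty hosts.deny returns True for every client, which is why step 2 is required: the hosts.allow entries alone do not restrict anything.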
This article is from cnblogs (博客园), author: 花之旭. When reposting, please cite the original link: https://www.cnblogs.com/huazhixu/p/16556102.html