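NFS Security Settings
NFS server vulnerability scan finding: information disclosure through showmount -e on the target host (CVE-1999-0554)
Solution:
1. On the NFS server, add the following to /etc/hosts.allow: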
[root@zyfw ~]# more /etc/hosts.allow
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# Allow address 10.10.10.100 to use mount
mountd:10.10.10.100:allow
# Allow address 10.10.10.100 to use rpcbind
rpcbind:10.10.10.100:allow
2. On the NFS server, add the following to /etc/hosts.deny:
[root@zyfw ~]# more /etc/hosts.deny
#
# hosts.deny This file describes the names of the hosts which are
# *not* allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow. In particular
# you should know that NFS uses portmap!
mountd:ALL
rpcbind:ALL
[root@zyfw ~]#
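3. After saving, there is no need to restart the NFS-related services. On any other, unauthorized server, running showmount -e IP (where IP is the NFS server's IP address) now returns the following: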
[root@web ~]# showmount -e 10.10.10.100
rpc mount export: RPC: Authentication error; why = Failed (unspecified error)
[root@web ~]#
Output before the change was saved:
[root@web ~]# showmount -e 10.10.10.100
Export list for 10.10.10.100:
/war/rua/webapps 10.10.10.*
/war/sptwl/webapps 10.10.10.*
[root@web ~]#
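The two files from steps 1 and 2 can be checked together for a default deny plus a narrow allow list. The script below is an added example, not part of the original post; the function names rules_for and audit_daemon are hypothetical, and the sample files it audits are constructed to mirror the article's rules.

```shell
#!/bin/sh
# Added example: audit TCP Wrappers rules for the daemons named in the article.

# rules_for FILE DAEMON: print the client field of each non-comment rule in
# FILE whose daemon list names DAEMON or ALL. Options after the client field
# (":allow") are dropped. Limitation: IPv6 "[...]" clients are not parsed.
rules_for() {
    [ -r "$1" ] || return 0
    awk -F: -v d="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        {
            n = split($1, names, /[ ,\t]+/)
            for (i = 1; i <= n; i++)
                if (names[i] == d || names[i] == "ALL") {
                    gsub(/^[ \t]+|[ \t]+$/, "", $2)
                    print $2
                    break
                }
        }' "$1"
}

# audit_daemon ALLOW_FILE DENY_FILE DAEMON: succeed only when DAEMON is denied
# to ALL by default and hosts.allow does not re-open it to ALL.
audit_daemon() {
    allowed=$(rules_for "$1" "$3" | paste -sd ' ' -)
    if ! rules_for "$2" "$3" | grep -qx 'ALL'; then
        echo "FAIL $3: no default deny (ALL) in $2"
        return 1
    fi
    case " $allowed " in
        *" ALL "*) echo "FAIL $3: $1 admits ALL"; return 1 ;;
    esac
    echo "OK $3: default deny; allowed clients: ${allowed:-none}"
}

# Constructed sample mirroring the article's two files (not read from a host).
sample=$(mktemp -d)
printf 'mountd:10.10.10.100:allow\nrpcbind:10.10.10.100:allow\n' > "$sample/hosts.allow"
printf 'mountd:ALL\nrpcbind:ALL\n' > "$sample/hosts.deny"
for d in mountd rpcbind; do
    audit_daemon "$sample/hosts.allow" "$sample/hosts.deny" "$d"
done
rm -rf "$sample"
```

On the NFS server itself, call audit_daemon with /etc/hosts.allow and /etc/hosts.deny. These rules only bind daemons that are linked against libwrap, so the showmount test from step 3 remains the check that the restriction is actually enforced.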
This article is from cnblogs (博客园), author: 花之旭. When reposting, please cite the original link: https://www.cnblogs.com/huazhixu/p/16556102.html