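NFS Security Settings

NFS server vulnerability scan finding: showmount -e information disclosure on the target host (CVE-1999-0554)

Solution:

1. On the NFS server, add the following to /etc/hosts.allow: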

[root@zyfw ~]# more /etc/hosts.allow
#
# hosts.allow    This file describes the names of the hosts which are
#        allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#

# allow the .100 address to use mount
mountd:10.10.10.100:allow

# allow the .100 address to use rpcbind
rpcbind:10.10.10.100:allow

 

2. On the NFS server, add the following to /etc/hosts.deny:

[root@zyfw ~]# more /etc/hosts.deny
#
# hosts.deny    This file describes the names of the hosts which are
#        *not* allowed to use the local INET services, as decided
#        by the '/usr/sbin/tcpd' server.
#
# The portmap line is redundant, but it is left to remind you that
# the new secure portmap uses hosts.deny and hosts.allow.  In particular
# you should know that NFS uses portmap!


mountd:ALL
rpcbind:ALL
[root@zyfw ~]#

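3. After saving, there is no need to restart the NFS-related services. Running showmount -e IP (the NFS server's IP address) on any other, unauthorized server returns the following: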

[root@web ~]# showmount -e 10.10.10.100
rpc mount export: RPC: Authentication error; why = Failed (unspecified error)
[root@web ~]#

Output before the change was saved:

[root@web ~]# showmount -e 10.10.10.100
Export list for 10.10.10.100:
/war/rua/webapps   10.10.10.*
/war/sptwl/webapps 10.10.10.*
[root@web ~]#
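
Steps 1 and 2 are both needed because of the order in which the two files are consulted: a match in hosts.allow grants access, otherwise a match in hosts.deny refuses it, and a client matching neither file is allowed. The script below is an added example, not part of the original post, that models this lookup for exact IPv4 addresses and ALL only; the function names, the temporary files and the client 10.10.10.55 are constructed for illustration.

```shell
#!/bin/sh
# Simplified model of the hosts.allow / hosts.deny lookup order.
# Assumptions: only exact IPv4 addresses and the ALL wildcard are matched;
# netmasks, hostnames, EXCEPT and option fields other than "allow" are ignored.

# rule_matches FILE DAEMON CLIENT -> exit status 0 if a rule in FILE matches
rule_matches() {
    awk -F: -v d="$2" -v c="$3" '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF < 2         { next }                  # not a daemon:client rule
        {
            nd = split($1, daemons, /[ \t,]+/)   # daemon list
            nc = split($2, clients, /[ \t,]+/)   # client list
            dm = 0; cm = 0
            for (i = 1; i <= nd; i++) if (daemons[i] == d || daemons[i] == "ALL") dm = 1
            for (i = 1; i <= nc; i++) if (clients[i] == c || clients[i] == "ALL") cm = 1
            if (dm && cm) { found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# tcpd_verdict ALLOW_FILE DENY_FILE DAEMON CLIENT -> prints "allow" or "deny"
tcpd_verdict() {
    if rule_matches "$1" "$3" "$4"; then echo allow    # 1. hosts.allow match wins
    elif rule_matches "$2" "$3" "$4"; then echo deny   # 2. then hosts.deny
    else echo allow                                    # 3. no match: access granted
    fi
}

# Constructed copies of the rules from steps 1 and 2, plus an empty deny file
# that represents a server where step 2 was skipped.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'mountd:10.10.10.100:allow' 'rpcbind:10.10.10.100:allow' > "$demo_dir/hosts.allow"
printf '%s\n' 'mountd:ALL' 'rpcbind:ALL' > "$demo_dir/hosts.deny"
: > "$demo_dir/empty.deny"

for client in 10.10.10.100 10.10.10.55; do       # 10.10.10.55: constructed client
    for daemon in mountd rpcbind; do
        with=$(tcpd_verdict "$demo_dir/hosts.allow" "$demo_dir/hosts.deny" "$daemon" "$client")
        without=$(tcpd_verdict "$demo_dir/hosts.allow" "$demo_dir/empty.deny" "$daemon" "$client")
        echo "$daemon from $client: $with (step 2 skipped: $without)"
    done
done
```

The "step 2 skipped" column shows that the allow entries alone restrict nothing: without the ALL entries in hosts.deny, every client is still permitted.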

 

posted @ 2022-08-05 22:37  花之旭