Dear list readers,
we have been extensively using NFS to export file systems to other computers. Since we are now in a phase of reauditing our network for security, we are searching for an alternative to that very insecure and part-time even instable protocol.
Do you have any advice on which system to use? It should contain at least the same amount of features lacking all the possible security holes.
Kind regards, A. Achtzehn
I used to have pretty good luck with AFS but it has been a few years since I have set up an extensive system like that. I know back then they both had security holes, and I am sure that everything out there will have some, but AFS seemed to run more stable on our systems than NFS. I had always heard the opposite, but that is just my experience.
Austin
On Mon, Oct 29, 2001 at 07:04:32PM +0100, Andreas Achtzehn wrote:
Dear list readers,
we have been extensively using NFS to export file systems to other computers. Since we are now in a phase of reauditing our network for security, we are searching for an alternative to that very insecure and part-time even instable protocol.
Do you have any advice on which system to use? It should contain at least the same amount of features lacking all the possible security holes.
Kind regards, A. Achtzehn
Austin Morgan
Morgan Computer Services
501-857-1189
www.morgancomputers.net
You might want to look at coda filesystem. It's based on afs2, and while I haven't used it myself, I know some people who are very enthusiastic about it. I think this http://www.coda.cs.cmu.edu is the homepage.
HTH
Stefan
----- Original Message -----
From: "Andreas Achtzehn" <suse-security@achtzehn.2y.net>
To: "SuSE Security Mailingliste" <suse-security@suse.com>
Sent: Monday, October 29, 2001 19:04
Subject: [suse-security] Alternative to NFS
Dear list readers,
we have been extensively using NFS to export file systems to other computers. Since we are now in a phase of reauditing our network for security, we are searching for an alternative to that very insecure and part-time even instable protocol.
Do you have any advice on which system to use? It should contain at least the same amount of features lacking all the possible security holes.
Kind regards, A. Achtzehn
Hi,
On 30 Oct 2001, at 11:51, Stefan Suurmeijer wrote:
You might want to look at coda filesystem. It's based on afs2, and while I haven't used it myself, I know some people who are very enthusiastic about it.
I installed it once and some time ago. Really nice, but has drawbacks. However I cannot say anything about security issues.
mike
Oddly enough you may want to consider SMB. Good support by Windows and UNIX, authentication can be done securely if you do not allow unencrypted logins, and you can SSL encrypt the whole shebang if you want to.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
From: Kurt Seifried [mailto:listuser@seifried.org]
Oddly enough you may want to consider SMB. Good support by Windows and UNIX, authentication can be done securely if you do not allow unencrypted logins, and you can SSL encrypt the whole shebang if you want to.
Had that thought too but then it came to my mind that I need user-ids, permissions and timestamp preservation. Doesn't seem as if SMB provides that to me. I'm now back on NFS and pray that no user will use a network scanner at two in the morning. The servers are connected via a Switch, so that gives me at least some security. But, as you can imagine, it's not really what I wanted.
I read some on Coda, but 1) it's not yet considered to be used in production environment and 2) I'd have to repartition both servers' HDDs (coda uses raw devices). *argh*
It's really odd to believe that there is only ONE solution in the whole open-source community.
Andreas Achtzehn:
Had that thought too but then it came to my mind that I need user-ids, permissions and timestamp preservation. Doesn't seem as if SMB provides that to me. I'm now back on NFS and pray that no user will use a network scanner at two in the morning. The servers are connected via a Switch, so that gives me at least some security. But, as you can imagine, it's not really what I wanted.
You want to share data between 2 Servers and don't want that users might intercept those transfers? Why don't you build up a second nfs-only network?
Peter
(and there is logcheck to be able to sleep at 02:00... )
Had that thought too but then it came to my mind that I need user-ids, permissions and timestamp preservation. Doesn't seem as if SMB provides
user id's as in separate users? err.. SMB supports that. user ids as in intrusion detection, then don't encrypt it. I'm really not sure what you are talking about on that one. anyways. permissions, SMB does permissions, again perhaps you are confusing windows 95/98 with everything else microsoft makes?
that to me. I'm now back on NFS and pray that no user will use a network scanner at two in the morning. The servers are connected via a Switch, so that gives me at least some security. But, as you can imagine, it's not
No it doesn't. Anyone that scans the network quickly will notice the nfs servers/clients, anyone can easily attack the switch to force it to broadcast, unless you have it set to not drop to multicast/etc/etc, right?
really what I wanted. I read some on Coda, but 1) it's not yet considered to be used in production environment and 2) I'd have to repartition both servers' HDDs (coda uses raw devices). *argh*
Yup.
It's really odd to believe that there is only ONE solution in the whole open-source community.
Ehhh. well since I'm still not sure what the exact question is it's hard to answer. you want to transfer files. why not use ftp? rsync? nfs? afs? smb? tcfs? etc. What os's is this between? MSDOS boxes? two suse machines? uhhhhh? why not use IPSec to encrypt it? etc. Ask a real question, get a real answer.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
From: Kurt Seifried [mailto:listuser@seifried.org]
Had that thought too but then it came to my mind that I need user-ids, permissions and timestamp preservation. Doesn't seem as if SMB provides
user id's as in separate users? err.. SMB supports that. user ids as in intrusion detection, then don't encrypt it. I'm really not sure what you are talking about on that one. anyways. permissions, SMB does permissions, again perhaps you are confusing windows 95/98 with everything else microsoft makes?
I would have wanted to use NFS/SMB/AFS for backup purposes. So how does SMB behave when I try to transfer a Unix file? Does it create the file on the receiving server with the same permissions? What about symlinks?
that to me. I'm now back on NFS and pray that no user will use a network scanner at two in the morning. The servers are connected via a Switch, so that gives me at least some security. But, as you can imagine, it's not
No it doesn't. Anyone that scans the network quickly will notice the nfs servers/clients, anyone can easily attack the switch to force it to broadcast, unless you have it set to not drop to multicast/etc/etc, right?
Made some IPTables-rules to block NFS from others. Added arpwatch and set the Switch to deny certain MACs from other ports.
really what I wanted. I read some on Coda, but 1) it's not yet considered to be used in production environment and 2) I'd have to repartition both servers' HDDs (coda uses raw devices). *argh*
Yup.
It's really odd to believe that there is only ONE solution in the whole open-source community.
Ehhh. well since I'm still not sure what the exact question is it's hard to answer. you want to transfer files. why not use ftp? rsync? nfs? afs? smb? tcfs? etc. What os's is this between? MSDOS boxes? two suse machines? uhhhhh? why not use IPSec to encrypt it? etc. Ask a real question, get a real answer.
Because it's not just plain files, but files, symlinks, device-files, etc. etc. I don't want to wake up in the morning with a ./init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/ [...]
Regards, Andreas
Andreas Achtzehn wrote:
I would have wanted to use NFS/SMB/AFS for backup purposes. So how does SMB behave when I try to transfer a Unix file? Does it create the file on the receiving server with the same permissions? What about symlinks?
Backup? You can completely configure the permissions samba uses to create files. Look at man smb.conf and search for force create mode and create mode. You can also either allow or disallow samba users to follow symlinks. --> SNIP
Ehhh. well since I'm still not sure what the exact question is it's hard to answer. you want to transfer files. why not use ftp? rsync? nfs? afs? smb? tcfs? etc. What os's is this between? MSDOS boxes? two suse machines? uhhhhh? why not use IPSec to encrypt it? etc. Ask a real question, get a real answer.
Because it's not just plain files, but files, symlinks, device-files, etc. etc. I don't want to wake up in the morning with a ./init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/ [...]
Regards, Andreas
Still not clear what exactly you want to do, but as mentioned above, you can disallow the following of symlinks, if that's what you're worried about. Next to that you can copy any file you want to with just about exactly the permissions you want to. But if I understand you correctly, you want to copy your entire file-system as a means of backup?? Do you have any compelling reasons for not using normal backup media? If not, go with tapes and save yourself a lot of trouble.
HTH
Stefan
* Andreas Achtzehn wrote on Wed, Oct 31, 2001 at 12:07 +0100:
I would have wanted to use NFS/SMB/AFS for backup purposes.
What does it mean? You want to collect data once a night or so? In that case, I would suggest rsync via SSH or maybe simply a "tar cf - $OPTS $PATHS" in authorized_keys (then you can collect it via "ssh -i keyfile backup@host > remote.tar").
Made some IPTables-rules to block NFS from others. Added arpwatch and set the Switch to deny certain MACs from other ports.
In case you configured anything correctly, I don't think it's a very bad security hole.
Because it's not just plain files, but files, symlinks, device-files, etc. etc. I don't want to wake up in the morning with a ./init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/init.d/ [...]
rsync handles such things correctly (some exceptions, it seems not to unlink symlinks to directories correctly, since rmdir <link> fails). tar (with the right options), too. cpio, afio and anything which can produce stream outputs to stdout can easily be used by SSH authorized_keys, you can write it to tape directly if desired (bad for verify :)) or whatever.
oki,
Steffen
--
This letter was generated by machine and therefore bears neither signature nor seal.
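Added example, not part of any message in this thread: the tar-stream approach suggested above, run locally against the self-referencing init.d symlink Andreas describes, checking that the link, file mode and mtime survive the stream. The demo tree, the /srv/export path and the key placeholder in the comment are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo tree; nothing here comes from the thread's real hosts.
# Server side, in the backup account's ~/.ssh/authorized_keys, the key is
# pinned to one command (path and key material are placeholders):
#   command="tar cf - -C /srv/export .",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa <PUBLIC-KEY-PLACEHOLDER> backup
# Collector side:  ssh -i keyfile backup@host > remote.tar

make_tree() {    # $1 = directory to populate
    mkdir -p "$1/init.d"
    printf 'start\n' > "$1/init.d/rc"
    chmod 750 "$1/init.d/rc"
    touch -t 200110291904 "$1/init.d/rc"
    ln -s . "$1/init.d/init.d"    # self-reference: init.d/init.d/init.d/...
}

stream_copy() {  # $1 = source dir, $2 = destination dir
    mkdir -p "$2"
    # Without -h, tar stores a symlink as a symlink; -p restores file modes.
    tar cf - -C "$1" . | tar xpf - -C "$2"
}

mode_of() { ls -ld "$1" | cut -c1-10; }

verify_copy() {  # $1 = source, $2 = copy; prints "ok" or the first mismatch
    [ -L "$2/init.d/init.d" ] || { echo "symlink was followed"; return 1; }
    [ "$(readlink "$2/init.d/init.d")" = "." ] || { echo "link target changed"; return 1; }
    [ "$(mode_of "$1/init.d/rc")" = "$(mode_of "$2/init.d/rc")" ] || { echo "mode differs"; return 1; }
    if [ "$1/init.d/rc" -nt "$2/init.d/rc" ] || [ "$2/init.d/rc" -nt "$1/init.d/rc" ]; then
        echo "mtime differs"; return 1
    fi
    [ "$(find "$1" | wc -l)" -eq "$(find "$2" | wc -l)" ] || { echo "entry count differs"; return 1; }
    echo ok
}

run_demo() {
    work=$(mktemp -d) || return 1
    make_tree "$work/src"
    stream_copy "$work/src" "$work/dst"
    result=$(verify_copy "$work/src" "$work/dst") && status=0 || status=$?
    rm -rf "$work"
    echo "$result"
    return "$status"
}

run_demo
```

The forced command means the backup key can only ever emit that one archive, whatever the client asks for.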
On Tuesday 30 October 2001 12:02, Andreas Achtzehn wrote: [snip]
that to me. I'm now back on NFS and pray that no user will use a network scanner at two in the morning. The servers are connected via a Switch, [snip]
Hi,
Have you considered an ipsec vpn between nfs servers/clients? (ipsec linux stuff: www.freeswan.org)
John
Based on my own experience I can only agree to what Kurt is saying.
I have a renderfarm with 10 rendering machines and 1 fileserver, 1 dedicated user which runs the renderings (and therefore produces the image files). Authentication is done via NIS (NIS master is the fileserver). The clients access the fileserver's share (image directory) via smbmount.
Since postproduction takes place on a separate fast Windows machine all I have to do is make the image directory available via SMB to them as well and for convenience I use the same user on the windows box.
As far as encryption is concerned I don't really need it since everything takes place in a LAN which is protected by a firewall.
I have had this setup running for 6 months and never experienced any problem. I am able to add more clients at any time without much trouble (actually when adding a client I use Norton Ghost to produce an identical copy of an existing and fully installed (master-)client and only have to change name and IP address after the first boot and voilà - all done :-)
Hope this wasn't too OT ;-)
Erwin
--- Kurt Seifried wrote:
Oddly enough you may want to consider SMB. Good support by Windows and UNIX, authentication can be done securely if you do not allow unencrypted logins, and you can SSL encrypt the whole shebang if you want to.
Kurt Seifried, kurt@seifried.org
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/security/
participants (9)
- Andreas Achtzehn
- Austin Morgan
- Erwin Zierler - stubainet.at
- John Pinder
- Kurt Seifried
- Peter Wiersig
- Stefan Suurmeijer
- Steffen Dettmer
- Thomas Michael Wanka