Mailinglist Archive: opensuse-security (343 mails)

RE: [suse-security] scans to port 111
  • From: John Bland <shrike@xxxxxxxxxxxxx>
  • Date: Fri, 13 Jul 2001 11:09:14 +0100 (BST)
  • Message-id: <Pine.LNX.4.31.0107131104510.16254-100000@xxxxxxxxxxxxxxxxxxx>

> > Let's say I have a home network of 3 computers, which share disks with
> > NFS. What's the risk if all NFS-related ports are blocked on the firewall
> > to the outside?
>
> Assume some local configuration errors on your firewall and/or buggy system
> demons which may be used to gain r00t on it, and a local network behind this
> faulty machine where anything goes NFSwise because of the assumption that,
> because the number of nodes in your LAN is very small, you trust your users
> more than you would if you'd run a net of 100+ nodes. So there we have all
> these NFS shares, lingering around w/o protection in the internal LAN, and a
> cracker who just entered your vulnerable firewall...

So presumably you ensure general NFS access is root_squashed and that any
NFS mounts are explicitly noaccessed from the firewall. Is there anything
else you could do to reduce the risk? Apart from not running any services
on the firewall and setting it up right ;0).

JB

--
John Bland M.Phys (Hons) AMInstP / \ PhD Student & Sys Admin
Email: j.bland at cmp.liv.ac.uk / \ Condensed Matter Group
http://ringtail.cmp.liv.ac.uk/ / \ Liverpool University
"Hey, I wonder how much meat you get on a womble?" -- Eddie
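
An added example, not part of the original message or thread: a small Python audit of an `/etc/exports` file for the two settings the message names, `root_squash` and an explicit `noaccess` entry for the firewall host. The sample file, the host name `fw`, and the assumption that the NFS server in use honours `noaccess` (check its exports(5)) are constructed for illustration.

```python
import re

# Constructed sample /etc/exports for a small LAN; "fw" is the firewall host.
SAMPLE_EXPORTS = """\
# path    client(options) ...
/home     192.168.1.0/24(rw,root_squash) fw(noaccess)
/srv/pub  192.168.1.0/24(ro) ws1(rw,no_root_squash)
/backup   *(rw)
"""

ENTRY = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def parse_exports(text):
    """Yield (path, client, options) for every client entry in the file."""
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *entries = line.split()
        for entry in entries:
            m = ENTRY.fullmatch(entry)
            if not m:
                continue  # malformed entry, e.g. an unbalanced parenthesis
            client, opts = m.groups()
            yield path, client or "*", set(filter(None, (opts or "").split(",")))

def audit(text, firewall):
    """Return findings for the two settings discussed in the message."""
    findings, denied, paths = [], set(), []
    for path, client, opts in parse_exports(text):
        if path not in paths:
            paths.append(path)
        # root squashing is given up only where no_root_squash is set.
        if "no_root_squash" in opts:
            findings.append(f"{path}: {client} exported with no_root_squash")
        if client == firewall and "noaccess" in opts:
            denied.add(path)
    # A network or wildcard entry may cover the firewall unless it is denied.
    for path in paths:
        if path not in denied:
            findings.append(f"{path}: no explicit noaccess entry for {firewall}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORTS, "fw"):
        print(finding)
```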

