/etc/hosts.deny not blocking hosts from using NFS

m223464
Posts: 13
Joined: 2012/03/07 16:08:19

/etc/hosts.deny not blocking hosts from using NFS

Post by m223464 » 2012/05/01 15:33:47

Hi,

I've trawled through the forum to see if this topic's been covered but can't find anything.

I'm trying to figure out how you deny particular hosts from mounting NFS mounts. Everything I've read online points to using hosts.deny for this type of security but I can't get it to work.

e.g.
server1 has nfs running with the following configuration, however server2 is still able to mount /data without any issue.

/etc/exports
/data *(ro)

/etc/hosts.deny
ALL:ALL

/etc/hosts.allow is empty

This config of hosts.deny is working for protocols such as ssh but not nfs.

Can anyone advise me why this isn't working or the correct method to restrict servers from access to NFS mounts?

thanks

Gareth

TrevorH
Forum Moderator
Posts: 30160
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: /etc/hosts.deny not blocking hosts from using NFS

Post by TrevorH » 2012/05/01 18:09:57

The /etc/exports file can be used to restrict which hosts have access to which exports. So in your example, you have allowed all hosts to access it because of the "*(ro)". If you want to restrict this to a specific subnet then you'd use

[code]
/data 192.168.6.0/24(ro)
[/code]

You can have more than one host specification on the same line, e.g.

[code]
/data 192.168.6.24(ro) 192.168.6.25(rw) 192.168.7.0/24(ro)
[/code]
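
An added example, not part of any post in this thread and not nfs-utils code: a small audit of exports-style text that lists every entry open to all hosts, such as the `/data *(ro)` line from the question. The function names and the sample text are assumptions made up for the illustration; only the two `/data` lines come from the thread.

```python
import re

# Constructed sample in /etc/exports syntax. The two /data lines are the ones
# quoted in the thread; /scratch and /pub are made up for the illustration.
SAMPLE_EXPORTS = """\
# constructed sample
/data *(ro)
/data 192.168.6.24(ro) 192.168.6.25(rw) 192.168.7.0/24(ro)
/scratch 192.168.6.24 (rw)
/pub 0.0.0.0/0(ro)
"""

# Client fields treated here as "every host": a bare "*", an empty client in
# front of "(opts)" (what a stray space before the parenthesis produces), and
# the /0 networks. Hostname wildcards like "*.example.com" are not flagged.
OPEN_CLIENTS = {"", "*", "0.0.0.0/0", "::/0"}

# client(opt1,opt2) with the parenthesised option list optional
SPEC_RE = re.compile(r"^(?P<client>[^()]*)(?:\((?P<opts>[^()]*)\))?$")


def parse_exports(text):
    """Yield (path, client, options) for each client spec in exports-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            m = SPEC_RE.match(spec)
            if m is None:
                continue  # not in client(opts) form; ignored by this sketch
            opts = m.group("opts").split(",") if m.group("opts") else []
            yield path, m.group("client"), opts


def world_exports(text):
    """Return the entries whose client field is not limited to specific hosts."""
    return [entry for entry in parse_exports(text) if entry[1] in OPEN_CLIENTS]


if __name__ == "__main__":
    for path, client, opts in world_exports(SAMPLE_EXPORTS):
        print(f"{path}: open to all hosts via {client or '(no client)'} {opts}")
```

On a server, pass the contents of /etc/exports to `world_exports()` instead of the sample; the `/scratch` line shows how a space between the host and `(rw)` leaves a second, host-less entry.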

m223464
Posts: 13
Joined: 2012/03/07 16:08:19

Re: /etc/hosts.deny not blocking hosts from using NFS

Post by m223464 » 2012/05/01 20:27:05

Thanks, so does NFS not use /etc/hosts.deny then, as this is what I'd read online?

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

/etc/hosts.deny not blocking hosts from using NFS

Post by pschaff » 2012/05/01 20:51:47

That depends on if you have tcp_wrappers installed and have properly configured /etc/hosts.allow and /etc/hosts.deny. The configuration and interactions can be quite complex. I find it easier to just explicitly allow hosts and/or subnets in /etc/exports as Trevor outlined.

Nanook
Posts: 13
Joined: 2007/08/27 09:48:39
Location: Shoreline, WA
Contact:

Re: /etc/hosts.deny not blocking hosts from using NFS

Post by Nanook » 2012/07/02 04:35:59

My understanding is that NFS versions 1, 2, and 3, the various daemons associated with NFS, nfsd, lockd, and portmapper (rpcbind on CentOS 6) all use wrappers, but NFS version 4 does not; everything is self-contained in the protocol, and the exports file is the only place (other than iptables, of course, or an external firewall) to control who has access to what.
