Hi,
I've trawled through the forum to see if this topic's been covered but can't find anything.
I'm trying to figure out how you deny particular hosts from mounting NFS mounts. Everything I've read online points to using hosts.deny for this type of security but I can't get it to work.
e.g.
server1 has nfs running with the following configuration, however server2 is still able to mount /data without any issue.
/etc/exports
/data *(ro)
/etc/hosts.deny
ALL:ALL
/etc/hosts.allow is empty
This config of hosts.deny is working for protocols such as ssh but not nfs.
Can anyone advise me why this isn't working, or the correct method to restrict servers from access to NFS mounts?
thanks
Gareth
/etc/hosts.deny not blocking hosts from using NFS
Re: /etc/hosts.deny not blocking hosts from using NFS
The /etc/exports file can be used to restrict which hosts have access to which exports. So in your example, you have allowed all hosts to access it because of the "*(ro)". If you want to restrict this to a specific subnet then you'd use
[code]
/data 192.168.6.0/24(ro)
[/code]
You can have more than one host specification on the same line, e.g.
[code]
/data 192.168.6.24(ro) 192.168.6.25(rw) 192.168.7.0/24(ro)
[/code]
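To make the point about `*(ro)` concrete, here is an added example (my own code, not from this thread or from the nfs-utils project) that parses the exports(5) host-specification syntax shown above and reports which options a given client address would receive. It implements the documented precedence (a single-host entry beats a subnet entry, which beats the `*` wildcard) so that mixed lines like the second example resolve the way the server would. The exports content and client addresses are constructed samples; hostnames and netgroups are not resolved, since the example runs offline.

```python
"""Check which /etc/exports entry would apply to a client address.

Added example: a small parser for the exports(5) host-spec forms used in
the reply above (single IP, CIDR subnet, '*' wildcard). Hostnames and
netgroups are not resolved. Sample file content is constructed.
"""
import ipaddress
import re

# Constructed sample: the original '*(ro)' line plus the two examples above.
SAMPLE_EXPORTS = """
# /etc/exports (constructed sample)
/data   *(ro)
/backup 192.168.6.24(ro) 192.168.6.25(rw) 192.168.7.0/24(ro)
/home   192.168.6.0/24(rw,sync,no_subtree_check)
"""

# host spec is "host" or "host(opt,opt)"; no space is allowed before '('.
_ENTRY_RE = re.compile(r"^([^(]+)(?:\((.*)\))?$")


def parse_exports(text):
    """Return a list of (path, [(hostspec, [options]), ...]) per export line."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        path, specs = fields[0], fields[1:]
        entries = []
        for spec in specs:
            m = _ENTRY_RE.match(spec)
            if not m:
                raise ValueError(f"bad host spec {spec!r}")
            host, opts = m.group(1), m.group(2)
            entries.append((host, opts.split(",") if opts else []))
        exports.append((path, entries))
    return exports


def host_matches(spec, client_ip):
    """True if the spec covers client_ip (IP, CIDR or '*' only)."""
    if spec == "*":
        return True
    ip = ipaddress.ip_address(client_ip)
    try:
        if "/" in spec:
            return ip in ipaddress.ip_network(spec, strict=False)
        return ip == ipaddress.ip_address(spec)
    except ValueError:
        return False  # hostname, netgroup or wildcard pattern: not handled here


def _spec_rank(spec):
    """Precedence from exports(5): single host < IP network < wildcard."""
    if spec == "*":
        return 2
    if "/" in spec:
        return 1
    return 0


def access_for(exports, path, client_ip):
    """Return the option list the client gets for path, or None if no entry matches."""
    for export_path, entries in exports:
        if export_path != path:
            continue
        matches = [(s, o) for s, o in entries if host_matches(s, client_ip)]
        if matches:
            return min(matches, key=lambda m: _spec_rank(m[0]))[1]
    return None


def audit_open_exports(exports):
    """Paths exported to every host via '*', which is what the original post had."""
    return [path for path, entries in exports if any(s == "*" for s, _ in entries)]


if __name__ == "__main__":
    ex = parse_exports(SAMPLE_EXPORTS)
    for client in ("10.0.0.5", "192.168.6.25", "192.168.7.9"):
        for path in ("/data", "/backup", "/home"):
            print(f"{client:>14} {path:<8} -> {access_for(ex, path, client)}")
    print("exported to all hosts:", audit_open_exports(ex))
```

Running it shows that `/data` is readable from any address because of `*(ro)`, while `/backup` and `/home` return `None` for 10.0.0.5, which is the behaviour the reply above describes. Pointing `parse_exports` at the real file (`open("/etc/exports").read()`) gives a quick review of what a server actually exposes.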
Re: /etc/hosts.deny not blocking hosts from using NFS
Thanks, so does NFS not use /etc/hosts.deny then, as this is what I'd read online?
/etc/hosts.deny not blocking hosts from using NFS
That depends on if you have tcp_wrappers installed and have properly configured /etc/hosts.allow and /etc/hosts.deny. The configuration and interactions can be quite complex. I find it easier to just explicitly allow hosts and/or subnets in /etc/exports as Trevor outlined.
Re: /etc/hosts.deny not blocking hosts from using NFS
My understanding is that with NFS versions 1, 2, and 3, the various daemons associated with NFS (nfsd, lockd, and the portmapper, rpcbind on CentOS 6) all use wrappers, but NFS version 4 does not; everything is self-contained in the protocol, and the exports file is the only place (other than iptables of course, or an external firewall) to control who has access to what.
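The two replies above come down to one rule: tcp_wrappers only protects a service that actually calls the wrapper library. The following added example (my own code, not from the thread) models the documented hosts_access(5) lookup order, hosts.allow first, then hosts.deny, otherwise allow, and shows why `ALL:ALL` in hosts.deny stops a wrapped daemon such as sshd but has no effect on a service that is never wrapped. The rule text and client addresses are constructed samples, and the set of daemon names treated as wrapped is an assumption for illustration (on a real host it depends on what was built against libwrap); `nfsd` is listed as not wrapped, in line with the NFSv4 point above.

```python
"""Simulate the tcp_wrappers (hosts_access(5)) decision for a daemon/client pair.

Added example, not from the thread: hosts.allow is consulted first, then
hosts.deny; a client matching neither file is allowed. A daemon that does
not link against libwrap never asks, so the files cannot block it.
"""
import ipaddress

# The setup from the original post (constructed copies).
HOSTS_ALLOW = ""                 # /etc/hosts.allow is empty
HOSTS_DENY = "ALL:ALL\n"         # /etc/hosts.deny

# Assumption for illustration: which services on this host consult libwrap.
# The kernel NFSv4 server ("nfsd") does not, which is why hosts.deny is ignored.
WRAPPED_DAEMONS = {"sshd", "mountd", "rpcbind"}


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            raise ValueError(f"bad rule {raw!r}")
        daemons = parts[0].replace(",", " ").split()
        clients = parts[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, client_ip):
    """Match ALL, a single IP, net/mask or net/prefix, or a trailing-dot prefix."""
    if pattern == "ALL":
        return True
    ip = ipaddress.ip_address(client_ip)
    if pattern.endswith("."):                       # e.g. "192.168.6."
        return client_ip.startswith(pattern)
    try:
        if "/" in pattern:                          # "192.168.6.0/255.255.255.0" or "/24"
            return ip in ipaddress.ip_network(pattern, strict=False)
        return ip == ipaddress.ip_address(pattern)
    except ValueError:
        return False  # hostnames and other patterns not resolved offline


def rules_match(rules, daemon, client_ip):
    return any(
        ("ALL" in daemons or daemon in daemons)
        and any(client_matches(c, client_ip) for c in clients)
        for daemons, clients in rules
    )


def wrapper_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """The libwrap verdict: allow file wins, then deny file, else allow."""
    if rules_match(parse_rules(allow_text), daemon, client_ip):
        return "allow"
    if rules_match(parse_rules(deny_text), daemon, client_ip):
        return "deny"
    return "allow"


def effective_decision(daemon, client_ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """What the client actually experiences: unwrapped daemons never consult the files."""
    if daemon not in WRAPPED_DAEMONS:
        return "not wrapped"
    return wrapper_decision(daemon, client_ip, allow_text, deny_text)


if __name__ == "__main__":
    for daemon in ("sshd", "mountd", "nfsd"):
        print(f"{daemon:<7} from 192.168.6.24 -> {effective_decision(daemon, '192.168.6.24')}")
```

With the original post's files, the simulation denies sshd and mountd but reports `not wrapped` for nfsd, matching what was observed: ssh was blocked while an NFSv4 mount of `/data` still succeeded. Restricting the host list in `/etc/exports` (or a host firewall) is the control that applies regardless of protocol version.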