[OT-ish] nfs v. samba
Jason Straight
jason at jeetkunedomaster.net
Fri Oct 28 21:23:14 UTC 2005
On Friday 28 October 2005 11:00, David Teague(T-bird acct) wrote:
> I recall being told that NFS is pretty much insecure,
> and should not be used where an arbitrary machine
> from the internet can access an NFS file system?
>
> Is this fact? If so how serious is the insecurity? Have
> there been advances in NFS since such a time?
NFS authenticates by hostname or IP, so if you NFS your / dir with rw,
no_root_squash, then someone on your LAN could change their IP# to match
one of the allowed NFS shares and have total reign on your system.
Unless you totally control the LAN you are on, NFS is probably too
insecure.

NFS is one of those services that, if I use it, I iptables it off to only the
hosts that I authorize to use it, for some added protection. Also I suggest
sharing only by IP; if someone poisons your DNS they could assume the
hostname of one of the allowed NFS clients.

Another added protection on a LAN is to use iptables to allow only certain MAC
addresses, but of course that's easy enough to change too; it's way less
likely someone will think of that being the reason they can't get to your NFS
server.
--
| Ubuntu Linux
| www.ubuntulinux.org
|
| Kubuntu
| www.kubuntu.org
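
An added example, not part of the original post: a small audit of an /etc/exports file for the settings the reply warns about (no_root_squash, exporting / read-write, clients named by hostname rather than IP). The sample exports content, hostnames and addresses are constructed, and the parsing is a simplified reading of exports(5).

```python
import ipaddress
import re

# Constructed sample /etc/exports content (not taken from the post).
SAMPLE_EXPORTS = """\
# constructed example
/            fileserver-client.example.lan(rw,no_root_squash)
/srv/share   192.0.2.10(rw,root_squash) 192.0.2.0/24(ro)
/home        *(rw)
"""

# One client entry: "client(opt,opt)", "client", or a bare "(opts)".
CLIENT_RE = re.compile(r"^([^()\s]*)(?:\(([^)]*)\))?$")


def is_ip_client(client):
    """True if the client is a literal IP address or network, not a name."""
    try:
        ipaddress.ip_network(client, strict=False)
        return True
    except ValueError:
        return False


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries.

    Assumptions: no quoted paths or line continuations; netgroups (@name)
    are reported like hostnames because they are not literal addresses.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for spec in clients:
            m = CLIENT_RE.match(spec)
            if not m:
                continue
            client = m.group(1) or "*"  # bare "(rw)" applies to every host
            opts = set((m.group(2) or "").split(","))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash: client root stays uid 0"))
            if path == "/" and "rw" in opts:
                findings.append((path, client, "root filesystem exported read-write"))
            if "*" in client or "?" in client:
                findings.append((path, client, "wildcard client: any matching host"))
            elif not is_ip_client(client):
                findings.append((path, client, "client given by name: trust rests on DNS"))
    return findings
```

Calling `audit_exports(SAMPLE_EXPORTS)` reports the first and third sample lines and leaves the IP-restricted `/srv/share` line alone; the iptables restriction the reply describes is a separate layer this check does not cover.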