Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: NFS/ security questions

  1. #1
    Join Date
    Mar 2008
    Beans
    114

    NFS/ security questions

    Hi there
    I've just set up NFS and i exported my home directory.In /etc/exports(on the server of course) i used this config
    Code:
    /home/me  192.168.1.0/24(rw)
    Note that i used a range of I.P addresses because when i tried to set up a static I.P on the client it didn't work!
    Could this be a security hole?.I mean could someone somehow find out my router's config and spoof that there packets came from an address in this range?.Is this possible?.If not are there any other security risks with my configuration of NFS?.Would it be safer with a static I.P address for the client?.Thankyou for your time

  2. #2
    Join Date
    Jul 2006
    Beans
    287
    Distro
    Kubuntu

    Re: NFS/ security questions

    192.168.x.y addresses are not routable on the Internet. So no one can spoof such an address to gain access to your LAN.

  3. #3
    Join Date
    Mar 2008
    Beans
    114

    Re: NFS/ security questions

    So how do people gain access to a LAN with no open ports on the router and no sniffer with buffer overflow vulnerabilities?.Sorry for the dumb questions I'm a security n00b who got hacked recently!

  4. #4
    Join Date
    Mar 2008
    Beans
    114

    Re: NFS/ security questions

    Also i thought that they would just have to make the router think that the malicious packets were coming from an internal machine. Thus routable packets could seem like they were coming from another machine inside the LAN

  5. #5
    Join Date
    Jul 2006
    Beans
    287
    Distro
    Kubuntu

    Re: NFS/ security questions

    Quote Originally Posted by methodtwo View Post
    So how do people gain access to a LAN with no open ports on the router and no sniffer with buffer overflow vulnerabilities?.Sorry for the dumb questions I'm a security n00b who got hacked recently!
    A buffer overflow vulnerability is a different animal. It's an attack in which someone is able to run malicious code on your computer by exploiting a bug in a program you're using such as a web browser or PDF reader. Usually it involves you downloading some specially-crafted data from the Internet, which then gets processed by the vulnerable application. But if you are diligent about applying security updates when they're made available and you stick to visiting reputable web sites, you generally don't need to worry about these kinds of attacks.

    If your computer is compromised through a buffer overflow attack, the attacker can then gain access to the LAN, naturally. But the success or failure of the attack has nothing to do with how your network is configured. The main problem is that your computer gets taken over.

  6. #6
    Join Date
    Jul 2006
    Beans
    287
    Distro
    Kubuntu

    Re: NFS/ security questions

    Quote Originally Posted by methodtwo View Post
    Also i thought that they would just have to make the router think that the malicious packets were coming from an internal machine. Thus routable packets could seem like they were coming from another machine inside the LAN
    No, it doesn't work that way. Most consumer routers have an external (WAN) port and several internal (LAN) ports. Since the router also acts as a firewall, unsolicited traffic from the WAN side gets blocked no matter what IP address it's coming from (spoofed or not). But even if the spoofed traffic were to somehow make it onto your LAN, a two-way connection would not be established because the target machine on your LAN would try to send a packet back to the spoofed address, but your router would see that it's destined for an internal address and wouldn't route it to the Internet.
    Last edited by Rob_H; August 24th, 2009 at 12:11 AM.

  7. #7
    Join Date
    May 2006
    Beans
    65

    Re: NFS/ security questions

    I like to provide free Internet service to my neighbors via WIFI but don't want them to be able to mount my nfs shares. What's the easiest security setup?

  8. #8
    Join Date
    Mar 2006
    Location
    Williams Lake
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: NFS/ security questions

    Only allow specific ip addresses to connect, it probably means you need to setup static ip address for your internal network, and only allow those address to mount your nfs shares.

  9. #9
    Join Date
    May 2006
    Beans
    65

    Re: NFS/ security questions

    But I want the router to serve DHCP for the neighbors. Can a typical router do that and still reserve certain numbers for my computers?

  10. #10
    Join Date
    Nov 2007
    Location
    London, England
    Beans
    5,520
    Distro
    Xubuntu 14.04 Trusty Tahr

    Re: NFS/ security questions

    Most DHCP routers allow you to specify a fixed reservation for a given MAC (hardware) address. I use this to fix the IP addresses of some of our computers.

    Even if not, you can (for instance) tell the DHCP server to issue numbers in the range 192.168.1.1-192.168.1.99 and then assign static IPs outside that range to your own computers.

Page 1 of 2 12 LastLast

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •