漏洞
目标主机showmount -e信息泄露(CVE-1999-0554)
处理
允许某个网段可以访问
echo “mountd:192.168.22.” >> /etc/hosts.allow
echo “rpcbind:192.168.22.:allow” >> /etc/hosts.allow
禁止其他全部访问
echo “mountd:all” >> /etc/hosts.deny
echo “mountd:all” >> /etc/hosts.deny
修改后无需做任何操作,直接用showmount -e 测试即可
测试
测试ip网段限制nfs访问
输入
showmount -e nfs外网IP
提示“clnt_create: RPC: Port mapper failure - Authentication error”
showmount -e nfs内网IP
正常显示目录列表
拓展
限制nfs多个网段配置
echo “mountd:192.168.22.,192.168.11.” >> /etc/hosts.allow
echo “rpcbind:192.168.22.,192.168.11.:allow” >> /etc/hosts.allow
echo “mountd:all” >> /etc/hosts.deny
echo “mountd:all” >> /etc/hosts.deny