在我们的日常工作中,企业和单位一般都会使用NFS网络文件系统,最近在工作中,遇到了"目标主机showmount -e信息泄露(CVE-1999-0554)"的问题,并最终做出如下处置。
问题如下:
我现在手上有三台主机,分别为主机host1,主机host2,主机host3,其中主机host1为服务其,并且部署了NFS,而且只允许主机host2使用,然而呢,主机host3可以通过showmount -e命令来浏览主机host1的目录清单。
#主机a的nfs服务配置文件,其中10.28.7.210是主机host2的IP地址
[root@host1 ~]# cat /etc/exports
/data 10.28.7.210/32(rw,sync)
#主机b使用showmount -e命令可以查看到的信息
[root@host2 ~]# showmount -e 10.28.7.253
Export list for 10.28.7.253:
/data 10.28.7.210/32
[root@host2 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.28.7.210 netmask 255.255.255.0 broadcast 10.28.7.255
#主机c也可以使用showmount -e命令查看nfs服务器上共享出来的目录信息
[root@host3 ~]# showmount -e 10.28.7.253
Export list for 10.28.7.253:
/data 10.28.7.210/32
[root@host3 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:62:18:E8
inet addr:10.28.7.252 Bcast:10.28.7.255 Mask:255.255.255.0
解决办法:
在NFS服务器上的/etc/hosts.allow和/etc/hosts.deny文件添加以下内容即可解决该问题。
编辑/etc/hosts.allow文件
[root@host1 ~]# cat /etc/hosts.allow
#
# hosts.allow This file contains access rules which are used to
# allow or deny connections to network services that
# either use the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
#
mountd:10.28.7.210 #<==添加客户端IP地址,相当于白名单
编辑/etc/hosts.deny文件
[root@host1 ~]# cat /etc/hosts.deny
#
# hosts.deny This file contains access rules which are used to
# deny connections to network services that either use
# the tcp_wrappers library or that have been
# started through a tcp_wrappers-enabled xinetd.
#
# The rules in this file can also be set up in
# /etc/hosts.allow with a 'deny' option instead.
#
# See 'man 5 hosts_options' and 'man 5 hosts_access'
# for information on rule syntax.
# See 'man tcpd' for information on tcp_wrappers
#
#
mountd:all #<==添加该行,相当于黑名单
在以上两个文件中国添加对应的内容之后,不需要重启NFS服务,就可以生效
测试结果
#主机host3使用showmount -e命令,无法查看相关信息
[root@host3 ~]# showmount -e 10.28.7.253
rpc mount export: RPC: Authentication error; why = Failed (unspecified error)
[root@host3 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:62:18:E8
inet addr:10.28.7.252 Bcast:10.28.7.255 Mask:255.255.255.0
#主机host2使用正常
[root@host2 ~]# showmount -e 10.28.7.253
Export list for 10.28.7.253:
/data 10.28.7.210/32
[root@host2 ~]# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.28.7.210 netmask 255.255.255.0 broadcast 10.28.7.255
当然呢 其它解决方案呢就是
* 限制可以获取NFS输出列表的IP和用户
* 除非绝对必要,请关闭NFS服务、MOUNTD