On Tue, 2006-06-20 at 17:49 +0100, Keith G. Robertson-Turner wrote:
> Ralf Corsepius wrote:
> > On Tue, 2006-06-20 at 13:20 +0100, Keith G. Robertson-Turner wrote:
> >> Garry T. Williams wrote:
> >>> On Tuesday 20 June 2006 04:31, Keith G. Robertson-Turner wrote:
> >>>> Dan wrote:
>
> >>>>> I have an FC5 server which has exported /home via NFS. Client
> >>>>> machines automount /home.
>
> >>>> Using /home as a network share is inherently insecure,
>
> >>> What does that mean?
>
> > Paranoia :)
>
> Paranoia is a word used by people who have not *yet* been hacked. It's
> also a word used by people who have not *yet* had their house broken
> into. I take it you do lock your door when you leave your house? Does
> that make you paranoid?
>
> >> Threats To Server Security
> >> https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-risk-serv.html
> >>
> >> ######
> >> "Inherently Insecure Services
> >>
> >> Another example of insecure services are network file systems and
> >> information services such as NFS or NIS which are developed
> >> explicitly for LAN usage but are, unfortunately, extended to
> >> include WANs (for remote users).
>
> > Note: LAN!
>
> Note: WAN!
>
> If your network can see the Internet, then the Internet can see your
> network, and potentially everything on it.

That's what firewalls, DMZs, SELinux etc. are for.

> A firewall is only one barrier to intruders, and is not infallible.

True, nothing is infallible.

> Sharing any data on a LAN is inherently insecure,

Well, NFS/NIS with NFS-mounted homes have been the traditional Unix way of networking for many years (I guess ca. 20) - IMO, it's not as risky as you seem to think it is.

> but the risks are acceptable if the data being shared is not private
> and valuable, and the network is otherwise secured.

Exactly. The primary risks with NFS/NIS stem from abuse inside of a LAN (spying on data, passwords, trojans etc.). IMO, the risks of being intruded upon from the outside (WAN) are not much higher than on any network being connected to a WAN.

> Sharing your /home directory versus sharing non-private data, is a bit
> like the difference between leaving an old beat-up car unlocked, versus
> leaving a Ferrari unlocked, while you pop into the store. I'm quite sure
> there are some people who have no private data that they wish to
> protect, either from prying eyes, or from theft or destruction, but I am
> not one of them.

Sorry, NFS-shared homes don't necessarily mean "everybody can access everything". There still are file permissions, /etc/export controls, network segmenting/subnetting, ACLs and/or even encryption.

> > IMO, NFS/NIS are perfectly suitable for use inside of a LAN. Of
> > course these services impose a certain level of insecurity, but at a
> > certain point paranoia has to stop and trust has to start.
>
> Take a look at your firewall or router logs. See those IPs? See the
> ports those IPs are attempting to connect to?

Yes, .. and ... firewall denies, drops ...

> The above example depends on a Windows vulnerability, but do not be
> complacent and believe this could never happen to you, just because
> you run Linux.

Of course ...

Ralf
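The reply above lists the controls that keep an NFS-exported /home from meaning "everybody can access everything": export controls, subnetting, permissions. The script below is an added example, not code from anyone in this thread. It audits /etc/exports-style lines for three of those controls (a client restriction instead of a bare `*`, the default `root_squash` rather than `no_root_squash`, and a `sec=krb5*` flavour instead of the default AUTH_SYS, where the server trusts whatever UID the client sends). The three checks are heuristics chosen for this example, and the sample exports file is constructed inline so the script runs offline. It looks only at the file; on a live host the effective export table comes from `exportfs -v`, and the firewall rule on port 2049 that the reply also mentions is a separate check.

```shell
#!/bin/sh
# Added example, not part of the thread: a small audit of /etc/exports
# lines for the export controls Ralf's reply points to (client
# restriction, root_squash, authentication stronger than AUTH_SYS).
# The checks are heuristics chosen for this example, and the sample
# exports file below is constructed, so the script runs offline.
set -f   # no pathname expansion: an exports line may contain a bare '*'

# Print one finding per line for a single exports entry of the form
# "path client(opts) client(opts) ..."; print nothing when it passes.
check_export_line() {
    set -- $1                # $1 = export path, remaining words = client specs
    if [ $# -lt 2 ]; then
        echo "${1:-(empty line)}: no client list, so every host may mount it"
        return 0
    fi
    _path=$1; shift
    for _spec in "$@"; do
        case $_spec in
            *\(*) _host=${_spec%%\(*}; _opts=${_spec#*\(}; _opts=${_opts%\)} ;;
            *)    _host=$_spec; _opts='' ;;
        esac
        # 1. client restriction: '*' or an empty host means any host that reaches port 2049
        case $_host in
            ''|'*') echo "$_path: exported to any host ($_spec); restrict to a subnet or hostnames" ;;
        esac
        # 2. root_squash is the default; no_root_squash makes client root the server's root
        case ",$_opts," in
            *,no_root_squash,*) echo "$_path: no_root_squash for $_host; client root owns the export" ;;
        esac
        # 3. without sec=krb5/krb5i/krb5p, AUTH_SYS trusts the UID/GID the client sends
        case ",$_opts," in
            *,sec=krb5*,*) ;;
            *) echo "$_path: AUTH_SYS only for $_host; client-supplied UIDs are trusted" ;;
        esac
    done
    return 0
}

# Run check_export_line over every non-blank, non-comment line of a file.
audit_exports() {
    while IFS= read -r _line || [ -n "$_line" ]; do
        case $_line in ''|\#*) continue ;; esac
        check_export_line "$_line"
    done < "$1"
    return 0
}

# Number of findings for a file, printed as a bare integer.
count_findings() {
    audit_exports "$1" | wc -l | tr -d ' '
}

# Constructed sample: a weak export beside the tightened version of the same one.
EXPORTS_SAMPLE=$(mktemp)
trap 'rm -f "$EXPORTS_SAMPLE"' EXIT
cat > "$EXPORTS_SAMPLE" <<'EOF'
# weak: anyone reaching port 2049 mounts /home, and their root is your root
/home *(rw,sync,no_root_squash)
# tightened: one LAN subnet, root squashed, Kerberos-authenticated users
/home 192.168.1.0/24(rw,sync,root_squash,sec=krb5p)
EOF

audit_exports "$EXPORTS_SAMPLE"
```

Run as-is and the weak line produces three findings while the tightened line produces none; point `audit_exports` at a real /etc/exports to check your own server. The `sec=` check is deliberately strict: plain AUTH_SYS is the historical default the thread is arguing about, and it is exactly the "trust inside the LAN" that the reply says has to start somewhere.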