http://times.usefulinc.com/ 2006-09-29T13:08:15Z Edd Dumbill edd-web@usefulinc.com http://times.usefulinc.com/public/read/867 2006-09-29T13:08:15Z 2006-09-29T12:53:10Z

Sharing the benefit of my recent system administration adventures.

<p>Most sensible people are very wary of NFS and its potential for security holes. If you can at all help it, it's a good idea not to run NFS and portmap on a network interface with direct internet connectivity. However, this isn't always convenient. </p> <p> As I needed to have NFS sharing on a host exposed to the internet, I set about finding the various places I needed to firewall. The tools I typically use to verify I've done the right things are <code>netstat -nap</code> on the machine concerned, to check for listening processes, and <code>nmap</code> from remote hosts to sniff for open ports. </p> <p> Portmap and its associated programs mostly use 'tcpwrappers' for controlling access. The first step you ought to take in securing portmap is to ensure that your <em>hosts.allow</em> and <em>hosts.deny</em> files are set up to control access properly. </p> <p> In <em>/etc/hosts.deny</em>, deny access to allcomers: </p> <pre> mountd: ALL statd: ALL portmap: ALL rquotad: ALL </pre> <p> Then in <em>/etc/hosts.allow</em>, let the good guys through (adjust for your network): </p> <pre> mountd: 192.168.0. statd: 192.168.0. portmap: 192.168.0. rquotad: 192.168.0. </pre> <p> On top of this, however, you should firewall off the ports that these programs use. As I found out, this is not as easy as it sounds. Portmap assigns random ports for some of the services it starts. </p> <p> You can run <code>rpcinfo -p</code> to see the ports in use. An example run on one of my machines looks like this: </p> <pre> program vers proto port 100000 2 tcp 111 portmapper 100000 2 udp 111 portmapper 100003 2 udp 2049 nfs 100003 3 udp 2049 nfs 100003 4 udp 2049 nfs 100003 2 tcp 2049 nfs 100003 3 tcp 2049 nfs 100003 4 tcp 2049 nfs 100021 1 udp 32770 nlockmgr 100021 3 udp 32770 nlockmgr 100021 4 udp 32770 nlockmgr 100021 1 tcp 32788 nlockmgr 100021 3 tcp 32788 nlockmgr 100021 4 tcp 32788 nlockmgr 100005 1 udp 1005 mountd 100005 1 tcp 1008 mountd 100005 2 udp 1005 mountd 100005 2 tcp 1008 mountd 100005 3 udp 1005 mountd 100005 3 tcp 1008 mountd 100024 1 udp 863 status 100024 1 tcp 866 status </pre> <p> Of these, <em>nfs</em> and <em>portmapper</em> always use the same ports, 2049 and 111, so ensure you block off these. </p> <p> What about the rest? Happily, there's a way to configure them to use constant ports so we can reliably firewall them. Life would be too easy if all this configuration was in the one place, so here's how to find the different places you need to change. </p> <ul> <li><p><b>nlockmgr</b>: you're probably using the kernel NFS server, which means the port needs passing at module load time for the lockd module. Add this line into a new file, <em>/etc/modutils/local-lockd</em> </p> <pre>options lockd nlm_udpport=32768 nlm_tcpport=32768</pre> <p>Then run <code>update-modules</code> to recreate your <em>/etc/modules.conf</em>. The next time you boot these ports will be used for <em>nlockmgr</em>. If you've got the <em>lockd</em> statically compiled into your kernel, you'll need to pass these options as <code>lockd.mnlm_udpport</code> and <code>lockd.nlm_tcpport</code> to the kernel on boot. </p></li> <li><p><b>status</b>: this is the port used by <em>statd</em>. There's also an outgoing port, on which <em>statd</em> sends outgoing status requests. You can configure them by altering <code>STATDOPTS</code> in <em>/etc/default/nfs-common</em>, e.g.</p> <pre>STATDOPTS="--port 699 --outgoing-port 700"</pre> </li> <li><p><b>mountd</b>: you can control the port used for <em>mountd</em> by editing <em>/etc/default/nfs-kernel-server</em> and altering <code>RPCMOUNDOPTS</code>, e.g.</p> <pre>RPCMOUNTDOPTS="--port 962"</pre> </li> </ul> <p>Finally, if you're running quotas, be sure to do something similar with <code>RPCRQUOTADOPTS</code> in <em>/etc/default/quota</em>.</p> <p>See also:</p> <ul> <li><a href="http://wiki.debian.org/SecuringNFS">SecuringNFS</a> on the Debian Wiki</li> <li><a href="http://www.tldp.org/HOWTO/NFS-HOWTO/security.html">Linux NFS HOWTO</a> security chapter</li> </ul> <p>Finally, I ought to note that I've written this up in case it helps anybody else. As with everything I write here, I make no warranty about its accuracy. Security is hard and obscure (but that's no reason not make our best efforts!)</p><p><a href="http://times.usefulinc.com/2006/09/29-portmap-security#disqus_thread">Join the conversation about this post</a></p> http://times.usefulinc.com/public/read/863 2006-09-30T15:59:25Z 2006-09-15T22:26:07Z

A little Capistrano rule that helps keep all your configuration in one place when using Rails with Apache and Ubuntu or Debian.

<p>I deploy my Rails applications with Capistrano to an Ubuntu machine, which uses the excellent Debian style layout of Apache 2 configuration files.</p> <p>To keep things tidy, I like to place the Apache configuration file inside the <i>config</i> directory of the Rails project, along with the rest of the configuration for the Rails application and Mongrel.</p> <p>With the help of a couple of Capistrano rules I can then ensure that, on deployment, the latest Apache configuration file is also sent to the server:</p> <pre> # after setup, do a one-time link in task :after_setup do sudo "ln -nfs #{current_path}/config/#{application} /etc/apache2/sites-available/" end # cause apache2 to re-read. you probably have this rule anyway task :restart do # if you're running mongrel_cluster, uncomment the following line # restart_mongrel_cluster sudo "/usr/sbin/apache2ctl graceful" end </pre> <p>The first time round you'll probably want to do <tt>a2ensite <i>yourapp</i></tt> manually, but this could easily be added into the <tt>after_setup</tt> rule.</p> <p>Not rocket science, but a pleasing bit of configuration that keeps things tidy.</p><p><a href="http://times.usefulinc.com/2006/09/15-rails-debian-apache#disqus_thread">Join the conversation about this post</a></p>