Re: FC5, Firefox, NFS /home
- From: Ralf Corsepius <rc040203@xxxxxxxxxx>
- Date: Tue, 20 Jun 2006 19:31:40 +0200
On Tue, 2006-06-20 at 17:49 +0100, Keith G. Robertson-Turner wrote:
> Ralf Corsepius wrote:
>> On Tue, 2006-06-20 at 13:20 +0100, Keith G. Robertson-Turner wrote:
>>> Garry T. Williams wrote:
>>>> On Tuesday 20 June 2006 04:31, Keith G. Robertson-Turner wrote:
>>>>> Dan wrote:
>>>>>> I have an FC5 server which has exported /home via NFS. Client
>>>>>> machines automount /home.
>>>>> Using /home as a network share is inherently insecure,
>>>> What does that mean?
>> Paranoia :)
> Paranoia is a word used by people who have not *yet* been hacked. It's
> also a word used by people who have not *yet* had their house broken
> into. I take it you do lock your door when you leave your house? Does
> that make you paranoid?
>>> Threats To Server Security
>>>
>>> https://www.redhat.com/docs/manuals/linux/RHL-8.0-Manual/security-guide/s1-risk-serv.html
>>>
>>> ######
>>> "Inherently Insecure Services
>>>
>>> Another example of insecure services are network file systems and
>>> information services such as NFS or NIS which are developed
>>> explicitly for LAN usage but are, unfortunately, extended to
>>> include WANs (for remote users).
>> Note: LAN!
> Note: WAN!
> If your network can see the Internet, then the Internet can see your
> network, and potentially everything on it.

That's what firewalls, DMZ and SELinux etc. are for.

> A firewall is only one
> barrier to intruders, and is not infallible.

True, nothing is infallible.

> Sharing any data on a LAN is inherently insecure,

Well, NFS/NIS with NFS mounted homes are the traditional unix way for
networking for many (I guess for ca. 20 years) - IMO, it's not as risky
as you seem to think it is.

> but the risks are
> acceptable if the data being shared is not private and valuable, and
> the network is otherwise secured.

Exactly.

The primary risks with NFS/NIS stem from abuse inside of a LAN (spying
on data, passwords, trojans etc.). IMO, the risks of being intruded from
the outside (WAN) are not much higher than on any network being
connected to a WAN.

> Sharing your /home directory versus
> sharing non-private data, is a bit like the difference between leaving
> an old beat up car unlocked, versus leaving a Ferrari unlocked, while
> you pop into the store. I'm quite sure there are some people who have
> no private data that they wish to protect, either from prying eyes, or
> from theft or destruction, but I am not one of them.

Sorry, NFS shared homes don't necessarily mean "everybody can access
everything". There still are file permissions, /etc/export controls,
network segmenting/subnetting, ACLs and/or even encryption.

>> IMO, NFS/NIS are perfectly suitable for use inside of a LAN. Of
>> course these services impose a certain level of insecurity, but at a
>> certain point paranoia has to stop and trust has to start.
> Take a look at your firewall or router logs. See those IPs? See the
> ports those IPs are attempting to connect to?

Yes, .. and ... firewall denies, drops ...

> The above example depends on a Windows vulnerability, but do not be
> complacent and believe this could never happen to you, just because
> you run Linux.

Of course ...

Ralf
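
Added example, not part of the thread and not written by any of its participants: a small Python audit of the export controls the message above lists, applied to a constructed exports(5) sample. The names `audit_exports` and `SAMPLE_EXPORTS`, the sample hosts and paths are assumptions; line continuations and quoted paths are not handled.

```python
import re

# Constructed sample in exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
/home         192.168.10.0/24(rw,sync,root_squash)
/home         *(rw,no_root_squash)
/srv/pub      lab1.example.com (rw)   # stray space: "(rw)" is its own client
/home/secure  192.168.10.0/24(rw,sync,sec=krb5p)
"""

# One client field: optional host spec, optional "(opt,opt,...)".
CLIENT = re.compile(r"^([^()]*)(?:\(([^)]*)\))?$")


def audit_exports(text):
    """Return (path, client, finding) tuples for risky export entries."""
    findings = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank, comment-only, or no client field to inspect
        path = fields[0]
        for token in fields[1:]:
            m = CLIENT.match(token)
            if not m:
                findings.append((path, token, "unparseable client spec"))
                continue
            host = m.group(1) or "<any>"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            # sec= takes a colon-separated list; the default flavor is sys.
            flavors = next((o[4:].split(":") for o in opts
                            if o.startswith("sec=")), ["sys"])
            if host in ("<any>", "*"):
                findings.append((path, host, "exported to every host"))
            if "no_root_squash" in opts:
                findings.append((path, host, "remote root keeps uid 0"))
            if "insecure" in opts:
                findings.append((path, host, "unprivileged source ports accepted"))
            if "rw" in opts and "sys" in flavors:
                findings.append((path, host, "rw with sec=sys: client-asserted UIDs"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:14} {client:18} {finding}")
```

The `sec=sys` finding fires on every writable export that does not require Kerberos, which matches the LAN-insider risk discussed in the thread: the server trusts whatever UID the client presents.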