IT Tips and Tricks

Introduction:

I often use NFS files system between servers of the same internal network. But because having rpcbind open to Internet is considered insecure, I needed to protect it. I could have done this with the firewall, but since the only service I wanted to protect from Internet access I didn’t want to bother with the firewall for this task and I decided to use the good old system TCP Wrappers instead: hosts.allow and hosts.deny files.

Method:

– Deny access to rpcbind to all (done in /etc/hosts.deny)
– Allow 2 exceptions: hosts on my local network (done in /etc/hosts.allow)

Assumptions:

The NFS server is connected to Internet and to our internal LAN(192.168.100.0/24) and has the IP: 12.34.56.78(just an example) and 192.168.100.1.
The 2 hosts which I want to allow to connect to the NFS server are 192.168.100.2 and 192.168.100.3
I have one more server(192.168.100.4) in this private LAN which should not be allowed to connect to the NFS server.

Steps:

Edit (or create if not existing) the file /etc/default/rpcbind and add the following line:
OPTIONS="-w -l -h 192.168.100.1"
Edit the file /etc/hosts.allow and add the following line:
rpcbind: 192.168.100.2 192.168.100.3
Edit the file /etc/hosts.deny and add the following line:
rpcbind: ALL

Verifying the configuration:

Login into any other server on the same local LAN network (none of the ones above allowed servers) lets say from 192.168.100.4 and issue the following command:
rpcinfo -p 192.168.100.1
Output:
rpcinfo: can't contact portmapper: rpcinfo: RPC: Authentication error; why = Client credential too weak
Then login into any Internet server(eg. to 45.67.78.89) and try the command:
rpcinfo -p 12.34.56.78
Output:
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused
Now login in one of the 2 allowed servers(eg. 192.168.100.3) and issue the command:
rpcinfo -p 192.168.100.1
Output:
rpcinfo -p 192.168.100.1
program vers proto port service
100000 4 tcp 111 portmapper
100000 3 tcp 111 portmapper
100000 2 tcp 111 portmapper
100000 4 udp 111 portmapper
100000 3 udp 111 portmapper
100000 2 udp 111 portmapper
100024 1 udp 49123 status
100024 1 tcp 55198 status
100003 2 tcp 2049 nfs
100003 3 tcp 2049 nfs
100003 4 tcp 2049 nfs
....... and so on

Good news: We can see that 192.168.100.4 and any Internet server are not allowed to connect to rpcbind but 192.168.100.3 is allowed.

Extra info:

Just for fun, let’s check the logs:
grep rpcbind /var/log/auth.log
Output:
Oct 7 20:51:30 nfsserver rpcbind: connect from 192.168.100.4 to dump(): request from unauthorized host
Oct 7 20:51:56 nfsserver rpcbind: connect from 45.67.78.89 to dump(): request from unauthorized host
Oct 7 20:53:24 nfsserver rpcbind: connect from 192.168.100.3 to dump()
Now let’s check the TCP Wrappers configuration for the host 192.168.100.2
tcpdmatch rpcbind 192.168.100.2
Output:
client: address 192.168.100.2
server: process rpcbind
access: granted

Result:
rpcbind service is now protected and only accessible from the 2 servers connected to our internal LAN.