
1 Rookie


32 Posts


March 18th, 2022 02:00

Prevent NFS mount over unprivileged ports

Hi,

OneFS 9.2.1

We just discovered that the Isilon allows mount requests from NFS clients over unprivileged ports. This is a big security hole. A user who has restricted access to an NFS mount can create an SSH port forwarding to the NFS client from a machine where he has root access. Then he gains full access to the mounted export.

You can see on the Isilon with "netstat" that the original mount comes from a privileged port (917):

tcp4 0 0 isilon.node.2049 nfs.client.917 ESTABLISHED

Over the SSH forwarded connection, the client comes from an unprivileged port (37660):

tcp4 0 0 isilon.node.2049 nfs.client.37660 ESTABLISHED

This has to be prohibited. Our IBM fileserver, for example, has the export option "PrivilegedPort" that prevents such connections. Does something like this exist in OneFS? For example, the file /etc/defaults/rc.conf has the option:

nfs_reserved_port_only="NO" # Provide NFS only on secure port (or NO).

But this file does not seem to be used by Likewise NFS, right?

Regards,

Dirk
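As an added example (not from the thread or from OneFS), a small Python check that scans netstat output in the format quoted above (numeric ports, as with netstat -n) and flags established NFS sessions whose client side uses a port above 1023, which is exactly the kind of connection a privileged-port restriction would refuse. The netstat lines below are constructed for the example.

```python
import re

# Constructed sample lines in the netstat layout shown in the post (not real output):
# Proto Recv-Q Send-Q Local-Address Foreign-Address State
SAMPLE_NETSTAT = """\
tcp4 0 0 isilon.node.2049 nfs.client.917 ESTABLISHED
tcp4 0 0 isilon.node.2049 nfs.client.37660 ESTABLISHED
tcp4 0 0 isilon.node.22 admin.host.51234 ESTABLISHED
tcp4 0 0 isilon.node.2049 other.client.1023 TIME_WAIT
"""

NFS_PORT = 2049
PRIVILEGED_MAX = 1023  # ports 0-1023 need root on the client to bind


def split_host_port(endpoint):
    """netstat prints 'host.port'; the port is the last dot-separated field."""
    host, _, port = endpoint.rpartition(".")
    if not re.fullmatch(r"\d+", port):
        raise ValueError(f"non-numeric port in {endpoint!r}; run netstat with -n")
    return host, int(port)


def unprivileged_nfs_clients(netstat_output, state="ESTABLISHED"):
    """Return (client_host, client_port) for NFS sessions in the given state
    whose client side uses an unprivileged port (> 1023)."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[5] != state:
            continue
        _, local_port = split_host_port(fields[3])
        client_host, client_port = split_host_port(fields[4])
        if local_port == NFS_PORT and client_port > PRIVILEGED_MAX:
            findings.append((client_host, client_port))
    return findings


if __name__ == "__main__":
    for host, port in unprivileged_nfs_clients(SAMPLE_NETSTAT):
        print(f"NFS session from unprivileged client port: {host}:{port}")
```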

Moderator


7.7K Posts

March 18th, 2022 10:00

Hello Dirk,

Have you followed the OneFS Security Configuration Guide for securing your system? Here is the link to that guide, as well as the Administrator Guide, which covers some of this as well.

https://dell.to/3ik25FE

https://dell.to/36zyCoI

1 Rookie


32 Posts

March 21st, 2022 02:00

Hi Sam,

Thanks for your reply. The first link cannot be opened.

Of course, I read the manuals. The gconfig variable NFSPrivPort is set, but this only applies to NFSv3:

# isi_gconfig registry.Services.lwio.Parameters.Drivers.nfs.NFSPrivPort
registry.Services.lwio.Parameters.Drivers.nfs.NFSPrivPort (uint32) = 1

With NFSv4 a client can still connect over an unprivileged port:

Regards,

Dirk

1 Rookie


32 Posts

March 21st, 2022 06:00

Hi,

We have H500 nodes running OneFS 9.2.1.3. Of course, I can contact the support team.

Thanks,

Dirk

March 21st, 2022 06:00

Hi @dirkuos, can you please share the hardware model of your Isilons and the NFS version that you have in your infra? If you have active support, I would suggest engaging Tech Support.
