1
00:00:00,000 --> 00:00:18,080
Hey everyone and welcome back. In the previous nugget we had talked about the client configuration

2
00:00:18,080 --> 00:00:24,160
for NFS. Now what we're going to do is we're going to look a little bit closer at how we

3
00:00:24,160 --> 00:00:33,679
can lock down access to our NFS shares using TCP wrappers. Now this is actually a concept we have

4
00:00:33,679 --> 00:00:39,920
visited before if you did the LPIC-1 certification, and once again that knowledge is going to come

5
00:00:39,920 --> 00:00:47,439
in handy. So what we're going to do is we're going to see how exactly these TCP wrappers are used

6
00:00:47,519 --> 00:00:54,879
within, like I say, NFS version number three. So check this out then, shall we? What we'll do here

7
00:00:54,879 --> 00:01:01,280
is we will quickly refresh the process of how these particular TCP

8
00:01:01,280 --> 00:01:08,159
wrapper files are going to be evaluated. Now you may recall that within the /etc directory we have

9
00:01:08,159 --> 00:01:17,200
this file called hosts.allow and also within the same directory we have a file called hosts.deny.

10
00:01:17,439 --> 00:01:23,679
So check it out: the way I've written this here is ultimately how things are going to be evaluated.

11
00:01:23,679 --> 00:01:30,079
If you happen to put some type of host definition within the allow file, then it's going to be evaluated

12
00:01:30,079 --> 00:01:35,840
as something that should be permitted. Conversely, if we happen to put some type of definition within

13
00:01:35,840 --> 00:01:42,959
the deny file, then the access is going to be disallowed. Now, as it transpires, if we happen

14
00:01:42,959 --> 00:01:51,679
to have a host, let's just maybe say 192.168.1.1, whatever it may be, if we happen to specify that

15
00:01:51,679 --> 00:01:58,399
host within the allow file as well as the deny file, how on earth would that be resolved? It seems

16
00:01:58,399 --> 00:02:04,719
like it would be a conflict, but here is the reality: the first file that will be evaluated is going to

17
00:02:04,719 --> 00:02:12,479
be this top one right here, the hosts.allow file. Now if we happen to find a match within this file,

18
00:02:12,479 --> 00:02:19,679
the connection is going to be allowed. Now if there is no definition within the hosts.allow file,

19
00:02:19,679 --> 00:02:27,120
we will then go and check hosts.deny and if we find a definition for a particular host or a

20
00:02:27,120 --> 00:02:33,039
particular network within this file, then the connection is going to be disallowed. This is

21
00:02:33,039 --> 00:02:40,560
the process: we check hosts.allow first, then hosts.deny, and if we do not find any type of match for any type

22
00:02:40,640 --> 00:02:48,240
of rule within either of these files, the default setting is to just allow that connection. So really,

23
00:02:48,240 --> 00:02:55,680
like I say, if we have a conflict, allow will ultimately override deny, and if we do not

24
00:02:55,680 --> 00:03:01,840
have any definition, the default behavior is to allow that connection. Now you may recall that at the

25
00:03:01,840 --> 00:03:07,680
beginning of this skill I talked about how we had the /etc/exports file, and within there we could

26
00:03:07,760 --> 00:03:13,760
actually control permissions, remember that, within the brackets. Now this is ultimately specified at

27
00:03:13,760 --> 00:03:20,960
the NFS level, but you will also recall that NFS is going to interact with portmapper, at least

28
00:03:20,960 --> 00:03:29,280
NFS version 3, or rpcbind, and we know that they can use what we're just talking about, TCP wrappers,

29
00:03:29,280 --> 00:03:37,040
to ultimately control the access, remembering that the TCP wrappers can ultimately undo and override

30
00:03:37,039 --> 00:03:44,560
what we specify within that /etc/exports file with respect to permissions. So this is obviously a very

31
00:03:44,560 --> 00:03:50,159
important thing that we want to be understanding: if we happen to have a conflict, you want to understand

32
00:03:50,159 --> 00:03:57,120
how we can resolve that conflict and what actually takes effect. Now if we go and we look into one

33
00:03:57,120 --> 00:04:04,719
of these configuration files, so if I happen to go in and say sudo nano into /etc/hosts.allow

34
00:04:04,719 --> 00:04:11,759
and hit enter, I'll type in my password. Now to specify that I want to create a rule with respect

35
00:04:11,759 --> 00:04:18,000
to portmap, which is going to interface with NFS, the way I can actually do this is by specifying

36
00:04:18,000 --> 00:04:25,360
the keyword portmap and then a colon, after which what I can then do is specify, maybe say, the host

37
00:04:25,360 --> 00:04:31,759
that I want to allow, because after all this is the allow file right here, so I could say allow 192.168.0.68.

38
00:04:31,759 --> 00:04:37,759
I can't actually remember what the client IP address was, let's just say it was

39
00:04:37,759 --> 00:04:44,319
.68 for argument's sake. So what I am effectively doing here is allowing this connection from this host.

40
00:04:44,319 --> 00:04:52,800
Similarly, what I could do is, if I save this and I then go into /etc and go into hosts.deny,

41
00:04:52,800 --> 00:05:03,199
similarly I can specify for portmap with a colon, I could then say 192.168.0.0/24. Now think

42
00:05:03,199 --> 00:05:10,800
about the action which has just taken place here: I have specified that I want to deny absolutely

43
00:05:10,800 --> 00:05:17,840
everyone on this network, you see here, this is in the deny, and at the same time in my allow file I've

44
00:05:17,839 --> 00:05:25,359
said a host within that network is going to be allowed. Ultimately what I'm saying is that everyone

45
00:05:25,359 --> 00:05:35,839
within the 192.168.0.0/24 network is going to be denied access to the NFS share using portmapper,

46
00:05:35,839 --> 00:05:42,000
except for this particular host; this particular host is going to be an exception. So we're going to

47
00:05:42,000 --> 00:05:50,319
have 192.168.0.68 that will be allowed, but everyone else within the network will be disallowed. So this

48
00:05:50,319 --> 00:05:57,519
behavior really is quite useful, and it's not only that. What I could do alternatively is, if I left

49
00:05:57,519 --> 00:06:04,160
this, maybe just say, at the same configuration and I go into the deny once again, what I could do here

50
00:06:04,160 --> 00:06:10,000
is, as opposed to specifying, maybe say, this particular network again, I could just list particular hosts

51
00:06:10,000 --> 00:06:16,079
if I so choose. I could just be more specific and say .13 would not be allowed, or I could say

52
00:06:16,079 --> 00:06:23,360
portmap, what I want you to do is to deny ALL. So if I save this, again, think about it, we're casting an

53
00:06:23,360 --> 00:06:31,279
even wider net. We are saying that for all devices we want to ultimately deny them, except for the

54
00:06:31,279 --> 00:06:37,519
exceptions we have written in the allow file. Because the allow file is going to be evaluated first,

55
00:06:37,519 --> 00:06:45,439
that means that every single device that tries to connect, except for 192.168.0.68, they're all going

56
00:06:45,439 --> 00:06:51,199
to be denied except for this one particular host. And it really is important that we understand

57
00:06:51,199 --> 00:06:57,039
that the definitions that we specify here can sometimes run contrary to the permissions that

58
00:06:57,039 --> 00:07:03,839
we have specified directly within our /etc/exports file right here, but ultimately this is a problem

59
00:07:03,839 --> 00:07:10,159
that is effectively antiquated with version 4; like I say, we're not going to have such a clash,

60
00:07:10,159 --> 00:07:17,279
the control of NFS is going to be handled natively within version 4 by NFS itself. But again, for the

61
00:07:17,279 --> 00:07:22,559
purposes of the examination we do want to be aware of the different versions and how we can

62
00:07:22,559 --> 00:07:29,199
actually handle and manage NFS depending on the type of version we have within our system.

63
00:07:29,199 --> 00:07:35,039
Okay, that is us for our introduction into NFS security. One last thing I want to be talking

64
00:07:35,039 --> 00:07:42,079
about, and that is all about the mounting of NFS file systems with persistence, and well, that's

65
00:07:42,079 --> 00:07:46,079
what we're going to be talking about in the very next nugget. I hope it's been informative for you

66
00:07:46,079 --> 00:07:51,680
and I'd like to thank you for viewing.

