How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ? (524 Views)
Advisor
arunaphcl
Posts: 20
Registered: ‎01-28-2013
Message 1 of 4 (524 Views)

How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

Advisor
arunaphcl
Posts: 20
Registered: ‎01-28-2013
Message 2 of 4 (516 Views)

Re: How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

Please assist me on this, experts.

Acclaimed Contributor
Dennis Handly
Posts: 24,971
Registered: ‎03-06-2006
Message 3 of 4 (510 Views)

Re: How to secure rpc and nlockmgr RPC Service for HP-UX NFS sharing?

Are you looking for which ports to unblock in your firewall?

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 4 of 4 (506 Views)

Re: How to secure rpc and nlockmgr RPC Service for hp unix NFS sharing ?

First, you'll need to configure fixed port numbers for the NFS-related services. You should do this both on your NFS server and on all your NFS clients.

Depending on your HP-UX version, you may need to ensure that you have a specific patch installed:

11.31 - no patch required
11.23 - PHNE_34550 or superseding patch
11.11 - PHNE_34662 or superseding patch


Then you can add some lines to /etc/rc.config.d/nfsconf to specify fixed port numbers for the NFS-related services.

For example, these lines would fix lockd (nlockmgr) to port 4045, rpc.statd (status) to 4046 and rpc.mountd (mountd) to 4047:

STATD_PORT=4046
MOUNTD_PORT=4047

# in 11.31, lockd is always fixed to UDP port 4045 so this is not needed
LOCKD_PORT=4045 


After doing this and restarting your NFS services, they should be in fixed ports. Use "rpcinfo -p" to verify.


Once the services are bound to fixed ports, you can use external firewalls or the optional HP-UX IPFilter to restrict the connections to these ports to between your NFS server and legitimate NFS clients only. You'll also need to allow the portmapper/rpcinfo service (port 111, both TCP and UDP), since it is used to find the other NFS-related services (because the client will not know that you've specified fixed port numbers on the server, and vice versa).

MK
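The post above describes a three-step procedure: pin the RPC services to fixed ports in /etc/rc.config.d/nfsconf, confirm with "rpcinfo -p", then firewall those ports plus portmapper (111/tcp and 111/udp). The script below is an added example, not part of the thread or of HP-UX: it automates the verification step by parsing "rpcinfo -p" output against the port numbers used in the post (4045 lockd/nlockmgr, 4046 statd/status, 4047 mountd, plus 2049 for nfs, the standard NFS port), and it emits IPFilter rules for the same ports. The two rpcinfo listings are constructed sample data, not captured from a real host; the interface name lan0, the addresses 192.0.2.0/24 and 192.0.2.10, and the ipf.conf path are placeholders you must replace.

```shell
#!/bin/sh
# Added example (not from the forum post): verify that HP-UX NFS RPC services
# are on the fixed ports set in /etc/rc.config.d/nfsconf, then emit IPFilter
# rules that admit only legitimate NFS clients to those ports.

# Expected "<rpcinfo service name> <port>" pairs; ports as in the post, 2049 = nfs.
EXPECTED_PORTS='nlockmgr 4045
status 4046
mountd 4047
nfs 2049'

# Constructed sample of "rpcinfo -p" output on a correctly configured server.
SAMPLE_RPCINFO_OK='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100003    3   tcp   2049  nfs
    100005    3   udp   4047  mountd
    100005    3   tcp   4047  mountd
    100021    4   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr
    100024    1   udp   4046  status
    100024    1   tcp   4046  status'

# Constructed sample of a misconfigured server: mountd on a random port
# (MOUNTD_PORT not set) and rpc.statd not running at all.
SAMPLE_RPCINFO_BAD='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    4   udp    111  rpcbind
    100003    3   udp   2049  nfs
    100005    3   udp  49152  mountd
    100005    3   tcp  49152  mountd
    100021    4   udp   4045  nlockmgr
    100021    4   tcp   4045  nlockmgr'

# check_fixed_ports RPCINFO_OUTPUT
# Prints one line per service on the wrong port (MISMATCH) or not registered
# at all (MISSING). Returns 0 only when every expected service is on its port.
check_fixed_ports() {
    printf '%s\n' "$1" | awk -v expected="$EXPECTED_PORTS" '
        BEGIN {
            n = split(expected, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); want[f[1]] = f[2] }
            bad = 0
        }
        $1 !~ /^[0-9]+$/ { next }          # skip the header line
        {
            proto = $3; port = $4; svc = $5
            if (svc in want) {
                seen[svc] = 1
                if (port != want[svc]) {
                    printf "MISMATCH %s/%s on port %s, expected %s\n", svc, proto, port, want[svc]
                    bad = 1
                }
            }
        }
        END {
            for (svc in want)
                if (!(svc in seen)) { printf "MISSING %s not registered\n", svc; bad = 1 }
            exit bad
        }'
}

# ipf_rules CLIENT_NET SERVER_IP [IFACE]
# Emits an HP-UX IPFilter rule fragment (assumed path /etc/opt/ipf/ipf.conf):
# pass the fixed NFS ports and portmapper (111) from CLIENT_NET to SERVER_IP,
# then block the same ports from anyone else. "quick" makes first match win,
# so the pass rules must precede the block rules.
ipf_rules() {
    client="$1"; server="$2"; iface="${3:-lan0}"
    printf '%s\n' "$EXPECTED_PORTS" | awk -v c="$client" -v s="$server" -v i="$iface" '
        BEGIN { ports[1] = 111; n = 1 }     # portmapper is always required
        NF == 2 { ports[++n] = $2 }
        END {
            for (k = 1; k <= n; k++) {
                printf "pass in quick on %s proto tcp from %s to %s port = %s flags S keep state\n", i, c, s, ports[k]
                printf "pass in quick on %s proto udp from %s to %s port = %s keep state\n", i, c, s, ports[k]
            }
            for (k = 1; k <= n; k++)
                printf "block in quick on %s proto tcp/udp from any to %s port = %s\n", i, s, ports[k]
        }'
}

# Demonstration on the constructed samples (on a real host: rpcinfo -p | ...).
check_fixed_ports "$SAMPLE_RPCINFO_OK" >/dev/null && echo "OK sample: all NFS services on fixed ports"
check_fixed_ports "$SAMPLE_RPCINFO_BAD" || echo "BAD sample: fix nfsconf and restart NFS before adding firewall rules"
ipf_rules 192.0.2.0/24 192.0.2.10 lan0
```

On a live server replace the sample variable with `check_fixed_ports "$(rpcinfo -p)"`; do not write the firewall rules until the check passes, because a service that has drifted to a dynamic port will simply be blocked and clients will hang on lock or mount operations. The client side needs the mirror image: lockd and statd on the clients must also be pinned (the server's lockd calls back to them), so run the same check there and allow those ports from the server.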