NFS, NTP and NetApp Mode 7
2019-01-02 02:02 PM
Greetings all and Happy New Year,
I currently have an issue with the NFS settings on three of my four filers. I have compared them to the filer which is not on the ACAS report, and the settings are a mirror of each other. The problems are as follows:
- NFS Exported Share Information Disclosure (It is possible to access NFS shares on the remote host) Solution: Configure NFS on the remote host so that only authorized hosts can mount its remote shares.
- NFS Shares World Readable (The remote NFS server exports world-readable shares) Solution: Place the appropriate restrictions on all NFS shares.
I have done a search on the Internet and the NetApp site and I cannot find any solution to these. The solution presented is from the ACAS scan.
The other problem is with the NTP. The problem is:
- Network Time Protocol (NTP) Mode 6 Scanner (The remote NTP server responds to mode 6 queries) Solution: Restrict NTP mode 6 queries.
I am still doing a bunch of reading on this, but if you can assist, great.
As always, any and all help is greatly appreciated. Have a happy and safe new year.
Re: NFS, NTP and NetApp Mode 7
2019-01-02 09:36 PM
Hi there! Looks like you have some/all volumes exported to a wider group of hosts than is necessary. The command to manage that is exportfs - this document - https://library.netapp.com/ecmdocs/ECMP1511537/html/man1/na_exportfs.1.html - explains the options available, but exact options depend on which volumes have the problem, and what the design on your network is. If properly set up, you can use OnCommand System Manager to manage this through a GUI.
Regarding NTP: NetApp systems don't run NTP servers, they act as NTP clients. However, the mode 6 vulnerabilities look like they are related to this issue - https://security.netapp.com/advisory/ntap-20171004-0001/ - you should be running the most recent version of ONTAP for your platform - in most cases 8.2.5P2 - and utilize defence in depth to protect your systems.
Hope this helps!
You should not disable NTP - it will break SMB as the clock drifts and make analysing system incidents more difficult.
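
An added example, not part of the thread or of NetApp's tooling: a small Python audit of a 7-Mode-style /etc/exports that lists the entries any host can mount, which is the condition behind the two ACAS NFS findings and the thing the exportfs advice above addresses. The sample file, volume names and host names are constructed; the option parsing is simplified (one sec= block per line), and treating an entry with no ro/rw option as open to all hosts is an assumption made to be conservative.

```python
# Constructed sample in the 7-Mode /etc/exports layout; names are made up.
SAMPLE_EXPORTS = """\
# path          options
/vol/vol0       -sec=sys,rw=adminhost,root=adminhost
/vol/home       -sec=sys,rw
/vol/archive    -sec=sys,ro
/vol/proj       -sec=sys,rw=10.1.2.0/24:buildhost,root=buildhost
/vol/scratch    -sec=sys,ro=10.1.2.0/24,rw
/vol/legacy     -sec=sys
"""


def open_exports(exports_text):
    """Return [(path, reason)] for entries not limited to named hosts."""
    findings = []
    for raw in exports_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        optstr = parts[1].lstrip("-") if len(parts) > 1 else ""
        opts = [o.strip() for o in optstr.split(",") if o.strip()]

        # Access options are ro / rw, optionally followed by =host[:host...]
        access = [o for o in opts if o.split("=", 1)[0] in ("ro", "rw")]
        # "rw" or "ro" with no host list (or an empty one) applies to every client
        bare = [o for o in access
                if "=" not in o or not o.split("=", 1)[1]]
        if bare:
            name = bare[0].split("=", 1)[0]
            findings.append((path, f"'{name}' has no host list"))
        elif not access:
            # Assumption: no ro/rw option at all is treated as open; review it.
            findings.append((path, "no ro=/rw= host list present"))
    return findings


if __name__ == "__main__":
    for path, reason in open_exports(SAMPLE_EXPORTS):
        print(f"{path}: {reason}")
```

Run against a copy of each filer's /etc/exports, this gives a per-volume list to compare with the scan report before deciding which hosts each export should name.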