
Harden NFS service

Last Updated: Nov 08, 2017

NFS (Network File System) is one of the file systems supported by FreeBSD. NFS allows computers on a network to share resources over the TCP/IP protocol. However, incorrect configuration and usage of NFS can result in security problems.

Summary

Common causes of insecurity in NFS include the following:

  • NFS does not provide access control.
  • NFS does not authenticate users; it only validates the requesting process for RPC and mount requests.
  • Earlier versions of NFS may allow an unauthorized user to obtain a valid file handle.
  • In an RPC remote call, an SUID program runs with superuser privileges.

Solution

Using the following methods can harden your NFS environment.

Configure the shared directory (/etc/exports)

  • Use anonuid and anongid when configuring the shared directory. These parameters map squashed (anonymous) requests to a low-privilege UID/GID, so a client that connects to the NFS server through the MOUNT operation gets the least privileges.

  • Do not use no_root_squash.

Use network access control

Use security group rules or an iptables firewall to limit the range of machines that can connect to the NFS server. For example, to allow only two source ranges to reach port 111 (the RPC portmapper):

    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 111 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp -s 192.168.0.0/24 --dport 111 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -s 140.0.0.0/8 --dport 111 -j ACCEPT
    iptables -A INPUT -i eth0 -p udp -s 140.0.0.0/8 --dport 111 -j ACCEPT

Enable account authentication

Use Kerberos V5 as the logon authentication system, and require all users to log on with an account.

Set NFSD COPY

In Linux, the number of NFSD copies (server daemon instances) is set in the startup file /etc/rc.d/init.d/nfs, and the default value is 8.

In general, the optimal number of copies depends on the expected number of clients. As with WSIZE and RSIZE, you can run tests to find the value closest to optimal. This value can be set manually or automatically.

Set the transmission protocol

We recommend that you select the transmission protocol (TCP or UDP) according to the network situation. For example, to mount an export over TCP:

    mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR

UDP features fast and non-connected transmission. Convenient as it is, UDP is not as stable as TCP in transmission. When the network is unstable or a hacker intrusion is in progress, NFS performance can easily plummet, which may lead to a paralyzed network. In general, the “NFS over TCP” mode is relatively stable, and the “NFS over UDP” mode is faster.

  • When there are not many machines and the network is in good condition, UDP gives better performance. UDP is recommended for a LAN, because a LAN is relatively stable, so UDP can deliver its performance advantage.

  • When there are many machines and the network conditions are complicated, TCP (NFS v2 supports only UDP) is preferable. TCP is recommended for a WAN, because TCP allows NFS to maintain optimal transmission stability in a complex network environment.

Limit the number of clients

Configure /etc/hosts.allow and /etc/hosts.deny to restrict which clients can reach the portmapper. For example:

    /etc/hosts.allow
    portmap: 192.168.0.0/255.255.255.0 : allow
    portmap: 140.116.44.125 : allow

    /etc/hosts.deny
    portmap: ALL : deny

Change the default NFS port

NFS uses port 111 (the RPC portmapper) by default, but you can change the default port through the port parameter to enhance security to some extent.

Use the nosuid and noexec options

SUID (Set User ID) and SGID (Set Group ID) programs allow ordinary users to run programs with privileges beyond their own. Many SUID/SGID executables are necessary, but malicious local users may exploit them to gain unauthorized permissions.

Minimize the number of files that are owned by root, or that carry the SUID/SGID attribute and belong to the root group. Delete them or change their attributes. For example:

  • You can use the nosuid option to prevent set-UID programs on the export from running. To do this, modify the /etc/exports file and add a line such as the following (note that the option list must contain no spaces):

        /www www.abc.com(rw,root_squash,nosuid)

  • You can use the noexec option to prevent executables on the export from being run directly.
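As an added example that is not part of the original article, the following shell script audits an /etc/exports file for the weak settings discussed in the "Configure the shared directory" and "Use the nosuid and noexec options" sections: exports with no client list, wildcard clients, no_root_squash, and option lists broken by spaces. It assumes the Linux exports(5) layout; the sample paths and hosts are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit an /etc/exports file for
# weak settings. Assumes the layout "/path client(opt,opt) client2(opt)".
# audit_exports FILE: print one finding per line, return the number of findings.
audit_exports() {
    file="$1"; findings=0; set -f       # -f: "*" must not be glob-expanded by set --
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                  # strip comments
        set -- $line                        # word-split: $1 is the exported path
        if [ $# -eq 0 ]; then continue; fi  # blank or comment-only line
        path="$1"; shift
        if [ $# -eq 0 ]; then
            echo "$path: no client list, so the export is open to every host"
            findings=$((findings + 1)); continue
        fi
        for entry in "$@"; do
            case "$entry" in
                *\(*\)) host="${entry%%\(*}"; opts="${entry#*\(}"; opts="${opts%\)}" ;;
                *\(*|*\)*)                  # "(rw, root_squash)" splits into junk words
                    echo "$path: malformed entry '$entry' (space inside the option list?)"
                    findings=$((findings + 1)); break ;;
                *) host="$entry"; opts="" ;;
            esac
            if [ "$host" = "*" ]; then
                echo "$path: client '*' matches every host"; findings=$((findings + 1))
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    echo "$path: $host has no_root_squash (remote root keeps uid 0)"
                    findings=$((findings + 1)) ;;
            esac
        done
    done < "$file"
    set +f; return $findings                # note: return codes wrap above 255
}
# Constructed sample that deliberately contains the mistakes the audit looks for.
sample_exports() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
/srv/data   192.168.0.0/24(rw,root_squash,anonuid=65534,anongid=65534)
/srv/public *(rw,no_root_squash)
/www        www.abc.com(rw, root_squash, nosuid)
/srv/backup
EOF
    echo "$f"
}
f=$(sample_exports)
audit_exports "$f" || echo "$? finding(s)"  # prints 4 findings, then "4 finding(s)"
rm -f "$f"
```

Run it against the real file with `audit_exports /etc/exports`; a non-zero return code means at least one finding was printed.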
