
How to prevent NFS 4.0 from being mistaken for a Trojan attack?

Last Updated: Mar 07, 2018


After a NAS file system is mounted over NFS 4.0, the NFS 4.0 client listens on a random port. Netstat is unable to identify the process that listens on this port.

Because the listening port changes and the listening program cannot be identified, NFS 4.0 may be mistaken for a Trojan attack.



NFS 4.0 listens on this random port to support callback. Because the default value of the fs.nfs.nfs_callback_tcpport kernel parameter is 0, the NFS 4.0 client randomly chooses a port to listen on. This random port does not constitute a security risk.

To facilitate port management, fix the callback port as described in the following solution.


Before mounting the file system, set the parameter fs.nfs.nfs_callback_tcpport to a non-zero value.

    sudo sysctl fs.nfs.nfs_callback_tcpport=<port>

In the following example, the fs.nfs.nfs_callback_tcpport parameter is manually set to 45450, and then NFS 4.0 is mounted. Netstat shows that the listening port is 45450.

(The following commands are run as user root, so running the sysctl command with sudo is unnecessary.)
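An added triage helper, not part of the original page: it lists listening TCP ports that netstat shows with no owning process and checks them against the configured callback port. The function names and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Constructed `netstat -tlnp` output (run as root so userland owners resolve).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:45450           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::45450                :::*                    LISTEN      -
tcp        0      0 0.0.0.0:39127           0.0.0.0:*               LISTEN      -'

# Print the unique TCP ports of LISTEN sockets whose owner column is "-".
ownerless_ports() {
    printf '%s\n' "$1" |
        awk '$6 == "LISTEN" && $7 == "-" { n = split($4, a, ":"); print a[n] }' |
        sort -un
}

# $1 = value of fs.nfs.nfs_callback_tcpport, $2 = netstat -tlnp output.
classify_listeners() {
    cb_port=$1
    for p in $(ownerless_ports "$2"); do
        if [ "$cb_port" -eq 0 ]; then
            # Default setting: the callback port is random, so no port can be matched.
            echo "$p possible-nfs-callback-random-port"
        elif [ "$p" -eq "$cb_port" ]; then
            echo "$p nfs-callback"
        else
            # Not the pinned callback port: needs separate investigation.
            echo "$p unexplained"
        fi
    done
}

# Demo on the constructed sample, with the callback port pinned to 45450.
classify_listeners 45450 "$SAMPLE_NETSTAT"

# On a live client (as root):
#   classify_listeners "$(sysctl -n fs.nfs.nfs_callback_tcpport)" "$(netstat -tlnp)"
```

With the port pinned, the expected ownerless listener is accounted for, and any other ownerless listener stands out for follow-up instead of being lost among random callback ports.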

