
How to prevent NFS 4.0 from being mistaken for a Trojan attack?

Last Updated: Mar 07, 2018

Symptom

After an NFS 4.0 file system is mounted from a NAS, the NFS 4.0 client listens on a random port on 0.0.0.0. Netstat cannot identify the process that is listening on this port.

Because the listening port changes and the listening program cannot be identified, NFS 4.0 may be mistaken for a Trojan attack.

[Image: mount_nfs4_random_port_blurred]

Cause

NFS 4.0 listens on this random port to support callbacks. Because the default value of the fs.nfs.nfs_callback_tcpport kernel parameter is 0, the NFS 4.0 client randomly chooses a port to listen on. This random port does not constitute a security risk.

To make port management easier, fix the callback port as described in Solution.

Solution

Before mounting the file system, set the parameter fs.nfs.nfs_callback_tcpport to a non-zero value.

    sudo sysctl fs.nfs.nfs_callback_tcpport=<port>

In the following example, the fs.nfs.nfs_callback_tcpport parameter is manually set to port 45450, and then NFS 4.0 is mounted. Netstat shows that the listening port is 45450.

(The following commands are run as user root, so running the sysctl command with sudo is unnecessary.)

[Image: mount_nfs4_assigned_port_blurred]
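The check described above, as an added example that is not part of the original page: it reads `netstat -tlnp` output, picks out TCP listeners that have no owning process, and labels each one against the pinned callback port. The function names, the verdict labels and the netstat sample are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Function names, verdict labels
# and the sample netstat output below are constructed for illustration.

# Print the pinned callback port; 0 means unpinned (or the nfs module is not loaded).
callback_port() {
    sysctl -n fs.nfs.nfs_callback_tcpport 2>/dev/null || echo 0
}

# classify_listeners PORT: read `netstat -tlnp` output on stdin and print
# "<proto> <port> <verdict>" for every TCP listener whose PID/Program column is "-".
# Run netstat as root; otherwise sockets of other users' processes also show "-".
classify_listeners() {
    awk -v cb="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $7 == "-" {
            n = split($4, part, ":")      # works for 0.0.0.0:45450 and :::45450
            port = part[n]
            if (cb + 0 == 0)
                verdict = "ownerless-callback-port-not-pinned"
            else if (port + 0 == cb + 0)
                verdict = "nfs4-callback"
            else
                verdict = "ownerless-unexplained"   # another kernel listener; review it
            print $1, port, verdict
        }'
}

# Constructed sample: sshd, the pinned callback port on IPv4 and IPv6,
# and one further listener without an owning process.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1021/sshd
tcp        0      0 0.0.0.0:45450           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:39121           0.0.0.0:*               LISTEN      -
tcp6       0      0 :::45450                :::*                    LISTEN      -
EOF
}

# Demo on the constructed sample with the port pinned to 45450, as in the example above.
# Live use: netstat -tlnp | classify_listeners "$(callback_port)"
sample_netstat | classify_listeners 45450
```

With the port left at 0, no listener can be attributed to the NFS callback, which is why pinning it makes the remaining ownerless listeners easier to review.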
