Securing NFS

NFS (Network File System) allows servers to share files over a network. But like all network services, using NFS involves risks.

If you don’t have shared directories to export, ensure that the NFS service is NOT enabled and running:

# service nfs status
rpc.mountd is stopped
nfsd is stopped
rpc.rquotad is stopped

And then check using chkconfig:

# chkconfig --list nfs
nfs 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

You probably don’t need the portmap service either. It is used by NFS (the portmap daemon registers RPC-based services such as NFS and NIS):

# service portmap status
portmap is stopped

Then check status using chkconfig:

# chkconfig --list portmap
portmap 0:off 1:off 2:off 3:off 4:off 5:off 6:off
#

NFS should not be enabled if not needed.
If you must use NFS, use TCP wrappers to restrict remote access.
Make sure you export only to those machines that really need access.
Use fully qualified domain names to diminish spoofing attempts.
Export only directories you need to export.
Export read-only wherever possible.
Use NFS over TCP.
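
An added example, not part of the original post: a small POSIX shell and awk check that reads an exports file and flags entries that go against the list above (exports to every host, wildcard clients, short hostnames instead of FQDNs, and rw). The function names and the sample file are constructed for illustration; netgroups and IP addresses are not evaluated.

```shell
#!/bin/sh
# Added example: flag /etc/exports entries that break the rules listed above.
# Assumes one export per line (no backslash continuations).

# Constructed sample exports file, not taken from the original page.
sample_exports() {
    cat <<'EOF'
# dir         client(options)
/srv/docs     build01.example.com(ro,sync)
/srv/home     *.example.com(rw,sync)
/srv/scratch  build01.example.com (rw)
/srv/pub
/srv/tools    fileclient(ro)
EOF
}

# audit_exports [FILE]: read FILE (or stdin), print "<dir> <client>: <reason>".
audit_exports() {
    awk '
    function report(dir, who, why) { printf "%s %s: %s\n", dir, who, why }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # comments and blank lines
    NF == 1 { report($1, "<any>", "no client list, exported to every host"); next }
    {
        for (i = 2; i <= NF; i++) {
            # Split "client(opt,opt)"; a detached "(opts)" has an empty client.
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            who = (client == "" || client == "*") ? "<any>" : client
            if (who == "<any>")
                report($1, who, "exported to every host")
            else if (client ~ /[*?]/)
                report($1, who, "wildcard client, list exact hosts")
            else if (client !~ /^@/ && client !~ /[.:]/)
                report($1, who, "short hostname, use the FQDN")
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "rw")
                    report($1, who, "read-write, use ro where possible")
        }
    }' "$@"
}

sample_exports | audit_exports
```

To check a real server, call audit_exports /etc/exports. On the /srv/scratch line the space before (rw) makes those options apply to every host rather than to build01.example.com, which is why it is reported.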
