Linux NFS service security hardening example sharing

NFS (Network File System) is a file system supported by FreeBSD, which allows computers in the network to share resources through the TCP/IP network. Improper configuration and use of NFS can cause security issues.

Overview

The insecurity of NFS is mainly reflected in the following four aspects:

• Lack of access control mechanism

• No real user authentication mechanism, only process authentication for RPC/Mount requests

• Older versions of NFS can allow unauthorized users to obtain valid file handles

• In RPC remote calls, the SUID program has super user privileges

Reinforcement scheme

In order to effectively deal with the above security risks, it is recommended You use the following hardening scheme.

Configure the shared directory (/etc/exports)

Use anonuid and anongid to configure the shared directory so that the client mounted to the NFS server has only minimal permissions. Do not use no_root_squash.

Use Network Access Control

Use Security Group Policy or iptable firewall to limit the range of machines that can connect to the NFS server.

iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 140.0.0.0/8 --dport 111 -j ACCEPT

Account verification
Use Kerberos V5 as the login verification system, requiring all visitors to log in with an account to improve security.

Set the number of COPYs for NFSD

In Linux, the number of COPYs for NFSD is defined in the startup file /etc/rc.d/init.d/nfs , the default value is 8.

The optimal number of COPYs generally depends on the number of possible clients. You can test to find a near-optimal value for the number of COPYs and set this parameter manually.

Select transmission protocol

For different network conditions, select UDP or TCP transmission protocol in a targeted manner. The transport protocol can be selected automatically or set manually.

mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR

#UDP protocol transmission speed is fast, non- Connection and transmission are convenient, but its transmission stability is not as good as TCP. When the network is unstable or hacked, it is easy to significantly reduce the performance of NFS and even cause network paralysis. In general, NFS using TCP is more stable, and NFS using UDP is faster.

• When there are few machines and good network conditions, using the UDP protocol can bring better performance.

• When there are many machines and the network situation is complex, it is recommended to use the TCP protocol (V2 only supports UDP protocol).

• It is better to use UDP protocol in LAN, because LAN has a relatively stable network guarantee, and using UDP can bring better performance.

• It is recommended to use the TCP protocol in the WAN. The TCP protocol allows NFS to maintain the best transmission stability in a complex network environment.

Limit the number of clients

Modify /etc/hosts.allow and /etc /hosts. deny to limit the number of clients.

/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow
/etc/hosts.deny
portmap: ALL : deny

Change the default NFS port
NFS uses port 111 by default. This port value can be changed using the port parameter. Changing the default port value can enhance security to a certain extent.

Configuring nosuid and noexec
SUID (Set User ID) or SGID (Set Group ID) programs can allow ordinary users to execute with permissions exceeding their own. Many SUID/SGID executable programs are necessary, but they may also be used by some malicious local users to obtain permissions that they should not have.

Try to reduce the number of files whose owner is root or in the root group but has SUID/SGID attributes. You can delete such a file or change its attributes, such as:

Use the nosuid option to disable the set-UID program from running on the NFS server. You can add a line to /etc/exports :

/www www.abc.com(rw, root_squash, nosuid)

Use noexec to prohibit direct execution of binary files.

Related recommendations:

What is NFS? Share how to implement NFS sharing on CentOS7

Building ftp, nfs, and ssh servers in Linux

NFS service introduction and usage

The above is the detailed content of Linux NFS service security hardening example sharing. For more information, please follow other related articles on the PHP Chinese website!