NFS (Network File System) is a file system supported by FreeBSD that lets computers on a network share resources over TCP/IP. Improperly configured or used, NFS can create security problems.
NFS's weaknesses fall mainly into the following four areas:
Lack of access control mechanism
No real user authentication mechanism, only process authentication for RPC/Mount requests
Older versions of NFS can allow unauthorized users to obtain valid file handles
In RPC remote calls, SUID programs run with superuser privileges
To deal with these risks effectively, it is recommended that you use the following hardening measures.
Configure the shared directory with anonuid and anongid so that clients mounting the NFS server get only minimal permissions. Do not use no_root_squash.
Use a security group policy or an iptables firewall to limit the range of machines that can connect to the NFS server.
iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 140.0.0.0/8 --dport 111 -j ACCEPT
Account verification
Use Kerberos V5 as the login verification system, requiring all visitors to log in with an account to improve security.
Set the number of NFSD copies
In Linux, the number of NFSD copies (server processes) is defined in the startup file /etc/rc.d/init.d/nfs; the default value is 8.
The optimal number of copies generally depends on how many clients may connect. Test to find a near-optimal value and set this parameter manually.
Select the transport protocol
Choose UDP or TCP according to the network conditions. The transport protocol can be selected automatically or set manually, for example:
mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR
UDP is fast and, being connectionless, convenient for transmission, but its stability is not as good as TCP's. When the network is unstable or under attack, NFS performance can drop sharply and the network can even be paralysed. In general, NFS over TCP is more stable and NFS over UDP is faster.
When there are few machines and the network is in good condition, UDP gives better performance.
When there are many machines and the network situation is complex, TCP is recommended (NFS v2 supports only UDP).
On a LAN, UDP is preferable: the network is relatively stable, so UDP delivers better performance.
On a WAN, TCP is recommended; it lets NFS maintain the best transmission stability in a complex network environment.
Limit the number of clients
Modify /etc/hosts.allow and /etc/hosts.deny to limit the number of clients.
/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow
/etc/hosts.deny
portmap: ALL : deny
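The two files above are evaluated by tcp_wrappers in a fixed order: a matching rule in hosts.allow wins, otherwise a matching rule in hosts.deny denies, and a client matching neither is allowed. The following script is an added example, not part of the original article, that reproduces that decision for the rules shown above so you can check which client addresses will reach portmap before deploying the files. It implements an IPv4-only subset of the hosts_access(5) syntax (ALL, exact addresses, net/mask and CIDR patterns, and the allow/deny option); the file contents are constructed copies of the article's rules.

```python
import ipaddress

# Constructed copies of the two files from the article; the rules are the ones shown above.
HOSTS_ALLOW = """\
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow
"""

HOSTS_DENY = """\
portmap: ALL : deny
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: allow|deny]' lines
    (an IPv4-only subset of the hosts_access(5) syntax)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        action = fields[2].lower() if len(fields) > 2 else None
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, ip):
    """ALL, an exact address, or a network written as net/mask or CIDR."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Decide like tcp_wrappers: the first match in hosts.allow wins, then hosts.deny,
    and a client matching neither file is allowed.  An explicit allow/deny option on
    the rule overrides the file it sits in."""
    ordered = ((parse_rules(allow_text), True), (parse_rules(deny_text), False))
    for rules, file_default in ordered:
        for daemons, clients, action in rules:
            if (daemon in daemons or "ALL" in daemons) and any(client_matches(c, ip) for c in clients):
                if action in ("allow", "deny"):
                    return action == "allow"
                return file_default
    return True


if __name__ == "__main__":
    for client in ("192.168.0.50", "140.116.44.125", "10.0.0.1"):
        verdict = "allow" if access_allowed("portmap", client) else "deny"
        print(f"portmap from {client}: {verdict}")
```

Note that the deny file only names portmap; a daemon with no rule in either file (sshd, say) is still reachable from anywhere, which is why a blanket ALL: ALL : deny is the usual closing line when hosts.deny is meant to be the default.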
Change the default NFS port
NFS uses port 111 by default. This port value can be changed using the port parameter. Changing the default port value can enhance security to a certain extent.
Configuring nosuid and noexec
SUID (Set User ID) or SGID (Set Group ID) programs can allow ordinary users to execute with permissions exceeding their own. Many SUID/SGID executable programs are necessary, but they may also be used by some malicious local users to obtain permissions that they should not have.
Try to reduce the number of files owned by root or the root group that carry the SUID/SGID bits. Such files can be deleted or have their attributes changed, for example:
Use the nosuid option to stop set-UID programs from running on the NFS server. You can add a line like this to /etc/exports (no whitespace is allowed inside the option list):
/www www.abc.com(rw,root_squash,nosuid)
Use noexec to prohibit direct execution of binary files.
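Both the anonuid/anongid advice near the top of this article and the /etc/exports line just shown come down to getting the option list right per host. The script below is an added example, not part of the original article, that audits an exports file the way exportfs tokenises it: each export path is followed by whitespace-separated host(options) clauses, a clause consisting only of "(options)" applies to every host (so a stray space before the bracket silently opens the export to the world), and whitespace inside the brackets is a syntax error. It flags the server-side options whose meaning is certain: no_root_squash, wildcard hosts, insecure, and rw exports that do not squash client uids. The SAMPLE_EXPORTS content is constructed for the demonstration; its last entry is the line from the article.

```python
import re

# Constructed sample /etc/exports for the audit; the last entry is the line from this article.
SAMPLE_EXPORTS = """\
/srv/public   *(rw,no_root_squash,insecure)
/srv/data     192.168.0.0/24(rw,sync,root_squash,no_subtree_check)
/srv/upload   192.168.0.10(rw,all_squash,anonuid=65534,anongid=65534)
/www www.abc.com(rw,root_squash,nosuid)
"""

# host part, then an optional bracketed option list; no whitespace may appear inside.
CLAUSE_RE = re.compile(r"([^(]*)(?:\((.*)\))?")


def parse_exports(text):
    """Return (path, host, options) for every host clause of every export line.

    A clause without brackets keeps the exports(5) defaults (ro, root_squash).
    A clause that is only "(options)" has an empty host, which exports(5) treats
    as every host; a clause with an unclosed bracket means the option list was
    written with spaces and is rejected.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clauses = line.split()
        for clause in clauses:
            m = CLAUSE_RE.fullmatch(clause)
            if m is None:
                raise ValueError(f"malformed clause {clause!r} in {raw!r}: "
                                 "no whitespace is allowed inside the option list")
            host = m.group(1) or "*"
            options = [o for o in (m.group(2) or "").split(",") if o]
            entries.append((path, host, options))
    return entries


def audit_exports(text):
    """Return (severity, 'path host', message) findings for an exports file."""
    findings = []
    for path, host, options in parse_exports(text):
        opts = set(options)
        entry = f"{path} {host}"
        if host == "*" or host.startswith("*."):
            findings.append(("high", entry, "exported to a wildcard host; list client machines explicitly"))
        if "no_root_squash" in opts:
            findings.append(("high", entry, "no_root_squash: uid 0 on the client is uid 0 on the server"))
        if "insecure" in opts:
            findings.append(("medium", entry, "insecure: requests from unprivileged source ports are accepted"))
        if "rw" in opts and "all_squash" not in opts:
            findings.append(("low", entry, "rw without all_squash: client uids map 1:1 onto server uids; "
                                           "consider all_squash with anonuid/anongid"))
    return findings


if __name__ == "__main__":
    for severity, entry, message in audit_exports(SAMPLE_EXPORTS):
        print(f"[{severity:6}] {entry}: {message}")
```

Run it against a copy of the real file with audit_exports(open("/etc/exports").read()); the ValueError on a spaced option list is deliberate, because that is exactly the line exportfs would also refuse or misread.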
The above is the detailed content of Linux NFS service security hardening example sharing. For more information, please follow other related articles on the PHP Chinese website!