8

How can I make an NFS connection secure? The remote server is on the internet, and not in a local network. The server has no firewall and is connected to the internet directly.

Eonil

5 Answers

9

The server has no firewall

If the remote system is not secure (and an absence of any firewalling makes that decidedly suspect) then it doesn't matter what you do to your connection - you can't be confident of security. This is particularly true for an NFS server, where authentication is not tied into the underlying protocol.

If your assertions are correct (which I find astonishing) then find out who configured the server this way and block them out before they can do any more harm.

If you need access to NFS across the internet, use a VPN (IPSEC, SSL tunnel, SSH tunnel, even pptp) and BLOCK all direct internet access (other than the secure connection) on the server.

kaiser
symcbean
  • Oh, I configured my machine myself. I'm a newbie at server services, and am starting a practical service. Please forgive me :) I agree that no firewall is an incredibly **BAD** configuration. I couldn't have thought that a protocol without authentication like NFS will serve anyone who can connect to the machine. Thanks. – Eonil Mar 09 '11 at 02:01
  • Sorry, but I disagree about the rant. A Linux server without a firewall is not automatically insecure. And with a firewall, it is not automatically secure. If one adds a firewall and then opens the NFS ports to the public, data theft is very likely to happen very soon. Furthermore, a VPN doesn't solve the problem of the weak authentication support in NFS, so you should probably suggest installing Kerberos instead of just running a VPN. – Kai Petzke Jan 23 '23 at 08:41
  • Read my comment again - I said that the absence of a firewall IMPLIES security issues. If you have a solution for the OP perhaps you could post the details here. And providing an alternate network path is of no value without closing the public access. – symcbean Jan 23 '23 at 16:54
7

You could tunnel it through SSH.

  • Here is a guide for NFS4.
  • Here is a guide for NFS3.
Andrew Savinykh
Kenny Rasschaert
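The SSH-tunnel approach above, worked through for NFSv4, as an added example that is not code from this answer or from the guides it links. The server name nfs.example.net, user nfsuser, export path /srv/export, mount point /mnt/remote and local port 3049 are assumptions. It spells out the two details that usually trip people up: the server-side export must list 127.0.0.1 (the tunnel's endpoint on the server) rather than the client's public address, and it needs the `insecure` export option because the forwarded connection reaches nfsd from an unprivileged source port, which the default `secure` option refuses.

```shell
#!/bin/sh
# Added example, not code from the answer or its linked guides.
# NFSv4 carries everything over one TCP port (2049), so a single ssh -L forward
# suffices; NFSv3 would also need rpcbind and mountd forwarded, hence the
# separate guides. Assumed names: nfs.example.net, nfsuser, /srv/export,
# /mnt/remote, local port 3049.
set -eu

NFS_SERVER=${NFS_SERVER:-nfs.example.net}
NFS_USER=${NFS_USER:-nfsuser}
NFS_EXPORT=${NFS_EXPORT:-/srv/export}
MOUNTPOINT=${MOUNTPOINT:-/mnt/remote}
LOCAL_PORT=${LOCAL_PORT:-3049}   # unprivileged, so ssh can bind it without root

# Server-side /etc/exports line. Listing 127.0.0.1 as the only client means a
# connection must arrive through sshd on the server itself: a direct hit on
# TCP/2049 from the internet is rejected by nfsd even if the port is reachable
# (still firewall it off the public interface, as the accepted answer says).
# "insecure" is required because the tunnelled connection comes from an
# unprivileged source port, which the default "secure" option refuses.
exports_line() {
    printf '%s 127.0.0.1(ro,sync,insecure,root_squash,no_subtree_check)\n' "$1"
}

# Client-side mount options: point at the forwarded local port, force TCP,
# and neutralise setuid binaries and device nodes coming from the export.
tunnel_mount_opts() {
    printf 'port=%s,proto=tcp,nosuid,nodev,ro\n' "$1"
}

# -N: no remote command, -f: go to background after authentication,
# -L: local LOCAL_PORT -> the server's own loopback 2049.
open_tunnel() {
    ssh -f -N -L "${LOCAL_PORT}:127.0.0.1:2049" "${NFS_USER}@${NFS_SERVER}"
}

# Mount through the tunnel; 127.0.0.1 here is the client's loopback.
mount_via_tunnel() {
    mount -t nfs4 -o "$(tunnel_mount_opts "$LOCAL_PORT")" \
        "127.0.0.1:${NFS_EXPORT}" "$MOUNTPOINT"
}

# Print the server-side line to install, then act only when asked explicitly.
exports_line "$NFS_EXPORT"
if [ "${1:-}" = "apply" ]; then
    open_tunnel
    mount_via_tunnel
fi
```

Run it without arguments to see the exports line to put on the server; run `sh nfs-tunnel.sh apply` as root on the client (after the server's exports are in place and `exportfs -ra` has been run) to open the tunnel and mount. Because the export only admits 127.0.0.1, anyone who reaches port 2049 directly is refused, but the answer's advice to block the port on the public interface still applies.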
1

If NFS is used on the system, proceed with the following measures:

  1. If possible, only allow read-only access to your exported data (-ro)
  2. Do not export the root folder / or /etc
  3. Deactivate NFS if you do not wish to export any file systems.
  4. Access to NFS exports must be restricted to specified hosts
  5. If ZFS filesystems are present, also check that their attributes do not configure them to be shared over NFS.
  6. Use the -nosuid option for mounting folders, to prevent execution of setuid programs.
  7. Use the -nodev option for mounting folders, to prevent the sharing of device files.
Xao
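A way to check an existing host against measures 1, 2, 4, 6 and 7 from the list above, as an added example that is not part of the answer. The two sample files are constructed for the demo; on a real host you would pass /etc/exports and /proc/mounts instead. It also flags `no_root_squash` and the classic whitespace mistake `host (opts)`, which exports(5) reads as "host with default options, plus every host with opts".

```shell
#!/bin/sh
# Added example, not part of the answer: check an exports(5) file and a
# /proc/mounts-style table against measures 1, 2, 4, 6 and 7 above.
# The two sample files below are constructed for the demo, not from a real host.
set -eu

# Findings for measures 1 (rw), 2 (/ or /etc exported) and 4 (no host restriction),
# plus no_root_squash and the "host (opts)" whitespace mistake (empty client = any host).
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }
        {
            path = $1
            if (path == "/" || path ~ /^\/etc(\/|$)/)
                print "line " NR ": exports sensitive path " path
            if (NF == 1)
                print "line " NR ": " path " has no client list (open to all hosts)"
            for (i = 2; i <= NF; i++) {
                client = $i
                sub(/\(.*$/, "", client)
                if (client == "" || client == "*")
                    print "line " NR ": " path " exported to any host via " $i
                if ($i ~ /\((.*,)?rw(,.*)?\)/)
                    print "line " NR ": " path " is writable for " $i
                if ($i ~ /no_root_squash/)
                    print "line " NR ": " path " keeps remote root as root for " $i
            }
        }' "$1"
}

# Measures 6 and 7: every nfs/nfs4 mount must carry nosuid and nodev.
audit_mounts() {
    awk '$3 ~ /^nfs4?$/ {
            n = split($4, opt, ",")
            nosuid = 0; nodev = 0
            for (k = 1; k <= n; k++) {
                if (opt[k] == "nosuid") nosuid = 1
                if (opt[k] == "nodev")  nodev = 1
            }
            if (!nosuid) print $2 ": NFS mount without nosuid"
            if (!nodev)  print $2 ": NFS mount without nodev"
        }' "$1"
}

SAMPLE_EXPORTS=$(mktemp)
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS" "$SAMPLE_MOUNTS"' EXIT
cat >"$SAMPLE_EXPORTS" <<'EOF'
# constructed sample exports file
/srv/public   10.0.0.0/24(ro,sync,no_subtree_check)
/srv/data     *(rw,sync,no_subtree_check)
/etc          client.example.net(ro)
/srv/shared   client.example.net (rw,no_root_squash)
/srv/only
EOF
cat >"$SAMPLE_MOUNTS" <<'EOF'
nfs.example.net:/srv/public /mnt/public nfs4 rw,relatime,vers=4.2,nosuid,nodev,proto=tcp 0 0
nfs.example.net:/srv/data /mnt/data nfs4 rw,relatime,vers=4.2,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF

audit_exports "$SAMPLE_EXPORTS"   # 7 findings for the sample file
audit_mounts "$SAMPLE_MOUNTS"     # 2 findings: /mnt/data lacks nosuid and nodev
```

Only `/srv/public` in the sample passes cleanly: it is read-only and limited to one subnet. Note that the `/srv/shared` line looks restricted at a glance, yet the space before `(rw,no_root_squash)` makes it writable by every host with remote root kept as root, which is why the audit treats an empty client name the same as `*`.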
0

There is a nice article on Linux Journal, Encrypting NFSv4 with Stunnel TLS, which explains how to use stunnel to protect NFSv4 traffic.

Inspired by this publication, the IETF NFS working group is working on the RPC-over-TLS protocol, which aims to add native TLS support to the NFS protocol (and any other protocol based on ONC/Sun RPC).

kofemann
0

It depends on what version of NFS you are using. Some of the above answers are probably along the lines of some of what you want to do for versions prior to NFSv4.

  • NFSv3+: configure the ssh connection via TCP wrappers, which apparently is full of gotchas
  • Harden your network firewall (NFSv*)
    • Open ports for TCP, UDP, and rpcbind. Default ports, and the rpcbind configuration, may differ based on NFS version

According to Christopher Negus' Linux Bible, securing NFSv4, along with the above mentioned solutions, is best accomplished using Kerberos integration, which allows for configuration of user-based access. This allows for more fine-grained controls over which root use