2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article presents a worked analysis of security hardening for the NFS service on Linux. It is intended as a reference for anyone interested; I hope you gain something from reading it.
NFS (Network File System) is a file system supported by FreeBSD that allows computers on a network to share resources over TCP/IP. Incorrect configuration and use of NFS can cause security problems.
Overview
The weaknesses of NFS fall mainly into the following four areas:
Lack of an access control mechanism
No real user authentication; only the requesting process is verified for RPC/mount requests
Earlier versions of NFS allow unauthorized users to obtain valid file handles
In RPC remote calls, SUID programs run with superuser privileges
Hardening measures
To address the risks above, the following hardening measures are recommended.
Configure the shared directory (/etc/exports)
Use anonuid and anongid in the export options so that clients mounting the NFS share get minimal permissions. Do not use no_root_squash.
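As an added example (not part of the article), the POSIX shell script below audits an /etc/exports file for the settings this section warns about: no_root_squash, exports to any host, and an option list separated from its host by whitespace, which exportfs treats as applying to every client. The sample exports file is constructed for the demo; /srv/weak, /srv/spaced and /srv/data are made-up paths, and the hardened line shows the anonuid/anongid mapping beside a Kerberos (sec=krb5p) requirement.

```shell
#!/bin/sh
# Added example: audit /etc/exports for weak share settings.
# The sample file below is constructed for this demo; the paths are made up.

make_sample_exports() {
    # $1 = file to write. Two weak lines followed by a hardened one.
    cat > "$1" <<'EOF'
# weak: any host may mount, and remote root is not squashed
/srv/weak    *(rw,no_root_squash)
# weak: the blank before "(" detaches the options from the host
/srv/spaced  192.168.0.0/24 (rw,sync)
# hardened: explicit network, root squashed, anonymous ids pinned, Kerberos required
/srv/data    192.168.0.0/24(rw,sync,root_squash,anonuid=65534,anongid=65534,sec=krb5p)
EOF
}

audit_exports() {
    # $1 = exports file. Prints one "WARN ..." line per finding.
    file=$1
    set -f                           # no glob expansion while splitting lines containing "*"
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        set -- $line                 # $1 = export path, rest = host(options) tokens
        path=$1; shift
        for tok in "$@"; do
            case "$tok" in
                "("*)  printf 'WARN %s: option list %s is not attached to a host, so it applies to every client\n' "$path" "$tok" ;;
                "*"*)  printf 'WARN %s: exported to any host (*)\n' "$path" ;;
                *"("*) ;;
                *)     printf 'WARN %s: host %s has no option list, so default options apply\n' "$path" "$tok" ;;
            esac
            case "$tok" in
                *no_root_squash*) printf 'WARN %s: no_root_squash lets remote root act as local root\n' "$path" ;;
            esac
        done
    done < "$file"
    set +f
}

# Usage: write the constructed sample and audit it (four WARN lines expected).
# On a real server run: audit_exports /etc/exports, then apply edits with exportfs -ra.
tmp=$(mktemp)
make_sample_exports "$tmp"
audit_exports "$tmp"
rm -f "$tmp"
```

The whitespace check matters because exports(5) parses `host (options)` as the host with default options followed by an anonymous `(options)` entry that applies to everyone, which silently widens the export.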
Use network access control
Use a security group policy or an iptables firewall to limit which machines can connect to the NFS server, for example:
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 140.0.0.0/8 --dport 111 -j ACCEPT
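The following added example (not from the article) generates the rule set above for any list of networks and adds what the four ACCEPT rules on their own lack: a REJECT for the same ports from every other source, without which an ACCEPT rule restricts nothing when the chain policy is ACCEPT. Port 111 is the article's portmapper rule; port 2049 (the standard nfsd port) is added here as an assumption about the server. The script prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: generate an iptables rule set that restricts NFS to listed networks.
# Prints the rules rather than applying them; review them, then run as root.

# 111 = rpcbind/portmap (the article's rule); 2049 = nfsd (standard NFS port, assumed here)
NFS_PORTS="111 2049"

nfs_firewall_rules() {
    # $1 = interface, remaining args = source networks allowed to reach NFS.
    iface=$1; shift
    for cidr in "$@"; do
        for port in $NFS_PORTS; do
            for proto in tcp udp; do
                printf 'iptables -A INPUT -i %s -p %s -s %s --dport %s -j ACCEPT\n' \
                    "$iface" "$proto" "$cidr" "$port"
            done
        done
    done
    # The allow list only takes effect if everyone else is turned away on the same ports.
    for port in $NFS_PORTS; do
        for proto in tcp udp; do
            printf 'iptables -A INPUT -i %s -p %s --dport %s -j REJECT\n' "$iface" "$proto" "$port"
        done
    done
}

# Usage: the article's two networks. Pipe the output into "sh" as root to apply it.
nfs_firewall_rules eth0 192.168.0.0/24 140.0.0.0/8
```

NFSv4 needs only port 2049; NFSv3 additionally uses mountd, lockd and statd on ports assigned by rpcbind at start-up, which have to be pinned to fixed values in the NFS configuration before they can be added to NFS_PORTS.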
Account authentication
Use Kerberos V5 as the login authentication system so that every client must authenticate with an account, which improves security.
Set the number of NFSD copies
On Linux, the number of NFSD copies (server instances) is defined in the startup file /etc/rc.d/init.d/nfs; the default is 8.
The optimal number generally depends on how many clients are expected. Test to find an approximately optimal value and set the parameter by hand.
Select the transport protocol
Choose UDP or TCP according to network conditions. The transport protocol can be selected automatically or set manually, for example:
mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR
UDP is fast and convenient for connectionless transmission, but it is less stable than TCP. When the network is unstable or under attack, NFS performance over UDP can drop sharply, even to the point of paralysing the network. In general, NFS over TCP is more stable and NFS over UDP is faster.
With few machines and good network conditions, UDP gives better performance.
With many machines and a complex network, TCP is recommended (NFS v2 supports only UDP).
On a local area network UDP is preferable: the LAN provides a relatively stable network, so UDP can deliver better performance.
On a wide area network TCP is recommended; it lets NFS maintain the best transmission stability in a complex network environment.
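As an added example (not from the article), this shell script audits mounted NFS file systems for the client-side choices discussed here: it reads /proc/mounts-style lines and flags NFS mounts that use UDP or lack nosuid/noexec, and it builds the article's mount command with TCP and those two options added. The three mount lines are constructed for the demo; nas:/srv/data, /mnt/data and /mnt/old are made-up names.

```shell
#!/bin/sh
# Added example: audit mounted NFS file systems from /proc/mounts-style lines.
# The three mount lines below are constructed for this demo.

SAMPLE_MOUNTS='nas:/srv/data /mnt/data nfs4 rw,relatime,vers=4.2,proto=tcp,sec=krb5p,nosuid,noexec 0 0
nas:/srv/old /mnt/old nfs rw,relatime,vers=3,proto=udp,sec=sys 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

audit_nfs_mounts() {
    # Reads mount-table lines on stdin; prints a WARN line for each NFS mount
    # that uses UDP or is missing nosuid or noexec. Other file systems are skipped.
    while read -r src mnt fstype opts _rest; do
        case "$fstype" in nfs|nfs4) ;; *) continue ;; esac
        case ",$opts," in *,proto=udp,*) printf 'WARN %s: mounted over UDP\n' "$mnt" ;; esac
        case ",$opts," in *,nosuid,*) ;; *) printf 'WARN %s: missing nosuid\n' "$mnt" ;; esac
        case ",$opts," in *,noexec,*) ;; *) printf 'WARN %s: missing noexec\n' "$mnt" ;; esac
    done
}

hardened_mount_cmd() {
    # $1 = server:/export, $2 = mount point. The article's mount command over TCP,
    # with nosuid and noexec added on the client side.
    printf 'mount -t nfs -o sync,tcp,noatime,nosuid,noexec,rsize=1024,wsize=1024 %s %s\n' "$1" "$2"
}

# Usage: on a live client replace the sample with "audit_nfs_mounts < /proc/mounts".
printf '%s\n' "$SAMPLE_MOUNTS" | audit_nfs_mounts
hardened_mount_cmd nas:/srv/data /mnt/data
```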
Limit the clients
Edit /etc/hosts.allow and /etc/hosts.deny to restrict which clients may connect.
/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow
/etc/hosts.deny
portmap: ALL : deny
Change the default NFS port
NFS uses port 111 by default, which can be changed with the port parameter. Changing the default port improves security to some extent.
Configure nosuid and noexec
SUID (Set User ID) and SGID (Set Group ID) programs let ordinary users execute with privileges beyond their own. Many SUID/SGID executables are necessary, but they can also be exploited by malicious local users to gain permissions they should not have.
Minimise the files owned by root, or in the root group, that carry the SUID/SGID attribute. Such files can be deleted or have their attributes changed, for example:
To use the nosuid option to stop set-UID programs from running from the NFS share, add a line to /etc/exports (no space between the host and the option list):
/www www.abc.com(rw,root_squash,nosuid)
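The added example below (not the article's own code) does the audit this section describes: it lists regular files with the SUID or SGID bit under an exported tree and strips those bits. The temporary tree it builds is constructed for the demo; setuid_tool, setuid_setgid_tool and plain_tool are made-up file names.

```shell
#!/bin/sh
# Added example: find SUID/SGID files under an exported tree and strip the bits.
# The temporary tree built at the bottom is constructed for this demo.

audit_suid() {
    # $1 = directory (e.g. the exported tree). Lists regular files with SUID or SGID set.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

count_suid() {
    # Number of SUID/SGID files under $1, printed as a bare integer.
    audit_suid "$1" | wc -l | tr -d ' '
}

strip_suid() {
    # Remove the SUID and SGID bits from every file audit_suid reports under $1.
    # Review the audit output first: some programs legitimately need these bits.
    audit_suid "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f"
    done
}

make_sample_tree() {
    # $1 = directory to populate with a SUID file, a SUID+SGID file and a plain file.
    mkdir -p "$1/bin"
    : > "$1/bin/setuid_tool";        chmod 4755 "$1/bin/setuid_tool"
    : > "$1/bin/setuid_setgid_tool"; chmod 6755 "$1/bin/setuid_setgid_tool"
    : > "$1/bin/plain_tool";         chmod 0755 "$1/bin/plain_tool"
}

# Usage: build the sample tree, audit it, strip the bits, audit again.
# On a real server run audit_suid against the exported directory instead.
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "before: $(count_suid "$demo") SUID/SGID file(s)"
audit_suid "$demo"
strip_suid "$demo"
echo "after:  $(count_suid "$demo") SUID/SGID file(s)"
rm -rf "$demo"
```

Stripping the bits on the server complements, rather than replaces, the nosuid option: nosuid and noexec are also honoured as client-side mount options, so a client that mounts with them is protected even if a SUID file later appears in the export.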
Thank you for reading this article carefully. I hope "Example analysis of security hardening for NFS services on Linux" has been helpful to you. Please keep supporting us and following the industry news channel; more related knowledge awaits you.
© 2024 shulou.com SLNews company. All rights reserved.