How to strengthen the Security of NFS Service in Linux

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "how to strengthen the security of NFS services in Linux". Many people run into difficulties with this in practice, so the following walks through how to handle those situations. I hope you read carefully and learn something!

NFS is the abbreviation of Network File System. Its biggest function is to allow different machines and operating systems to share files with each other through the network.

Overview

NFS security is mainly reflected in the following four aspects:

1. Lack of access control.
2. No true user authentication: RPC/Mount requests are only validated per procedure.
3. Older versions of NFS allow unauthorized users to obtain valid file handles.
4. In RPC remote calls, SUID programs run with superuser privileges.

Hardening schemes

To deal effectively with the security risks above, the following hardening measures are recommended.

Configure shared directories (/etc/exports)

Configure shared directories with anonuid and anongid, so that clients that mount from the NFS server have only minimal permissions. Do not use no_root_squash.

Use network access control

Use security group policies or an iptables firewall to restrict the range of machines that can connect to NFS servers.

iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s

Use Kerberos V5 as the authentication system: everyone who accesses the share must then log in with an account, which improves security.
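The exports, root-squash and Kerberos advice above can be checked mechanically. This is an added example, not code from the original article: a small audit of an exports(5) file that flags no_root_squash, exports open to every host, option lists broken by whitespace, and entries without a sec=krb5* option. It assumes the usual "dir host(opts) host(opts) ..." syntax of /etc/exports and runs on a constructed sample file.

```shell
#!/bin/sh
# Added example, not from the original article: audit an exports(5) file for
# the weak settings discussed above (no_root_squash, exports open to every
# host, option lists broken by whitespace, no Kerberos). Assumes the usual
# "dir host(opts) host(opts) ..." syntax of /etc/exports.

# audit_exports FILE : print one finding per line (no output means clean)
audit_exports() {
    sed 's/#.*//' "$1" | awk '
        NF == 0 { next }
        {
            dir = $1
            for (i = 2; i <= NF; i++) {
                tok = $i
                if (index(tok, "(") && !index(tok, ")")) {
                    # "(rw, root_squash)" with spaces: exports(5) allows none,
                    # and later words are read as separate client entries
                    printf "%s: whitespace inside option list at \"%s\"\n", dir, tok
                    next
                }
                host = tok; opts = ""
                p = index(tok, "(")
                if (p) { host = substr(tok, 1, p - 1); opts = substr(tok, p + 1) }
                sub(/\)$/, "", opts)
                if (host == "" || host == "*")
                    printf "%s: exported to every host (%s)\n", dir, tok
                if (("," opts ",") ~ /,no_root_squash,/)
                    printf "%s: no_root_squash for %s (remote root acts as local root)\n", dir, host
                if (("," opts ",") !~ /,sec=krb5/)
                    printf "%s: no sec=krb5* for %s (AUTH_SYS trusts the UID the client sends)\n", dir, host
            }
        }'
}

# Constructed sample file; the first line copies the article example, spaces included
EXPORTS_SAMPLE=$(mktemp)
cat > "$EXPORTS_SAMPLE" <<'EOF'
/www www.abc.com(rw, root_squash, nosuid)
/srv/data *(rw,no_root_squash,sync)
/home 192.168.0.0/24(rw,root_squash,anonuid=65534,anongid=65534,sync)
/secure 192.168.0.0/24(rw,sec=krb5p,root_squash,sync)
EOF
audit_exports "$EXPORTS_SAMPLE"
```

On the sample the first three entries produce findings and the Kerberos-protected /secure entry produces none; run it against the real /etc/exports by passing that path instead.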

Set the number of NFSD copies

In Linux, the number of NFSD copies (nfsd processes) is defined in the boot file /etc/rc.d/init.d/nfs; the default value is 8.

The optimal number generally depends on how many clients you expect. Test to find the approximate optimum and set this parameter manually.

Select the transmission protocol

Choose UDP or TCP as the transport according to the network situation. The transport protocol can be selected automatically or manually:

mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR

UDP is fast and its connectionless transfers are convenient, but it is less stable than TCP. When the network is unstable or under attack, NFS performance over UDP can drop sharply, even to the point of paralysing the network. In general, NFS over TCP is more stable and NFS over UDP is faster.

With few machines and good network conditions, UDP gives better performance. With many machines and a complex network, TCP is recommended (NFS V2 only supports UDP). UDP is well suited to a local area network, where the network is stable enough for UDP to deliver its better performance. TCP is recommended over a WAN, where it keeps NFS transfers stable in a complex network environment.

Limit the number of clients

Modify /etc/hosts.allow and /etc/hosts.deny to limit which clients may connect.

/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow

/etc/hosts.deny
portmap: ALL : deny

Change the default NFS port

NFS defaults to port 111, which can be changed with the port parameter. Changing the default port enhances security to some extent.

Configure nosuid and noexec

SUID (Set User ID) and SGID (Set Group ID) programs run with privileges beyond those of the ordinary user who executes them. Many SUID/SGID executables are necessary, but they can be exploited by malicious local users to gain privileges they should not have.

Minimize the number of files that are owned by root (or belong to the root group) and carry SUID/SGID bits. You can delete such files or strip the bits, for example:

Use the nosuid option to prevent set-UID programs from running from the NFS share, by adding a line to /etc/exports:

/www www.abc.com(rw,root_squash,nosuid)

Use noexec to prevent direct execution of binaries in the shared directory.
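Two checks that follow from this section, as an added example that is not part of the original article: on the client side, list NFS mounts that lack nosuid or noexec (reading /proc/mounts format: source, mount point, fstype, options, dump, pass); on the server side, list the SUID/SGID files in a directory about to be exported. The sample mounts file and export tree are constructed inline; the `find` owner filter (`root`) only matches when the tree really is root-owned.

```shell
#!/bin/sh
# Added example, not from the original article: client-side check that NFS
# mounts carry nosuid and noexec, plus a server-side listing of SUID/SGID
# files in a directory about to be exported. Reads /proc/mounts format
# ("source mountpoint fstype options dump pass").

# weak_nfs_mounts MOUNTS_FILE : NFS/NFSv4 mounts lacking nosuid or noexec
weak_nfs_mounts() {
    awk '$3 ~ /^nfs4?$/ {
        missing = ""
        if (("," $4 ",") !~ /,nosuid,/) missing = missing " nosuid"
        if (("," $4 ",") !~ /,noexec,/) missing = missing " noexec"
        if (missing != "") printf "%s on %s: missing%s\n", $1, $2, missing
    }' "$1"
}

# setid_files DIR [OWNER] : regular files with SUID or SGID set, optionally
# restricted to one owner (the article singles out root-owned ones)
setid_files() {
    if [ -n "$2" ]; then
        find "$1" -xdev -type f -user "$2" \( -perm -4000 -o -perm -2000 \)
    else
        find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \)
    fi
}

# Constructed sample mounts; the first line reuses the mount options shown above
MOUNTS_SAMPLE=$(mktemp)
cat > "$MOUNTS_SAMPLE" <<'EOF'
server:/www /mnt/www nfs rw,sync,noatime,rsize=1024,wsize=1024,proto=tcp 0 0
server:/home /home nfs4 rw,nosuid,noexec,sec=krb5p,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
EOF
weak_nfs_mounts "$MOUNTS_SAMPLE"   # server:/www on /mnt/www: missing nosuid noexec

# Constructed export tree containing one set-UID file
EXPORT_DIR=$(mktemp -d)
touch "$EXPORT_DIR/plain" "$EXPORT_DIR/suidtool"
chmod 4755 "$EXPORT_DIR/suidtool"
setid_files "$EXPORT_DIR"          # prints only .../suidtool
setid_files "$EXPORT_DIR" root     # empty unless the tree is root-owned
```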

"How to strengthen the security of NFS services in Linux" is introduced here. Thank you for reading. If you want to know more about industry-related knowledge, you can pay attention to the website. Xiaobian will output more high-quality practical articles for everyone!
