
How to secure NFS Services

2025-01-23 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

In this issue, the editor explains how to strengthen the security of NFS services. The article is rich in content and analyses the topic from a professional point of view; I hope you will get something out of it.

NFS (Network File System) is a file system supported by FreeBSD that allows computers in a network to share resources over TCP/IP. Incorrect configuration or use of NFS can cause security problems.

Overview

The insecurity of NFS is mainly reflected in the following four aspects:

Lack of access control mechanism

There is no real user authentication mechanism; only the process making RPC/mount requests is verified

Earlier versions of NFS allow unauthorized users to obtain valid file handles

In RPC remote calls, SUID programs run with superuser privileges

Configure the shared directory in /etc/exports

Use anonuid and anongid when configuring the shared directory so that clients that mount from the NFS server get minimal permissions. Do not use no_root_squash.

Use network access control

Use security group policies or an iptables firewall to limit the range of machines that can connect to the NFS server.

Account verification

Use Kerberos V5 as the login verification system and require all visitors to log in with accounts, which improves security.

Select transport protocol

Select UDP or TCP according to the network conditions. The transport protocol can be selected automatically or set manually, for example:

mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR

UDP is fast and convenient for connectionless transmission, but it is less stable than TCP. When the network is unstable or under attack, NFS performance can drop sharply, or the network can even become paralysed. In general, NFS over TCP is more stable and NFS over UDP is faster.

With few machines and good network conditions, UDP gives better performance.

With many machines and a complex network, TCP is recommended (NFS v2 only supports UDP).

UDP is the better choice in a local area network, because a LAN offers a relatively stable network and UDP gives better performance there.

TCP is recommended in a wide area network, because it keeps NFS transmission as stable as possible in a complex network environment.

Limit the number of clients

Modify /etc/hosts.allow and /etc/hosts.deny to limit the clients that may connect.

/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0: allow
portmap: 140.116.44.125: allow

/etc/hosts.deny
portmap: ALL: deny

Change the default NFS port

NFS uses port 111 by default, which can be changed with the port parameter. Changing the default port can enhance security to some extent.

Configure nosuid and noexec

SUID (Set User ID) or SGID (Set Group ID) programs allow ordinary users to execute beyond their own privileges. Many SUID/SGID executable programs are necessary, but they can also be exploited by malicious local users to gain permissions that they should not have.

Minimize files that are owned by root or have the SUID/SGID attribute in the root group. You can delete such files or change their properties, such as:

To use the nosuid option to prevent set-UID programs from running on the NFS server, add a line like the following to /etc/exports (note that there must be no space between the host and its option list; a space would attach the options to every host instead):

/www www.abc.com(rw,root_squash,nosuid)

Use noexec to disable direct execution of the binaries.
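The following is an added example, not code from the original article: a small POSIX sh/awk audit of an /etc/exports file that flags the settings the /etc/exports and nosuid sections above warn about (no_root_squash, exports open to any host) and also catches a space between a host and its option list, which detaches the options from that host and applies them to everyone. The exports path is taken from the first argument and defaults to /etc/exports.

```shell
#!/bin/sh
# Added example, not from the original article: audit an /etc/exports file for
# weak settings. Assumes POSIX sh and awk; the exports path is $1 (default
# /etc/exports). Exit status is non-zero when anything was flagged.

audit_exports() {
    file="${1:-/etc/exports}"
    awk '
        { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }   # drop comments and blank lines
        {
            dir = $1
            for (i = 2; i <= NF; i++) {
                spec = $i; host = spec; opts = ""
                if (spec ~ /^\(/) {
                    # "host (opts)": the space splits host and options, so the
                    # options really apply to "*" and the host gets the defaults
                    printf "%s:%d: %s options %s are detached from their host and apply to any host\n", FILENAME, NR, dir, spec
                    findings++
                    host = "*"
                }
                if (match(spec, /\(.*\)$/)) {
                    if (host != "*") host = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                if (host == "*") {
                    printf "%s:%d: %s is exported to any host\n", FILENAME, NR, dir
                    findings++
                }
                # wrap in commas so the match is on the whole option name
                if (("," opts ",") ~ /,no_root_squash,/) {
                    printf "%s:%d: %s to %s uses no_root_squash (remote root keeps root)\n", FILENAME, NR, dir, host
                    findings++
                }
            }
        }
        END { exit (findings > 0) }
    ' "$file"
}

# Run stand-alone on the given (or default) exports file if it is readable.
if [ -r "${1:-/etc/exports}" ]; then
    audit_exports "$@"
fi
```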

The above is what the editor has to share on how to strengthen the security of NFS services. If you have similar doubts, you may refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.
