In the previous article, we introduced the NFS protocol, and I am sure you have understood its basic concepts and configuration. Here we will mainly explain how to troubleshoot NFS faults and how to address the related security issues.
NFS Protocol troubleshooting
1. nfsd is not started.
First, check whether the NFS export list exists; without it, nfsd will not start. Run the exportfs command and check whether it returns nothing or returns an incorrect list. In either case, check the /etc/exports file.
2. The mountd process is not started.
The mountd process is a Remote Procedure Call (RPC) service. Its function is to respond to client requests to mount a file system. mountd reads the /etc/xtab file to find out which file systems may be used by remote clients. In addition, through mountd you can see which file systems have been mounted by remote hosts and the list of remote clients. Run the rpcinfo command to check whether mountd has started properly. Normally, the output contains rows like these:
100005 1 udp 1039 mountd
100005 1 tcp 1113 mountd
100005 2 udp 1039 mountd
100005 2 tcp 1113 mountd
100005 3 udp 1039 mountd
100005 3 tcp 1113 mountd
If not, check whether the portmap package is installed:
rpm -qa | grep portmap
3. fs type nfs not supported by kernel
The kernel does not support the NFS file system. Recompile the kernel with NFS support to solve the problem.
4. can't contact portmapper: RPC: Remote system error - Connection refused
This error message is displayed because portmap on the server side is not started.
5. mount clntudp_create: RPC: Program not registered
This means the NFS service is not started. Run showmount -e host to check whether the NFS server has started normally.
6. mount: localhost:/home/test failed, reason given by server: Permission denied
This message may appear when the client tries to mount a share from the NFS server. It means the local machine has no permission to mount that directory on the NFS server. The solution is to modify the export settings on the NFS server so that the client is permitted.
7. Blocked by the firewall
Many people overlook this cause. In a network environment with strict requirements, we usually close all ports on Linux and open a port only when it is needed. NFS uses port 111 by default, so first check whether this port is open, and also check the TCP_Wrappers settings.
NFS security
NFS security is mainly manifested in the following four aspects:
1. The access control mechanism of NFS is difficult to implement correctly, and precise control over what is being protected is hard to achieve.
2. NFS has no real user authentication mechanism; it only verifies RPC/mount requests at the process level.
3. Earlier NFS versions allow unauthorized users to obtain valid file handles.
4. In remote RPC calls, a SUID program runs with superuser permissions.
How to enhance NFS security:
1. Configure the directories shared in /etc/exports carefully. It is best to use anonuid and anongid so that a client mounting the NFS server has only the minimum permissions, and it is best not to use no_root_squash.
2. Use an iptables firewall to restrict the range of machines that can connect to the NFS server:
iptables -A INPUT -i eth0 -p tcp -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 140.0.0.0/8 --dport 111 -j ACCEPT
3. To prevent possible DoS attacks, set the number of nfsd instances reasonably.
4. Modify /etc/hosts.allow and /etc/hosts.deny to restrict which clients may connect.
/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow
/etc/hosts.deny
portmap: ALL : deny
5. Change the default NFS port.
NFS uses port 111 by default, but you can use the port parameter to change it, which enhances security to a certain extent.
6. Use Kerberos V5 as the login verification system.
Pay particular attention to an export like this:
/tmp *(rw,no_root_squash)
no_root_squash: if the user logging on to the NFS host is root, that user keeps root permissions on the export. This parameter is insecure and is not recommended.
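As an added example (not from the original article), the following POSIX shell script audits an exports file for the two risky settings described above: no_root_squash and exports open to any host. The sample exports file it writes is constructed; the paths and addresses in it are illustrative.

```shell
#!/bin/sh
# Added example, not part of the original article: audit an exports file for the two
# risky patterns discussed above, no_root_squash and exports open to any host.
# The sample data below is constructed; the paths and hosts are not from a real server.

# Print one "WARN ..." line per risky client entry found in the given exports file.
audit_exports() (
    set -f   # the client list may contain "*"; do not let the shell glob-expand it
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    while read -r dir clients; do
        if [ -z "$clients" ]; then
            echo "WARN $dir: no client list, so it is exported to every host"
            continue
        fi
        for entry in $clients; do
            host=${entry%%\(*}          # part before "(" (empty if the entry is just "(opts)")
            opts=${entry#*\(}           # part after "("
            opts=${opts%\)}             # drop the trailing ")"
            case "$host" in
                ''|'*') echo "WARN $dir: exported to any host via '$entry'" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "WARN $dir: no_root_squash keeps remote root as root for '$host'" ;;
            esac
        done
    done
)

# Number of findings; the fix recommended above is root_squash plus anonuid/anongid.
count_findings() {
    audit_exports "$1" | grep -c '^WARN' || true
}

# Constructed sample exports file used for the demonstration.
SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample, not a real configuration
/srv/data   192.168.0.0/24(rw,root_squash,anonuid=65534,anongid=65534)
/tmp        *(rw,no_root_squash)
/home/test  140.116.44.125(ro) (rw)
EOF

audit_exports "$SAMPLE_EXPORTS"
echo "findings: $(count_findings "$SAMPLE_EXPORTS")"
```

Run it against /etc/exports on the server; note that a stray space between the host and its options (as in the /home/test line) leaves an empty host field, which exports to every host and is flagged as well.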
Sometimes, when you need to detach an NFS disk array with umount, you may encounter the message "device is busy", which means that other processes are still using the device.
In this case, you need to use the fuser command.
The format is $ fuser -m -v <nfs mount point>. After you press Enter, the output lists the processes in columns USER, PID, ACCESS and COMMAND.
This command shows all processes accessing the device. After those processes are stopped, run umount.
If the -k parameter is added, all processes currently accessing the NFS shared disk array are killed at once. You can also add -i to confirm each kill interactively.
Alternatively, run:
# fuser -v -m <mount point>
to find the user, PID and so on, kill the process, and then umount.
Or:
# umount -l <mount point>
The -l option does not unmount immediately; it detaches the mount point and completes the unmount once the directory is no longer in use (a lazy unmount). You can also use ps aux to find the PID of the program occupying the device, then use kill to terminate it, after which umount succeeds without trouble.