Talking about NFS server security

Source: Internet
Author: User
Tags: root access

NFS server security has always been a hot topic, and as networks keep changing, security issues matter more and more. So where should a discussion of NFS server security start? First, the basic definition. NFS is short for Network File System. It is an integral part of distributed computing: it lets remote file systems be shared and mounted across heterogeneous networks. Developed by Sun, NFS has become a standard for file services (RFC1904, RFC1813). Its main function is to share data among computers running different operating systems, so it can also be seen as a file server. Alongside Samba, NFS is one of the ways Windows, Linux and Unix systems can exchange files.

Any network server can have security issues, and NFS is no exception. Because of its design, an NFS server cannot be made absolutely secure. In general, NFS servers should not run on sensitive systems or on machines protected only by a generic firewall; they should be placed behind a firewall wherever possible. To configure a secure NFS server, restrict access to the RPC services and control the export permissions of the file systems.

Security risks faced by NFS

NFS transfers all information over the network in plain text. By default an NFS export maps the root user to the user nfsnobody, an unprivileged account, so every file created by root on the client is owned by nfsnobody on the server; this prevents set-UID programs from being planted on the system. If no_root_squash is used instead, a remote root user can change any file in the exported file system, leave trojaned programs for other users, and have them executed unknowingly.

NFS server security policy

1) Use TCP Wrappers.

With portmap and rpc.nfsd reachable from anywhere, it is easy for a host that has been granted no permissions at all to obtain files from the NFS server. Access control is how you keep the network secure: when running NFS, use TCP Wrappers to limit which hosts may talk to these services.

2) Watch for syntax errors in the configuration file.

The NFS server uses the /etc/exports file to determine which file systems to export and to which hosts. Be careful when editing this file, and do not add extra spaces.

For example, the following line in /etc/exports exports the /tmp/nfs/ directory to the host bob.example.com with read/write access:

    /tmp/nfs/ bob.example.com(rw)

The following line in /etc/exports, however, means something different. It exports the same directory, but gives the host bob.example.com read-only access and gives everyone else read/write access, all because of the space after the hostname:

    /tmp/nfs/ bob.example.com (rw)

It is a good habit to use the showmount command to check which directories are shared and with what options. Syntax:

    showmount -e

3) Use an iptables firewall

Because NFS transmits everything in plain text, it is important to run the NFS server on a secure network behind a firewall; on an insecure network NFS traffic can be intercepted at any time. Seen this way, careful network planning goes a long way toward preventing serious damage. A firewall is normally used to restrict access to the RPC services; besides TCP Wrappers, the ipchains and iptables firewalls are used for this. On Linux 2.4 and later kernels, knowing iptables is sufficient. By default portmap uses port 111 and NFS uses port 2049, and you can use iptables to restrict access to these ports:

    # trusted_client, not_trusted_client and this_server_ip are placeholders
    iptables -t filter -A INPUT -p udp -d 127.0.0.1 --dport 111 -j DROP
    iptables -t filter -A INPUT -p udp -d 127.0.0.1 --dport 2049 -j DROP
    iptables -t filter -A INPUT -p udp -s trusted_client -d this_server_ip --dport 2049 -j ACCEPT
    iptables -t filter -A INPUT -p udp -s not_trusted_client -d this_server_ip --dport 2049 -j DROP
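As an added example (not part of the original article), here is a small POSIX shell script that applies the same idea with the ACCEPT rule for trusted clients placed before the catch-all DROP, for both UDP and TCP on ports 111 and 2049. TRUSTED and SERVER_IP are placeholder values I chose; with DRY_RUN=1 (the default) it only prints the rules.

```shell
#!/bin/sh
# Restrict portmap (111) and nfsd (2049) to a trusted client network.
# TRUSTED and SERVER_IP are placeholders; override them in the environment.
# DRY_RUN=1 (default) prints the rules; DRY_RUN=0 applies them (needs root).
TRUSTED="${TRUSTED:-192.0.2.0/24}"     # placeholder trusted network (documentation range)
SERVER_IP="${SERVER_IP:-192.0.2.10}"   # placeholder address of this NFS server
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

# For each protocol and port, append the ACCEPT for trusted clients first and
# the catch-all DROP second, so the order in the INPUT chain is always right.
nfs_firewall_rules() {
    for proto in udp tcp; do
        for port in 111 2049; do
            ipt -t filter -A INPUT -p "$proto" -s "$TRUSTED" -d "$SERVER_IP" --dport "$port" -j ACCEPT
            ipt -t filter -A INPUT -p "$proto" -d "$SERVER_IP" --dport "$port" -j DROP
        done
    done
}

nfs_firewall_rules
```

NFSv3 also relies on rpc.mountd, lockd and statd, which take ports assigned by portmap at start-up unless you pin them, so those ports need rules of their own.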

4) Restrict exported directories to read-only access.

Use the ro option in /etc/exports. As a rule, any directory or file system that the NFS server exports to clients should be exported read-only:

    /app devpc.nitec.com(ro)

The host devpc.nitec.com then has read-only access to the /app directory.

5) Prohibit access to certain subdirectories

When a whole file system or directory is exported, its subdirectories are accessible by default. To restrict access to a subdirectory, use the noaccess option. For example, to export the /pub directory but deny access to the /pub/staff-only subdirectory:

    /pub weblab-??.nitec.com(ro)
    /pub/staff-only weblab-??.nitec.com(noaccess)

Note: "?" matches any single character. The noaccess option comes from the older user-space NFS server; the Linux kernel NFS server (nfs-utils exportfs) does not accept it, so check the exports(5) manual page for your server before relying on it.

6) Root squashing

By default the root user has user ID 0 and group ID 0. Root squashing maps UID 0 and GID 0 to the anonymous user and group, so root on the client does not have root privileges on the NFS server. The no_root_squash option disables this mapping: root is no longer mapped to the anonymous user, and root on the client has root privileges on the exported directory. That greatly reduces the security of the system, so do not use it unless absolutely necessary. To make the rule explicit, add root_squash in /etc/exports:

    /www www1.nitec.com(rw,root_squash)

With this setting, when the client's UID 0 (root) user tries to read, write or delete files on the NFS file system, the server replaces that UID with its own nobody account. The client's root user therefore cannot access or modify files that only the server's root user may access or modify.

7) Use the nosuid and noexec options

Set-UID (SUID) and set-GID (SGID) programs run with privileges beyond those of the ordinary user who executes them. Many SUID/SGID programs are necessary, such as passwd, but they are also the programs malicious local users exploit to gain privileges they do not have. Run the following command to find every program with these bits set:

    find / \( -perm -4000 -o -perm -2000 \)

Review this list and remove, or change the permissions of, any file owned by root or group root that does not need its SUID/SGID bit. Use the nosuid option so that set-UID programs on the export cannot run as set-UID. Add a line like this to /etc/exports:

    /www www1.nitec.com(rw,root_squash,nosuid)

This exports /www to www1.nitec.com: users on www1.nitec.com can read the files and directories under /www, but cannot run set-UID programs from it.

    /www www1.nitec.com(rw,root_squash,noexec)

This exports /www to www1.nitec.com as before, but now executing any file on the mounted file system is prohibited. Note that on the Linux kernel NFS server nosuid and noexec are client-side mount options (mount -o nosuid,noexec) rather than export options; check exports(5) for your server.
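As an added example (not from the original article), the following shell script audits an /etc/exports file for the problems discussed in sections 2, 4, 6 and 7: a space between host and options that silently exports to everyone, a host with no options, a wildcard host, a missing ro, and no_root_squash. The audit_exports function and the sample exports file are mine, constructed for the demonstration.

```shell
#!/bin/sh
# Audit an exports file for the mistakes discussed above.
# Prints one finding per line; exit status 1 if anything was found.
audit_exports() {
    awk '
    BEGIN { bad = 0 }
    {
        sub(/#.*/, "")                       # drop comments
        if ($0 ~ /^[[:space:]]*$/) next      # skip blank lines
        dir = $1
        for (i = 2; i <= NF; i++) {
            f = $i
            if (f ~ /^\(/) {                 # bare "(opts)": a space preceded it, so the
                                             # options apply to every host, not the previous one
                printf("WORLD-EXPORT %s: %s applies to every host (space before parenthesis)\n", dir, f)
                bad = 1; continue
            }
            if (match(f, /\(.*\)$/)) {       # split "host(opts)" into host and opts
                host = substr(f, 1, RSTART - 1); opts = substr(f, RSTART + 1, RLENGTH - 2)
            } else {
                host = f; opts = ""
                printf("NO-OPTIONS %s %s: server defaults apply\n", dir, host); bad = 1
            }
            o = "," opts ","                 # wrap in commas so whole-option matches are exact
            if (host == "*")                     { printf("WORLD-EXPORT %s: host is *\n", dir); bad = 1 }
            if (o ~ /,no_root_squash,/)          { printf("NO_ROOT_SQUASH %s %s\n", dir, host); bad = 1 }
            if (opts != "" && o !~ /,ro,/)       { printf("NOT-READONLY %s %s: %s\n", dir, host, opts); bad = 1 }
        }
    }
    END { exit bad }' "$1"
}

# Constructed sample exports file used only for this demonstration.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
/app devpc.nitec.com(ro,root_squash)
/tmp/nfs/ bob.example.com (rw)
/www www1.nitec.com(rw,no_root_squash)
EOF
audit_exports "$SAMPLE" || echo "audit: problems found"
rm -f "$SAMPLE"
```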

NFS is an important network protocol, and many enterprises share disks and other storage through it. Exporting NFS directories read-only, hardening the portmap service, squashing root access, and using the nosuid and noexec settings all improve the security of an NFS server.
