Locking Down NFS
December 7th, 2007. Posted in Linux.

NFS is one of the most prevalent network file systems available for Unix- and Linux-based systems. It comes standard on nearly every distribution, so at some point a System Administrator is going to have to deal with it. The problem is that NFS is designed to work in a utopian trusted network. These days we know that no such network exists, so steps must be taken to protect NFS when we use it. To protect NFS, we're going to use a couple of different methods: restrict access to portmap via TCP wrappers, limit the ports NFS can use, and finally use iptables to restrict connections to our server.
First on the list is to add a line to /etc/hosts.deny.
portmap: ALL
This enables the portmap restriction via TCP wrappers. It doesn't offer huge amounts of protection, but remember: it's all about the layers. This statement has roughly the same effect as setting a default REJECT policy for iptables. Basically we're telling TCP wrappers to block everything. We want to secure it, not disable it entirely, so now we need to specify who's actually allowed to connect. To do this, we need to add our "safe" machines to /etc/hosts.allow.
In /etc/hosts.allow, add a line like the following:
portmap: safe.machine.ip.here, safe.machine2.ip.here, 10.0.0.
This line allows our two safe machines to connect (by IP, not by hostname; don't use hostnames for this) and the 10.0.0.0/24 network. You'll need to change this line around to suit your environment, obviously. If you're thinking to yourself that you have way too many IPs to add, and you can't use a netblock like our 10. example, then you should probably consider a different approach to sharing out your data. Remember, the server needs to access all the client machines. The client machines simply need to access the server. Adjust your hosts.deny and hosts.allow files accordingly.
Okay, now that we have the portmapper service restricted by tcp wrappers, it’s on to smacking nfs around directly. To restrict NFS to just a couple ports, you’ll need to create (or edit) the file /etc/sysconfig/nfs. Add (or modify) the following lines:
LOCKD_TCPPORT=2050
LOCKD_UDPPORT=2050
MOUNTD_PORT=2051
RQUOTAD_PORT=2052
STATD_PORT=2053
STATD_OUTGOING_PORT=2054
You don’t have to use these numbers, but these are reasonably standard and should work just fine. This step has to be done on the client machines too, not just the server.
The last thing that we need to do is edit iptables to open the holes we need. To do this, you'll need to add a ruleset like the one below to /etc/sysconfig/iptables. Remember to change netwk/mask to match the IP addresses or netblocks opened in /etc/hosts.allow for the server. The clients simply need to connect to the server.
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 111 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 2050 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 2050 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 2051 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 2051 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 2052 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 2052 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p tcp --dport 2053 -j ACCEPT
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 2053 -j ACCEPT
From here, you can either take the Windows route and restart the machine, or just restart all the applicable services.
This will give you a good, reasonably secure NFS setup, but there are some added steps which will help protect NFS even further. For example, on your NFS client machines, you can add nodev, noexec and nosuid as options to the lines for your NFS mounts in /etc/fstab. You can also ensure that the NFS options insecure and no_root_squash are not used in your /etc/exports file unless they are absolutely necessary.
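As an added example (not from the original post), the following POSIX shell script derives the iptables ruleset above from the pinned ports in an /etc/sysconfig/nfs-style file, and flags exports that use insecure or no_root_squash. The function names, the sample config and the sample exports are all constructed for the demo; the real inputs are /etc/sysconfig/nfs and /etc/exports.

```shell
#!/bin/sh
# Added example: build the iptables ruleset from the pinned NFS ports and audit
# /etc/exports for the risky options. The sample config and exports embedded
# below are constructed for the demo; real hosts use /etc/sysconfig/nfs and /etc/exports.
# nfs_rules_from_config CONFIG_FILE NETWK/MASK: one ACCEPT rule per port the
# server must expose: portmapper 111 tcp+udp, nfsd 2049 tcp, each pinned daemon.
# STATD_OUTGOING_PORT is a source port for outgoing calls, so no inbound rule.
nfs_rules_from_config() {
    cfg=$1; src=$2
    set -- "udp 111" "tcp 111" "tcp 2049"
    for var in LOCKD_TCPPORT:tcp LOCKD_UDPPORT:udp MOUNTD_PORT:tcp,udp \
               RQUOTAD_PORT:tcp,udp STATD_PORT:tcp,udp; do
        name=${var%%:*}; protos=${var#*:}
        port=$(sed -n "s/^${name}=//p" "$cfg")
        [ -n "$port" ] || continue          # daemon not pinned in this config
        for proto in $(printf '%s' "$protos" | tr ',' ' '); do
            set -- "$@" "$proto $port"
        done
    done
    for rule in "$@"; do
        proto=${rule% *}; port=${rule#* }
        printf '%s\n' "-A RH-Firewall-1-INPUT -s $src -m state --state NEW -p $proto --dport $port -j ACCEPT"
    done
}
# audit_exports EXPORTS_FILE: print export lines using insecure or no_root_squash
# and return 1 if any exist, so a deployment script can stop on them.
audit_exports() {
    grep -E '[(,[:space:]](insecure|no_root_squash)[),[:space:]]' "$1" && return 1
    return 0
}
# Constructed sample inputs so the script runs stand-alone.
SAMPLE_NFS_CONF=$(mktemp); SAMPLE_EXPORTS=$(mktemp)
trap 'rm -f "$SAMPLE_NFS_CONF" "$SAMPLE_EXPORTS"' EXIT
cat > "$SAMPLE_NFS_CONF" <<'EOF'
LOCKD_TCPPORT=2050
LOCKD_UDPPORT=2050
MOUNTD_PORT=2051
RQUOTAD_PORT=2052
STATD_PORT=2053
STATD_OUTGOING_PORT=2054
EOF
cat > "$SAMPLE_EXPORTS" <<'EOF'
/srv/home   10.0.0.0/24(rw,sync)
/srv/build  10.0.0.0/24(rw,sync,no_root_squash)
/srv/pub    *(ro,insecure)
EOF
nfs_rules_from_config "$SAMPLE_NFS_CONF" 10.0.0.0/24
audit_exports "$SAMPLE_EXPORTS" || echo "WARNING: risky export options found"
```

Running it prints the eleven ACCEPT rules for 10.0.0.0/24 in the same order as the ruleset above, then the two risky export lines and the warning.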