8.3. Securing the NFS service
Learn how to secure Network File System (NFS) by using Kerberos authentication and encryption for file system operations. Proper security configuration helps protect remote hosts mounting file systems over a network.
When using NFSv4 with Network Address Translation (NAT) or a firewall, you can turn off delegations by modifying the /etc/default/nfs file. Delegation is a technique by which the server delegates the management of a file to a client. In contrast, NFSv3 does not use Kerberos for locking and mounting files.
The NFS service sends the traffic using TCP in all versions of NFS. The service supports Kerberos user and group authentication, as part of the RPCSEC_GSS kernel module.
NFS allows remote hosts to mount file systems over a network and interact with those file systems as if they are mounted locally. You can merge the resources on centralized servers and additionally customize NFS mount options in the /etc/nfsmount.conf file when sharing the file systems.
8.3.1. Export options for securing an NFS server
Use export options in the /etc/exports file to define which hosts can access exported file systems and the permissions they hold. This helps control access and limits security risks.
The NFS server determines a list of directories and hosts, along with which file systems to export to which hosts, in the /etc/exports file.
You can use the following export options in the /etc/exports file:
ro - Exports the NFS volume as read-only.
rw - Controls permission for read and write requests on the NFS volume. Use this option cautiously, as granting write access increases the risk of attacks. If your scenario requires mounting the directories with the rw option, make sure they are not writable for all users to reduce possible risks.
root_squash - Maps requests from uid/gid 0 to the anonymous uid/gid. This does not apply to any other UIDs or GIDs that might be equally sensitive, such as the bin user or the staff group.
no_root_squash - Turns off root squashing. By default, NFS shares change the root user to the nobody user, which is an unprivileged user account. This changes the owner of all the root-created files to nobody, which prevents the uploading of programs with the setuid bit set. When using the no_root_squash option, remote root users can change any file on the shared file system and leave applications infected by trojans for other users.
secure - Restricts exports to reserved ports. By default, the server allows client communication only through reserved ports. However, it is easy for anyone to become a root user on a client on many networks, so it is rarely safe for the server to assume that communication through a reserved port is privileged. Therefore, restricting to reserved ports is of limited value; it is better to rely on Kerberos, firewalls, and limiting exports to particular clients.
See the exports(5) and nfs(5) man pages on your system for more information.
Extra spaces in the syntax of the /etc/exports file can lead to significant changes in the configuration.
In the following example, the /tmp/nfs/ directory is shared with the bob.example.com host and has read and write permissions:
/tmp/nfs/ bob.example.com(rw)
The following example is the same as the previous one, but shares the same directory to the bob.example.com host with read-only permissions and shares it to the world with read and write permissions due to a single space character after the hostname:
/tmp/nfs/ bob.example.com (rw)
You can check the shared directories on your system by entering the showmount -e <hostname> command.
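The stray-space mistake shown above is easy to miss by eye. The following added example (not part of the original documentation) scans exports(5)-format text and reports options that apply to every host, world-writable exports, and no_root_squash; the function names and the sample lines other than the two /tmp/nfs/ entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit exports(5)-format text on stdin for risky entries.
# Assumes one export per line (no "\" continuations, no "-options" defaults).
audit_exports() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }          # skip blank lines and comments
    {
        path = $1
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                   # split "host(opts)" at the parenthesis
                host = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            list = "," opts ","
            # A token that starts with "(" has no host: its options apply to the world.
            if (host == "")
                printf "%s: STRAY_SPACE options (%s) apply to every host\n", path, opts
            if ((host == "" || host == "*") && list ~ /,rw,/)
                printf "%s: WORLD_RW writable by any client\n", path
            if (list ~ /,no_root_squash,/)
                printf "%s: NO_ROOT_SQUASH for %s\n", path, (host == "" ? "*" : host)
        }
    }'
}

# Constructed sample; the two /tmp/nfs/ lines are the examples from the text above.
sample_exports() {
    cat <<'EOF'
# constructed sample
/tmp/nfs/ bob.example.com(rw)
/tmp/nfs/ bob.example.com (rw)
/srv/build ci.example.com(rw,no_root_squash)
/srv/pub *(ro)
EOF
}

sample_exports | audit_exports
```

On a server, run it as audit_exports < /etc/exports before reloading the export table.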
Additionally, consider the following best practices when exporting an NFS server:
- Exporting home directories is a risk because some applications store passwords in plain text or in a weakly encrypted format. You can reduce the risk by reviewing and improving the application code.
- Some users do not set passwords on SSH keys, which again leads to risks with home directories. You can reduce these risks by enforcing the use of passwords or using Kerberos.
- Restrict the NFS exports only to required clients. Use the showmount -e command on the NFS server to review what the server is exporting. Do not export anything that is not specifically required.
- Do not allow unnecessary users to log in to a server to reduce the risk of attacks. You can periodically check who and what can access the server.
Export an entire file system because exporting a subdirectory of a file system is not secure. An attacker might access the unexported part of a partially-exported file system.
8.3.2. Mount options for securing an NFS client
You can apply mount options when configuring an NFS client to help enforce stronger security. These settings ensure that the client/server communication uses required security protocols such as Kerberos.
The following options to the mount command might increase the security of NFS-based clients:
nosuid - Use the nosuid option to disable the set-user-identifier or set-group-identifier bits. This prevents remote users from gaining higher privileges by running a setuid program, and you can use this option in opposition to the setuid option.
noexec - Use the noexec option to disable all executable files on the client. Use this to prevent users from accidentally executing files placed in the shared file system.
nodev - Use the nodev option to prevent the client's processing of device files as a hardware device.
resvport - Use the resvport option to restrict communication to a reserved port, and you can use a privileged source port to communicate with the server. The reserved ports are reserved for privileged users and processes such as the root user.
sec - Use the sec option on the NFS server to choose the RPCGSS security method for accessing files on the mount point. Valid security methods are none, sys, krb5, krb5i, and krb5p.
The MIT Kerberos libraries provided by the krb5-libs package do not support the Data Encryption Standard (DES) algorithm in new deployments. DES is deprecated and disabled by default in Kerberos libraries because of security and compatibility reasons. Use newer and more secure algorithms instead of DES, unless your environment requires DES for compatibility reasons.
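To see which of these options a client is actually using, the following added example (not part of the original documentation) reads text in /proc/mounts format and lists, for each NFS mount, the hardening options from this section that are absent. Treating all of nosuid, nodev, noexec and a Kerberos sec= flavor as required is an assumed policy, and the sample mounts are constructed.

```shell
#!/bin/sh
# Added example: report NFS mounts that lack the hardening options described above.
# Input is /proc/mounts format: device mountpoint fstype options dump pass
audit_nfs_mounts() {
    awk '
    $3 == "nfs" || $3 == "nfs4" {
        o = "," $4 ","                     # wrap so every option is comma-delimited
        miss = ""
        if (o !~ /,nosuid,/) miss = miss " nosuid"
        if (o !~ /,nodev,/)  miss = miss " nodev"
        if (o !~ /,noexec,/) miss = miss " noexec"
        # sec=sys and sec=none do not authenticate users with Kerberos
        if (o !~ /,sec=krb5[ip]?,/) miss = miss " sec=krb5*"
        if (miss != "") printf "%s:%s\n", $2, miss
    }'
}

# Constructed sample input (host names and paths are placeholders).
sample_mounts() {
    cat <<'EOF'
server.example.com:/export/home /home nfs4 rw,relatime,vers=4.2,sec=sys 0 0
server.example.com:/export/data /data nfs4 rw,nosuid,nodev,noexec,relatime,vers=4.2,sec=krb5p 0 0
/dev/sda1 / xfs rw,relatime 0 0
EOF
}

sample_mounts | audit_nfs_mounts
```

On a client, run it as audit_nfs_mounts < /proc/mounts.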
8.3.3. Securing NFS with firewall
To secure the firewall on an NFS server, keep only the required ports open. Do not use the NFS connection port numbers for any other service.
Prerequisites
- The nfs-utils package is installed.
- The firewalld package is installed and running.
Procedure
- On NFSv4, the firewall must open TCP port 2049.
- On NFSv3, open four additional ports with 2049:
  - rpcbind service assigns the NFS ports dynamically, which might cause problems when creating firewall rules. To simplify this process, use the /etc/nfs.conf file to specify which ports to use:
    - Set TCP and UDP port for mountd (rpc.mountd) in the [mountd] section in port=<value> format.
    - Set TCP and UDP port for statd (rpc.statd) in the [statd] section in port=<value> format.
  - Set the TCP and UDP port for the NFS lock manager (nlockmgr) in the /etc/nfs.conf file:
    - Set TCP port for nlockmgr (rpc.statd) in the [lockd] section in port=value format. Alternatively, you can use the nlm_tcpport option in the /etc/modprobe.d/lockd.conf file.
    - Set UDP port for nlockmgr (rpc.statd) in the [lockd] section in udp-port=value format. Alternatively, you can use the nlm_udpport option in the /etc/modprobe.d/lockd.conf file.
Verification
List the active ports and RPC programs on the NFS server:
$ rpcinfo -p
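The procedure above can be checked mechanically. This added example (not part of the original documentation) reads nfs.conf-format text, prints the firewall-cmd calls for an NFSv3 server without running them, and flags any service still left on a dynamic port. The port values in the sample are constructed, and port 111 is the standard rpcbind port, which the text above does not name.

```shell
#!/bin/sh
# Added example: read nfs.conf-format text on stdin and print (not run) the
# firewall-cmd calls for an NFSv3 server, flagging services on dynamic ports.
nfs_firewall_cmds() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function emit(name, port, proto) {
        if (port == "") {
            printf "# UNPINNED: %s has no fixed %s port in nfs.conf\n", name, proto
            return
        }
        printf "firewall-cmd --permanent --add-port=%s/%s\n", port, proto
    }
    /^[ \t]*[#;]/ { next }                          # comment lines
    /^[ \t]*\[/   { sec = trim($0); gsub(/\[|\]/, "", sec); next }
    index($0, "=") {                                # key=value inside a section
        eq = index($0, "=")
        conf[sec "." trim(substr($0, 1, eq - 1))] = trim(substr($0, eq + 1))
    }
    END {
        emit("nfsd", 2049, "tcp")
        emit("rpcbind", 111, "tcp");                emit("rpcbind", 111, "udp")
        emit("mountd", conf["mountd.port"], "tcp"); emit("mountd", conf["mountd.port"], "udp")
        emit("statd", conf["statd.port"], "tcp");   emit("statd", conf["statd.port"], "udp")
        emit("lockd", conf["lockd.port"], "tcp");   emit("lockd", conf["lockd.udp-port"], "udp")
        print "firewall-cmd --reload"
    }'
}

# Constructed sample; the port numbers are arbitrary values chosen for illustration.
sample_nfs_conf() {
    cat <<'EOF'
[mountd]
port=20048
[statd]
port=32765
[lockd]
port=32803
udp-port=32769
EOF
}

sample_nfs_conf | nfs_firewall_cmds
```

Review the printed commands before running them as root, then compare the result with the rpcinfo -p output from the verification step.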