Spent a day studying NFS. Here are some recommended NFS security measures:
- Tighten access with TCP Wrappers (hosts.allow and hosts.deny) and a firewall.
- Export with the root_squash flag.
- All important binaries and files on the server should be owned by root, not bin or another non-root account (so root_squash can protect them).
- Export with the secure flag so a malicious user on a client machine can't set up a spoofed connection to the server.
- Mount with the nosuid flag.
- Tunnel NFS over SSH.
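As an added example (not part of the original notes), a small POSIX shell checker for the root_squash, secure and nosuid points above: it flags exports that explicitly use no_root_squash, insecure or a wildcard host, and NFS mounts missing nosuid. The /etc/exports and /proc/mounts lines it runs on are constructed, with made-up paths and hostnames.

```shell
#!/bin/sh
# Constructed sample data (not from any real host): one weak export line,
# one hardened one, and one NFS mount without nosuid.
SAMPLE_EXPORTS='/srv/share  *(rw,no_root_squash,insecure)
/srv/home   10.0.0.0/24(rw,sync)
/srv/data   client1.example(rw,root_squash,secure,sync)'

SAMPLE_MOUNTS='server:/srv/share /mnt/share nfs4 rw,relatime,vers=4.2 0 0
server:/srv/data /mnt/data nfs4 rw,nosuid,nodev,vers=4.2 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# check_exports: reads /etc/exports text on stdin and prints one line per export
# using a wildcard host, no_root_squash or insecure; exits 1 if anything is found.
# root_squash and secure are the defaults, so only the explicit negations are flagged.
check_exports() {
  awk '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
      bad = ""
      for (i = 2; i <= NF; i++) {
        n = split($i, parts, "[(]")             # host(options) -> host, options)
        host = parts[1]; opts = (n > 1) ? parts[2] : ""
        sub(/\)$/, "", opts)
        if (host == "*") bad = bad " wildcard-host"
        if (index("," opts ",", ",no_root_squash,")) bad = bad " no_root_squash"
        if (index("," opts ",", ",insecure,"))       bad = bad " insecure"
      }
      if (bad != "") { print $1 ":" bad; found = 1 }
    }
    END { if (found) exit 1 }
  '
}

# check_mounts: reads /proc/mounts text on stdin and prints every NFS mount
# (type nfs or nfs4) that lacks the nosuid option; exits 1 if anything is found.
check_mounts() {
  awk '
    $3 ~ /^nfs/ && index("," $4 ",", ",nosuid,") == 0 { print $2 ": missing nosuid"; found = 1 }
    END { if (found) exit 1 }
  '
}

# Demo run on the constructed samples; on a real host use
# check_exports < /etc/exports and check_mounts < /proc/mounts.
printf '%s\n' "$SAMPLE_EXPORTS" | check_exports || :
printf '%s\n' "$SAMPLE_MOUNTS"  | check_mounts  || :
```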