header image

A bit of NFS Security

Posted by: martinl | April 26, 2013 |

Spent a day on studying NFS. Here are some recommended NFS security measures,

  1. Tighten access with tcpwrapper, i.e. hosts.allow and hosts.deny, and firewall.
  2. Export with the root_squash flag.
  3. All important binaries and files on server should be owned by root, and not bin or other non-root account (so root_squash can protect them).
  4. Export with the secure flag so malicious user on client machine can’t setup spoofing connection to the server.
  5. Mount with nosuid flag
  6. Tunnel NFS over ssh
under: computer security, sysadmin

Leave a response -

You must be logged in to post a comment.