Re: There's something about hardening NFS?

From: Kapetanakis Giannis (bilias@edu.physics.uoc.gr)
Date: 08/19/02


Date: Mon, 19 Aug 2002 11:07:20 +0300 (EEST)
From: Kapetanakis Giannis <bilias@edu.physics.uoc.gr>
To: focus-sun@securityfocus.com


Some basic security for NFS:

-Do not export to the whole world, but just to your clients.
-Accept requests only from a privileged port.

/etc/system :
set nfssrv:nfs_portmon = 1
and reboot. (this can also be done on the fly without reboot)
echo "nfs_portmon/W 0x1" | adb -wk /dev/ksyms /dev/mem
plus the entry in the /etc/system for the next time

-Protect your portmapper. You can change the default
rpcbind which ships with Solaris and use a tcp wrapped one:
ftp://ftp.porcupine.org/pub/security/rpcbind_2.1.tar.gz.
-Use a firewall on 110, 2049, 4045. RPC can also be blocked
in your router.
-Run mountd (/etc/init.d/nfsd.server) with "-v" for
more logging.
-Export filesystems read-only if you don't need to write on them

-For more security you can use dh_auth, gss, or kerberos
but these don't seem to work together with clients
of different unix OS.

-AFS, which supports many flavors, might also be a good idea,
but I've never tried this. On the other hand, SUN invented NFS.

bilias
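The two checks the post puts first, "export only to your clients" and "requests only from a privileged port", as an added audit script that is not part of the original mail. It parses Solaris-style dfstab share lines (ro=/rw= host lists versus bare ro/rw), checks an /etc/system file for the nfs_portmon setting, and runs on constructed sample files; the file names and the output format are the script's own assumptions.

```shell
# Added helper, not from the original post: audits a Solaris-style dfstab for
# world-open or writable NFS exports and checks that /etc/system pins
# nfssrv:nfs_portmon (privileged-port enforcement, as the post recommends).
set -f   # no globbing while splitting share lines into words
# Print "<path> world=<0|1> writable=<0|1>" for every share line in file $1.
# world=1: bare ro/rw or no access option at all (any host may mount it);
# writable=1: rw granted to a host list or to all, or no ro restriction.
audit_dfstab() {
    grep '^[[:space:]]*share' "$1" | while read -r line; do
        set -- $line
        path='' opts=''
        while [ $# -gt 0 ]; do
            case "$1" in
                -o) opts=$2; shift ;;   # option string follows -o
                -*) ;;                  # other flags (-F etc.) ignored
                *) path=$1 ;;           # last bare word wins: the path
            esac
            shift
        done
        has_rw=0 has_ro=0 bare=0
        for tok in $(printf '%s' "$opts" | tr ',' ' '); do
            case "$tok" in
                rw)   has_rw=1 bare=1 ;;   # writable for everyone
                rw=*) has_rw=1 ;;          # writable for a host list
                ro)   has_ro=1 bare=1 ;;   # readable for everyone
                ro=*) has_ro=1 ;;          # readable for a host list
            esac
        done
        world=0 writable=0
        if [ "$bare" -eq 1 ] || [ "$has_rw$has_ro" = 00 ]; then world=1; fi
        if [ "$has_rw" -eq 1 ] || [ "$has_ro" -eq 0 ]; then writable=1; fi
        printf '%s world=%d writable=%d\n' "$path" "$world" "$writable"
    done
}
# Succeed only if the /etc/system-style file $1 sets nfssrv:nfs_portmon = 1.
check_portmon() {
    grep -Eq '^[[:space:]]*set[[:space:]]+nfssrv:nfs_portmon[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}
# Constructed sample files so the script runs offline; removed on exit.
SAMPLE_DFSTAB=${TMPDIR:-/tmp}/dfstab.sample.$$
SAMPLE_SYSTEM=${TMPDIR:-/tmp}/system.sample.$$
trap 'rm -f "$SAMPLE_DFSTAB" "$SAMPLE_SYSTEM"' EXIT
cat >"$SAMPLE_DFSTAB" <<'EOF'
share -F nfs -o ro=client1:client2 /export/docs
share -F nfs -o rw=client1,ro /export/shared
share -F nfs /export/home
share -F nfs -o rw /export/scratch
EOF
printf 'set nfssrv:nfs_portmon = 1\n' >"$SAMPLE_SYSTEM"
audit_dfstab "$SAMPLE_DFSTAB"
check_portmon "$SAMPLE_SYSTEM" && echo "nfs_portmon=1 pinned in /etc/system"
```

Point it at the real /etc/dfs/dfstab and /etc/system on a host to list every share that any client can mount; a `ro=`/`rw=` host list is what keeps world=0.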