Service security reinforcement method

  • 2020-06-23 02:38:30
  • OfStack

NFS (Network File System) is a file system supported by FreeBSD that allows computers on a network to share resources over TCP/IP. Improper configuration and use of NFS can cause security problems.

Overview

The insecurity of NFS is mainly reflected in the following four aspects:

  • Lack of an access control mechanism
  • No real user authentication mechanism, only procedural authentication of RPC/Mount requests
  • Earlier versions of NFS allowed unauthorized users to obtain valid file handles
  • In RPC remote calls, SUID programs run with superuser privileges

Hardening plan

To deal effectively with the above security risks, we recommend the following hardening measures.

Configure shared directories (/etc/exports)

Configure the shared directory with anonuid and anongid so that clients that mount from the NFS server have minimal permissions. Do not use no_root_squash.

Use network access control

Use security group policies or the iptables firewall to limit the range of machines that can connect to the NFS server, for example:


iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 140.0.0.0/8 --dport 111 -j ACCEPT

Authentication

Use Kerberos V5 as the login authentication system, requiring all users to log in with their accounts, to improve security.

Set the number of NFSD instances

On Linux, the number of NFSD instances is defined in the startup script /etc/rc.d/init.d/nfs; the default value is 8.

The optimal number of instances generally depends on the number of expected clients. Test to find an approximately optimal value and set this parameter manually.

Select the transport protocol

Choose UDP or TCP according to the network situation. The transport protocol can be selected automatically or manually, for example:

[

mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR

]

UDP is fast and its connectionless transmission is convenient, but its stability is not as good as TCP. When the network is unstable or under attack, NFS performance over UDP drops sharply and the network may even be paralyzed. In general, NFS over TCP is more stable, while NFS over UDP is faster.

With few machines and a good network, UDP gives better performance. TCP is recommended when there are many machines and the network is complex (NFS V2 only supports UDP). On a LAN, UDP is preferable, because the LAN is more stable and UDP gives better performance. For wide area networks, TCP is recommended, since it lets NFS maintain the best transmission stability in complex network environments.

Limit the number of clients

Modify /etc/hosts.allow and /etc/hosts.deny to restrict the clients that can connect:

[

/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow
/etc/hosts.deny
portmap: ALL : deny

]

Change the default NFS port

NFS uses port 111 by default; this can be changed with the port parameter. Changing the default port enhances security to a certain extent.

Configure nosuid and noexec

SUID (Set User ID) and SGID (Set Group ID) programs allow ordinary users to run with privileges beyond their own. Many SUID/SGID executables are necessary, but they can also be abused by malicious local users to gain unintended privileges.

Minimize the number of files owned by root, or in the root group, that have the SUID/SGID attribute. You can delete such files or change their attributes. For example:

Use the nosuid option to prevent SUID/SGID programs from running from the share. On the NFS server, add a line to /etc/exports:

[

# no spaces inside the parentheses: a space ends the option list early
/www www.abc.com(rw,root_squash,nosuid)

]

With the noexec option, binary files on the share cannot be executed directly.
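A small audit for the weak /etc/exports settings discussed in this section and in the shared-directory section above (no_root_squash, shares open to any host, and whitespace inside the option list, which makes the options apply to every host). This is an added example, not the article's own code; the sample exports file and its paths are constructed.

```shell
#!/bin/sh
# Added example (not from the original article): audit an NFS server's
# /etc/exports for weak settings. Sample input below is constructed.

# check_exports FILE: print one warning per finding; always returns 0.
check_exports() {
    file=$1
    n=0
    set -f                                  # no globbing while splitting "*"
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line                        # $1 = directory, $2.. = client entries
        if [ $# -eq 0 ]; then continue; fi
        case "$1" in \#*) continue ;; esac  # comment line
        dir=$1; shift
        case "$line" in
            *", "*|*"( "*)
                echo "line $n: $dir: space inside option list (options apply to every host)"
                continue ;;
        esac
        if [ $# -eq 0 ]; then
            echo "line $n: $dir: no client list, exported to any host"; continue
        fi
        for entry in "$@"; do
            client=${entry%%\(*}
            opts=""
            case "$entry" in *\(*\)) opts=${entry#*\(}; opts=${opts%\)} ;; esac
            case "$client" in ''|'*') echo "line $n: $dir: exported to any host ($entry)" ;; esac
            case ",$opts," in
                *,no_root_squash,*) echo "line $n: $dir: no_root_squash keeps client root as root ($client)" ;;
            esac
        done
    done < "$file"
    set +f
}

# count_export_warnings FILE: number of findings, handy for a cron check.
count_export_warnings() { check_exports "$1" | wc -l | tr -d ' '; }

SAMPLE_EXPORTS=$(mktemp)                    # constructed sample, not a real server's file
cat > "$SAMPLE_EXPORTS" <<'EOF'
# constructed sample /etc/exports
/srv/public *(rw,no_root_squash)
/www www.example.com(rw, root_squash, nosuid)
/home 192.168.0.0/24(rw,root_squash,anonuid=65534,anongid=65534)
/data
EOF
check_exports "$SAMPLE_EXPORTS"             # prints 4 findings for the sample
```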
