Service security reinforcement method
- 2020-06-23 02:38:30
- OfStack
NFS (Network File System) is a file system supported by FreeBSD that allows computers in a network to share resources over the TCP/IP network. Improper configuration and use of NFS can cause security problems.
Overview
The insecurity of NFS is mainly reflected in the following four aspects:
- Lack of an access control mechanism
- No real user authentication mechanism; there is only procedural authentication of RPC/Mount requests
- Earlier versions of NFS allowed unauthorized users to obtain valid file handles
- In RPC remote calls, SUID programs run with superuser privileges
Hardening plan
To deal effectively with the above security risks, we recommend the following hardening measures.
Configure the shared directories (/etc/exports)
Configure the shared directories with anonuid and anongid so that clients that mount from the NFS server have minimal permissions. Do not use no_root_squash.
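The following is an added example, not code from the original article: a small shell audit that reads an /etc/exports file and reports the settings this section warns about (a missing client list, a wildcard client, no_root_squash, and read-write exports that do not squash ordinary users, so anonuid/anongid never apply). It assumes Linux exports(5) syntax (`/path client(opt,opt) client(opt,...)`); the export table it writes is constructed for the demonstration, not taken from a real server.

```shell
#!/bin/sh
# Added example (not from the original article): audit an /etc/exports file for
# the weak settings discussed in the text. Assumes Linux exports(5) syntax:
#   /path  client1(opt,opt,...)  client2(opt,...)
# The export table written by write_sample_exports is constructed for the demo.

# write_sample_exports FILE -> writes a constructed export table to FILE
write_sample_exports() {
    cat > "$1" <<'EOF'
# constructed sample export table (not a real server)
/srv/pub      192.168.0.0/24(ro,all_squash,anonuid=65534,anongid=65534)
/srv/home     *(rw,no_root_squash)
/srv/build    192.168.0.10(rw,sync)
/srv/scratch
EOF
}

# audit_exports FILE -> prints one "PATH CLIENT: finding" line per weak setting
audit_exports() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | while read -r path clients; do
        set -f   # the client list may contain '*': never let the shell glob it
        if [ -z "$clients" ]; then
            echo "$path: no client list (exported to every host)"
            continue
        fi
        for spec in $clients; do
            case $spec in
                *\(*\)) client=${spec%%\(*}; opts=${spec#*\(}; opts=${opts%\)} ;;
                *)      client=$spec; opts="" ;;          # no options: exports(5) defaults (ro)
            esac
            case $client in
                \*) echo "$path $client: exported to any host" ;;
            esac
            case ",$opts," in
                *,no_root_squash,*) echo "$path $client: no_root_squash (remote root keeps root privileges)" ;;
            esac
            case ",$opts," in
                *,all_squash,*) ;;                        # anonuid/anongid apply to everyone
                *,rw,*) echo "$path $client: rw without all_squash (anonuid/anongid not applied)" ;;
            esac
        done
    done
    return 0
}

# exports_is_safe FILE -> exit status 0 when the audit reports nothing
exports_is_safe() {
    [ -z "$(audit_exports "$1")" ]
}

# Demo on the constructed table; on a real server run: audit_exports /etc/exports
sample=$(mktemp); write_sample_exports "$sample"; audit_exports "$sample"; rm -f "$sample"
```

Run against the constructed table, only the /srv/pub line (read-only, all_squash with anonuid/anongid) passes; the other three lines each produce at least one finding. Note that root_squash is the default in Linux exports, so the audit flags only the explicit no_root_squash the text advises against.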
Use network access control
Use security group policy or the iptables firewall to limit the range of machines that can connect to the NFS server.
iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 140.0.0.0/8 --dport 111 -j ACCEPT
Authentication
Use Kerberos V5 as the login authentication system, requiring all visitors to log in with their own accounts, to improve security.
Set the number of NFSD copies
In Linux, the number of NFSD copies is defined in the boot file /etc/rc.d/init.d/nfs; the default value is 8.
The optimal number of copies generally depends on the number of possible clients. Test to find an approximate optimum and set this parameter manually.
Select the transport protocol
UDP or TCP is chosen according to the network situation. The transport protocol can be selected automatically or manually:
mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR
UDP is fast and its connectionless transmission is convenient, but it is less stable than TCP. When the network is unstable or under attack, NFS performance drops sharply and the network may even be paralysed. In general, NFS over TCP is relatively stable, while NFS over UDP is faster.
With few machines and a good network, UDP gives better performance. TCP is recommended when there are many machines and the network is complex (NFS v2 only supports UDP). On a LAN it is better to use UDP, because a LAN offers a more stable network and UDP brings better performance; on a wide area network TCP is recommended, since it lets NFS maintain the best transmission stability in a complex network environment.
Limit the clients
Modify /etc/hosts.allow and /etc/hosts.deny to restrict which clients may connect.
/etc/hosts.allow
portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow
/etc/hosts.deny
portmap: ALL : deny
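To see how the two files above combine into one decision, here is an added example, not code from the original article: a shell re-implementation of the TCP wrappers lookup order (hosts.allow first, then hosts.deny, and access granted when neither matches) over the rules shown in the text. It assumes the rule form `daemon : client : allow|deny` with IPv4 client patterns `ALL`, an exact address, or `net/netmask`; the file names and the test addresses are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): minimal hosts.allow / hosts.deny
# decision logic, so the rules from the text can be checked offline.
# Assumes IPv4 rules "daemon : client : allow|deny" where the rule's own option
# overrides the file's default; client patterns: ALL, a.b.c.d, or a.b.c.d/m.m.m.m.

# write_sample_hosts_files DIR -> writes the two rule files shown in the text into DIR
write_sample_hosts_files() {
    printf '%s\n' 'portmap: 192.168.0.0/255.255.255.0 : allow' \
                  'portmap: 140.116.44.125 : allow' > "$1/hosts.allow"
    printf '%s\n' 'portmap: ALL : deny' > "$1/hosts.deny"
}

# ip2int A.B.C.D -> the address as a 32-bit integer (subshell keeps IFS change local)
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# client_match PATTERN IP -> exit status 0 when IP matches PATTERN
client_match() {
    case $1 in
        ALL) return 0 ;;
        */*) net=${1%/*}; mask=${1#*/}
             [ $(( $(ip2int "$2") & $(ip2int "$mask") )) -eq $(( $(ip2int "$net") & $(ip2int "$mask") )) ] ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# rule_decision FILE DEFAULT SERVICE IP -> prints the decision of the first matching
# rule in FILE (its own allow/deny option, else DEFAULT); prints nothing if none match
rule_decision() {
    file=$1; dflt=$2; svc=$3; ip=$4
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$file" | while IFS= read -r line; do
        set -f                                   # never glob '*' from a rule
        daemons=${line%%:*}; rest=${line#*:}
        clients=${rest%%:*}
        case $rest in *:*) option=${rest#*:} ;; *) option="" ;; esac
        option=$(printf '%s' "$option" | tr -d ' \t')
        hit=0
        for d in $daemons; do
            if [ "$d" = ALL ] || [ "$d" = "$svc" ]; then hit=1; fi
        done
        [ "$hit" -eq 1 ] || continue
        for c in $clients; do
            if client_match "$c" "$ip"; then
                case $option in allow|deny) echo "$option" ;; *) echo "$dflt" ;; esac
                exit 0                           # first match wins: leave the pipeline subshell
            fi
        done
    done
}

# hosts_access ALLOW_FILE DENY_FILE SERVICE IP -> prints allow or deny
hosts_access() {
    decision=$(rule_decision "$1" allow "$3" "$4")
    if [ -z "$decision" ]; then
        decision=$(rule_decision "$2" deny "$3" "$4")
    fi
    echo "${decision:-allow}"                    # no rule in either file: access is granted
}

# Demo with constructed client addresses
d=$(mktemp -d); write_sample_hosts_files "$d"
for ip in 192.168.0.5 140.116.44.125 10.0.0.1; do
    echo "portmap from $ip: $(hosts_access "$d/hosts.allow" "$d/hosts.deny" portmap "$ip")"
done
rm -rf "$d"
```

With the rules from the text, a portmap request from 192.168.0.5 or 140.116.44.125 is allowed and one from 10.0.0.1 is denied, while a daemon not named in either file (say sshd) is still allowed, which is why the deny file should list every service you intend to restrict. These rules only govern the portmapper (rpcbind); NFSv4 clients talk to port 2049 directly without it, so the packet-filter rules above should cover 2049 as well as 111.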
Change the default NFS port
NFS uses port 111 by default; this can be changed with the port parameter. Changing the default port can enhance security to a certain extent.
Configure nosuid and noexec
SUID (Set User ID) and SGID (Set Group ID) programs allow ordinary users to run with more than their own permissions. Many SUID/SGID executables are necessary, but they can also be exploited by malicious local users to gain permissions they should not have.
Minimize the number of files owned by root, or in the root group, that carry the SUID/SGID attribute. You can delete such files or change their attributes, for example:
Use the nosuid option to stop SUID/SGID programs from running via the NFS server. In /etc/exports add one line:
/www www.abc.com(rw,root_squash,nosuid)
With noexec, binary files cannot be executed directly.
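As an added example, not code from the original article: on Linux, nosuid, noexec and nodev are client-side mount options (mount(8) and fstab, alongside the tcp/sync/rsize options from the mount command earlier in this article) rather than exports(5) options, so the practical check is run on the NFS client. The script below reads /proc/mounts-style lines, reports NFS mounts lacking those options, and shows how to extend an option list from the text with the missing ones. The mount table it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article). On Linux, nosuid/noexec/nodev are
# client-side mount options (mount(8) / fstab), so this check runs on the NFS client:
# it reads /proc/mounts-style lines and reports NFS mounts missing them.
# The mount table written by write_sample_mounts is constructed for the demo.

REQUIRED_OPTS="nosuid noexec nodev"

# write_sample_mounts FILE -> writes a constructed /proc/mounts excerpt to FILE
write_sample_mounts() {
    cat > "$1" <<'EOF'
srv:/srv/pub /mnt/pub nfs4 rw,relatime,vers=4.1,rsize=1048576,wsize=1048576,hard,proto=tcp,sec=sys 0 0
srv:/srv/home /home nfs rw,nosuid,noexec,nodev,relatime,vers=3,proto=tcp 0 0
/dev/sda1 / ext4 rw,relatime 0 0
srv:/srv/tools /opt/tools nfs4 rw,nosuid,relatime,vers=4.1,proto=tcp 0 0
EOF
}

# missing_opts OPTION_LIST -> prints the required options absent from "a,b,c" (comma separated)
missing_opts() {
    missing=""
    for want in $REQUIRED_OPTS; do
        case ",$1," in
            *,"$want",*) ;;                                # already present
            *) missing="${missing:+$missing,}$want" ;;     # append, comma separated
        esac
    done
    printf '%s\n' "$missing"
}

# hardened_mount_options OPTION_LIST -> the same list with the missing options appended,
# e.g. the text's "sync,tcp,noatime,rsize=1024,wsize=1024" gains ",nosuid,noexec,nodev"
hardened_mount_options() {
    m=$(missing_opts "$1")
    printf '%s\n' "$1${m:+,$m}"
}

# audit_nfs_mounts FILE -> one "MOUNTPOINT: missing X,Y" line per NFS mount lacking options
audit_nfs_mounts() {
    while read -r src mnt fstype opts rest; do
        case $fstype in nfs|nfs4) ;; *) continue ;; esac    # only NFS mounts
        m=$(missing_opts "$opts")
        if [ -n "$m" ]; then echo "$mnt: missing $m"; fi
    done < "$1"
    return 0
}

# Demo on the constructed table; on a real client run: audit_nfs_mounts /proc/mounts
sample=$(mktemp); write_sample_mounts "$sample"; audit_nfs_mounts "$sample"; rm -f "$sample"
```

On the constructed table the audit reports /mnt/pub (none of the three options) and /opt/tools (nosuid only), and leaves /home alone; `hardened_mount_options` turns the article's mount option string into one that can be passed to `mount -o` or placed in the fstab options column.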