NFS operates over TCP/IP on a local, trusted network. Exposed to the Internet, it opens the system to non-secure access. On a trusted network it enables access to resources on remote machines: a user can mount a remote file system as if it were local, and the different systems on the network can access the files directly without each having to keep its own copy. The NFSv4 protocol has the advantage of greater security, reliability, and speed.
NFS Daemons
The NFS server runs several daemons to support access by other systems, which include:
- rpc.nfsd: Receives NFS requests from remote systems and translates them into requests for the local file system
- rpc.mountd: Performs requested mount and unmount operations
- rpc.portmapper: Maps remote requests to the appropriate NFS daemon
- rpc.rquotad: Provides user disk quota management
- rpc.statd: Provides locking services when a remote host reboots
- rpc.lockd: Handles lock recovery for systems that have gone down
Scripts
- nfs service: Starts the portmapper, nfsd, mountd and rquotad daemons
- nfslock: Enables NFS locking by starting the statd and lockd daemons. NFS locking provides better recovery from interrupted operations that occur when a remote host crashes
Start NFS automatically on Linux Distributions
- chkconfig on Red Hat, Fedora, SUSE
- services-admin or sysv-rc-conf on Debian, Ubuntu
Check NFS Status
# rpcinfo -p
If NFS is running, the output includes entries for mountd and nfs.
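The check above is easy to script. The following parser, an added example that is not part of the original page, reads `rpcinfo -p` output (a constructed sample is embedded for offline use), reports whether both mountd and nfs are registered, and lists the protocol/port pairs each RPC service is bound to, which is the information a firewall policy for the host has to account for. The function names are this example's own.

```python
import subprocess

# Constructed sample of `rpcinfo -p` output from a host with NFS running.
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100005    1   udp  20048  mountd
    100005    1   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100021    1   udp  38493  nlockmgr
    100021    1   tcp  35901  nlockmgr
    100024    1   udp  50811  status
    100024    1   tcp  46573  status
"""


def parse_rpcinfo(text):
    """Return one dict per registration line; the header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        # A registration line has exactly five columns and starts with a numeric program id.
        if len(parts) != 5 or not parts[0].isdigit():
            continue
        program, vers, proto, port, service = parts
        entries.append({
            "program": int(program),
            "vers": int(vers),
            "proto": proto,
            "port": int(port),
            "service": service,
        })
    return entries


def nfs_running(entries):
    """NFS is considered up when both mountd and nfs are registered with the portmapper."""
    services = {e["service"] for e in entries}
    return {"mountd", "nfs"} <= services


def exposed_ports(entries):
    """Map each RPC service to the set of (proto, port) pairs it listens on.

    Apart from nfs (2049) and portmapper (111), the ports are assigned dynamically,
    which is why the page recommends controlling access at the service level
    (hosts.allow / hosts.deny) rather than by fixed port numbers alone.
    """
    ports = {}
    for e in entries:
        ports.setdefault(e["service"], set()).add((e["proto"], e["port"]))
    return ports


def check_host(text=SAMPLE_RPCINFO):
    """Summarise one rpcinfo listing: is NFS running, and what is exposed."""
    entries = parse_rpcinfo(text)
    return {"nfs_running": nfs_running(entries), "ports": exposed_ports(entries)}


if __name__ == "__main__":
    # Use the live listing when rpcinfo is available, otherwise the constructed sample.
    try:
        output = subprocess.run(["rpcinfo", "-p"], capture_output=True,
                                text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_RPCINFO
    report = check_host(output)
    print("NFS running:", report["nfs_running"])
    for service, bindings in sorted(report["ports"].items()):
        print(f"{service:12s}", sorted(bindings))
```

Running it on a host where only the portmapper is registered returns `nfs_running: False`, which is the condition the page's manual check is looking for.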
The /etc/hosts.allow and /etc/hosts.deny files control access to the NFS server. hosts.allow permits access by specific hosts, and hosts.deny explicitly denies access to particular hosts.
It is advisable to add controls for the specific NFS services in the hosts.deny file:
mountd:ALL
rquotad:ALL
statd:ALL
lockd:ALL
and then add entries in hosts.allow to permit access from hosts with the listed IP addresses:
mountd:192.168.0.0/255.255.255.0, 10.0.0.21
rquotad:192.168.0.0/255.255.255.0, 10.0.0.21
statd:192.168.0.0/255.255.255.0, 10.0.0.21
lockd:192.168.0.0/255.255.255.0, 10.0.0.21
Portmapper Service
Portmapper is the service that locates the NFS services on the system. When it is not adequately firewalled, it can be abused to conduct DDoS attacks. Hence, most hosting companies recommend that all portmapper services be placed behind a firewall and restricted to only the IPs that need to contact them.
For Linux machines, add firewall rules to block port 111 on both UDP and TCP:
iptables -I INPUT 1 -m tcp -p tcp --dport 111 -j DROP
iptables -I INPUT 1 -m udp -p udp --dport 111 -j DROP
For strong security, access should be denied to all hosts except those explicitly allowed. In the hosts.deny file, place the following entry:
portmap:ALL
ALL is a special keyword denoting all hosts.
In the hosts.allow file, enter the hosts permitted to access the NFS server, as a list of IP addresses separated by commas:
portmap: 192.168.0.0/255.255.255.0, 10.0.0.21
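The hosts.allow and hosts.deny entries given above for the NFS daemons and for portmap both rely on the TCP wrappers evaluation order: hosts.allow is consulted first and a match grants access, then hosts.deny is consulted and a match refuses, and a client matched by neither file is allowed. The evaluator below is an added example, not part of the original page or of the TCP wrappers library; it embeds the two files as written on this page and implements only the subset of hosts_access(5) client syntax they use (ALL, a single address, and net/mask), so that the effect of the policy on a given client can be checked before it is deployed.

```python
import ipaddress

# The hosts.deny and hosts.allow contents recommended on this page (constructed copies).
HOSTS_DENY = """\
portmap:ALL
mountd:ALL
rquotad:ALL
statd:ALL
lockd:ALL
"""

HOSTS_ALLOW = """\
portmap: 192.168.0.0/255.255.255.0, 10.0.0.21
mountd:192.168.0.0/255.255.255.0, 10.0.0.21
rquotad:192.168.0.0/255.255.255.0, 10.0.0.21
statd:192.168.0.0/255.255.255.0, 10.0.0.21
lockd:192.168.0.0/255.255.255.0, 10.0.0.21
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list' lines into (daemons, clients) tuples.

    Comments and blank lines are ignored; lists are comma separated.
    """
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((
            [d.strip() for d in daemons.split(",") if d.strip()],
            [c.strip() for c in clients.split(",") if c.strip()],
        ))
    return rules


def client_matches(pattern, ip):
    """Match ALL, a single address, or net/mask (the forms used on this page)."""
    if pattern == "ALL":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in pattern:
        # ipaddress accepts the dotted-netmask form, e.g. 192.168.0.0/255.255.255.0
        return addr in ipaddress.ip_network(pattern, strict=False)
    return addr == ipaddress.ip_address(pattern)


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    daemon_ok = daemon in daemons or "ALL" in daemons
    return daemon_ok and any(client_matches(c, ip) for c in clients)


def access_decision(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Apply the TCP wrappers order: allow file, then deny file, then default allow."""
    if any(rule_matches(r, daemon, ip) for r in parse_rules(allow_text)):
        return "allow"
    if any(rule_matches(r, daemon, ip) for r in parse_rules(deny_text)):
        return "deny"
    return "allow"


def policy_report(daemons, clients):
    """Tabulate the decision for every daemon/client pair under the embedded files."""
    return {(d, c): access_decision(d, c) for d in daemons for c in clients}


if __name__ == "__main__":
    for (daemon, client), verdict in sorted(policy_report(
            ["portmap", "mountd", "sshd"],
            ["192.168.0.77", "10.0.0.21", "10.0.0.22", "203.0.113.5"]).items()):
        print(f"{daemon:8s} {client:14s} {verdict}")
```

One point the report makes visible: the final fall-through is "allow", so a daemon that appears in neither file (sshd in the sample run) stays reachable from any client. Denying everything not explicitly permitted requires a catch-all such as `ALL:ALL` in hosts.deny, which the page's per-service entries do not provide on their own.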