No File Security
NFS is a very popular system for making files available on a network.
Unfortunately there are a few problems with how it works.
NFS v2.0 grants access based on IP address.
It is possible to forge this information through a variety of attacks.
Also, NFS uses UDP, which is trivial to spoof. NFS also relies on the
client side for authentication. This means you get to tell the server what
sort of access you would like.
So how do you protect against NFS attacks?
- Don't use it.
  - If you do not absolutely need NFS, then disable it.
- Do not world export anything!
  - When you share a directory through NFS, be sure to share it to specific
    hosts.
- Only share with your own internal network.
  - Sharing internally makes spoofing considerably more difficult.
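
One way to check the last two rules, as an added example that is not part of the original page: a small Python audit of an exports file. It assumes Linux exports(5) syntax and treats the RFC 1918 ranges as the internal network; the sample file, its paths and its addresses are constructed.

```python
import ipaddress

# Constructed sample in Linux exports(5) syntax; paths and hosts are made up.
SAMPLE_EXPORTS = """\
# path      client(options) ...
/srv/pub    *(ro)
/srv/home   (rw)
/srv/build  10.0.5.12(rw) 10.0.5.13(ro)
/srv/data   192.168.0.0/16(rw) 203.0.113.7(ro)
/srv/scratch
/srv/any    0.0.0.0/0(ro)
"""

# Assumption: "internal" means the RFC 1918 private ranges; adjust for your site.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(client):
    """Classify one client spec as world, external, internal or unknown."""
    host = client.split("(", 1)[0]          # drop the "(options)" part
    if host in ("", "*"):                   # no host or bare wildcard: everyone
        return "world"
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        return "unknown"                    # hostname, pattern or netgroup: review by hand
    if net.prefixlen == 0:
        return "world"
    if any(net.version == i.version and net.subnet_of(i) for i in INTERNAL):
        return "internal"
    return "external"

def audit(text):
    """Return (line number, path, client, verdict) for every non-internal export."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients or [""]:       # a path with no client list goes to everyone
            verdict = classify(client)
            if verdict != "internal":
                findings.append((lineno, path, client or "<none>", verdict))
    return findings

if __name__ == "__main__":
    for lineno, path, client, verdict in audit(SAMPLE_EXPORTS):
        print(f"line {lineno}: {path} -> {client}: {verdict}")
```

Entries reported as "unknown" are hostnames, wildcard patterns or netgroups that the script cannot place on a network and that need a manual look.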
