The Linux/Unix Network File System (NFS) is used to mount remote file systems (similar to shares in Windows) from the local machine. Given the remote access nature of NFS, it certainly has its fair share of hacks.
If NFS was set up improperly or its configuration has been tampered with — namely, the /etc/exports file containing a setting that allows the world to read the entire file system — remote hackers can easily obtain remote access and do anything they want on the system.
Assuming no access control list (ACL) is in place, all it takes is a line, such as the following, in the /etc/exports file:
This line says that anyone can remotely mount the root partition in a read-write fashion. Of course, the following conditions must also be true:
- The NFS daemon (nfsd) must be running, along with the portmap daemon that would map NFS to RPC.
- The firewall must allow the NFS traffic through.
- The remote systems that are allowed into the server running the NFS daemon must be placed into the
This remote‐mounting capability is easy to misconfigure. It’s often related to a Linux administrator’s misunderstanding of what it takes to share out the NFS mounts and resorting to the easiest way possible to get it working. If someone can gain remote access, the system is theirs.
Countermeasures against NFS attacks
The best defense against NFS hacking depends on whether you actually need the service running.
If you don’t need NFS, disable it. If you need NFS, implement the following countermeasures:
- Filter NFS traffic at the firewall — typically, UDP port 111 (the portmapper port) if you want to filter all RPC traffic.
- Add network ACLs to limit access to specific hosts.
- Make sure that your /etc/hosts.allow files are configured properly to keep the world outside your network.
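The world-mountable export described earlier can be checked for mechanically. The following Python script is an added example, not part of the original article: it parses exports(5)-style text and reports exports open to any host, along with any that disable root squashing. The sample file contents and the function names are constructed for illustration.

```python
import re

# Constructed sample /etc/exports content (not from the original article).
SAMPLE_EXPORTS = """\
/               *(rw,no_root_squash)
/srv/projects   192.0.2.0/24(rw,sync) backup.example.test(ro)
/home           admin.example.test (rw)   # stray space: "(rw)" applies to everyone
/pub            (ro,all_squash)
"""

CLIENT_RE = re.compile(r"^(?P<host>[^()]*)(?:\((?P<opts>[^)]*)\))?$")
WORLD_HOSTS = {"", "*"}  # an empty host or a bare "*" matches any client


def parse_exports(text):
    """Yield (path, host, options) for each client spec in exports(5) text."""
    text = text.replace("\\\n", " ")  # join backslash-continued lines
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        # A path with no client list is treated here as exported to any host.
        path, clients = fields[0], fields[1:] or [""]
        for spec in clients:
            match = CLIENT_RE.match(spec)
            if spec.startswith("-") or not match:
                continue  # line-wide "-opts" defaults and malformed specs: skipped
            opts = {o for o in (match.group("opts") or "").split(",") if o}
            yield path, match.group("host"), opts


def audit_exports(text):
    """Return (path, client, issue) tuples for risky exports."""
    findings = []
    for path, host, opts in parse_exports(text):
        client = host or "<any>"
        if host in WORLD_HOSTS:
            # "ro" is the default, so only an explicit "rw" grants write access
            access = "writable" if "rw" in opts else "readable"
            findings.append((path, client, f"world-{access} export"))
        if "no_root_squash" in opts:
            findings.append((path, client, "root squashing disabled"))
    return findings


if __name__ == "__main__":
    for path, client, issue in audit_exports(SAMPLE_EXPORTS):
        print(f"{path:15} {client:8} {issue}")
```

To review a real server, pass the contents of its /etc/exports file to audit_exports instead of the sample.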
Published on Thu 12 March 2015 by Mal Torrance in Security with tag(s): nfs-security