How to Avoid NFS Hacks to Linux Systems
The Network File System (NFS) in Linux is used to mount remote file systems (similar to shares in Windows) on the local machine. Hackers love these remote systems! Given the remote-access nature of NFS, it certainly has its fair share of hacks.
If NFS is set up improperly or its configuration has been tampered with — namely, the /etc/exports file contains a setting that allows the world to read the entire file system — remote hackers can easily obtain remote access and do anything they want on the system. Assuming no access control list (ACL) is in place, all it takes is a line, such as the following, in the /etc/exports file:
This line says that anyone can remotely mount the root partition in a read-write fashion. Of course, the following conditions must also be true:
The NFS daemon (nfsd) must be running, along with the portmap daemon that maps NFS onto RPC.
The firewall must allow the NFS traffic through.
The remote systems that are allowed to reach the server running the NFS daemon must be listed in the /etc/hosts.allow file.
This remote-mounting capability is easy to misconfigure. The misconfiguration often stems from a Linux administrator misunderstanding what it takes to share out NFS mounts and resorting to the easiest way possible to get it working. After hackers gain remote access, the system is theirs.
Countermeasures against NFS attacks
The best defense against NFS hacking depends on whether you actually need the service running.
If you don’t need NFS, disable it.
If you need NFS, implement the following countermeasures:
Filter NFS traffic at the firewall — typically, TCP port 111 (the portmapper port) if you want to filter all RPC traffic.
Add network ACLs to limit access to specific hosts.
Make sure that your /etc/exports and /etc/hosts.allow files are configured properly to keep the world outside your network.
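The following is an added example, not code from the original article: a small Python audit that parses constructed /etc/exports and /etc/hosts.allow contents in their standard formats, shows the world-open root export described above beside a tightened version limited to one directory and one subnet, and flags the settings an administrator should check before trusting the last countermeasure. The function names, the sample share path and the 192.168.1.0/24 subnet are assumptions made for the example.

```python
"""Audit NFS export and tcp_wrappers entries for world-open configurations.

Added example for this article, not code from the original; the file
contents below are constructed samples in the standard exports(5) and
hosts_access(5) formats, so the script runs offline.
"""
import re
import shlex

# Constructed sample: the kind of /etc/exports line the article warns about.
WEAK_EXPORTS = """
# anyone may mount the root file system read-write, and remote root stays root
/  *(rw,no_root_squash)
"""

# Constructed sample: one directory, one subnet, read-only, root squashed.
HARDENED_EXPORTS = """
/srv/share  192.168.1.0/24(ro,sync,root_squash)
"""

# Constructed tcp_wrappers samples for the NFS-related daemons.
WEAK_HOSTS_ALLOW = "ALL : ALL\n"
HARDENED_HOSTS_ALLOW = "rpcbind mountd nfsd : 192.168.1.0/255.255.255.0\n"

WORLD_CLIENTS = {"*", "0.0.0.0/0", "::/0"}        # client specs meaning "any host"
RISKY_OPTIONS = {"rw", "no_root_squash", "insecure"}
NFS_DAEMONS = {"portmap", "rpcbind", "mountd", "nfsd", "lockd", "statd"}

# <client>(<options>)  --  an empty client before "(" means "every host"
_CLIENT_FIELD = re.compile(r"^(?P<client>[^(\s]*)(?:\((?P<opts>[^)]*)\))?$")


def parse_exports(text):
    """Return [(path, [(client, {options}), ...]), ...] from exports(5) text.

    Comments and blank lines are skipped. A field written as "(rw)" with a
    space after the host name is parsed as client "*" with those options,
    which is how exportfs reads it (a classic misconfiguration). A path
    with no client field at all is treated as world-exported; that is this
    audit's conservative assumption, not a claim about every nfs-utils version.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = shlex.split(line)           # tolerates quoted paths with spaces
        path, client_fields = fields[0], fields[1:] or ["*"]
        clients = []
        for field in client_fields:
            m = _CLIENT_FIELD.match(field)
            if not m:
                continue
            client = m.group("client") or "*"
            opts = {o.strip() for o in (m.group("opts") or "").split(",") if o.strip()}
            clients.append((client, opts))
        entries.append((path, clients))
    return entries


def audit_exports(text):
    """Return findings (strings) for exports that are too broad or too permissive."""
    findings = []
    for path, clients in parse_exports(text):
        if path == "/":
            findings.append(f"{path}: the entire root file system is exported")
        for client, opts in clients:
            risky = sorted(opts & RISKY_OPTIONS)
            if client in WORLD_CLIENTS and risky:
                findings.append(f"{path} -> {client}: no host restriction with {','.join(risky)}")
            elif client in WORLD_CLIENTS:
                findings.append(f"{path} -> {client}: no host restriction")
            elif "no_root_squash" in opts:
                findings.append(f"{path} -> {client}: remote root is not squashed")
    return findings


def audit_hosts_allow(text):
    """Flag hosts.allow rules that open NFS-related daemons to every client."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        parts = [p.strip() for p in line.split(":")]   # daemon_list : client_list [: option]
        daemons, clients = set(parts[0].split()), parts[1].split()
        if "ALL" in clients and ("ALL" in daemons or daemons & NFS_DAEMONS):
            findings.append(f"hosts.allow: '{line}' admits every client")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORTS), ("hardened", HARDENED_EXPORTS)):
        print(f"/etc/exports ({label}):", audit_exports(text) or "no findings")
    for label, text in (("weak", WEAK_HOSTS_ALLOW), ("hardened", HARDENED_HOSTS_ALLOW)):
        print(f"/etc/hosts.allow ({label}):", audit_hosts_allow(text) or "no findings")
```

Run it as-is to see the weak samples flagged and the hardened ones pass; to audit a real server, read the two files from disk and pass their contents to audit_exports and audit_hosts_allow. The hardened export relies on the NFS defaults the audit treats as safe (read-only and root_squash), so an export that is read-write to a named subnet is not flagged; whether that is acceptable is a policy decision, not a parsing one.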