When exposing NFS directly to the internet without firewall protection, you face multiple threats: eavesdropping, unauthorized access, and data manipulation. NFS was originally designed for trusted networks, making its default configurations particularly dangerous for public internet use.
1. Implement Transport Layer Security:
# Configure NFS with Kerberos authentication
/etc/nfs.conf:
[nfsd]
vers4.2=y
sec=krb5p
2. Enforce Client Restrictions:
# Edit /etc/exports to restrict access
/data 192.168.1.100(ro,root_squash,insecure)
# Never use 'no_root_squash' on public networks
VPN Tunnel Solution: Create an OpenVPN tunnel before NFS communication:
# OpenVPN server configuration
server 10.8.0.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
tls-auth ta.key 0
cipher AES-256-CBC
Stunnel Encryption: Add SSL/TLS wrapper for NFS:
# stunnel configuration for NFS
[nfs]
accept = 2049
connect = 127.0.0.1:2049
cert = /etc/stunnel/nfs-cert.pem
key = /etc/stunnel/nfs-key.pem
- Disable NFSv2 and NFSv3 (vulnerable to sniffing)
- Implement ID mapping to prevent uid/gid spoofing
- Set proper file permissions (0700 for sensitive directories)
- Enable NFS port monitoring with fail2ban
Regularly audit NFS access logs:
# Monitor NFS connections
nfsstat -s
rpcinfo -p
grep nfsd /var/log/messages
Consider implementing intrusion detection rules specifically for NFS traffic patterns in your monitoring solution.
NFS (Network File System) was originally designed for trusted local networks, making it inherently insecure when exposed to the internet. Without proper security measures, you're vulnerable to:
- Data interception (sniffing)
- Unauthorized access
- Man-in-the-middle attacks
- IP spoofing
For remote NFS access, you'll need to implement multiple layers of protection:
1. Mandatory VPN Tunnel
Always route NFS traffic through a VPN. Here's a basic WireGuard configuration example:
# /etc/wireguard/wg0.conf (Server)
[Interface]
PrivateKey = YOUR_SERVER_PRIVATE_KEY
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
PublicKey = CLIENT_PUBLIC_KEY
AllowedIPs = 10.0.0.2/32

# /etc/wireguard/wg0.conf (Client)
[Interface]
PrivateKey = YOUR_CLIENT_PRIVATE_KEY
Address = 10.0.0.2/24

[Peer]
PublicKey = SERVER_PUBLIC_KEY
AllowedIPs = 10.0.0.0/24
Endpoint = your.server.ip:51820
PersistentKeepalive = 25
2. NFS Version Selection
Always use NFSv4 or newer, as it includes improved security features:
# /etc/exports
/mnt/share 10.0.0.2(rw,sync,no_subtree_check,sec=krb5p)
3. Firewall Implementation
Even if your server currently has no firewall, you must add one:
# Basic iptables rules for NFS over VPN
# Rules are evaluated in order: the wg0 ACCEPT must come before the
# port-2049 DROP, otherwise NFS over the tunnel is dropped as well.
iptables -A INPUT -p udp --dport 51820 -j ACCEPT   # WireGuard
iptables -A INPUT -i wg0 -j ACCEPT                 # Allow VPN traffic
iptables -A INPUT -p tcp --dport 2049 -j DROP      # Block direct NFS access
Kerberos Authentication
For enterprise environments, implement Kerberos:
# Install required packages
apt-get install nfs-kernel-server krb5-kdc krb5-admin-server

# Configure /etc/krb5.conf
[realms]
EXAMPLE.COM = {
    kdc = kdc.example.com
    admin_server = kdc.example.com
}
Stunnel for Additional Encryption
Add TLS encryption on top of your VPN:
# /etc/stunnel/stunnel.conf
[nfs]
accept = 20490
connect = 2049
cert = /etc/stunnel/stunnel.pem
key = /etc/stunnel/stunnel.key
Implement these ongoing security practices:
- Regularly audit NFS access logs
- Set up fail2ban to block brute force attempts
- Keep all security packages updated
- Consider port knocking for additional obscurity
If security is paramount, consider these NFS alternatives:
- SSHFS (FUSE-based filesystem over SSH)
- SFTP with chroot
- Samba with encrypted transport
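Both answers above hinge on a few /etc/exports options (root_squash vs. no_root_squash, secure vs. insecure, an explicit client list, and sec=krb5p instead of the default sec=sys). The following auditor is an added example, not code from either answer: it parses an exports file and flags entries that would be unsafe on an untrusted network. The sample exports text is constructed to mirror the lines shown above; the option table and the strictness of the sec check are the example's own assumptions.

```python
import re

# Export options that weaken an export reachable from untrusted networks
# (assumed risk descriptions, not taken from exports(5) verbatim).
RISKY_OPTIONS = {
    "no_root_squash": "remote root keeps uid 0 on the export",
    "insecure": "accepts requests from unprivileged source ports",
}
STRONG_SEC = ("krb5i", "krb5p")  # flavours that protect data on the wire

# Matches "host(opts)" or a bare host; an empty host before "(" means any host.
CLIENT_RE = re.compile(r"(?P<host>[^\s(]*)\((?P<opts>[^)]*)\)|(?P<bare>\S+)")

# Constructed sample mirroring the exports lines shown in the answers above.
SAMPLE_EXPORTS = """\
/data 192.168.1.100(ro,root_squash,insecure)
/mnt/share 10.0.0.2(rw,sync,no_subtree_check,sec=krb5p)
/backup *(rw,no_root_squash)
"""


def audit_exports(text):
    """Return (path, host, finding) tuples for the body of an /etc/exports file."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1] if len(parts) > 1 else "*"  # no client list = world
        for m in CLIENT_RE.finditer(clients):
            host = m.group("host") if m.group("bare") is None else m.group("bare")
            opts = [o.strip() for o in (m.group("opts") or "").split(",") if o.strip()]
            label = host or "*"
            if host in ("", "*"):
                findings.append((path, label, "export open to any host"))
            sec = [o.split("=", 1)[1] for o in opts if o.startswith("sec=")]
            flavours = sec[0].split(":") if sec else ["sys"]  # sec=sys is the default
            if not all(f in STRONG_SEC for f in flavours):
                findings.append((path, label, "sec=%s allows unprotected traffic" % ":".join(flavours)))
            for opt in opts:
                if opt in RISKY_OPTIONS:
                    findings.append((path, label, "%s: %s" % (opt, RISKY_OPTIONS[opt])))
    return findings


if __name__ == "__main__":
    for path, host, finding in audit_exports(SAMPLE_EXPORTS):
        print("%-12s %-16s %s" % (path, host, finding))
```

Run it against the real file with `audit_exports(open("/etc/exports").read())`; a clean export such as the /mnt/share line produces no findings.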