rpcbind is new portmap or how to make nfs secure on Linux

I was installing NFS server on otherwise public host recently, and noticed that conventional wisdom about securing NFS server is somewhat dated. My goal was to expose NFS on two internal interfaces without exposing it to whole wide Internet (assumptions about network security changed a lot since NFS was designed, sadly).

For a start, you are probably running rpcbind instead of portmap on recent Debian installations. So you will need to modify flags which are passed to portmap on startup:

root@rsync1:~# cat /etc/default/rpcbind 
OPTIONS="-w -l -h -h"

You will also need to add following line:

root@rsync1:~# grep rpcbind /etc/hosts.deny 
rpcbind: ALL

Now you will notice that rpcinfo -p still works OK on localhost. That’s because rpcbind will always add loopback address, so we have to test it from another machine:

root@rsync1-dev:~# rpcinfo -p
rpcinfo: can't contact portmapper: RPC: Authentication error; why = Client credential too weak

That’s more like it! If we take a look in log…

root@rsync1:~# tail -1 /var/log/auth.log
May  8 20:31:51 rsync1 rpcbind: connect from to dump(): request from unauthorized host

…we don’t even have to guess local system IP adress. We’ll allow this host to connect with…

root@rsync1:~# grep rpcbind /etc/hosts.allow 

We can also check our tcp wrappers configuration with:

root@rsync1:~# tcpdmatch rpcbind
client:   address
server:   process  rpcbind
access:   granted

Ref : http://blog.rot13.org/2012/05/rpcbind-is-new-portmap-or-how-to-make-nfs-secure.html


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s