How to make NFS secure?
Solution 1:
You could tunnel it through SSH.
- Here is a guide for NFS4.
- Here is a guide for NFS3.
Solution 2:
The server has no firewall
If the remote system is not secure (and an absence of any firewalling makes that decidedly suspect) then its doesn't matter what you do to your connection - you can't be confident of security. This is particularly true for an NFS server where authentication is not tied into the underlying protocol.
If you're assertions are correct (which I find astonishing) then find out who configured the server this way and block them out before they can do any more harm.
If you need access to NFS across the internet, use a VPN (IPSEC, SSL tunnel, SSH tunnel, even pptp) and BLOCK all direct internet access (other than the secure connection) on the server.
Solution 3:
If NFS is used on the system, please proceed via the following measures:
- If possible only allow read-only access to your exported data (-ro)
- Do not export the root folder / or /etc
- Deactivate NFS, if you do not wish to export any file systems.
- Access to NFS exports must be restricted to specified hosts
- If zfs filesystems are present, check also their attributes do not configure them to be shared over NFS.
- Use the -nosuid option for mounting folders, to prevent execution of setuid programs.
- Use the –nodev option for mounting folders, to prevent the sharing of device files.