How to Secure NFS on untrusted clients environment

security linux ubuntu nfs

NFS is a security hole with file access -- there is nothing you can really do to mitigate that. The best thing you can do is only allow exports to trusted clients as you described, and optionally use firewall rules to prevent other people from sneaking through and talking to your NFS server (even though they theoretically wouldn't be able to do anything you may as well make sure they're locked out).

If you use NFSv4 exclusively you can Kerberize your NFS environment, which offers some better security options in terms of authenticating clients, but the work of maintaining the Kerberos environment is probably equal to (or greater than) maintaining netgroup export lists -- If you're using Kerberos anyway though it may be a better solution for you.

Related

Receive total send and received emails Exchange 2010
How do I secure my Asterisk server?
Moving Gitlab and Gitolite server to another machine
nginx SSL error
Script to run chown on all folders and setting the owner as the folder name minus the trailing /
In, IPTables, whats the difference between these two rules?
Process for configuring network settings on a headless rack mount device
Use server's IP via SSH tunnel
Microsoft VDI 2012 - VDI Personal collection vs Session-based deployment
How to find last login user on given computer name on AD
Bridging Hyper-V virtual network and physical network kills physical network connection [closed]
How to redeploy host-manager webapp on Tomcat 7?