-
Program your firewall and routers to block NFS and SMB packets.
-
Use NFS Version 3, if available, in TCP mode.
-
Use the netgroups mechanism to restrict the export of (and thus the ability to remotely mount) filesystems to a small set of local machines.
-
Mount partitions NOSUID unless SUID access is absolutely necessary.
-
Mount partitions NODEV, if available.
-
Set root ownership on files and directories exported remotely.
-
Never export a mounted partition on your system to an untrusted machine if the partition has any world- or group -writable directories.
-
Set the kernel portmon variable to ignore NFS requests from unprivileged ports.
-
Export filesystems to a small set of hosts using the access= or ro= options. Export read-only when possible.
-
Do not export user home directories in a writable mode.
-
Do not export server executables.
-
Do not export filesystems to yourself!
-
Do not use the root= option when exporting filesystems unless absolutely necessary.
-
Use fsirand on all partitions that are exported. Rerun the program periodically.
-
When possible, use the secure option for NFS mounts.
-
Monitor who is mounting your NFS partitions (but realize that you may not have a complete picture because of the stateless nature of NFS).
-
Restrict login access to the NFS or Samba server.
-
Use "user" or "domain" security with Samba. Enable encrypted passwords.
-
Require SMB clients to use a recent version of the protocol using the min protocol directive on the Samba server.
-
Don't use the admin user option.
-
Use the veto files option if appropriate.
-
Don't map the DOS archive bit to the Unix executable permission.
-
Use NetBIOS nameservers for name registration and queries, rather than broadcast packets.
-
Reconsider why you want to use a network filesystem, and think about going without one. For instance, replicating disks on local machines may be a safer approach.
