I was installing an NFS server on an otherwise public host recently, and noticed that the conventional wisdom about securing an NFS server is somewhat dated. My goal was to expose NFS on two internal interfaces without exposing it to the whole wide Internet (assumptions about network security have changed a lot since NFS was designed, sadly).

For a start, you are probably running rpcbind instead of portmap on recent Debian installations. So you will need to modify the flags which are passed to it on startup, restricting it to the internal addresses:
    root@rsync1:~# cat /etc/default/rpcbind
    OPTIONS="-w -l -h 172.16.10.2 -h 192.168.0.219"

You will also need to add the following line, so that tcp wrappers deny rpcbind to everybody who is not explicitly allowed:

    root@rsync1:~# grep rpcbind /etc/hosts.deny
    rpcbind: ALL

Now you will notice that rpcinfo -p still works OK on localhost. That's because rpcbind will always add the loopback address, so we have to test it from another machine:

    root@rsync1-dev:~# rpcinfo -p 192.168.0.219
    rpcinfo: can't contact portmapper: RPC: Authentication error; why = Client credential too weak

That's more like it! If we take a look in the log...

    root@rsync1:~# tail -1 /var/log/auth.log
    May 8 20:31:51 rsync1 rpcbind: connect from 192.168.0.21 to dump(): request from unauthorized host

...we don't even have to guess the client system's IP address. We'll allow this host to connect with:

    root@rsync1:~# grep rpcbind /etc/hosts.allow
    rpcbind: 192.168.0.21

We can also check our tcp wrappers configuration with tcpdmatch, which evaluates hosts.allow and hosts.deny for a given daemon and client without touching the network:

    root@rsync1:~# tcpdmatch rpcbind 192.168.0.21
    client:   address  192.168.0.21
    server:   process  rpcbind
    access:   granted
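To make the hosts.allow / hosts.deny ordering explicit, here is an added example (my own script, not part of the tcp wrappers tooling) that evaluates the two rules from this post the way tcp wrappers does: hosts.allow is consulted first, then hosts.deny, and a client matching neither is let in. The rule contents are constructed inline; only the forms used here (ALL, an exact address, a dotted prefix such as 192.168.0.) are supported, not CIDR masks or EXCEPT.

```shell
#!/bin/sh
# Constructed sample rules mirroring the post's configuration (not real files).
HOSTS_ALLOW='rpcbind: 192.168.0.21'
HOSTS_DENY='rpcbind: ALL'

# client_match PATTERN CLIENT -> 0 if PATTERN covers CLIENT
client_match() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # dotted prefix, e.g. 192.168.0.
    *)   [ "$1" = "$2" ] && return 0 ;;           # exact address
  esac
  return 1
}

# wrap_match RULES DAEMON CLIENT -> 0 if any "daemon: client" line matches
wrap_match() {
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac      # skip blanks and comments
    daemon_ok=1
    for d in $(printf '%s' "${line%%:*}" | tr ',' ' '); do
      if [ "$d" = "$2" ] || [ "$d" = ALL ]; then daemon_ok=0; fi
    done
    [ "$daemon_ok" -eq 0 ] || continue
    for c in $(printf '%s' "${line#*:}" | tr ',' ' '); do
      client_match "$c" "$3" && return 0
    done
  done <<EOF
$1
EOF
  return 1
}

# wrap_decide ALLOW DENY DAEMON CLIENT -> prints granted or denied using the
# tcp wrappers order: hosts.allow first, then hosts.deny, otherwise allow.
wrap_decide() {
  if wrap_match "$1" "$3" "$4"; then echo granted
  elif wrap_match "$2" "$3" "$4"; then echo denied
  else echo granted
  fi
}

# The post's setup: only 192.168.0.21 may talk to rpcbind.
wrap_decide "$HOSTS_ALLOW" "$HOSTS_DENY" rpcbind 192.168.0.21   # granted
wrap_decide "$HOSTS_ALLOW" "$HOSTS_DENY" rpcbind 192.168.0.219  # denied
# Without the "rpcbind: ALL" line in hosts.deny every other host is let in.
wrap_decide "$HOSTS_ALLOW" "" rpcbind 192.168.0.219             # granted
```

The last call shows why the hosts.deny entry matters: hosts.allow alone never blocks anyone.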