[Network Security] NFS service security reinforcement

Overview

The insecurity of NFS is mainly reflected in the following four aspects:

  • Lack of access control mechanism
  • No real user authentication mechanism, only process authentication for RPC/Mount requests
  • Older versions of NFS can allow unauthorized users to obtain valid file handles
  • In RPC remote calls, SUID programs have superuser privileges

Reinforcement plan

To effectively deal with the above security risks, it is recommended that you use the following reinforcement solutions.

Configure shared directory (/etc/exports)

Configure the shared directory using anonuid, anongid so that clients mounted to the NFS server have only minimal permissions. Do not use no_root_squash.

Use network access control

Use security group policies or an iptables firewall to limit the range of machines that can connect to the NFS server, for example:

iptables -A INPUT -i eth0 -p TCP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 192.168.0.0/24 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p TCP -s 140.0.0.0/8 --dport 111 -j ACCEPT
iptables -A INPUT -i eth0 -p UDP -s 140.0.0.0/8 --dport 111 -j ACCEPT

Account verification

Use Kerberos V5 as the login authentication system, requiring all visitors to log in with an account to improve security.

Set the number of COPYs for NFSD

In Linux, the number of COPYs for NFSD is defined in the startup file /etc/rc.d/init.d/nfs, and the default value is 8.

The optimal number of COPYs generally depends on the number of possible clients. You can test to find a near-optimal value for the number of COPYs and set the parameter manually.

Select a transport protocol

Choose UDP or TCP as the transport protocol according to the network situation. The transport protocol can be selected automatically or set manually, for example as a mount option:

mount -t nfs -o sync,tcp,noatime,rsize=1024,wsize=1024 EXPORT_MACHINE:/EXPORTED_DIR /DIR

UDP is fast and convenient for connectionless transmission, but it is less stable than TCP. When the network is unstable or under attack, NFS performance can drop sharply and the network can even become paralysed. In general, NFS over TCP is more stable and NFS over UDP is faster.

  • When there are few machines and the network conditions are good, UDP gives better performance.
  • When there are many machines and the network situation is complex, TCP is recommended (NFSv2 only supports UDP).
  • UDP is the better choice on a LAN, because a LAN offers relatively stable connectivity and UDP gives better performance there.
  • TCP is recommended on a WAN, because it lets NFS keep the best transmission stability in complex network environments.

Limit the number of clients

Modify /etc/hosts.allow and /etc/hosts.deny to limit which clients are allowed to connect.

/etc/hosts.allow

portmap: 192.168.0.0/255.255.255.0 : allow
portmap: 140.116.44.125 : allow

/etc/hosts.deny

portmap: ALL : deny

Change default NFS port

NFS uses port 111 by default. This port can be changed with the port parameter, which enhances security to a certain extent.

Configuring nosuid and noexec

SUID (Set User ID) or SGID (Set Group ID) programs allow ordinary users to execute with permissions exceeding their own. Many SUID/SGID executable programs are necessary, but they may also be exploited by some malicious local users to obtain permissions that they should not have.

Minimize the number of files that are owned by root or the root group and carry the SUID/SGID attributes. You can delete such files or change their permission attributes.

Use the nosuid option to prevent set-UID programs from running from the NFS share. You can add a line like the following to /etc/exports (note that the option list contains no spaces):

/www www.abc.com(rw,root_squash,nosuid)

Use noexec to prevent binaries inside the shared directory from being executed directly.
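The following audit script is an added example and not part of the original article; it checks an /etc/exports file for the weak settings discussed above (exports to everyone and no_root_squash) and a /proc/mounts-style table for NFS mounts lacking nosuid/noexec. Both functions take a file path so they can be run against constructed samples; without an argument they read the live system files.

```shell
#!/bin/sh
# Added example, not code from the original article. Two audit helpers for
# the NFS settings covered above. Requires only POSIX sh and awk.

# audit_exports FILE: print one line per weak entry in an /etc/exports file;
# return 1 if anything was found, 0 if the file is clean.
audit_exports() {
    awk '
    /^[ \t]*(#|$)/ { next }                # skip comments and blank lines
    {
        path = $1
        if (NF < 2) { print path ": no client list, exported to everyone"; bad = 1; next }
        for (i = 2; i <= NF; i++) {
            host = $i; opts = ""
            # split "client(opt1,opt2)" into host and option list
            if (match($i, /\(.*\)$/)) {
                host = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            # "/www (rw)" (space before the parenthesis) exports to everyone,
            # as does an explicit "*" client
            if (host == "" || host == "*") { print path ": exported to everyone"; bad = 1 }
            if (opts ~ /(^|,)no_root_squash(,|$)/) {
                print path " " host ": no_root_squash (client root becomes server root)"; bad = 1
            }
        }
    }
    END { exit bad ? 1 : 0 }' "${1:-/etc/exports}"
}

# audit_mounts FILE: scan a /proc/mounts-style table (device, mountpoint,
# fstype, options) for NFS mounts missing nosuid or noexec; same return
# convention as audit_exports.
audit_mounts() {
    awk '
    $3 ~ /^nfs4?$/ {
        if ($4 !~ /(^|,)nosuid(,|$)/) { print $2 ": mounted without nosuid"; bad = 1 }
        if ($4 !~ /(^|,)noexec(,|$)/) { print $2 ": mounted without noexec"; bad = 1 }
    }
    END { exit bad ? 1 : 0 }' "${1:-/proc/mounts}"
}
```

Run `audit_exports` on the NFS server and `audit_mounts` on each client; a non-zero exit status means at least one finding was printed.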

Next, I will lay out a study plan for each student!

Study plan

So the question comes again, as a newbie, what should I learn first and what should I learn next?
Since you have asked so straightforwardly, I will tell you what you should start learning from scratch:

Phase 1: Junior Network Security Engineer

Next, I will arrange a one-month basic network security plan for you. After you finish the course, you can basically work in a network security-related job, such as penetration testing, web penetration, security services, security analysis, etc. If you learn the MLPS module well, you can also work as an MLPS engineer.

The comprehensive salary range is 6k~15k

1. Network security theoretical knowledge (2 days)
① Understand the relevant background and prospects of the industry and determine the development direction.
② Learn laws and regulations related to network security.
③ The concept of network security operations.
④ Introduction to MLPS, regulations, processes and specifications for MLPS. (Very important)

2. Penetration testing basics (1 week)
① Penetration testing process, classification and standards
② Information collection technology: active/passive information collection, Nmap tool, Google Hacking
③ Vulnerability scanning, vulnerability exploitation, principles, utilization methods, tools (MSF), bypassing IDS and anti-virus reconnaissance
④ Host attack and defense drills: MS17-010, MS08-067, MS10-046, MS12-020, etc.

3. Operating system basics (1 week)
① Common functions and commands of Windows system
② Common functions and commands of Kali Linux system
③ Operating system security (system intrusion investigation/system reinforcement basis)

4. Computer network basics (1 week)
① Computer network basics, protocols and architecture
② Network communication principles, OSI model, data forwarding process
③ Common protocol analysis (HTTP, TCP/IP, ARP, etc.)
④ Network attack technology and network security defense technology
⑤ Web vulnerability principles and defense: active/passive attacks, DDoS attacks, CVE vulnerability reproduction

5. Basic database operations (2 days)
① Database basics
② SQL language basics
③ Database security reinforcement

6. Web penetration (1 week)
① Introduction to HTML, CSS and JavaScript
② OWASP Top 10
③ Web vulnerability scanning tools
④ Web penetration tools: Nmap, BurpSuite, SQLMap, others (Chopper, Miss Scan, etc.)

So, it has taken about a month so far. You have successfully become a “script kiddie”. So do you still want to continue exploring?

Phase 2: Intermediate or senior network security engineer (depending on your ability)

The comprehensive salary range is 15k~30k

7. Script programming learning (4 weeks)
In the field of cybersecurity, the ability to program is the essential difference between a "script kiddie" and a true network security engineer. In real penetration testing, faced with complex and changing network environments, the commonly used tools often cannot meet actual needs, and it becomes necessary to extend existing tools or write tools and automated scripts that meet our requirements. This requires certain programming skills. In CTF competitions, where every second counts, effectively using homemade script tools to achieve various goals also requires programming skills.

For students who are starting from scratch, I suggest you choose one of the scripting languages Python/PHP/Go/Java and learn to program with its common libraries.
Set up a development environment and choose an IDE. Wamp and XAMPP are recommended for PHP environments, and Sublime is highly recommended as the IDE.

Learn Python programming. The learning content includes: syntax, regular expressions, files, networking, multi-threading and other common libraries. We recommend "Python Core Programming"; there is no need to read it all.

Use Python to write exploits for vulnerabilities, and then write a simple web crawler

Learn basic PHP syntax and write a simple blog system

Be familiar with the MVC architecture and try to learn a PHP framework or Python framework (optional)

Understand Bootstrap layout or CSS.

Phase 3: Top Network Security Engineer