RpcBind Needed for NFS client Mounting Read-Only Filesystem?

kecalli
Posts: 1
Joined: 2015/06/29 15:51:17

RpcBind Needed for NFS client Mounting Read-Only Filesystem?

Post by kecalli » 2015/06/29 16:21:28

I am attempting to secure my NFS client by reducing the network attack surface (open network ports).

My question relates to an NFS client mounting a read-only file system from an NFS server. This is assuming NFSv3.

I noticed that the nfs-utils package is generic and includes the client and server processes. There isn’t a separate NFS client and NFS server package.

When installing nfs-utils on CentOS 6.6, at least 5 services/daemons are installed. These include:

Rpcbind
Rpcgssd
Rpcsvcgssd
Nfs
Nfslock (depends on rpcbind)

Here are my assumptions. Please correct me if I’m wrong:

1. If I’m mounting an NFS file system read-only (options ro and nolock in /etc/fstab), I no longer need to run nfslock? If I don’t need nfslock, there is no need for RPCBind to be running? Are there any other reasons RPCBind should be running in this situation?
2. Even after disabling RPCBind using chkconfig, the NFS kernel module appears to start RPCBind anyway since the NFS module has a dependency on the SUNRPC module. If my first assumption is correct (RPCBind is not needed), is there a way to disable the loading of the SUNRPC module? Is this feasible since I don’t need the features provided by the SUNRPC module (lockd, nfs_acl, etc.)?

By disabling RPCBind, TCP port 111 would not need to be opened. I understand that I can block this port using iptables, but would like to know why RPCBind is needed in the scenario I have explained.

Thanks,

Keith
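
A check for the precondition in assumption 1, added here as an example and not part of the original post: it reads fstab-format text on stdin and reports NFS entries that lack ro or nolock (without nolock, an NFSv3 mount defaults to NLM locking). The server name and paths in the sample are constructed.

```shell
#!/bin/sh
# Added example: audit fstab-format text (stdin) for NFS mounts that lack
# the "ro" and "nolock" options named in the post.
# Prints one line per NFS entry: "<mountpoint> OK" or "<mountpoint> MISSING <opts>".
audit_nfs_fstab() {
    awk '
        $1 ~ /^#/ { next }                     # skip commented-out entries
        $3 == "nfs" {                          # type "nfs" only (the post assumes NFSv3)
            n = split($4, opts, ",")
            has_ro = 0; has_nolock = 0
            for (i = 1; i <= n; i++) {         # last occurrence of a pair wins
                if (opts[i] == "ro")     has_ro = 1
                if (opts[i] == "rw")     has_ro = 0
                if (opts[i] == "nolock") has_nolock = 1
                if (opts[i] == "lock")   has_nolock = 0
            }
            missing = ""
            if (!has_ro)     missing = missing " ro"
            if (!has_nolock) missing = missing " nolock"
            if (missing == "") print $2, "OK"
            else               print $2, "MISSING" missing
        }
    '
}

# Constructed sample input (hypothetical server and paths), not from the post.
sample_fstab() {
    cat <<'EOF'
# device                 mountpoint  type  options            dump pass
/dev/sda1                /           ext4  defaults           1 1
nfs.example.com:/export  /mnt/docs   nfs   ro,nolock,vers=3   0 0
nfs.example.com:/home    /mnt/home   nfs   rw,vers=3          0 0
nfs.example.com:/pub     /mnt/pub    nfs   ro,vers=3          0 0
EOF
}

sample_fstab | audit_nfs_fstab
```

On a real client, feed it the live file with `audit_nfs_fstab < /etc/fstab`.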

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: RpcBind Needed for NFS client Mounting Read-Only Filesys

Post by aks » 2015/06/29 18:15:09

If you don't have RPC (Remote Procedure Call) then you don't have NFS; it's pretty mandatory.
