NFS and other RPC-based programs are a big security risk for several
reasons. First, they have a less than admirable record. Most Linux
compromises on campus come from users who have enabled NFS and other
RPC services and forgotten to patch them. Second, NFS and other RPC
services have horrendous logging, which makes it difficult to track
what is going on. Third, NFS has traditionally been hard to set up
properly, though Linux is making strong inroads in this department.
Last, NFS just plain isn't needed by most people. You need not run
the service if you only want to mount other hosts' filesystems.
You only need to run NFS if you absolutely must export one of your
filesystems. Red Hat (not us) by default disables NFS, and their Medium
or High Level firewall settings disable all RPC services, including NFS
and NIS.
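
One way to check a host against the rule above (run the NFS server only if you export something), as an added example that is not part of the original page. The function names and the sample `rpcinfo -p` text are constructed for illustration; on a real host pass "$(rpcinfo -p)" and /etc/exports.

```shell
#!/bin/sh
# Added example: decide whether a registered NFS server is actually needed.

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100024    1   udp  40123  status
    100005    3   tcp  20048  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100004    2   udp    834  ypserv'

# Print the unique service names registered with the portmapper.
# Reads `rpcinfo -p` text on stdin; the header line is skipped because
# its first field is not a program number.
rpc_services() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 5 { print $5 }' | sort -u
}

# Count export lines in an exports file, ignoring blanks and comments.
active_exports() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ev '^[[:space:]]*(#|$)' "$1" | wc -l | tr -d ' '
}

# $1 = rpcinfo -p text, $2 = path to an exports file.
# RPC program 100003 is the NFS server itself.
nfs_server_verdict() {
    exports=$(active_exports "$2")
    if printf '%s\n' "$1" | awk '$1 == "100003" { f = 1 } END { exit !f }'; then
        if [ "$exports" -eq 0 ]; then
            echo "DISABLE: nfs registered but nothing exported"
        else
            echo "REVIEW: nfs registered, $exports export line(s)"
        fi
    else
        echo "OK: nfs server not registered"
    fi
}

# Demonstration on the constructed sample with an empty exports file.
echo "Registered RPC services:"
printf '%s\n' "$SAMPLE_RPCINFO" | rpc_services
nfs_server_verdict "$SAMPLE_RPCINFO" /dev/null
```

A host that only mounts other machines' filesystems should end up at the "OK" verdict; anything still listed by `rpc_services` is a service that has to be kept patched.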