Program your firewall and
routers to block NFS and SMB packets.
Use NFS Version 3, if available, in TCP mode.
Use the netgroups mechanism to restrict the export of (and thus the
ability to remotely mount) filesystems to a small set of local
machines.
Mount partitions NOSUID unless SUID access is absolutely necessary.
Mount partitions NODEV, if available.
Set root ownership on files and directories
exported remotely.
Never export a mounted partition on your system to an untrusted
machine if the partition has any world- or group-writable
directories.
Set the kernel portmon variable to ignore NFS
requests from unprivileged ports.
Export filesystems to a small set of hosts using the
access= or ro= options.
Export read-only when possible.
Do not export user home directories in a writable mode.
Do not export server executables.
Do not export filesystems to yourself!
Do not use the root= option when exporting
filesystems unless absolutely necessary.
Use fsirand on all partitions that are exported.
Rerun the program periodically.
When possible, use the secure option for NFS
mounts.
Monitor who is mounting your NFS partitions (but realize that you may
not have a complete picture because of the stateless nature of NFS).
Restrict login access to the NFS or Samba server.
Use "user" or
"domain" security with Samba.
Enable encrypted passwords.
Require SMB clients to use a recent version of the protocol using the
min protocol directive on
the Samba server.
Don't use the admin user option.
Use the veto files option if appropriate.
Don't map the DOS archive bit to the Unix executable
permission.
Use NetBIOS nameservers for name registration and queries, rather
than broadcast packets.
Reconsider why you want to use a network filesystem, and think about
going without one. For instance, replicating disks on local machines
may be a safer approach.
