Can someone sniff NFS over internet?

If you use NFSv4 with sec=krb5p, then it is secure. (That means use Kerberos 5 for authentication, and encrypt the connection for privacy.) But if you use NFS v3 or NFS v4 with sys=system, then no, it's not secure at all.

There might also be some concern with exposing the Kerberos and RPC ports to the internet at large, just in case of unknown vulnerabilities.
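
As an added example, not part of the answer above: a small audit that reads mount-table text in `/proc/mounts` format and reports which NFS mounts use `sec=krb5p` and which send file data unencrypted. It judges only the `sec=` flavor (`sys`, `krb5`, `krb5i`, `krb5p`); the sample lines, hostnames and function names are constructed for illustration.

```python
# Added example: classify NFS mounts by their sec= flavor, using the
# /proc/mounts line format (device, mountpoint, fstype, options, dump, pass).

# Constructed sample input; hostnames and paths are made up.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
files.example.net:/home /home nfs4 rw,relatime,vers=4.2,proto=tcp,sec=krb5p,clientaddr=192.0.2.10 0 0
files.example.net:/scratch /scratch nfs4 rw,vers=4.1,proto=tcp,sec=sys 0 0
old.example.net:/export /mnt/old nfs rw,vers=3,proto=tcp,sec=sys,mountvers=3 0 0
files.example.net:/proj /proj nfs4 rw,vers=4.2,proto=tcp,sec=krb5i 0 0
"""

# What each security flavor protects on the wire.
FLAVORS = {
    "sys":   "no Kerberos; client-asserted UID/GID, data in cleartext",
    "krb5":  "Kerberos authentication only; data in cleartext",
    "krb5i": "Kerberos + integrity; tampering detected, data still readable",
    "krb5p": "Kerberos + privacy; data encrypted",
}

def audit_nfs_mounts(mounts_text):
    """Return (mountpoint, sec, encrypted, note) for every NFS mount."""
    findings = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("nfs", "nfs4"):
            continue  # not an NFS mount
        # "rw,vers=4.2,sec=krb5p" -> {"rw": "", "vers": "4.2", "sec": "krb5p"}
        opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
        sec = opts.get("sec", "unknown")
        note = FLAVORS.get(sec, "flavor not reported; treat as unprotected")
        findings.append((fields[1], sec, sec == "krb5p", note))
    return findings

def sniffable(mounts_text):
    """Mount points whose file data crosses the network unencrypted."""
    return [m for m, _, enc, _ in audit_nfs_mounts(mounts_text) if not enc]

if __name__ == "__main__":
    import sys
    # Pass a file such as /proc/mounts, or run with no argument for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for mountpoint, sec, enc, note in audit_nfs_mounts(text):
        print(f"{'OK  ' if enc else 'WEAK'} {mountpoint} sec={sec}: {note}")
```

Note that `krb5` and `krb5i` mounts are reported as weak here: they authenticate with Kerberos but do not encrypt file contents.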


NFS itself is not generally considered secure - using the Kerberos option as @matt suggests is one option, but your best bet if you have to use NFS is to use a secure VPN and run NFS over that - this way you at least protect the insecure filesystem from the Internet - of course if someone breaches your VPN you're effectively wide open, but that would be the usual scenario anyway.


I don't know who some people are, but I don't agree with them at all. sshfs is about 99% of the speed of NFS (tested) and a lot more robust. It carries with it the ability of ssh to handle the flaky nature of internet traffic without dropping, that on NFS would have you hanging with stale file handles.

I've used sshfs to mount my home directory on my box in NYC from San Jose and stayed connected and working for 3 days continuous data movement without a hiccup.

Try it, you'll like it.

Tags: Security, NFS