-
- Service Provider
- Posts: 54
- Liked: 5 times
- Joined: Oct 04, 2019 7:43 am
- Full Name: Marcel Kacmar
- Location: Slovakia
- Contact:
Best practice for NFS repository - Case # 05337268
Hello,
There is no best practice on how to set up an NFS repository (the best way against vulnerabilities).
Thank you
-
- Veeam Software
- Posts: 3626
- Liked: 608 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: Best practice for NFS repository - Case # 05337268
Hi Marcel,
There are no best practices specifically for an NFS repository, but general security considerations and infrastructure hardening best practices are still valid in this case. I'd also recommend having a dedicated gateway server, so that just a single node can write data to the repository, and enabling data encryption for backup jobs.
Thanks!
-
- Service Provider
- Posts: 54
- Liked: 5 times
- Joined: Oct 04, 2019 7:43 am
- Full Name: Marcel Kacmar
- Location: Slovakia
- Contact:
Re: Best practice for NFS repository - Case # 05337268
Hello Petr,
In this case we were struggling with how to set up the NFS protocol as nfs41 instead of nfs3,
so some recommendations are missing, like:
whether it is recommended to install an NFS client on the gateway server or not
if yes, what GID and UID should be used on the gateway side
what should the export policy look like on the NFS server side?
which permissions should be used on folders
which options should be used for exporting a particular folder in /etc/exports
-
- Veeam Software
- Posts: 3626
- Liked: 608 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: Best practice for NFS repository - Case # 05337268
Hi Marcel,
The main idea is that the gateway server must have read-write access to the NFS share, and we don't have special requirements for the deployment of NFS itself. You can tweak permissions according to your preferences and provide access to specific clients in /etc/exports. You will need to install the NFS client package if you assign the gateway role to a Linux-based server. You may review this page on our help center and let us know what's missing from your point of view.
Thanks!
-
- Service Provider
- Posts: 54
- Liked: 5 times
- Joined: Oct 04, 2019 7:43 am
- Full Name: Marcel Kacmar
- Location: Slovakia
- Contact:
Re: Best practice for NFS repository - Case # 05337268
Hello Petr,
I expect some best practice from Veeam, as there is always discussion about vulnerabilities
like using nobody:nobody for exporting the fs
whether the gateway is trying to log in to the exported fs over the user account of the gateway in Veeam, or as anonymous
....
-
- Veeam Software
- Posts: 3626
- Liked: 608 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
- Contact:
Re: Best practice for NFS repository - Case # 05337268
Hi Marcel,
We address the share on behalf of the root user (uid=0, gid=0) that was used to add the gateway server to the Backup Infrastructure and that mounted the share on the gateway. However, on the share side, commands are executed under the user specified at the level of the NFS settings. For instance, if you use no_root_squash, commands triggered by the gateway's root will be executed on behalf of the NFS share's root. I'd suggest using root_squash because it forces NFS to change the client's root to an anonymous ID, thus increasing security by preventing ownership of the root account; you may find more details in this article. Also, this list with general NFS security guidelines might be helpful. From Veeam's perspective, all general security considerations mentioned in the first post are valid for an NFS repository as well.
Thanks!
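An added example, not part of the original posts and not Veeam code: a small audit of /etc/exports for the two points raised in this thread, root_squash versus no_root_squash and keeping write access limited to the single gateway node. The export paths, the addresses and the finding names are assumptions constructed for illustration.

```python
import re

# Constructed sample /etc/exports content; paths and addresses are assumptions.
SAMPLE_EXPORTS = """\
# backup repository exports
/srv/veeam-repo  192.0.2.10(rw,sync,root_squash)
/srv/veeam-old   *(rw,sync,no_root_squash)
/srv/veeam-test  192.0.2.10 (rw,sync)
/srv/veeam-ro    192.0.2.0/24(ro,sync)
"""

# One "client(options)" token; the client part is empty for a bare "(rw)".
TOKEN = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")

def audit_exports(text, gateway):
    """Return (path, client, finding) tuples for export entries worth reviewing."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs:
            match = TOKEN.fullmatch(spec)
            if match is None:
                findings.append((path, spec, "unparsed"))
                continue
            client = match.group(1)
            options = set((match.group(2) or "").split(","))
            if client in ("", "*"):
                # No host or "*" means any host may mount the export.
                findings.append((path, client or "<any>", "world"))
            if "no_root_squash" in options:
                # Client uid 0 stays uid 0 on the server (root_squash is the default).
                findings.append((path, client or "<any>", "no_root_squash"))
            if "rw" in options and client != gateway:
                # Only the single gateway node should be able to write.
                findings.append((path, client or "<any>", "rw_non_gateway"))
    return findings

if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS, "192.0.2.10"):
        print(f"{path}\t{client}\t{finding}")
```

The third sample line shows a common slip: a space between the host and the parenthesis gives the gateway only default options and applies `(rw,sync)` to every host.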