- Limit exports to explicit client IP ranges or hostnames.
- Avoid no_root_squash except for tightly controlled administrative cases.
- Set minimal required options (read-only where possible).
Protocol and Authentication
- Prefer NFSv4 and disable older unused protocol versions.
- Use Kerberos (sec=krb5p) for strong authentication and encryption.
- Restrict rpcbind and related ports with firewall rules.
- Keep NFS traffic on trusted internal networks.
- Avoid exposing NFS ports to public or user-segment networks.
- Use VLAN separation for storage and general client traffic.
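
The export and Kerberos items above can be checked mechanically against /etc/exports. The following is an added example, not part of the original page: `audit_exports`, the finding texts and the sample entries are constructed for illustration, and the parser assumes one export per line with no backslash continuations or quoted paths.

```python
import re

# Constructed sample /etc/exports content (not from the original page).
SAMPLE_EXPORTS = """\
# path         client(options)
/srv/projects  10.20.30.0/24(ro,root_squash,sec=krb5p)
/srv/scratch   *(rw,no_root_squash)
/srv/home      nfsclient01.example.internal(rw,sec=sys)
/srv/legacy    (ro)
"""

# One client spec: optional client name followed by optional "(opt,opt,...)".
CLIENT_SPEC = re.compile(r"([^\s()]*)(?:\(([^)]*)\))?")


def audit_exports(text):
    """Return (path, client, finding) tuples for entries that break the checklist."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:  # a bare path is treated as "any client"
            match = CLIENT_SPEC.fullmatch(spec)
            if match is None:
                findings.append((path, spec, "unparseable client spec"))
                continue
            client = match.group(1) or "<any>"
            opts = [o for o in (match.group(2) or "").split(",") if o]
            if client == "<any>" or "*" in client or "?" in client:
                findings.append((path, client, "not limited to explicit clients"))
            if "no_root_squash" in opts:
                findings.append((path, client, "no_root_squash set"))
            if "rw" in opts:
                findings.append((path, client, "writable; confirm read-only is not sufficient"))
            # exports(5): sec= defaults to sys when absent; flavors are colon-separated.
            flavors = next((o[4:].split(":") for o in opts if o.startswith("sec=")), ["sys"])
            if flavors != ["krb5p"]:
                findings.append((path, client, "sec=" + ":".join(flavors) + " (expected krb5p)"))
    return findings


if __name__ == "__main__":
    for path, client, finding in audit_exports(SAMPLE_EXPORTS):
        print(f"{path} [{client}]: {finding}")
```
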
Monitoring and Resilience
- Monitor mount failures, stale file handles, and unusual write spikes.
- Keep backups independent from NFS availability.
- Validate restore procedures and permission preservation.