Open Port 2049: Network File System
What this means
Network File System, known as NFS, is a protocol that allows file sharing between systems over a network.
It typically runs on port 2049 and is used to enable remote access to shared directories.
It’s based on the client-server model, where the client requests files and the server provides them.
Why this is a problem
When NFS port 2049 is open and accessible over the internet or an untrusted network, it allows anyone with network access to probe and potentially mount shared file systems.
If NFS is not secured or misconfigured, it can lead to:
- unauthorised access to system resources and data
- ransomware and malware injection
- denial-of-service (DoS) attacks by overwhelming the service
- lateral movement, where an attacker gains access to one system and spreads across the network
How to check if the problem is there
Check open NFS ports
Run the following command on the server to check whether anything is listening on port 2049. Note that netstat only shows the host's own listeners; whether the port is reachable from the internet or an untrusted network also depends on the firewall and port-forwarding rules in front of it.
Windows (Command Prompt):
netstat -an | find ":2049"
Linux/Mac (Terminal):
sudo netstat -tulnp | grep ":2049"
How to fix this
To mitigate attacks against an open NFS service, an administrator can take the following steps to block access or reduce the attack surface.
Restrict network access
Restrict network access by carrying out the following:
- remove any inbound firewall or port forwarding rules allowing port 2049
- configure firewall rules to allow connections only from trusted IP addresses
- disable the NFS services if they are not required
Enable authentication and encryption
Use Kerberos authentication for NFS services. The krb5i and krb5p security flavours add integrity protection, and krb5p also encrypts the traffic, so exports that need both authentication and encryption should require sec=krb5p rather than the default sys (AUTH_SYS) flavour, which trusts whatever user and group IDs the client presents.
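The following shell script is an added example, not part of the original page or of any NFS distribution. It ties the "How to check" and "Enable authentication and encryption" sections together: it audits an /etc/exports file for the weak settings this page warns about (shares exported to any host, no_root_squash, the insecure option, and exports that do not require a Kerberos security flavour), and it runs that audit against two constructed sample files, one written the insecure way and one restricted to a single subnet and host with sec=krb5p. The share paths, the subnet 10.0.0.0/24 and the host backup01.example.internal are hypothetical.

```shell
#!/bin/sh
# Added example (not from the page): audit an NFS exports file for weak settings.
# Share paths, subnet and host names below are constructed for illustration.

# audit_exports FILE
# Prints one finding per line as "<line>: <export path>: <problem>".
# Returns 0 when there are no findings, 1 otherwise.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }               # skip comments and blank lines
        {
            path = $1
            # A path with no client list at all is exported to everyone.
            if (NF == 1) {
                print NR ": " path ": no client list (exported to the world)"
                found = 1; next
            }
            # Each further field is a client spec such as 10.0.0.0/24(rw,sec=krb5p)
            for (i = 2; i <= NF; i++) {
                spec = $i; host = spec; opts = ""
                if (match(spec, /\(.*\)$/)) {
                    host = substr(spec, 1, RSTART - 1)
                    opts = substr(spec, RSTART + 1, RLENGTH - 2)
                }
                # "*" or a bare "(options)" means any host may mount the share
                if (host == "*" || host == "") {
                    print NR ": " path ": client \"" spec "\" allows any host"; found = 1
                }
                if (opts ~ /(^|,)no_root_squash(,|$)/) {
                    print NR ": " path ": no_root_squash lets remote root act as local root"; found = 1
                }
                if (opts ~ /(^|,)insecure(,|$)/) {
                    print NR ": " path ": insecure accepts client ports above 1024"; found = 1
                }
                # Without sec=krb5/krb5i/krb5p the server trusts client-supplied UIDs (AUTH_SYS)
                if (opts !~ /(^|,)sec=krb5(i|p)?(,|$)/) {
                    print NR ": " path ": no Kerberos (sec=krb5*) required for " host; found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: a typical weak exports file.
WEAK_EXPORTS=$(mktemp)
cat > "$WEAK_EXPORTS" <<'EOF'
# constructed sample, insecure
/srv/share        *(rw,sync,no_root_squash)
/srv/backup       (rw,insecure)
/srv/public
EOF

# Constructed sample: the same shares restricted to one subnet and one host,
# root squashing kept, Kerberos with integrity and privacy required.
HARDENED_EXPORTS=$(mktemp)
cat > "$HARDENED_EXPORTS" <<'EOF'
# constructed sample, hardened
/srv/share        10.0.0.0/24(rw,sync,root_squash,sec=krb5p)
/srv/backup       backup01.example.internal(rw,sync,root_squash,sec=krb5p)
EOF

echo "== weak exports =="
audit_exports "$WEAK_EXPORTS" || echo "(findings above)"
echo "== hardened exports =="
audit_exports "$HARDENED_EXPORTS" && echo "no findings"
```

Run it against the real file with `audit_exports /etc/exports`; the non-zero exit status makes it usable as a check in a configuration-management pipeline. The Kerberos check is intentionally strict: an export that allows sec=sys alongside krb5p is still reported, because a client can then choose the unauthenticated flavour.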
Regularly monitor logs
Regularly monitor your event logs and consider:
- using SIEM tools to detect anomalies
- deploying Intrusion Detection Systems (IDS)
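As an added example of the monitoring this section recommends (not from the original page), the script below runs a small detection pass over NFS server log lines written by rpc.mountd: it alerts on a source address that has had several mount requests refused in a row, which is what probing of the exports from an unexpected network looks like on the server side, and on any successful mount from a host outside the trusted client subnet. The log lines are constructed samples in rpc.mountd's message format, the addresses are from documentation ranges, and the trusted subnet 10.0.0.0/24 and the threshold of three refusals are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from the page): detection over constructed rpc.mountd log lines.

TRUSTED_PREFIX="10.0.0."   # assumed trusted client subnet (10.0.0.0/24, matched as a string prefix)
REFUSED_THRESHOLD=3        # assumed: this many refusals from one source is worth an alert

# analyze_mountd_log FILE
# Prints one "ALERT ..." line per finding; prints nothing when the log is clean.
analyze_mountd_log() {
    awk -v trusted="$TRUSTED_PREFIX" -v threshold="$REFUSED_THRESHOLD" '
        /rpc\.mountd\[[0-9]+\]: refused mount request from / {
            # e.g. "... refused mount request from 203.0.113.9:1021 for /srv/share (/srv/share): unmatched host"
            src = $0
            sub(/.*refused mount request from /, "", src)
            sub(/:[0-9]+ for .*/, "", src)
            refused[src]++
        }
        /rpc\.mountd\[[0-9]+\]: authenticated mount request from / {
            # e.g. "... authenticated mount request from 10.0.0.21:890 for /srv/share (/srv/share)"
            src = $0
            sub(/.*authenticated mount request from /, "", src)
            sub(/:[0-9]+ for .*/, "", src)
            share = $0
            sub(/.* for /, "", share)
            sub(/ .*/, "", share)
            if (index(src, trusted) != 1)
                print "ALERT mount of " share " from untrusted host " src
        }
        END {
            for (s in refused)
                if (refused[s] >= threshold)
                    print "ALERT " refused[s] " refused mount requests from " s " (export probing)"
        }
    ' "$1"
}

# Constructed sample log: one legitimate mount, three refusals from one outside
# address, a successful mount from an untrusted address, and a single refusal
# from an internal host (below the threshold, so not alerted).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 nfs01 rpc.mountd[812]: authenticated mount request from 10.0.0.21:890 for /srv/share (/srv/share)
Mar  3 10:02:40 nfs01 rpc.mountd[812]: refused mount request from 203.0.113.9:1021 for /srv/share (/srv/share): unmatched host
Mar  3 10:02:41 nfs01 rpc.mountd[812]: refused mount request from 203.0.113.9:1022 for /srv/backup (/srv/backup): unmatched host
Mar  3 10:02:42 nfs01 rpc.mountd[812]: refused mount request from 203.0.113.9:1023 for /srv/public (/srv/public): unmatched host
Mar  3 10:05:00 nfs01 rpc.mountd[812]: authenticated mount request from 198.51.100.7:701 for /srv/share (/srv/share)
Mar  3 10:06:15 nfs01 rpc.mountd[812]: refused mount request from 10.0.0.44:912 for /srv/backup (/srv/backup): unmatched host
EOF

analyze_mountd_log "$SAMPLE_LOG"
```

On a real server the same function can be pointed at the syslog or journal export that carries rpc.mountd messages (for example `journalctl -u nfs-mountd --no-pager > mountd.log`), and its output fed to the SIEM as events. A successful mount from outside the trusted range is the higher-priority finding: repeated refusals show someone is looking, but an authenticated mount from an unexpected host means the export restrictions are not doing their job.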