
Port reference

Port 2049 (TCP) – NFS

Network File System — Unix/Linux protocol for sharing directories over the network.

TCP · Registered port · Commonly attacked

Default state

Open on hosts running an NFS server with exported shares. Not enabled by default; commonly exposed inside data-center and storage networks.

Common attacks

  • Export enumeration to discover shared directories
  • Unauthenticated file read/write on world-accessible exports
  • Privilege escalation via no_root_squash misconfiguration
  • UID/GID spoofing to access other users' files (AUTH_SYS)

Hardening

  • Never export to * — restrict exports to specific hosts/subnets
  • Keep root_squash on (it is the default; no_root_squash must be set explicitly) and export read-only where possible
  • Use NFSv4 with Kerberos (sec=krb5p) for real authentication and encryption; NFSv4 with sec=sys is still AUTH_SYS
  • Do not expose 2049 to the internet — keep it on trusted internal networks
  • Audit /etc/exports and showmount output regularly

nmap snippet

nmap -p111,2049 --script nfs-showmount,nfs-ls,nfs-statfs <target>

Replace <target> with the host or range you're authorized to scan. The nfs-* scripts trigger on rpcbind (111), not on 2049, so include 111 in the port list; with -p2049 alone nmap reports the port open but runs none of them. An NFSv4-only server that registers nothing with rpcbind will not list its exports this way.

What runs on port 2049?

Port 2049 is the standard port for NFS (Network File System), the Unix/Linux protocol for mounting and accessing remote directories as if they were local. NFSv4 consolidates everything onto port 2049 and needs no portmapper, while NFSv2/v3 additionally rely on rpcbind/portmapper (port 111) and ancillary services such as mountd and lockd on dynamically assigned ports. It is the backbone of shared storage in many data centers and clusters.

Why it matters for security

Traditional NFS with AUTH_SYS authentication trusts whatever UID/GID the client claims, so anyone who can reach the export (and is root on their own machine) can impersonate any user and read or write their files. Loose exports (sharing to *) expose data to the whole network, and the no_root_squash option lets a remote root act as root on the share: the attacker can tamper with files the server trusts, or plant a root-owned SUID binary that pays off wherever the export is mounted without nosuid and the attacker has a low-privileged shell. Exposing 2049 to the internet is especially dangerous.

How it's attacked

Attackers run showmount -e (which speaks the MOUNT protocol via rpcbind, so it works against NFSv2/v3 but not NFSv4-only servers) or the nmap nfs-showmount script to list exported directories, then mount world-accessible shares and use nfs-ls or a plain mount to browse and exfiltrate data, often without any authentication. By creating local users with the victims' UIDs/GIDs on a client they control, they read other users' files. Where no_root_squash is set, they write a root-owned SUID binary into the export and execute it from a low-privileged account on the server or on another client that mounts the share without nosuid, gaining root there.

Hardening checklist

Never export to * — limit each export to specific hosts or subnets and make it read-only where possible. Keep root_squash on and avoid no_root_squash. Move to NFSv4 with Kerberos (sec=krb5p on both the export and the client mount) for real authentication and encryption instead of trusting client UIDs; NFSv4 alone with sec=sys changes nothing about who is trusted. Keep 2049 (and 111) off the internet, confined to trusted segments, and audit /etc/exports (and the live view from exportfs -v) regularly. Use the nmap snippet above to enumerate exports on systems you are authorized to test.
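The audit step above is easy to automate. The following is an added example, not code from the original page or from any NFS project: a POSIX sh/awk auditor that parses an /etc/exports file the way exportfs reads it and flags the conditions this page warns about (wildcard or missing client specs, no_root_squash, read-write exports, and AUTH_SYS, i.e. no sec=krb5*). It also catches the classic "host (rw)" stray-space mistake, where the options after the space apply to every host. The sample file is constructed for the demonstration; backslash-continued lines and netgroup expansion are assumed not to occur.

```shell
#!/bin/sh
# audit_exports FILE
#   Prints one finding per line: "<path> <client> <finding>".
#   Exit status 1 if anything was flagged, 0 if the file is clean.
audit_exports() {
    awk '
    function flag(path, client, what) { print path " " client " " what; n++ }
    {
        sub(/#.*/, "")                  # strip comments; $0 is re-split
        if (NF == 0) next
        path = $1
        if (NF == 1) {                  # bare path: exportfs exports it to "*"
            flag(path, "*", "no-client-spec-exports-to-everyone")
            next
        }
        for (i = 2; i <= NF; i++) {
            tok = $i; client = tok; opts = ""
            p = index(tok, "(")
            if (p > 0) {
                client = substr(tok, 1, p - 1)
                opts   = substr(tok, p + 1); sub(/\)$/, "", opts)
            }
            if (client == "") {         # "host (rw)": the (rw) applies to all hosts
                client = "*"
                flag(path, client, "space-before-options-applies-to-all-hosts")
            }
            if (client ~ /^\*/) flag(path, client, "wildcard-client")
            m = split(opts, o, ",")
            rw = 0; sec = "sys"         # exportfs defaults: ro, root_squash, sec=sys
            for (j = 1; j <= m; j++) {
                if (o[j] == "rw") rw = 1
                if (o[j] == "no_root_squash") flag(path, client, "no_root_squash")
                if (o[j] ~ /^sec=/) sec = substr(o[j], 5)
            }
            if (rw) flag(path, client, "read-write")
            # sec= may list several flavours (krb5p:sys); any "sys" still trusts UIDs
            if (sec !~ /krb5/ || sec ~ /sys/)
                flag(path, client, "auth_sys-trusts-client-uid (sec=" sec ")")
        }
    }
    END { exit (n > 0) }
    ' "$1"
}

# Constructed sample exports file (not from a real server).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# weak and hardened exports side by side
/srv/backups   *(rw,no_root_squash)                  # world-writable, remote root stays root
/srv/www       10.0.5.0/24(ro) (rw)                  # stray space: (rw) applies to every host
/home          10.0.5.0/24(rw,sync)                  # AUTH_SYS: client-supplied UID/GID trusted
/srv/shared    10.0.5.10(ro,root_squash,sec=krb5p)   # hardened form, produces no finding
EOF

if audit_exports "$SAMPLE"; then
    echo "no findings"
else
    echo "review the flagged exports above"
fi
```

Run it against a real file with `audit_exports /etc/exports`; the non-zero exit status makes it usable as a CI or configuration-management check. Pair it with `exportfs -v` on the server, since the live export table is what clients actually see.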

Frequently asked questions

Is NFS on port 2049 secure?
Only if hardened. Classic NFS (AUTH_SYS, including NFSv4 mounted with sec=sys) trusts the client-supplied UID/GID, so an attacker on the network with root on their own machine can impersonate any user. Use NFSv4 with Kerberos (sec=krb5p) and tight export rules.
What is the no_root_squash risk?
no_root_squash lets a remote root user act as root on the export instead of being mapped to nobody. An attacker can modify any file on the share or plant a root-owned SUID binary, then execute it from a low-privileged account on the server or on another client that mounts the share without nosuid to escalate to root.