Hey everyone,
I could use some help here. After a recent penetration test, it appears that two of our NFS shares on a Debian 11 server are accessible without any authentication. Here's what my `/etc/exports` file currently looks like:
1. `/images 172.16.0.0/12 (ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)`
2. `/images/dev 172.16.0.0/12 (rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)`
I thought I had addressed this issue after the last pen test a couple of years back. What am I missing to restrict access properly?
5 Answers
To tackle the anonymous access risk, think about making the filesystem read-only. Since you're probably just serving OS images, any necessary file access afterward should be authenticated. Make sure to document how you mitigated this risk, like having a read-only setting and highlighting that no sensitive data is there. Just remember, it might not pass every security check, but if it's designed that way without public info, it should be okay.
The biggest security issue I see is the `no_root_squash` option. This setting lets clients retain root permissions on your NFS server, which is a major security flaw. Also, using `insecure` allows unsecured connections that break NFS security expectations. Consider tightening your IP range too, as `/12` allows possibly thousands of clients. How many do you actually need?
Have you checked your network setup? It's crucial to manage your network and firewalls properly. If someone malicious already has access to your subnets, you might have bigger concerns than just NFS shares.
It looks like there might be an error in your `/etc/exports`. There's a space between the IP range and the options, which isn't allowed. The right format should not include any whitespace there.
Thanks for the feedback! I plan to change `no_root_squash` to `root_squash` and remove `insecure`. I'll also narrow down the IP range since we have about 350 clients split over five ranges. Appreciate the advice!
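The points raised in the answers above (the whitespace-separated option list, `no_root_squash`, `insecure`, and the width of the `/12` range) can all be checked mechanically before running `exportfs -ra`. The script below is an added example, not code from the thread or from nfs-utils: it reads text in `/etc/exports` format and prints one finding per problem. The sample it lints is constructed to reproduce the two lines from the question, plus one correctly written `/srv/backup` line for contrast; those paths and ranges are illustrative. The key fact behind the `WORLD-EXPORT` finding: exportfs does not reject a parenthesised option list that has whitespace in front of it, it applies that list to the wildcard client `*` (every host that can reach the server) and only logs a "No host name given" warning, which is why a pen tester from outside `172.16.0.0/12` could mount the shares.

```bash
#!/usr/bin/env bash
# Added example: a read-only linter for /etc/exports text. It touches nothing
# on the system; feed it `cat /etc/exports` or the constructed sample below.

# Constructed sample: the two lines from the question plus one correct line.
SAMPLE_EXPORTS='/images 172.16.0.0/12 (ro,sync,no_wdelay,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev 172.16.0.0/12 (rw,async,no_wdelay,no_subtree_check,no_root_squash,insecure,fsid=1)
/srv/backup 10.20.30.0/24(rw,sync,root_squash,no_subtree_check)'

# check_entry PATH TOKEN: examine one whitespace-separated token of an export
# line (normally "client(options)") and print one finding per problem.
# A token that is only "(options)" has no client in front of it; exportfs then
# exports PATH to the wildcard client "*" with those options.
check_entry() {
  local path=$1 tok=$2 host opts prefix opt
  host=${tok%%(*}                 # text before "(" (empty for a bare option list)
  opts=""
  case "$tok" in
    *'('*')') opts=${tok#*(}; opts=${opts%)} ;;
  esac
  if [ -z "$host" ]; then
    echo "WORLD-EXPORT   $path: option list ($opts) has no client, applies to *"
    host='*'
  fi
  case "$host" in
    */*) prefix=${host##*/}        # CIDR prefix length, if the client is a network
         if [ "$prefix" -lt 16 ] 2>/dev/null; then
           echo "WIDE-RANGE     $path: $host is wider than a /16"
         fi ;;
  esac
  local IFS=','                   # split the option list on commas only
  for opt in $opts; do
    case "$opt" in
      no_root_squash) echo "NO-ROOT-SQUASH $path: $host keeps remote uid 0 as root" ;;
      insecure)       echo "INSECURE       $path: $host may use source ports above 1023" ;;
    esac
  done
}

# lint_exports: read exports-format text on stdin, print all findings.
lint_exports() {
  local path rest tok
  while read -r path rest; do
    case "$path" in ''|'#'*) continue ;; esac   # skip blank and comment lines
    for tok in $rest; do
      check_entry "$path" "$tok"
    done
  done
}

# count_findings KIND: number of findings of one kind in the constructed sample.
count_findings() {
  printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports | grep -c "^$1" || true
}

# Stand-alone run: lint the constructed sample.
printf '%s\n' "$SAMPLE_EXPORTS" | lint_exports
```

Both lines from the question produce four findings each (wide range, world export, `no_root_squash`, `insecure`); the `/srv/backup` line produces none, and that is the shape to aim for: options glued to each client, one `client(options)` token per range, `root_squash` and no `insecure`. After editing, `exportfs -ra` followed by `exportfs -v` shows the effective client list per export, which is the place to confirm that `*` no longer appears.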