NIS stands for Network Information Service. It is an RPC service called ypserv which is used in conjunction with portmap and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
An NIS server consists of several applications. They include the following:
/usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
/usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
/usr/sbin/yppush — This application propagates changed NIS databases to multiple NIS servers.
/usr/sbin/ypserv — This is the NIS server daemon.
Care must be taken to set up a network that uses NIS. Further complicating the situation, the default configuration of NIS is inherently insecure.
It is recommended that anyone planning to implement an NIS server first secure the portmap service as outlined in Section 5.2 Securing Portmap, then address the following issues.
passed over an insecure network, it risks being intercepted. Careful network design in these regards can help prevent severe security breaches.
the /etc/passwd map:
ypcat -d <NIS_domain> -h <DNS_hostname> passwd
If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:
ypcat -d <NIS_domain> -h <DNS_hostname> shadow
Note: If Kerberos is used, the /etc/shadow file is not stored within an NIS map.
To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized NIS domain name. This will make it much more difficult for an attacker to access the NIS server.
NIS will listen to all networks if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things you should do is put netmask/network pairs in the file so that ypserv only responds to requests from the proper network.
Below is a sample entry from a /var/yp/securenets file:
255.255.255.0 192.168.0.0
Warning: Never start an NIS server for the first time without creating the /var/yp/securenets file.
This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server will service.
All of the servers related to NIS can be assigned specific ports except for rpc.yppasswdd — the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, rpc.ypxfrd and ypserv, allows you to create firewall rules to further protect the NIS server daemons from intruders.
To do this, add the following lines to /etc/sysconfig/network:
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
The following iptables rules can be issued to enforce which network the server will listen to for these ports. Because --dport is an option of the tcp and udp matches (it is not available with -p ALL), the rule is written once per protocol; ypserv and ypxfrd serve both:
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 835 -j DROP
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 835 -j DROP
Tip: Refer to Chapter 7 Firewalls for more information about implementing firewalls with iptables commands.
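The securenets restriction and the fixed-port firewall rules above can be checked together. The following shell script is an added example, not code from the Red Hat guide: it evaluates a /var/yp/securenets file the way ypserv does (netmask/network pairs and host entries, with an empty or missing file admitting everyone) and derives iptables ACCEPT/DROP rules for the ports assigned to ypserv and ypxfrd. The securenets contents, the client addresses and the temporary SECURENETS path are constructed for the demo, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Evaluates /var/yp/securenets
# the way ypserv does and derives iptables rules for the fixed NIS ports.
# The securenets contents below are constructed for the demo.

# Convert a dotted-quad IPv4 address to an unsigned integer.
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Number of one bits in a contiguous netmask (255.255.255.0 -> 24).
mask_to_prefix() {
    m=$(ip_to_int "$1"); n=0
    while [ "$m" -ne 0 ]; do
        n=$(( n + (m & 1) )); m=$(( m >> 1 ))
    done
    echo "$n"
}

# securenets_allows FILE CLIENT_IP: return 0 if ypserv would answer CLIENT_IP.
# Each line is "netmask network" or "host address"; '#' starts a comment.
# An empty or missing file imposes no restriction, which is the insecure
# post-install default the guide warns about.
securenets_allows() {
    file=$1; ip=$(ip_to_int "$2")
    [ -s "$file" ] || return 0
    while read -r mask net _ || [ -n "$mask" ]; do
        case $mask in ''|'#'*) continue ;; esac
        if [ "$mask" = host ]; then
            maskint=4294967295            # /32: exact host match
        else
            maskint=$(ip_to_int "$mask")
        fi
        netint=$(ip_to_int "$net")
        if [ $(( ip & maskint )) -eq $(( netint & maskint )) ]; then
            return 0
        fi
    done < "$file"
    return 1
}

# securenets_to_iptables FILE PORT...: print rules that admit the securenets
# networks to each PORT and drop every other source, for tcp and udp (ypserv
# and ypxfrd serve both). ACCEPT-then-DROP handles several networks, which a
# single "! -s" rule cannot.
securenets_to_iptables() {
    file=$1; shift
    for port in "$@"; do
        for proto in tcp udp; do
            while read -r mask net _ || [ -n "$mask" ]; do
                case $mask in ''|'#'*) continue ;; esac
                if [ "$mask" = host ]; then
                    cidr="$net/32"
                else
                    cidr="$net/$(mask_to_prefix "$mask")"
                fi
                echo "iptables -A INPUT -p $proto -s $cidr --dport $port -j ACCEPT"
            done < "$file"
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# Constructed sample standing in for /var/yp/securenets: the LAN plus one host.
SECURENETS=$(mktemp)
cat > "$SECURENETS" <<'EOF'
# constructed securenets for the demo
255.255.255.0 192.168.0.0
host 10.0.0.5
EOF

for client in 192.168.0.77 10.0.0.5 10.0.0.6; do
    if securenets_allows "$SECURENETS" "$client"; then
        echo "$client: served by ypserv"
    else
        echo "$client: refused by securenets"
    fi
done
# Ports 834 and 835 match the YPSERV_ARGS/YPXFRD_ARGS settings in the guide.
securenets_to_iptables "$SECURENETS" 834 835
```

Run it as-is to see which constructed clients the sample file admits and the rules that would mirror it; point SECURENETS at the real /var/yp/securenets to audit a live server, and remember that, as the guide notes, neither securenets nor these rules defend against a spoofed source address.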
One of the most glaring flaws inherent when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the /etc/shadow map is sent over the network. If an attacker captures that traffic, a password cracking program can guess weak passwords, and the attacker can gain access to a valid account on the network.
Kerberos in the Red Hat Linux Reference Guide.