Chapter 5. Server Security
5.2. Securing Portmap
The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.
If you are running RPC services, you should follow some basic rules.
5.2.1. Protect portmap With TCP Wrappers
It is important to use TCP wrappers to limit which networks or hosts have access to the portmap service, since it has no built-in form of authentication.
Further, use only IP addresses when limiting access to the service. Avoid using hostnames, as they can be forged via DNS poisoning and other methods.
5.2.2. Protect portmap With iptables
To further restrict access to the portmap service, it is a good idea to add iptables rules to the server, restricting access to specific networks.
Below is an example of an iptables command that allows TCP connections to portmap, listening on port 111, from the 192.168.0.0/24 network exclusively. All other packets are dropped.
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 111 -j DROP
To similarly limit UDP traffic, use the following command.
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 111 -j DROP
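The following script is an added example, not part of this guide: it generates the TCP wrappers lines from Section 5.2.1 and the two iptables DROP rules from Section 5.2.2 for one trusted network, and refuses a hostname so that only IP addresses reach the access-control files. The function names and the sample network are assumptions; nothing is applied to the kernel or written to /etc.

```shell
#!/bin/sh
# Added example, not from the guide: emit the portmap access controls of
# Sections 5.2.1 and 5.2.2 for one trusted network, refusing hostnames.

# is_cidr: accept only an IPv4 network in dotted-quad/prefix form (e.g.
# 192.168.0.0/24), never a hostname, because names can be spoofed via DNS.
is_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; pfx=${1#*/}
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    echo "$pfx" | grep -Eq '^([0-9]|[12][0-9]|3[0-2])$' || return 1
    for oct in $(echo "$ip" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# cidr_to_mask: prefix length -> dotted netmask, the form hosts_access(5) takes.
cidr_to_mask() {
    mask=0; i=0
    while [ "$i" -lt 32 ]; do
        [ "$i" -lt "$1" ] && mask=$(( (mask << 1) | 1 )) || mask=$(( mask << 1 ))
        i=$((i + 1))
    done
    printf '%d.%d.%d.%d' $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 )) $(( mask & 255 ))
}

# tcp_wrappers_rules: hosts.deny closes portmap to ALL, hosts.allow reopens it
# for the trusted network only (Section 5.2.1).
tcp_wrappers_rules() {
    is_cidr "$1" || { echo "refusing non-IP network: $1" >&2; return 1; }
    printf 'hosts.deny:  portmap: ALL\n'
    printf 'hosts.allow: portmap: %s/%s\n' "${1%/*}" "$(cidr_to_mask "${1#*/}")"
}

# iptables_rules: the guide's two DROP rules for port 111, TCP and UDP, with the
# source negation written as '! -s' (Section 5.2.2). Nothing is applied here.
iptables_rules() {
    is_cidr "$1" || { echo "refusing non-IP network: $1" >&2; return 1; }
    for proto in tcp udp; do
        printf 'iptables -A INPUT -p %s ! -s %s --dport 111 -j DROP\n' "$proto" "$1"
    done
}

# Constructed sample run: one accepted network and one rejected hostname.
tcp_wrappers_rules 192.168.0.0/24 && iptables_rules 192.168.0.0/24
tcp_wrappers_rules nis.example.com || echo "(rejected, as intended)"
```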
5.3. Securing NIS
NIS stands for Network Information Service. It is an RPC service called ypserv which is used in conjunction with portmap and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.
An NIS server is comprised of several applications. They include the following:
/usr/sbin/rpc.yppasswdd
    Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
/usr/sbin/rpc.ypxfrd
    Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
/usr/sbin/yppush
    This application propagates changed NIS databases to multiple NIS servers.
/usr/sbin/ypserv
    This is the NIS server daemon.
NIS is rather insecure by today's standards. It has no host authentication mechanisms and passes all of its information in clear text, including password hashes. As a result, extreme care must be taken to set up a network that uses NIS. Further complicating the situation, the default configuration of NIS is inherently insecure.
It is recommended that anyone planning to implement an NIS server first secure the portmap service as outlined in Section 5.2, then address the following issues.