Chapter 5. Server Security
5.3.1. Carefully Plan the Network
Because NIS passes sensitive information unencrypted over the network, it is important the service
be run behind a firewall and on a segmented and secure network. Any time NIS information is passed
over an insecure network, it risks being intercepted. Careful network design in these regards can help
prevent severe security breaches.
5.3.2. Use a Password-like NIS Domain Name and Hostname
Any machine within an NIS domain can use commands to extract information from the server without
authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.
For instance, if someone either connects a laptop computer into the network or breaks into the network
from outside (and manages to spoof an internal IP address), the following command will reveal the
/etc/passwd map:

ypcat -d NIS_domain -h DNS_hostname passwd

If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:

ypcat -d NIS_domain -h DNS_hostname shadow
Note
If Kerberos is used, the /etc/shadow file is not stored within an NIS map.
To make access to NIS maps harder for an attacker, create a random string for the DNS hostname,
such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized NIS domain name.
This will make it much more difficult for an attacker to access the NIS server.
5.3.3. Edit the /var/yp/securenets File
NIS will listen to all networks if the /var/yp/securenets file does not exist, as is the case after a
default installation, or is blank. One of the first things you should do is put netmask/network pairs in
the file so that ypserv will only respond to requests from the proper network.
Warning
Never start an NIS server for the first time without creating the /var/yp/securenets file.
Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0
This technique does not provide protection from an IP spoofing attack, but it does at least place limits
on what networks the NIS server will service.
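The following script is an added example and is not part of the guide or of the ypserv distribution. It parses a /var/yp/securenets file in the netmask/network form shown above and reports whether a set of client addresses would be answered by ypserv, treating a missing or blank file as "answer every network", exactly the default-installation failure mode described in this section. The sample securenets contents and client addresses are constructed for the example; the "host address" line form is taken from the ypserv(8) manual page (an assumption, since the guide only shows netmask/network pairs), and host bits set under the mask are rejected so that a mistyped network address is caught rather than silently widened.

```python
"""Audit a /var/yp/securenets file: which client addresses would ypserv answer?

Added example (not from the RHEL Security Guide or ypserv). Assumptions:
  - lines are "netmask network" pairs (as on the page) or "host address"
    (ypserv(8) man page), with '#' comments and blank lines ignored;
  - an empty or missing file means ypserv answers every network (as the
    guide states for a default installation).
"""
import ipaddress
import os
import sys

# Constructed sample; the first pair is the entry shown in the guide.
SAMPLE_SECURENETS = """\
# constructed sample /var/yp/securenets
255.255.255.0 192.168.0.0
host 127.0.0.1
"""

# Constructed client addresses to test against the sample.
SAMPLE_CLIENTS = ["192.168.0.42", "192.168.1.42", "127.0.0.1", "10.0.0.7"]


def parse_securenets(text):
    """Return the list of ip_network objects a securenets text permits.

    A 'netmask network' pair with host bits set under the mask is rejected
    (ValueError) rather than widened, since that usually means a typo.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask network' "
                             f"or 'host address', got {raw!r}")
        if fields[0] == "host":
            # 'host A.B.C.D' is equivalent to '255.255.255.255 A.B.C.D'
            nets.append(ipaddress.ip_network(f"{fields[1]}/32"))
            continue
        mask, network = fields
        # ipaddress accepts a dotted netmask after the slash; strict=True
        # raises if 'network' is really a host address under 'mask'.
        nets.append(ipaddress.ip_network(f"{network}/{mask}", strict=True))
    return nets


def load_securenets(path="/var/yp/securenets"):
    """Read the file; a missing file is the same as a blank one (no limits)."""
    if not os.path.exists(path):
        return ""
    with open(path, encoding="ascii") as fh:
        return fh.read()


def securenets_allows(text, client_ip):
    """True if ypserv would answer client_ip under this securenets text."""
    nets = parse_securenets(text)
    if not nets:
        return True  # blank or missing file: ypserv listens to all networks
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def audit(text, clients):
    """Classify clients and flag an unrestricted (blank) configuration."""
    nets = parse_securenets(text)
    report = {"unrestricted": not nets, "allowed": [], "denied": []}
    for client in clients:
        addr = ipaddress.ip_address(client)
        allowed = (not nets) or any(addr in net for net in nets)
        report["allowed" if allowed else "denied"].append(client)
    return report


if __name__ == "__main__":
    # Usage: python securenets_audit.py [path] [client ...]
    text = load_securenets(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SECURENETS
    clients = sys.argv[2:] or SAMPLE_CLIENTS
    result = audit(text, clients)
    if result["unrestricted"]:
        print("WARNING: securenets is blank or missing; ypserv answers all networks")
    print("allowed:", result["allowed"])
    print("denied: ", result["denied"])
```

Run it without arguments to see the constructed sample evaluated, or point it at a real securenets file and the client addresses you expect to serve; any address in the "allowed" list that is not one of your NIS clients is a gap in the file, and the warning line is the condition the guide tells you never to start ypserv under.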