Sep 30th, 2009
Securing Network Information Service
An NIS server runs several programs. They include the following:
rpc.yppasswdd: Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
rpc.ypxfrd: Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
yppush: This program propagates changed NIS databases to multiple NIS servers.
ypserv: This is the NIS server daemon.
To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as fdfdfdfdfdfg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.
NIS listens on all networks if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the proper networks.
Below is a sample entry from a /var/yp/securenets file:
This technique does not protect against IP spoofing, but it does at least limit which networks the NIS server serves.
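The securenets check described above, as an added example that is not part of the original page or of the ypserv code: a small audit script that parses a /var/yp/securenets file (netmask/network pairs, plus the "host" form for single addresses), reports whether a given client address would be answered, and flags the empty-file case in which ypserv answers every network. The sample file contents are constructed for the example.

```python
import ipaddress

# Constructed sample /var/yp/securenets content (not taken from the page):
# a loopback entry and one LAN entry, as an administrator would write them.
SAMPLE_SECURENETS = """\
# /var/yp/securenets (constructed sample)
host 127.0.0.1
255.255.255.0 192.168.0.0
"""


def parse_securenets(text):
    """Parse securenets lines into ip_network objects.

    Each non-comment line is either "netmask network" or "host address"
    (the "host" keyword stands for a 255.255.255.255 mask)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"malformed securenets line: {raw!r}")
        mask, addr = fields
        if mask == "host":
            mask = "255.255.255.255"
        nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return nets


def client_allowed(nets, client):
    """True if ypserv would answer this client under the parsed entries.

    An empty list mirrors a blank or missing file: every network is served."""
    if not nets:
        return True
    ip = ipaddress.ip_address(client)
    return any(ip in net for net in nets)


def audit(text):
    """Return a list of findings for a securenets file; empty means OK."""
    nets = parse_securenets(text)
    findings = []
    if not nets:
        findings.append("securenets is empty: ypserv answers every network")
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"entry {net} allows all addresses")
    return findings
```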