Archive for September, 2009

SBDavid

Securing Network Information Service

Securing Network Information Service

An NIS server has several applications. They include the following:

/usr/sbin/rpc.yppasswdd
Also called the yppasswdd service, this daemon allows users to change their NIS passwords.

/usr/sbin/rpc.ypxfrd
Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.

/usr/sbin/yppush
This application propagates changed NIS databases to multiple NIS servers.

/usr/sbin/ypserv
This is the NIS server daemon.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as fdfdfdfdfdfg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

NIS listens to all networks, if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the proper network.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0

This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services

SBDavid

Securing Portmap service

Securing Portmap service

The portmap service is a dynamic port assignment daemon for RPC services such as NIS and NFS. It has weak authentication mechanisms and has the ability to assign a wide range of ports for the services it controls. For these reasons, it is difficult to secure.

NFSv4 no longer requires it. If you plan to implement a NFSv2 or NFSv3 server, then portmap is required.

It is important to use TCP wrappers to limit which networks or hosts have access to the portmap service since it has no built-in form of authentication.

Further, use only IP addresses when limiting access to the service. Avoid using hostnames, asthey can be forged via DNS poisoning and other methods.

Below are two example IPTables commands that allow TCP connections to the portmap service (listening on port 111) from the 192.168.0/24 network and from the localhost. All other packets are dropped.

iptables -A INPUT -p tcp -s! 192.168.0.0/24 –dport 111 -j DROP iptables -A INPUT -p tcp -s

To similarly limit UDP traffic, use the following command.

iptables -A INPUT -p udp -s! 192.168.0.0/24 –dport 111 -j DROP

Controlling Server Resources from denial of service using Xinetd

Another important feature of xinetd is its ability to control the amount of resources which services under its control can utilize.

It does this by way of the following directives:

cps = [number_of_connections] [wait_period] — Dictates the connections allowed to the service per second. This directive accepts only integer values.

instances = [number_of_connections] — Dictates the total number of connections allowed to a service. This directive accepts either an integer value or UNLIMITED.

per_source = [number_of_connections] — Dictates the connections allowed to a service by each host. This directive accepts either an integer value or UNLIMITED.

rlimit_as = [number[K|M]] — Dictates the amount of memory address space the service can occupy in kilobytes or megabytes. This directive accepts either an integer value or UNLIMITED.

rlimit_cpu = [number_of_seconds] — Dictates the amount of time in seconds that a service may occupy the CPU. This directive accepts either an integer value or UNLIMITED.

Using these directives can help prevent any one xinetd service from overwhelming the system, resulting in a denial of service.

SBDavid

TCP Wrappers and Enhanced Logging

TCP Wrappers and Enhanced Logging

If certain types of connections are of more concern than others, the log level can be elevated for that service via the severity option.

For this example, assume anyone attempting to connect to port 23 (the Telnet port) on an FTP server is a cracker. To denote this, place a emerg flag in the log files instead of the default flag, info, and deny the connection.

To do this, place the following line in /etc/hosts.deny:

in.telnetd : ALL : severity emerg

This uses the default authpriv logging facility, but elevates the priority from the default value of info to emerg, which posts log messages directly to the console.

Securing Services With TCP Wrappers and xinetd

TCP wrappers provide access control to a variety of services. Most modern network services, such as SSH, Telnet, and FTP, make use of TCP wrappers, which stand guard between an in-coming request and the requested service.

The benefits offered by TCP wrappers are enhanced when used in conjunction with xinetd, a super service that provides additional access, logging, binding, redirection, and resource utilization control.

For a thorough list of TCP wrapper functionality and control language, refer to the hosts_options man page.

To implement a TCP wrappers banner for a service, use the banner option.

This example implements a banner for vsftpd. To begin, create a banner file. It can be any-where on the system, but it must bear same name as the daemon. For this example, the file is called /etc/banners/vsftpd.

The contents of the file look like this:

Hello, %c All activity on ftp.serverbuddies.com is logged.

The %c token supplies a variety of client information, such as the username and hostname, or the username and IP address to make the connection even more intimidating.

For this banner to be presented to incoming connections, add the following line to the /etc/hosts.allow file:

vsftpd : ALL : banners /etc/banners/

Next »