Securing Network Information Service

An NIS server has several applications. They include the following:

/usr/sbin/rpc.yppasswdd
Also called the yppasswdd service, this daemon allows users to change their NIS passwords.

/usr/sbin/rpc.ypxfrd
Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.

/usr/sbin/yppush
This application propagates changed NIS databases to multiple NIS servers.

/usr/sbin/ypserv
This is the NIS server daemon.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as fdfdfdfdfdfg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

NIS listens to all networks, if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the proper network.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0

This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services

Trackback URI | Comments RSS

Leave a Reply

You must be logged in to post a comment.