Securing Network Information Service
An NIS server has several applications. They include the following:
Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
/usr/sbin/rpc.ypxfrd
Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
/usr/sbin/yppush
This application propagates changed NIS databases to multiple NIS servers.
/usr/sbin/ypserv
This is the NIS server daemon.
To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as fdfdfdfdfdfg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.
NIS listens to all networks, if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the proper network.
Below is a sample entry from a /var/yp/securenets file:
This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services
Leave a Reply
You must be logged in to post a comment.
