Archive for the tag 'Information'

SBDavid

Securing Network Information Service

Securing Network Information Service

An NIS server has several applications. They include the following:

/usr/sbin/rpc.yppasswdd
Also called the yppasswdd service, this daemon allows users to change their NIS passwords.

/usr/sbin/rpc.ypxfrd
Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.

/usr/sbin/yppush
This application propagates changed NIS databases to multiple NIS servers.

/usr/sbin/ypserv
This is the NIS server daemon.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as fdfdfdfdfdfg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

NIS listens to all networks, if the /var/yp/securenets file is blank or does not exist (as is the case after a default installation). One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the proper network.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0

This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services

SBDavid

Using Dig- domain information groper

dig, or domain information groper, provides the ability to query any domain server for information about the domains it serves. It operates in both an interactive mode and a batch query mode.

Using dig is much like using host, in that in its simplest mode you enter just the command and the name to lookup.

However, dig is more verbose by default and presents a much wider array or information, though in a somewhat less readable form.

; <> DiG 9.5.1-P1 <> @218.248.240.181 serverbuddies.com
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24726
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;serverbuddies.com. IN A

;; ANSWER SECTION:
serverbuddies.com. 13075 IN A 192.168.0.3

;; AUTHORITY SECTION:
serverbuddies.com. 85706 IN NS ns1.serverbuddies.com.
serverbuddies.com. 85706 IN NS NS2.serverbuddies.com.

;; ADDITIONAL SECTION:
ns1.serverbuddies.com. 13699 IN A 192.168.0.1
NS2.serverbuddies.com. 13706 IN A 192.168.0.2

;; Query time: 467 msec
;; SERVER: 218.248.240.181#53(218.248.240.181)
;; WHEN: Thu Sep 10 15:01:04 2009
;; MSG SIZE rcvd: 119

Just like host, it is possible to query your default system resolver, or you can query a name server specified on the command line. For example, I could query name server about the google.com domain.

Above, we have a large amount of information, though not all of it is generally useful to us. First is the version of dig, and the command line options we specified.

The comes some status information, including the NOERROR designator that indicates the name was retrieve without error. If the domain did not exist, or could not be queried, there would be an NXDOMAIN error or some other error. Next are the flags of the query.

In this case, we have one query and one answer which are contained in the QUESTION and ANSWER sections below it. The next two items inform us of the number of AUTHORITY and ADDITIONAL sections that follow. In this case, the authority section gives us the primary and secondary name servers for this domain, ns1.serverbuddies.com and ns2.serverbuddies.com, and the additional section provides the IP addresses of those name servers.

The last few lines give the time the query required, the server that was queried and the port on which it was queried, the time and date on which the query was made, and the size of the message received from the name server.

Like host, dig has a mode in which you can query all of the information available about the domain. This can be done by appending the ANY argument to the end of the command line. Furthermore, the options NS, MX, CNAME, etc. are also available and do just what you would expect.

Reference - for more please check - http://doxfer.com/Webmin/

SBDavid

Network Information System

Network Information System

On of the important use for NIS is to keep vital data such as user account information (e.g. /etc/hosts, /etc/passwd and /etc/group files) synchronized between all hosts.Let us see how we can configure NIS. NIS is a server-client based architecture. There will be a NIS server and then a NIS client. Let us see how we can configure this both

NIS SERVER:

You must first check whether we have a package called ypserv installed in the server. Once the package is installed then start the service called ypserv. Then you must give a NIS domain name for the server which can be provided

nisdomainname test

Also you can verify your domain name by just typing “nisdomainname:. Also there should be entry in the file /etc/sysconfig/network like this

NISDOMAINNAME=test

The next thing you have to do is you have to share the directory where you user accounts are residing. For example lets suppose that you creat a directory called home1 and you want to the NIS users home directory to be home1 then you can do this like,

mkdir /home1
useradd -d /home1/test test

where test is the NIS user. Once created you have to export this file through nfs.This can be done like this

by putting entries in the /etc/exports file

/home1 *(rw,sync)

Once you have put these entries make sure that the services portmap and nfs are started. Once you have done this we have to make the yp file which can be done like this,

/usr/lib/yp/ypinit -m

Then restart the ypserv services. Also make sure that the service called yppasswdd is also turned on These are the things that has to be done on the server side.

NIS CLIENT: To make a NIS client check whether the package ypbind is installed in the system. Also check that the service called autofs is also turned on.Then there are two important files that we need to consider that is /etc/auto.master and /etc/auto.misc . The service autofs is used so that the directory that we use or shared through nfs is automatically mounted and also see that when a nisuser login then a directory is also automatically created.In /etc/auto.master file give the entries like this

/home1 /etc/auto.misc –timeout=60

Then an entry about our nis server should be given auto.misc like this

* -rw,soft,intr :/home1/&

Also you have to tell the client which is the NIS server which can be told like this. In the command prompt

authconfig

Select NIS then select next then give the nisdomain name and the ip of the NIS server and then exit. If it listenx to the NIS server then there wil be no errors shown. now if everything goes well you should be able to login as test in all the NIS clients.

« Prev