Securing NIS
The Network Information Service (NIS) is an RPC service, called ypserv, which is used in conjunction with portmap and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.

An NIS server is comprised of several applications. They include the following:

/usr/sbin/rpc.yppasswdd - Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
/usr/sbin/rpc.ypxfrd - Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
/usr/sbin/yppush - This application propagates changed NIS databases to multiple NIS servers.
/usr/sbin/ypserv - This is the NIS server daemon.

NIS is somewhat insecure by today's standards. It has no host authentication mechanisms and transmits all of its information over the network unencrypted, including password hashes. As a result, extreme care must be taken when setting up a network that uses NIS. This is further complicated by the fact that the default configuration of NIS is inherently insecure.

It is recommended that anyone planning to implement an NIS server first secure the portmap service as outlined in "Securing Portmap", then address the following issues, such as network planning.

Carefully Plan the Network

Because NIS transmits sensitive information unencrypted over the network, it is important the service be run behind a firewall and on a segmented and secure network. Whenever NIS information is transmitted over an insecure network, it risks being intercepted. Careful network design can help prevent severe security breaches.

Use a Password-like NIS Domain Name and Hostname

Any machine within an NIS domain can use commands to extract information from the server without authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.

For instance, if someone either connects a laptop computer into the network or breaks into the network from outside (and manages to spoof an internal IP address), the following command reveals the /etc/passwd map:

ypcat -d <NIS_domain> -h <DNS_hostname> passwd

If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:

ypcat -d <NIS_domain> -h <DNS_hostname> shadow

If Kerberos is used, the /etc/shadow file is not stored within an NIS map.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

Edit the /var/yp/securenets File

If the /var/yp/securenets file is blank or does not exist (as is the case after a default installation), NIS listens to all networks. One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the appropriate network.

Below is a sample entry from a /var/yp/securenets file (netmask first, then network):

255.255.255.0 192.168.0.0

Never start an NIS server for the first time without creating the /var/yp/securenets file.

This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services.

Assign Static Ports and Use iptables Rules

All of the servers related to NIS can be assigned specific ports except for rpc.yppasswdd - the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, rpc.ypxfrd and ypserv, allows for the creation of firewall rules to further protect the NIS server daemons from intruders.

To do this, add the following lines to /etc/sysconfig/network:

YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"

The following iptables rules can then be used to enforce which network the server listens to for these ports (the negation is written as "! -s", the form current iptables accepts):

iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 835 -j DROP
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 835 -j DROP

This means that the server only allows connections to ports 834 and 835 if the requests come from the 192.168.0.0/24 network.

Refer to "Firewalls" for more information about implementing firewalls with iptables commands.

Use Kerberos Authentication

One of the issues to consider when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the /etc/shadow map is sent over the network. If an intruder gains access to an NIS domain and sniffs network traffic, they can collect usernames and password hashes. With enough time, a password cracking program can guess weak passwords, and an attacker can gain access to a valid account on the network.

Since Kerberos uses secret-key cryptography, no password hashes are ever sent over the network, making the system far more secure. Refer to "Kerberos" for more information about Kerberos.
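As an added example (not from the guide), the following Python helper audits a /var/yp/securenets file as described under "Edit the /var/yp/securenets File": it parses the netmask/network entries (and the single-host "host <ip>" form the file also accepts), reports whether the file still leaves ypserv answering every network, and checks individual client addresses against it. The sample file body is constructed for the example.

```python
import ipaddress

# Constructed sample /var/yp/securenets content (only the 192.168.0.0/24
# entry comes from the guide): a netmask/network pair, a single-host
# entry, a comment and a blank line.
SAMPLE_SECURENETS = """\
# local LAN, as in the guide
255.255.255.0 192.168.0.0
# one trusted management host
host 10.0.0.5

"""


def parse_securenets(text):
    """Parse securenets text into a list of ipaddress networks.

    A non-comment line is either 'host <ip>' or '<netmask> <network>'.
    Malformed lines (wrong field count, bad address, host bits set in
    the network field) raise ValueError so an audit never silently
    accepts an entry that does not mean what the administrator intended.
    """
    nets = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected 2 fields: {raw!r}")
        left, right = fields
        if left == "host":
            nets.append(ipaddress.ip_network(right))  # one address, /32
        else:
            # strict=True rejects e.g. '255.255.255.0 192.168.0.5'
            nets.append(ipaddress.ip_network(f"{right}/{left}", strict=True))
    return nets


def client_allowed(nets, client_ip):
    """True if client_ip matches an entry; an empty list models a blank
    or missing file, the default state in which NIS answers everyone."""
    if not nets:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def allows_everyone(nets):
    """True if the file (or its absence) leaves the server open to all."""
    return not nets or any(net.prefixlen == 0 for net in nets)
```

A blank file, a missing file and an explicit "0.0.0.0 0.0.0.0" entry are all reported as open to every network, which is the condition the warning above tells you to fix before the first start of ypserv.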