Securing Nis - Red Hat ENTERPRISE LINUX 5 - DEPLOYMENT Deployment Manual


Chapter 43. Securing Your Network
iptables -A INPUT -p tcp -s 127.0.0.1 --dport 111 -j ACCEPT
iptables -A INPUT -p tcp -s! 192.168.0.0/24 --dport 111 -j DROP
To similarly limit UDP traffic, use the following command.
iptables -A INPUT -p udp -s! 192.168.0.0/24 --dport 111 -j DROP
Tip
Refer to Section 43.8, "Firewalls" for more information about implementing firewalls with
iptables commands.
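Because iptables evaluates a chain top to bottom, the loopback ACCEPT above only takes effect if it precedes the subnet DROP. The following script is an added example, not part of the Red Hat guide: it audits an INPUT chain (iptables-save or `iptables -S INPUT` format is assumed) for the port 111 rules and reports whether the loopback rule is shadowed. The sample chains are constructed, not captured from a host.

```sh
#!/bin/sh
# Added example, not from the Red Hat guide: audit an INPUT chain for the
# portmap (port 111) rules recommended in this section. iptables evaluates
# rules top to bottom, so the 127.0.0.1 ACCEPT must precede the
# "! -s 192.168.0.0/24" DROP or local RPC clients lose portmap too.
# Input is iptables-save / `iptables -S INPUT` style text; the samples
# below are constructed, not captured from a real host.

# check_portmap_order RULES PROTO -> exit 0 if the PROTO/111 rules are
# present and ordered correctly, 1 otherwise (reason printed on stdout).
check_portmap_order() {
    printf '%s\n' "$1" | awk -v proto="$2" '
        /^-A INPUT / { n++ }
        /^-A INPUT / && $0 ~ ("-p " proto " ") && /--dport 111 / {
            if (/-s 127\.0\.0\.1(\/32)? / && /-j ACCEPT/ && !acc) acc = n
            if (/-j DROP/ && !drop) drop = n
        }
        END {
            if (!drop) { print "no DROP rule for " proto "/111"; exit 1 }
            # the guide adds no loopback rule for UDP, so only the DROP is required
            if (proto == "udp") exit 0
            if (!acc) { print "no loopback ACCEPT for tcp/111"; exit 1 }
            if (acc > drop) {
                print "loopback ACCEPT (rule " acc ") is shadowed by DROP (rule " drop ")"
                exit 1
            }
            exit 0
        }'
}

# Constructed sample: the two TCP rules in the wrong order (DROP first).
SHADOWED='-P INPUT ACCEPT
-A INPUT ! -s 192.168.0.0/24 -p tcp -m tcp --dport 111 -j DROP
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -p udp -m udp --dport 111 -j DROP'

# Constructed sample: loopback ACCEPT before the subnet DROP.
CORRECT='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT ! -s 192.168.0.0/24 -p tcp -m tcp --dport 111 -j DROP
-A INPUT ! -s 192.168.0.0/24 -p udp -m udp --dport 111 -j DROP'

for proto in tcp udp; do
    check_portmap_order "$SHADOWED" "$proto" && echo "shadowed sample: $proto ok"
    check_portmap_order "$CORRECT"  "$proto" && echo "correct sample: $proto ok"
done
# On a live host: check_portmap_order "$(iptables -S INPUT)" tcp
```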

43.2.3. Securing NIS

The Network Information Service (NIS) is an RPC service, called ypserv, which is used in
conjunction with portmap and other related services to distribute maps of usernames, passwords,
and other sensitive information to any computer claiming to be within its domain.
An NIS server is comprised of several applications. They include the following:
• /usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
• /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
• /usr/sbin/yppush — This application propagates changed NIS databases to multiple NIS servers.
• /usr/sbin/ypserv — This is the NIS server daemon.
NIS is somewhat insecure by today's standards. It has no host authentication mechanisms and
transmits all of its information over the network unencrypted, including password hashes. As a result,
extreme care must be taken when setting up a network that uses NIS. This is further complicated by
the fact that the default configuration of NIS is inherently insecure.
It is recommended that anyone planning to implement an NIS server first secure the portmap service
as outlined in Section 43.2.2, "Securing Portmap", then address the following issues, such as
network planning.
43.2.3.1. Carefully Plan the Network
Because NIS transmits sensitive information unencrypted over the network, it is important that the
service be run behind a firewall and on a segmented and secure network. Whenever NIS information
is transmitted over an insecure network, it risks being intercepted. Careful network design can help
prevent severe security breaches.
43.2.3.2. Use a Password-like NIS Domain Name and Hostname
Any machine within an NIS domain can use commands to extract information from the server without
authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.