
Securing NIS

In the document Red Hat Enterprise Linux 7 Security Guide (Page 48-51)


Chapter 4. Hardening Your System with Tools and Services

4.3. Securing Services

4.3.5. Securing NIS

The Network Information Service (NIS) is an RPC service, called ypserv, which is used in conjunction with rpcbind and other related services to distribute maps of usernames, passwords, and other sensitive information to any computer claiming to be within its domain.

A NIS server is comprised of several applications. They include the following:

/usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.

/usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.

/usr/sbin/ypserv — This is the NIS server daemon.

NIS is somewhat insecure by today's standards. It has no host authentication mechanisms and transmits all of its information over the network unencrypted, including password hashes. As a result, extreme care must be taken when setting up a network that uses NIS. This is further complicated by the fact that the default configuration of NIS is inherently insecure.

It is recommended that anyone planning to implement a NIS server first secure the rpcbind service as outlined in Section 4.3.4, “Securing rpcbind”, then address the following issues, such as network planning.

4.3.5.1. Carefully Plan the Network

Because NIS transmits sensitive information unencrypted over the network, it is important the service be run behind a firewall and on a segmented and secure network. Whenever NIS information is transmitted over an insecure network, it risks being intercepted. Careful network design can help prevent severe security breaches.

4.3.5.2. Use a Password-like NIS Domain Name and Hostname

Any machine within a NIS domain can use commands to extract information from the server without authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.

For instance, if someone either connects a laptop computer into the network or breaks into the network from outside (and manages to spoof an internal IP address), the following command reveals the /etc/passwd map:

ypcat -d <NIS_domain> -h <DNS_hostname> passwd

If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:

ypcat -d <NIS_domain> -h <DNS_hostname> shadow

Note

If Kerberos is used, the /etc/shadow file is not stored within a NIS map.

To make access to NIS maps harder for an attacker, create a random string for the DNS hostname, such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized NIS domain name. This makes it much more difficult for an attacker to access the NIS server.

4.3.5.3. Edit the /var/yp/securenets File

If the /var/yp/securenets file is blank or does not exist (as is the case after a default installation), NIS listens to all networks. One of the first things to do is to put netmask/network pairs in the file so that ypserv only responds to requests from the appropriate network.

Below is a sample entry from a /var/yp/securenets file:

255.255.255.0 192.168.0.0

Warning

Never start a NIS server for the first time without creating the /var/yp/securenets file.

This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services.
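The following is an added example, not part of the Red Hat guide: a small Python model of how a /var/yp/securenets file is read and applied, so an administrator can test a candidate file against client addresses before starting ypserv. It reproduces the two behaviours the section describes: netmask/network pairs restrict which networks are answered, and an empty or missing file means every network is served. The "host <address>" shorthand is assumed to be equivalent to a /32 entry, and the sample file contents are constructed for this example.

```python
import ipaddress

# Constructed sample of a /var/yp/securenets file, modelled on the guide's
# entry "255.255.255.0 192.168.0.0", with a loopback line and a comment added.
SAMPLE_SECURENETS = """\
# Serve only the local host and the 192.168.0.0/24 LAN
host 127.0.0.1
255.255.255.0 192.168.0.0
"""


def parse_securenets(text):
    """Return one IPv4Network per rule line of a securenets file.

    Lines are "<netmask> <network>" pairs; "host <address>" is treated as a
    single-host (/32) entry (an assumption for this example). Blank lines and
    '#' comments are skipped. A malformed line raises ValueError rather than
    being ignored, so a typo cannot silently widen access.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(f"line {lineno}: expected two fields, got {raw!r}")
        first, second = fields
        if first == "host":
            rules.append(ipaddress.IPv4Network(f"{second}/32"))
        else:
            # (address, netmask) tuple form; strict=False tolerates host bits
            # being set in the network column.
            rules.append(ipaddress.IPv4Network((second, first), strict=False))
    return rules


def is_allowed(client_ip, rules):
    """Decide as ypserv does: with no rules at all, every network is served."""
    if not rules:
        return True
    addr = ipaddress.IPv4Address(client_ip)
    return any(addr in net for net in rules)


def wide_open_entries(rules):
    """Return entries whose mask matches every address (e.g. 0.0.0.0 0.0.0.0)."""
    return [net for net in rules if net.prefixlen == 0]


if __name__ == "__main__":
    rules = parse_securenets(SAMPLE_SECURENETS)
    for ip in ("192.168.0.42", "127.0.0.1", "10.0.0.5"):
        print(ip, "allowed" if is_allowed(ip, rules) else "refused")
    print("empty file serves 10.0.0.5:", is_allowed("10.0.0.5", parse_securenets("")))
```

Run the file directly to see the decisions for the constructed addresses; the empty-file case is the one the Warning above is about, since an absent or blank file answers every client.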

4.3.5.4. Assign Static Ports and Use Rich Language Rules

All of the servers related to NIS can be assigned specific ports except for rpc.yppasswdd — the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, rpc.ypxfrd and ypserv, allows for the creation of firewall rules to further protect the NIS server daemons from intruders.

To do this, add the following lines to /etc/sysconfig/network:

YPSERV_ARGS="-p 834"

YPXFRD_ARGS="-p 835"

The following rich language firewalld rules can then be used to enforce which network the server listens to for these ports:

~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="tcp" drop'

~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="udp" drop'

This means that the server only allows connections to ports 834 and 835 if the requests come from the 192.168.0.0/24 network. The first rule is for TCP and the second for UDP.
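As an added example (not from the guide), here is a Python audit that checks the two halves of this step together: that /etc/sysconfig/network pins ypserv and rpc.ypxfrd to static ports, and that the rich rules cover each of those ports for both TCP and UDP with the trusted network inverted and a drop (or reject) action. It works on text you supply, so it can be run against a copy of the sysconfig file and the output of `firewall-cmd --list-rich-rules`; the sample contents below are constructed from the lines shown in this section, and the rule parsing is a simple attribute scan written for this example rather than firewalld's own parser.

```python
import re

# Constructed sample of /etc/sysconfig/network with the two lines the guide adds.
SAMPLE_SYSCONFIG = """\
NETWORKING=yes
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
"""

# Constructed sample of `firewall-cmd --list-rich-rules` output after the two
# rules from this section have been added (one rule per line).
SAMPLE_RICH_RULES = [
    'rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="tcp" drop',
    'rule family="ipv4" source address="192.168.0.0/24" invert="True" port port="834-835" protocol="udp" drop',
]

DAEMON_VARS = {"ypserv": "YPSERV_ARGS", "ypxfrd": "YPXFRD_ARGS"}


def static_ports(sysconfig_text):
    """Map daemon name -> port taken from its *_ARGS line, or None if no -p is set."""
    ports = {name: None for name in DAEMON_VARS}
    for name, var in DAEMON_VARS.items():
        m = re.search(rf'^{var}="[^"]*-p\s+(\d+)', sysconfig_text, re.MULTILINE)
        if m:
            ports[name] = int(m.group(1))
    return ports


def parse_rich_rule(rule):
    """Split a rich rule into its key="value" attributes plus the trailing action."""
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', rule))
    attrs["action"] = rule.split()[-1]
    attrs["has_source"] = " source " in rule
    return attrs


def port_covered(port, spec):
    """True if port lies inside a firewalld port spec such as "834" or "834-835"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def audit_nis_ports(sysconfig_text, rich_rules, trusted_net):
    """Return findings as strings; an empty list means both daemons are pinned
    and each port is blocked for every source outside trusted_net on TCP and UDP."""
    findings = []
    ports = static_ports(sysconfig_text)
    parsed = [parse_rich_rule(r) for r in rich_rules]
    for daemon, port in ports.items():
        if port is None:
            findings.append(f"{daemon}: no static port (-p) in {DAEMON_VARS[daemon]}")
            continue
        for proto in ("tcp", "udp"):
            blocked = any(
                r.get("family") == "ipv4"
                and r["has_source"]
                and r.get("address") == trusted_net
                and r.get("invert", "").lower() == "true"
                and r.get("protocol") == proto
                and "port" in r and port_covered(port, r["port"])
                and r["action"] in ("drop", "reject")
                for r in parsed
            )
            if not blocked:
                findings.append(f"{daemon}: port {port}/{proto} not restricted to {trusted_net}")
    return findings


if __name__ == "__main__":
    for finding in audit_nis_ports(SAMPLE_SYSCONFIG, SAMPLE_RICH_RULES, "192.168.0.0/24") or ["OK"]:
        print(finding)
    # Dropping the UDP rule is the usual slip; the audit names each exposed port.
    for finding in audit_nis_ports(SAMPLE_SYSCONFIG, SAMPLE_RICH_RULES[:1], "192.168.0.0/24"):
        print(finding)
```

The second loop in the usage block shows the failure mode worth catching: with only the TCP rule present, NIS RPC traffic over UDP on 834 and 835 would still be reachable from outside 192.168.0.0/24, and the audit reports both ports.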

Note

See Section 4.5, “Using Firewalls” for more information about implementing firewalls with iptables commands.

4.3.5.5. Use Kerberos Authentication

One of the issues to consider when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the /etc/shadow map is sent over the network. If an intruder gains access to a NIS domain and sniffs network traffic, they can collect usernames and password hashes. With enough time, a password cracking program can guess weak passwords, and an attacker can gain access to a valid account on the network.

Since Kerberos uses secret-key cryptography, no password hashes are ever sent over the network, making the system far more secure. See the Authentication: Kerberos KDC section in the Linux Domain Identity, Authentication, and Policy Guide for more information about Kerberos.
