User guide
Chapter 2. Securing Your Network
Below is a sample entry from a /var/yp/securenets file:
255.255.255.0 192.168.0.0
Warning
Never start an NIS server for the first time without creating the /var/yp/securenets file.
This technique does not provide protection from an IP spoofing attack, but it does at least place limits on what networks the NIS server services.
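As an added illustration, not code from the guide, the following Python snippet parses securenets entries in the format shown above and reports whether ypserv would answer a given client address. The sample file content is constructed here (the guide's entry plus a loopback "host" line, the documented shorthand for netmask 255.255.255.255); the check is IPv4-only, as the file format is.

```python
import ipaddress

# Constructed sample /var/yp/securenets: the guide's entry plus a loopback
# "host" line (shorthand for netmask 255.255.255.255) and a comment.
SAMPLE_SECURENETS = """\
# allow the local LAN and the server itself
255.255.255.0 192.168.0.0
host 127.0.0.1
"""


def parse_securenets(text):
    """Return a list of (netmask, network) integer pairs from securenets text.

    Blank lines and '#' comments are skipped; a malformed line raises
    ValueError so a typo cannot silently widen or narrow the access list.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected 'netmask network' or 'host address'")
        mask_str, net_str = parts
        if mask_str == "host":
            mask_str = "255.255.255.255"
        mask = int(ipaddress.IPv4Address(mask_str))
        network = int(ipaddress.IPv4Address(net_str))
        entries.append((mask, network & mask))
    return entries


def securenets_allows(text, client_ip):
    """True if ypserv would answer client_ip under this securenets content.

    An entry matches when (client & netmask) == (network & netmask); any
    matching entry grants access. text=None models a missing file, in which
    case ypserv answers every host, hence the guide's warning above.
    """
    if text is None:
        return True
    client = int(ipaddress.IPv4Address(client_ip))
    return any((client & mask) == network for mask, network in parse_securenets(text))


if __name__ == "__main__":
    for ip in ("192.168.0.17", "10.0.0.5", "127.0.0.1"):
        print(ip, "allowed" if securenets_allows(SAMPLE_SECURENETS, ip) else "denied")
```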
2.2.3.4. Assign Static Ports and Use iptables Rules
All of the servers related to NIS can be assigned specific ports except for rpc.yppasswdd — the daemon that allows users to change their login passwords. Assigning ports to the other two NIS server daemons, rpc.ypxfrd and ypserv, allows for the creation of firewall rules to further protect the NIS server daemons from intruders.
To do this, add the following lines to /etc/sysconfig/network:
YPSERV_ARGS="-p 834"
YPXFRD_ARGS="-p 835"
The following iptables rules can then be used to enforce which network the server listens to for these ports. Because iptables only accepts --dport together with -p tcp or -p udp, one rule is needed for each protocol:
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 834 -j DROP
iptables -A INPUT -p tcp ! -s 192.168.0.0/24 --dport 835 -j DROP
iptables -A INPUT -p udp ! -s 192.168.0.0/24 --dport 835 -j DROP
This means that the server only allows connections to ports 834 and 835 if the requests come from the 192.168.0.0/24 network, regardless of the protocol.
Note
Refer to Section 2.5, “Firewalls” for more information about implementing firewalls with iptables commands.
2.2.3.5. Use Kerberos Authentication
One of the issues to consider when NIS is used for authentication is that whenever a user logs into a machine, a password hash from the /etc/shadow map is sent over the network. If an intruder gains access to an NIS domain and sniffs network traffic, they can collect usernames and password hashes. With enough time, a password cracking program can guess weak passwords, and an attacker can gain access to a valid account on the network.
Since Kerberos uses secret-key cryptography, no password hashes are ever sent over the network, making the system far more secure. Refer to Managing Single Sign-On and Smart Cards for more information about Kerberos.