48
Chapter 5. Server Security
5.2. Securing Portmap
The
portmap
service is a dynamic port assignment daemon for RPC services such as NIS and NFS.
It has weak authentication mechanisms and has the ability to assign a wide range of ports for the
services it controls. For these reasons, it is difficult to secure.
If you are running RPC services, you should follow some basic rules.
5.2.1. Protect
portmap
With TCP Wrappers
It is important to use TCP wrappers to limit which networks or hosts have access to the
portmap
service since it has no built in form of authentication.
Further, use only IP addresses when limiting access to the service. Avoid these hostnames as they can
be more via DNS poisoning and other methods.
5.2.2. Protect
portmap
With
iptables
To further restrict access to the
portmap
service, it is a good idea to add
iptables
rules to the server,
restricting access to specific networks.
Below is an example of an
iptables
command that allows TCP connections to
portmap
, listening
on port 111, from the 192.168.0/24 network exclusively. All other packets are dropped.
iptables  A INPUT  p tcp  s! 192.168.0.0/24
  dport 111  j DROP
To similarly limit UDP traffic, use the following command.
iptables  A INPUT  p udp  s! 192.168.0.0/24
  dport 111  j DROP
5.3. Securing NIS
NIS stands for Network Information Service. It is an RPC service called
ypserv
which is used in
conjunction with
portmap
and other related services to distribute maps of usernames, passwords, and
other sensitive information to any computer claiming to be within its domain.
An NIS server is comprised of several applications. They include the following:
  /usr/sbin/rpc.yppasswdd
  Also called the
yppasswdd
service, this daemon allows users to
change their NIS passwords.
  /usr/sbin/rpc.ypxfrd
  Also called the
ypxfrd
service, this daemon is responsible for NIS
map transfers over the network.
  /usr/sbin/yppush
  This application propagates changed NIS databases to multiple NIS
servers.
  /usr/sbin/ypserv
  This is the NIS server daemon.
NIS is rather insecure by todays standards. It has no host authentication mechanisms and passes all
of its information in clear text, including password hashes. As a result, extreme care must be taken to
set up a network that uses NIS. Further complicating the situation, the default configuration of NIS is
inherently insecure.
It is recommended that anyone planning to implement an NIS server first secure the
portmap
service
as outlined in Section 5.2, then address following issues.






footer




 

 

 

 

 Home | About Us | Network | Services | Support | FAQ | Control Panel | Order Online | Sitemap | Contact

web hosting comparison

 

Our partners: PHP: Hypertext Preprocessor Best Web Hosting Java Web Hosting Inexpensive Web Hosting  Jsp Web Hosting

Cheapest Web Hosting Jsp Hosting Cheap Hosting

Visionwebhosting.net Business web hosting division of Web Design Plus. All rights reserved