50


Chapter 5. Server Security


5.3.4. Assign Static Ports and Use


All of the servers related to NIS can be assigned specific ports except for


rpc.yppasswdd


  the


daemon that allows users to change their login passwords. Assigning ports to the other two NIS server


daemons,


rpc.ypxfrd


and


ypserv


, allows you to create firewall rules to further protect the NIS


server daemons from intruders.


To do this, add the following lines to


/etc/sysconfig/network


:


YPSERV_ARGS=" p 834"


YPXFRD_ARGS=" p 835"


The following


iptables


rules can be issued to enforce which network the server will listen to for


these ports:


iptables  A INPUT  p ALL  s! 192.168.0.0/24


  dport 834  j DROP


iptables  A INPUT  p ALL  s! 192.168.0.0/24


  dport 835  j DROP


Tip


Refer to Chapter 7 for more information about implementing firewalls with iptables commands.


5.3.5. Use Kerberos Authentication


One of the most glaring flaws inherent when NIS is used for authentication is that whenever a user


logs into a machine, a password hash from the


/etc/shadow


map is send over the network. If an


intruder gains access to an NIS domain and sniffs network traffic, usernames and password hashes


can be quietly collected. With enough time a password cracking program can guess weak passwords,


and the attacker has a valid login on the network.


Since Kerberos using secret key cryptography, no password hashes are ever sent over the network,


making the system far more secure. For more about Kerberos, see the chapter titled Kerberos in the


Official Red Hat Linux Reference Guide.


5.4. Securing NFS


The Network File System or NFS is an RPC service used in conjunction with


portmap


and other


related services to provide network accessible mount points for client machines. For more information


on how NFS works, see the chapter titled Network File System (NFS) in the Official Red Hat Linux


Reference Guide. For more information about configuring NFS, refer to the Official Red Hat Linux


Customization Guide. The following subsections will assume basic knowledge of NFS.


It is recommended that anyone planning to implement an NFS server first secure the


portmap


service


as outlined in Section 5.2, then address following issues.


5.4.1. Carefully Plan the Network


Because NFS passes all information unencrypted over the network, it is important the service be run


behind a firewall and on a segmented and secure network. Any time information is passed over NFS an


insecure network, it risks being intercepted. Careful network design in these regards can help prevent


security breaches.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      web hosting comparison

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved