topic Re: NIS security risks in Operating System - HP-UX

NIS security risks

Eduardo Jaime M. — Tue, 09 Apr 2002 16:27:14 GMT

I know NIS is insecure. For me is a "necessary bad".
What are the most weak features for security on NIS?
and
How can I mitigate the security risks?
Does HP have a procedure to do it?
I will appreciatte your comments.
regards.

Re: NIS security risks

A. Clay Stephenson — Tue, 09 Apr 2002 16:32:41 GMT

Hi:

The biggest hole in NIS is probably the lack of a shadow passwd file. If someone can do a 'ypcat passwd > myfile' the hashed passwords are visible. A user can then use a utility like 'crack' to attempt to find the plaintext passwd by comparing the hashed versions to those in 'myfile'.

Your workarounds are 1) go to NIS+ 2) ensure that your passwds are very6 difficult to crack by build a more robust version of the yppasswd command.

Re: NIS security risks

Jeff Schussele — Tue, 09 Apr 2002 16:55:15 GMT

Hi Eduardo,

Definitely agree w/Clay!
No shadow file = easier to crack.

If you have to use NIS you should use NIS+ & I would recommend the further step of NIS+ under a Trusted System (C2) `.
See the following URL for info & instrs on setting up NIS+ under a Trusted System.

http://docs.hp.com/hpux/onlinedocs/B2355-90742/B2355-90742.html

HTH,
Jeff

Re: NIS security risks

pap — Tue, 09 Apr 2002 16:55:58 GMT

Hi,

NIS is not that much secure as you can compare with system without NIS.
If you need security as well as NIS set up, then it is a great thing you can go ahead with NIS+ set up.

NIS+ is quite different than NIS but if you follow step by step procedure in HP's manual about NIS+ setup, you can do great. NIS+ can be set up on trusted systems as well to enhance security.

Looking to your case, you need to go for NIS+, it gives high security and not an easy task to break the NIS+ security.

-pap

Re: NIS security risks

Eduardo Jaime M. — Tue, 09 Apr 2002 17:06:43 GMT

Thank You for your comments and suggest.
However, before go to NIS+ as a solution; I will keep using NIS. I need to know what are the risk outside the NIS? I know anyone inside NIS can read a map; but I'm thinking about external attacks (using sniffer, etc.. Do you know something like restrict port access, etc...something avoiding he map-read from outside.
Again, I'll appreciate your comments.
Tx.

Re: NIS security risks

Jeff Schussele — Tue, 09 Apr 2002 17:30:10 GMT

Well, you would definitley want to block port 111 BOTH TCP & UDP to the outside. This is the rpcbind or portmapper port & is used by attackers to determine just what ports your system listens to so that they can use that info against you.
Since NIS is a rpc-based service this is how they will "probe" you.
As far as I know there is no one port set for NIS - the client negotiates with the server to determine what port to use & the negotiation starts with port 111.

Rgds,
Jeff

Re: NIS security risks

Anthony deRito — Thu, 11 Apr 2002 19:05:52 GMT

THis link may help...

http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x7496abe92dabd5118ff10090279cd0f9,00.html

Tony

Re: NIS security risks

Victor_5 — Fri, 12 Apr 2002 00:24:22 GMT

Here are some points of mine:

1. If you do need NIS, use NIS+ if possible
2. Try convert your system to C2 Trusted System
3. Ensure that the only machines that have a "+" entry format in the /etc/passwd files are NIS clients, not the NIS master server
4. use secure RPC.