HPE Community
Operating System - HP-UX
1846855 Members
4377 Online
110256 Solutions
New Discussion

Re: NIS security risks

 
Eduardo Jaime M.
Occasional Contributor

‎04-09-2002 09:27 AM

‎04-09-2002 09:27 AM

NIS security risks

I know NIS is insecure. For me is a "necessary bad".
What are the most weak features for security on NIS?
and
How can I mitigate the security risks?
Does HP have a procedure to do it?
I will appreciatte your comments.
regards.
0 Kudos
Reply
7 REPLIES 7
A. Clay Stephenson
Acclaimed Contributor

‎04-09-2002 09:32 AM

‎04-09-2002 09:32 AM

Re: NIS security risks

Hi:

The biggest hole in NIS is probably the lack of a shadow passwd file. If someone can do a 'ypcat passwd > myfile' the hashed passwords are visible. A user can then use a utility like 'crack' to attempt to find the plaintext passwd by comparing the hashed versions to those in 'myfile'.

Your workarounds are 1) go to NIS+ 2) ensure that your passwds are very6 difficult to crack by build a more robust version of the yppasswd command.
If it ain't broke, I can fix that.
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎04-09-2002 09:55 AM

‎04-09-2002 09:55 AM

Re: NIS security risks

Hi Eduardo,

Definitely agree w/Clay!
No shadow file = easier to crack.

If you have to use NIS you should use NIS+ & I would recommend the further step of NIS+ under a Trusted System (C2) `.
See the following URL for info & instrs on setting up NIS+ under a Trusted System.

http://docs.hp.com/hpux/onlinedocs/B2355-90742/B2355-90742.html

HTH,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
pap
Respected Contributor

‎04-09-2002 09:55 AM

‎04-09-2002 09:55 AM

Re: NIS security risks

Hi,

NIS is not that much secure as you can compare with system without NIS.
If you need security as well as NIS set up, then it is a great thing you can go ahead with NIS+ set up.

NIS+ is quite different than NIS but if you follow step by step procedure in HP's manual about NIS+ setup, you can do great. NIS+ can be set up on trusted systems as well to enhance security.

Looking to your case, you need to go for NIS+, it gives high security and not an easy task to break the NIS+ security.

-pap
"Winners don't do different things , they do things differently"
0 Kudos
Reply
Eduardo Jaime M.
Occasional Contributor

‎04-09-2002 10:06 AM

‎04-09-2002 10:06 AM

Re: NIS security risks

Thank You for your comments and suggest.
However, before go to NIS+ as a solution; I will keep using NIS. I need to know what are the risk outside the NIS? I know anyone inside NIS can read a map; but I'm thinking about external attacks (using sniffer, etc.. Do you know something like restrict port access, etc...something avoiding he map-read from outside.
Again, I'll appreciate your comments.
Tx.
0 Kudos
Reply
Jeff Schussele
Honored Contributor

‎04-09-2002 10:30 AM

‎04-09-2002 10:30 AM

Re: NIS security risks

Well, you would definitley want to block port 111 BOTH TCP & UDP to the outside. This is the rpcbind or portmapper port & is used by attackers to determine just what ports your system listens to so that they can use that info against you.
Since NIS is a rpc-based service this is how they will "probe" you.
As far as I know there is no one port set for NIS - the client negotiates with the server to determine what port to use & the negotiation starts with port 111.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
0 Kudos
Reply
Anthony deRito
Respected Contributor

‎04-11-2002 12:05 PM

‎04-11-2002 12:05 PM

Re: NIS security risks

THis link may help...

http://forums.itrc.hp.com/cm/QuestionAnswer/1,11866,0x7496abe92dabd5118ff10090279cd0f9,00.html

Tony
0 Kudos
Reply
Victor_5
Trusted Contributor

‎04-11-2002 05:24 PM

‎04-11-2002 05:24 PM

Re: NIS security risks

Here are some points of mine:

1. If you do need NIS, use NIS+ if possible
2. Try convert your system to C2 Trusted System
3. Ensure that the only machines that have a "+" entry format in the /etc/passwd files are NIS clients, not the NIS master server
4. use secure RPC.


0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.