Tip

Protecting the NIS Maps Directory

The /var/yp directory should be accessible only by root. Change the permissions accordingly. If you are running Tripwire, COPS or any other security tool, include this directory in its security audit.

Set up /var/yp/securenets

You should configure NIS to make its maps available only to certain networks. This can be done with the /var/yp/securenets file, which lists one netmask and network pair per line. Here is an example:

255.255.255.0 10.10.20.0
255.255.255.0 10.10.21.0

To restrict availability to individual hosts, add an entry for each host's IP address with the netmask 255.255.255.255:

255.255.255.255 10.10.20.2
255.255.255.255 10.10.20.1
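
The following added example (not part of the original tip) parses securenets entries, flags lines that cannot work as intended, and reports which clients the file admits. It assumes the matching rule that a client is allowed when its address ANDed with the netmask equals the listed address; the sample file content and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample securenets content (not taken from a real system).
SAMPLE = """\
# netmask        network or host address
255.255.255.0    10.10.20.0
255.255.255.0    10.10.21.0
255.255.255.255  10.10.30.5
255.255.255.0    10.10.40.7
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_securenets(text):
    """Return (entries, warnings); entries are (netmask, network) integers."""
    entries, warnings = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 2:
            warnings.append((lineno, "expected 'netmask network'"))
            continue
        try:
            mask, net = _ip(fields[0]), _ip(fields[1])
        except ipaddress.AddressValueError:
            warnings.append((lineno, "not a dotted-quad IPv4 address"))
            continue
        if net & ~mask & 0xFFFFFFFF:
            # Host bits set under a network mask: the entry matches no client.
            warnings.append((lineno, "address has bits outside the netmask"))
        if mask == 0:
            warnings.append((lineno, "netmask 0.0.0.0 allows every client"))
        entries.append((mask, net))
    return entries, warnings

def is_allowed(client, entries):
    """Assumed rule: allowed when (client AND netmask) == listed address."""
    c = _ip(client)
    return any((c & mask) == net for mask, net in entries)

if __name__ == "__main__":
    entries, warnings = parse_securenets(SAMPLE)
    for lineno, msg in warnings:
        print(f"line {lineno}: {msg}")
    for client in ("10.10.20.9", "10.10.30.5", "10.10.40.7", "192.0.2.1"):
        print(client, "allowed" if is_allowed(client, entries) else "denied")
```

The last sample line pairs a single host address with a /24 netmask, so the check reports it and the host 10.10.40.7 is denied.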

Secure your Root account

The root account should always be local! You should never allow it to be a part of NIS. If a hacker discovered the root password, he or she would have access to all of the machines within the NIS domain. Also, if NIS ever failed, you might not be able to log in as root on any machine in the domain.

Move NIS Maps

By default, NIS uses the /etc/passwd, /etc/shadow and /etc/inet/netmasks files as the sources for its maps. This causes two problems: first, anyone with login access to the system will be able to read all of the NIS maps; second, with /etc/passwd and /etc/shadow as NIS map sources, root login will be possible only if NIS is running properly. You should move these files out of the /etc directory.



This was first published in July 2001
