Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE Betriebsanweisung Seite 53
- Seite / 128
- Inhaltsverzeichnis
- LESEZEICHEN
Bewertet. / 5. Basierend auf Kundenbewertungen
Securing NIS
43
• /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS
map transfers over the network.
• /usr/sbin/yppush — This application propagates changed NIS databases to multiple NIS
servers.
• /usr/sbin/ypserv — This is the NIS server daemon.
NIS is somewhat insecure by today's standards. It has no host authentication mechanisms and
transmits all of its information over the network unencrypted, including password hashes. As a result,
extreme care must be taken when setting up a network that uses NIS. This is further complicated by
the fact that the default configuration of NIS is inherently insecure.
It is recommended that anyone planning to implement an NIS server first secure the portmap service
as outlined in Section 2.2.2, “Securing Portmap”, then address the following issues, such as network
planning.
2.2.3.1. Carefully Plan the Network
Because NIS transmits sensitive information unencrypted over the network, it is important the service
be run behind a firewall and on a segmented and secure network. Whenever NIS information is
transmitted over an insecure network, it risks being intercepted. Careful network design can help
prevent severe security breaches.
2.2.3.2. Use a Password-like NIS Domain Name and Hostname
Any machine within an NIS domain can use commands to extract information from the server without
authentication, as long as the user knows the NIS server's DNS hostname and NIS domain name.
For instance, if someone either connects a laptop computer into the network or breaks into the
network from outside (and manages to spoof an internal IP address), the following command reveals
the /etc/passwd map:
ypcat -d <NIS_domain> -h <DNS_hostname> passwd
If this attacker is a root user, they can obtain the /etc/shadow file by typing the following command:
ypcat -d <NIS_domain> -h <DNS_hostname> shadow
Note
If Kerberos is used, the /etc/shadow file is not stored within an NIS map.
To make access to NIS maps harder for an attacker, create a random string for the DNS hostname,
such as o7hfawtgmhwg.domain.com. Similarly, create a different randomized NIS domain name.
This makes it much more difficult for an attacker to access the NIS server.
2.2.3.3. Edit the /var/yp/securenets File
If the /var/yp/securenets file is blank or does not exist (as is the case after a default installation),
NIS listens to all networks. One of the first things to do is to put netmask/network pairs in the file so
that ypserv only responds to requests from the appropriate network.
- Red Hat Enterprise Linux 6 1
- Security Guide 1
- Edition 1.5 2
- 1. Document Conventions 7
- 1.2. Pull-quote Conventions 8
- 2. We Need Feedback! 9
- Security Overview 11
- 1.1.1.2. Security Today 12
- 1.1.2. SELinux 13
- 1.1.3. Security Controls 13
- 1.1.4. Conclusion 14
- 1.2. Vulnerability Assessment 15
- 1.2.3. Evaluating the Tools 17
- 1.2.3.2. Nessus 18
- 1.2.3.3. Nikto 18
- 1.3.1.1. Shades of Gray 19
- 1.3.2.1.1. Broadcast Networks 20
- 1.3.3.2. Unpatched Services 21
- 1.3.4.1. Bad Passwords 22
- 1.5. Security Updates 25
- 1.5.4. Applying the Changes 27
- Applying the Changes 29
- Securing Your Network 31
- /sbin/grub-md5-crypt 32
- 2.1.3. Password Security 33
- 2.1.3.2.2. Passphrases 37
- 2.1.3.2.3. Password Aging 37
- 2.1.4.1. Allowing Root Access 39
- 2.1.4.3. Limiting Root Access 42
- 2.1.4.3.2. The sudo Command 43
- 2.1.5.1. Risks To Services 44
- 2.1.5.3. Insecure Services 46
- 2.1.6. Personal Firewalls 47
- 2.2. Server Security 48
- 220-Hello, %c 49
- 2.2.1.2.1. Setting a Trap 50
- 2.2.2. Securing Portmap 52
- 2.2.3. Securing NIS 52
- 255.255.255.0 192.168.0.0 54
- 2.2.4. Securing NFS 55
- UserDir enabled 56
- UserDir disabled root 56
- 2.2.6. Securing FTP 57
- 2.2.6.2. Anonymous Access 58
- 2.2.6.3. User Accounts 58
- 2.2.7. Securing Sendmail 59
- 2.2.7.3. Mail-only Users 60
- 2.3. TCP Wrappers and xinetd 61
- 2.3.1. TCP Wrappers 62
- [root@myServer ~]# 63
- 2.3.2.1.1. Wildcards 65
- 2.3.2.1.4. Operators 67
- 2.3.2.2. Option Fields 68
- 2.3.2.2.4. Expansions 69
- 2.3.3. xinetd 70
- 2.3.4.3.1. Logging Options 72
- 2.3.5. Additional Resources 75
- 2.3.5.3. Related Books 76
- 2.4.1. How Does a VPN Work? 77
- 2.4.2. Openswan 77
- 2.4.2.3. Commands 78
- 2.5. Firewalls 79
- 2.5.1. Netfilter and IPTables 81
- 2.5.2.3. Trusted Services 83
- 2.5.2.4. Other Ports 83
- 2.5.3. Using IPTables 84
- 2.5.5. FORWARD and NAT Rules 86
- 2.5.5.2. Prerouting 88
- 2.5.5.3. DMZs and IPTables 88
- 2.5.8. IPv6 90
- 2.5.9. Additional Resources 90
- 2.6. IPTables 91
- 2.6.2.2. Command Options 94
- 2.6.2.4.1. TCP Protocol 97
- 2.6.2.4.2. UDP Protocol 98
- 2.6.2.4.3. ICMP Protocol 98
- 2.6.2.5. Target Options 99
- 2.6.3. Saving IPTables Rules 101
- 2.6.5. IPTables and IPv6 104
- 2.6.6. Additional Resources 104
- Encryption 105
- 3.5. Virtual Private Networks 106
- 3.6. Secure Shell 106
- 3.7. OpenSSL PadLock Engine 106
- 3.8. LUKS Disk Encryption 107
- Important 108
- 3.8.5. Links of Interest 109
- Security 113
- Secure Installation 115
- Software Maintenance 117
- 7.1. Introduction 119
- (NISPOM) 120
- References 121
- A.1. Synchronous Encryption 123
- A.2. Public-key Encryption 124
- A.2.2. RSA 125
- A.2.3. DSA 125
- A.2.4. SSL/TLS 125
- A.2.6. ElGamal Encryption 126
- Appendix B. Revision History 127
Verwandte Produkte und Handbücher für Software Red Hat ENTERPRISE LINUX 4 - SELINUX GUIDE
(268 Seiten)Radio Shack 14-1265 manuels
Manuels d'utilisation et guides de l'utilisateur pour Lecteurs de cassettes Radio Shack 14-1265.
Nous fournissons des manuels en pdf 2 Radio Shack 14-1265 à télécharger gratuitement par type de document : Manuel du propriétaire, Manuel de l'utilisateur
Kommentare zu diesen Handbüchern