If you want to set up a NIS server, you should know a few things:
1) NIS transmits account data over the network unencrypted
2) NIS responses are easily spoofed
3) Through portmap, anyone who can reach the server can learn which RPC ports are open
So, what can we do? We can:
1) Use TCP wrappers and packet filtering for portmap
2) Restrict which hosts have access to NIS
3) Don't let any RPC data leave the network
4) USE KERBEROS with NIS
For now we will set up a NIS server that provides centralized information about user accounts.
At this point you should install ypserv and open the ports you need in the firewall. Query portmap (rpcinfo -p) to see which ports you should open:
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    711  status
    100024    1   tcp    714  status
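The listing above is the input for the two decisions this step asks for: which RPC ports to open to the trusted network, and whether a daemon really stays on one port across restarts (the reason the next step pins ypserv). The script below is an added example, not part of the original post. Its rpcinfo output is a constructed sample; the two ypserv lines assume ypserv has already been pinned to port 834 (on Red Hat style systems that is YPSERV_ARGS="-p 834" in /etc/sysconfig/network), and 192.168.1.0/24 is an assumed trusted network.

```bash
#!/bin/bash
# Added example (not from the original post): derive firewall openings for the
# trusted network from `rpcinfo -p` output and verify that ypserv stays on its
# pinned port. The rpcinfo output below is a constructed sample; the ypserv
# lines assume it was pinned to 834 (e.g. YPSERV_ARGS="-p 834" on Red Hat
# style systems).
RPCINFO_SAMPLE='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    711  status
    100024    1   tcp    714  status
    100004    2   udp    834  ypserv
    100004    2   tcp    834  ypserv'

# rpc_ports INPUT: print each distinct "proto/port" pair, header line dropped.
rpc_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 && NF >= 4 { print $3 "/" $4 }' | sort -u
}

# check_pinned SERVICE PORT INPUT: succeed only if every registration of
# SERVICE (tcp and udp) sits on PORT. A firewall rule for a fixed port is
# useless if the daemon has drifted to a random one after a restart.
check_pinned() {
  local svc="$1" want="$2" found=0 port name
  while read -r _ _ _ port name; do
    [ "$name" = "$svc" ] || continue
    found=1
    [ "$port" = "$want" ] || return 1
  done <<EOF
$3
EOF
  [ "$found" -eq 1 ]
}

# firewall_rules TRUSTED_CIDR INPUT: iptables commands that accept each RPC
# port from the trusted network and drop it from everyone else.
firewall_rules() {
  local net="$1" proto port
  rpc_ports "$2" | while IFS=/ read -r proto port; do
    printf 'iptables -A INPUT -s %s -p %s --dport %s -j ACCEPT\n' "$net" "$proto" "$port"
    printf 'iptables -A INPUT -p %s --dport %s -j DROP\n' "$proto" "$port"
  done
}

firewall_rules 192.168.1.0/24 "$RPCINFO_SAMPLE"
check_pinned ypserv 834 "$RPCINFO_SAMPLE" && echo "ypserv is on its pinned port"
```

On a real server, replace RPCINFO_SAMPLE with `"$(rpcinfo -p)"` and run check_pinned after every restart of ypserv; if it fails, the port drifted and the generated rules no longer match what the daemon listens on.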
At this point you should configure ypserv so that it always uses the same port. Add a line to /etc/sysconfig/network, as I do:
After this you should set up the server to be a client as well. I will use my own hostname as the server. Add this to /etc/yp.conf:
Your NIS server is now set up. Don't forget to open the ports in the firewall. Initialize the NIS maps, as I do now:
You can see that this works. Try:
OK, the NIS server is set up now, but we don't want it to be reachable from external (untrusted) networks. We can change a few things here:
1) Reduce the clients that can access the service
2) Set up firewall rules
For the first point, create the file /var/yp/securenets with the following content:
The first field is the netmask and the second is the network address of the allowed pool. Check the firewall setup as well (especially for port 111): allow access from the trusted network only. Restart the service and try the command again from intruder1. It will fail.
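To see exactly which clients a securenets file admits before restarting ypserv, the following added example (not the post's own file or code) evaluates entries the way ypserv does, netmask first and network second, and flags the one mistake that silently undoes the file: an all-zero netmask. The file content and the client addresses are constructed; 192.168.2.10 stands in for intruder1, which the post does not give an address for.

```bash
#!/bin/bash
# Added example (not from the original post): evaluate a securenets file the
# way ypserv does, one "netmask network" pair per line, and warn about entries
# that admit every client. The file content and the addresses are constructed.
SECURENETS_SAMPLE=$(mktemp)
trap 'rm -f "$SECURENETS_SAMPLE"' EXIT
cat > "$SECURENETS_SAMPLE" <<'EOF'
# netmask        network        (constructed sample, not the post's own file)
255.255.255.255  127.0.0.1
255.255.255.0    192.168.1.0
host             10.0.0.5
EOF

# ip2int A.B.C.D -> unsigned 32-bit integer
ip2int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# securenets_allows FILE CLIENT_IP: succeed if any entry matches the client.
# "host" is accepted as shorthand for a 255.255.255.255 mask, as ypserv does.
securenets_allows() {
  local file="$1" client mask net m
  client=$(ip2int "$2")
  while read -r mask net _; do
    case "$mask" in ''|'#'*) continue ;; esac
    [ "$mask" = host ] && mask=255.255.255.255
    m=$(ip2int "$mask")
    if [ $(( client & m )) -eq $(( $(ip2int "$net") & m )) ]; then
      return 0
    fi
  done < "$file"
  return 1
}

# securenets_lint FILE: fail (and warn on stderr) if an entry has an all-zero
# netmask, which matches every address and defeats the whole file.
securenets_lint() {
  local mask net bad=0
  while read -r mask net _; do
    case "$mask" in ''|'#'*) continue ;; esac
    [ "$mask" = host ] && mask=255.255.255.255
    if [ "$(ip2int "$mask")" -eq 0 ]; then
      printf 'WARNING: "%s %s" admits every client\n' "$mask" "$net" >&2
      bad=1
    fi
  done < "$1"
  return "$bad"
}

for ip in 192.168.1.77 192.168.2.10 10.0.0.5; do
  if securenets_allows "$SECURENETS_SAMPLE" "$ip"; then echo "$ip allowed"; else echo "$ip denied"; fi
done
securenets_lint "$SECURENETS_SAMPLE" && echo "no wildcard entries"
```

Point the functions at /var/yp/securenets on the server to check the real file. securenets only filters at the NIS layer; the port 111 firewall rule mentioned above is still needed, because portmap itself does not read this file.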
The access restrictions are in place now, but we still need to configure NIS for actual use. On security2 you should start
In the NIS Domain field enter SETENFORCE.COM and in the NIS host field enter security1.example.com, then save your work. Now we need to add a user on the NIS server, in this case testing. After this you should rebuild your NIS maps.
Also do the setup on the client side.
Test your configuration: as we can see, you can ssh to security2, but user testing doesn't exist in the passwd file on security2.
Now you see that this is working, but it is easy to spoof. So you should lock user testing on security1, and of course rebuild your NIS maps.