How can we secure NIS on the Exalogic? See our insights

Published on: Category: Oracle

I’ve been visiting plenty of customers who use NFSv4 to expose their middleware shares, usually with NIS supplying the user and group identities. Oracle also recommends NIS for Exalogic deployments, and we know this service lacks security. But there are a few things we can do to avoid the most common problems and make it safer. In this blog I’ll tell you more about it!

The NIS server is comprised of several applications. They include the following:

  • /usr/sbin/rpc.yppasswdd — Also called the yppasswdd service, this daemon allows users to change their NIS passwords.
  • /usr/sbin/rpc.ypxfrd — Also called the ypxfrd service, this daemon is responsible for NIS map transfers over the network.
  • /usr/sbin/yppush — This application propagates changed NIS databases to multiple NIS servers.
  • /usr/sbin/ypserv — This is the NIS server daemon.

NIS is rather insecure by today’s standards. It has no host authentication mechanisms and passes all of its information over the network unencrypted, including password hashes. As a result, extreme care must be taken to set up a network that uses NIS. Further complicating the situation, the default configuration of NIS is inherently insecure.

Steps to avoid common security problems

  • Edit the /var/yp/securenets file
    ypserv answers requests from every network if /var/yp/securenets is empty or does not exist (which is the state after a default installation). One of the first things to do is to populate this file with the netmask/network pair of the Exalogic InfiniBand fabric, so that ypserv only responds to requests arriving from the InfiniBand network. Each line is a netmask followed by a network address, for example 255.255.255.0 192.168.10.0 (an illustrative pair; use your own IB subnet), and ypserv has to be restarted to pick up the change. Keep in mind that this is source-address filtering, not authentication: anything that can reach the IB fabric can still talk to ypserv.
  • Assign static ports and use iptables rules
    All of the NIS server daemons can be bound to specific ports except rpc.yppasswdd, the daemon that lets users change their login passwords. Pinning the other two daemons, rpc.ypxfrd and ypserv, to fixed ports makes it possible to write firewall rules that protect them from intruders, instead of having to leave open the random ports rpcbind would otherwise hand out. To do this, add the following lines to /etc/sysconfig/network (834 and 835 are just examples; any free port will do) and restart the ypserv and ypxfrd services:
    YPSERV_ARGS="-p 834"
    YPXFRD_ARGS="-p 835"

Tip: With the ports fixed, you can write iptables rules that accept rpcbind (111/tcp and 111/udp) and the two chosen ports only from the InfiniBand subnet and drop the same ports from everywhere else. Without fixed ports you would have to open a wide range, because rpcbind assigns the daemons a different port on every start.

  • Restrict some client commands to root only
    Removing execute permission for non-root users from the NIS query tools in /usr/bin (for example chmod 700 /usr/bin/ypcat) stops ordinary users on the host from dumping maps such as passwd, hashes included:
    [oracle@Myserver01 ~]$ ypcat hosts
    -bash: /usr/bin/ypcat: Permission denied
    [oracle@Myserver01 ~]$ /usr/bin/ypcat hosts
    -bash: /usr/bin/ypcat: Permission denied
    This only deters casual local users; anyone who can reach ypserv over the network can still pull the maps with their own copy of the tools, which is why the securenets and firewall steps above matter more.
  • Change the password policy

      – Lock the account for 600 seconds (10 minutes) after 5 consecutive incorrect login attempts by any NIS user.
      – Minimum password length of 10 characters for NIS users.
      – Minimum of 1 lower case in password for NIS users.
      – Minimum of 1 upper case in password for NIS users.
      – Minimum of 1 numeric digit in password for NIS users.
      – Minimum of 1 special character in password for NIS users.
      – Fail password change attempt if 3 or more characters in new password are present in old password.
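Tying the first two steps together, here is an added audit script (example code written for this page, not Oracle's or the author's tooling). It checks that /var/yp/securenets is non-empty, carries no wildcard pair and lists the InfiniBand network, that YPSERV_ARGS and YPXFRD_ARGS in /etc/sysconfig/network pin their ports, and then prints the iptables rules that match the tip above. The subnet 192.168.10.0/24 and the ports 834/835 used in the demo are constructed values; substitute your own.

```shell
#!/bin/sh
# Added audit helper for the securenets / fixed-port / iptables steps above.
# Example code written for this page, not Oracle's or the post author's script.
# Assumes RHEL/OEL-style files (/var/yp/securenets, /etc/sysconfig/network) whose
# paths the caller passes in; the demo values at the bottom are constructed.

# check_securenets FILE NETWORK
# Succeeds only if FILE exists and is non-empty (otherwise ypserv answers every
# network), contains no "0.0.0.0 0.0.0.0" wildcard pair (which also matches any
# source address), and lists NETWORK as a "netmask network" pair.
check_securenets() {
    file=$1
    net=$2
    if [ ! -s "$file" ]; then
        echo "securenets: $file missing or empty -> ypserv answers all networks" >&2
        return 1
    fi
    if grep -Eq '^[[:space:]]*0\.0\.0\.0[[:space:]]+0\.0\.0\.0' "$file"; then
        echo "securenets: wildcard 0.0.0.0 0.0.0.0 entry present" >&2
        return 1
    fi
    # escape the dots so 192.168.10.0 does not also match 192x168x10x0
    esc=$(printf '%s' "$net" | sed 's/\./\\./g')
    if ! grep -Eq "^[[:space:]]*[0-9.]+[[:space:]]+$esc([[:space:]]|\$)" "$file"; then
        echo "securenets: no entry for $net" >&2
        return 1
    fi
    return 0
}

# fixed_port VAR FILE
# Prints the port N from a line VAR="-p N" in FILE; prints nothing if VAR is unset.
fixed_port() {
    sed -n "s/^$1=\"\{0,1\}-p[[:space:]]*\([0-9]\{1,5\}\).*/\1/p" "$2"
}

# nis_iptables_rules CIDR PORT...
# Prints iptables commands that accept rpcbind (111) and each fixed NIS port only
# from CIDR (the InfiniBand subnet) and drop the same ports from everywhere else.
# Each ACCEPT precedes its DROP, so the first-match semantics of iptables hold.
nis_iptables_rules() {
    cidr=$1
    shift
    for port in 111 "$@"; do
        for proto in tcp udp; do
            echo "iptables -A INPUT -s $cidr -p $proto --dport $port -j ACCEPT"
            echo "iptables -A INPUT -p $proto --dport $port -j DROP"
        done
    done
}

# audit_nis_server IB_NETWORK SECURENETS_FILE SYSCONFIG_FILE
# Returns 0 only when securenets is restricted and both daemons have pinned ports.
audit_nis_server() {
    ibnet=$1
    securenets=$2
    sysconfig=$3
    rc=0
    check_securenets "$securenets" "$ibnet" || rc=1
    for var in YPSERV_ARGS YPXFRD_ARGS; do
        if [ -z "$(fixed_port "$var" "$sysconfig")" ]; then
            echo "$var has no -p <port>: daemon will get a random rpcbind port" >&2
            rc=1
        fi
    done
    return $rc
}

# Demo on constructed sample files (not taken from a real Exalogic).
demo_dir=$(mktemp -d)
printf '255.255.255.0 192.168.10.0\n' > "$demo_dir/securenets"
printf 'NETWORKING=yes\nYPSERV_ARGS="-p 834"\nYPXFRD_ARGS="-p 835"\n' > "$demo_dir/network"
if audit_nis_server 192.168.10.0 "$demo_dir/securenets" "$demo_dir/network"; then
    echo "NIS server configuration: OK, suggested iptables rules:"
    nis_iptables_rules 192.168.10.0/24 \
        "$(fixed_port YPSERV_ARGS "$demo_dir/network")" \
        "$(fixed_port YPXFRD_ARGS "$demo_dir/network")"
fi
rm -rf "$demo_dir"
```

Run it as root on the NIS master with the real file paths, or point the functions at copies pulled from the compute nodes to review them offline; the printed rules are meant to be inspected before being added to the running iptables policy.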

Conclusion

The objective of this article was not to compare the authentication methods available for Exalogic, but to enhance the security of your environment if you are already working with NIS.

The measures above have been used by administrators for a long time. Although NIS is not the safest service, it is still fast and performs well for the user and group lookups NFS relies on, especially in I/O-heavy environments.

About the author Marcello Morettoni

Marcello Morettoni is an Oracle Fusion Middleware Consultant.
