Bugtraq mailing list archives
Re: Replacement for NIS? (was Re: Obtaining NIS domainname from Gatorbox)
From: mouse () Collatz McRCIM McGill EDU (der Mouse)
Date: Fri, 14 Apr 1995 14:58:38 -0400
I keep hearing people say this ["it's insecure"] about NIS.
Have a firewall block the ports NIS is using
The trouble is, this changes from each boot to the next, and changes from host to host. When the daemon starts up, it picks a port randomly (well, actually, the kernel picks it at the daemon's request) and registers it with the portmapper. The router thus would have to constantly do GETPORT queries to be sure of blocking the correct port. I don't know of any commercial router box that can do this, and doubt one exists; if you're rolling your own firewall on an OS you have source to, anything is possible. Alternatively, you could have it do something like keep an open TCP connection to every host (say, to the discard port) with keepalives on. When a machine reboots, the keepalives will kill this connection and the firewall will notice and realize it needs to redo the GETPORT query for that machine. Of course, it may not notice quite soon enough; perhaps you should connect to the echo port, and write a byte and wait for it to come back before forwarding a packet.
and make sure the router is programmed not to allow NIS packets through an outside line.
The problem here is telling which packets are NIS packets.
Then the questions come, what ports do I block? On one setup, I already block the ports for sunrpc. Is that enough?
Not if you mean just port 111, as was discussed here quite recently. It's far too easy for the attacker to just fire queries at a couple of thousand ports to find the one NIS is listening on.
der Mouse
mouse () collatz mcrcim mcgill edu
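The GETPORT lookup the message describes, as an added example that is not part of the original post: it encodes the portmapper query for the NIS server program and parses the reply, so a home-built filter can learn which port to block for a given host and notice when it changes after a reboot. The `PortTable` class and the sample reply bytes are constructed for illustration; the program and procedure numbers are the standard ONC RPC assignments.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3
YPSERV_PROG, YPSERV_VERS = 100004, 2      # NIS server RPC program
IPPROTO_UDP = 17
CALL, REPLY, MSG_ACCEPTED, SUCCESS = 0, 1, 0, 0
# Constructed sample: an accepted reply to xid 0x1234 reporting port 733.
SAMPLE_REPLY = struct.pack(">7I", 0x1234, REPLY, MSG_ACCEPTED, 0, 0, SUCCESS, 733)


def build_getport(xid, prog=YPSERV_PROG, vers=YPSERV_VERS, proto=IPPROTO_UDP):
    """XDR-encode an ONC RPC call to the portmapper's GETPORT procedure."""
    header = struct.pack(">6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
    auth_none = struct.pack(">2I", 0, 0)             # AUTH_NONE, zero-length body
    args = struct.pack(">4I", prog, vers, proto, 0)  # port field unused in a query
    return header + auth_none * 2 + args             # credentials, then verifier


def parse_getport_reply(data, expected_xid):
    """Return the registered port, or None if unregistered or reply unusable."""
    if len(data) < 28:
        return None
    xid, mtype, reply_stat, _vflavor, vlen = struct.unpack(">5I", data[:20])
    if xid != expected_xid or mtype != REPLY or reply_stat != MSG_ACCEPTED:
        return None
    off = 20 + ((vlen + 3) & ~3)                     # skip padded verifier body
    if len(data) < off + 8:
        return None
    accept_stat, port = struct.unpack(">2I", data[off:off + 8])
    if accept_stat != SUCCESS or not 0 < port < 65536:
        return None                                  # port 0 means not registered
    return port


class PortTable:
    """Hypothetical per-host cache a filter would consult for its block rule."""

    def __init__(self):
        self.ports = {}

    def update(self, host, reply, xid):
        port = parse_getport_reply(reply, xid)
        changed = self.ports.get(host) != port
        self.ports[host] = port
        return changed                               # True: rewrite the rule


if __name__ == "__main__":
    print(len(build_getport(0x1234)), parse_getport_reply(SAMPLE_REPLY, 0x1234))
```

The table only helps if it is refreshed whenever a host reboots, which is the timing problem the message raises with the keepalive and echo-port ideas.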