My original question was:
> I'm running OSF1 V3.2 214 in a DEC 3000/600 with 64MB ram, 5GB disk,
> CD-ROM, DAT. I need to set up a network server to run the following
> tasks:
> o Internet mail
> o Web server
> o Anonymous FTP server
> o News server (just a few groups, no alt.sex.* <8^)
> o Local network home directory share (about 20 client machines
> running Linux)
> o Export a /usr directory to the linux boxes (to save disk space
> and easy net installation of software)
> o Export home directories plus applications to Dos/Windows/Win95
> clients (the same 20 PCs not running a true operating system :-)
> using the Samba server.
> I have some questions about this:
> What are the safety risks of running NIS to share the passwords across the
> local net? Is DU's NIS able to do access control like the Linux version
> does by means of /etc/hosts.allow and /etc/hosts.deny?
I received two answers:
> From larry_at_garfield.wsc.mass.edu Mon Jan 6 16:53:26 1997
> NIS is regarded as an insecure protocol, but lots of people like me use
> it for LANs. /etc/hosts.allow and hosts.deny aren't directly in NIS,
> but you can get tcp_wrappers to implement this (available at
> ftp.win.tue.nl).
I downloaded this and started to compile/install.
> Carlos> Is there any advantage of using C2 security side by side
> Carlos> with NIS?
> Sure. You get shadow password files and extended password lengths, if
> nothing else.
> Carlos> Is the machine configuration enough for the job?
> I've used a model 600 (just upgraded from 64M to 128M) for several
> years. I'm now running v4.0 but used to use v3.2. I have e-mail, a Web
> server, and a file server to 4 DU clients. Given your extra load
> (anonymous FTP, news, extra clients) I would regard your server as
> low-end. You'll probably get by but extra RAM and disk space
> (especially for newsgroups) will help.
> Other considerations: consider installing software in a directory like
> /usr/local and exporting that (read-only if possible). Exporting /usr
> really opens up your system binaries to attack.
I will do this.
> Security is a big subject. Try to get a good reference (Practical UNIX
> & Internet Security by Garfinkel and Spafford, from O'Reilly is a good
> choice).
-----
> From Bertrand.Wallrich_at_loria.fr Mon Jan 6 16:53:34 1997 Date: Fri, 3 Jan
> I'm not sure, but it seems there is no security for ypserv until OSF 4.0
> (with /etc/yp/securenets). In this case anybody who knows the name of one
> of your NIS servers can bind to it, and take your password file, and
> try to crack it.
> The best way (without upgrading to 4.0) is to disable portmap for other
> nets, with the public domain portmap from Wietse Venema. (The source is
> available for anonymous FTP from ftp.win.tue.nl directory
> /pub/security/portmap_*.tar.gz.)
I'm downloading and installing this.
My DU machines are day by day more Linux-like...
----
Carlos Augusto Moreira dos Santos casantos_at_cpmet.ufpel.tche.br
Universidade Federal de Pelotas Telefone (0532) 23-2525
Centro de Pesquisas Meteorologicas FAX (0532) 23-4814
Pelotas, RS, Brasil http://www.cpmet.ufpel.tche.br
Received on Mon Jan 06 1997 - 18:48:51 NZDT