The Name Service Switch (NSS) tells your system where to look to find the mapping of names to other information, such as machine addresses, service port numbers, and so on. It is configured by the file /etc/nsswitch.conf. This file consists of lines of text. The # symbol denotes a comment, and everything after it is ignored. Each entry consists of a database name followed by a colon, then a space-separated list of sources (places to find the information). Order is important, as the sources are consulted in the order listed. A bracketed action such as [NOTFOUND=return] may follow a source; it applies to the source immediately before it and tells the switch whether to stop or go on to the next source when that source returns the named status.
Here are some sample entries from /etc/nsswitch.conf:
passwd:     files
shadow:     files
group:      files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
If you're not running in an NIS/NIS+ environment, then the references to NIS should be removed. Probably the most commonly referenced entry is the hosts line. Our example line tells the system to look in files, then use the domain name service. So the system's resolver will first look in /etc/hosts, then use the name server listed in /etc/resolv.conf to find a host. Since we're not in an NIS+ environment, we wouldn't want the system to use a network information server to resolve hostnames (any NIS server on our network would be a hostile machine!). Files come before DNS because we want the ability to force a hostname to a particular IP address in /etc/hosts, for several reasons. We can blackhole a malicious machine by setting its address to the loopback address, make and test changes on a per-system basis, and override a DNS response if the DNS cache has been poisoned, the server has been compromised, or the server is down. Note that this only covers names actually listed in /etc/hosts; any other name still goes straight to DNS, so it requires keeping /etc/hosts up to date. If we switch the order, DNS answers are used first and the /etc/hosts file second, which gives us a fallback if DNS is down but does not protect against the other issues raised.
You can simply delete the word nisplus from every entry where it's found to batten down the system. Remove any bracketed action that follows it as well, since [NOTFOUND=return] belongs to the nisplus source before it and would otherwise be left dangling, and point an entry that is left empty (such as netgroup or publickey above) at files rather than leaving it blank. Removing NIS from the equation not only makes it more difficult for an attacker to redirect such services, but also removes a lot of potentially buggy library code from the execution path of the system.
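The following script is an added example, not code from the original text. It parses the nsswitch.conf format described above (including the bracketed [STATUS=action] syntax), reports which databases still consult NIS/NIS+, checks that hosts consults files before dns, rewrites the file with NIS sources stripped the way the paragraph above describes, and simulates the resolver walking the hosts sources in order so that the files-before-dns argument can be seen on concrete data. The sample configuration, the hostnames and the addresses are constructed for this example (203.0.113.0/24 is a documentation range); pointing an emptied entry at files is a choice made here, not a rule from the page.

```python
"""Audit, harden and simulate an nsswitch.conf (added example, constructed data)."""
import re

# Constructed sample, modelled on the entries quoted in the text.
SAMPLE_NSSWITCH = """\
# sample nsswitch.conf (constructed)
passwd:     files
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
services:   files
netgroup:   nisplus
publickey:  nisplus
automount:  files nisplus
aliases:    files nisplus
"""

NIS_SOURCES = {"nis", "nisplus"}
# A token is a bracketed action list (may contain spaces) or a bare source word.
TOKEN_RE = re.compile(r"\[[^\]]*\]|\S+")


def parse_sources(rest):
    """'nisplus [NOTFOUND=return] files' -> [('nisplus', {'NOTFOUND': 'return'}), ('files', {})]."""
    sources = []
    for tok in TOKEN_RE.findall(rest):
        if tok.startswith("["):
            if not sources:
                raise ValueError(f"action {tok} has no preceding source")
            for spec in tok[1:-1].split():          # action applies to the source before it
                status, _, action = spec.partition("=")
                sources[-1][1][status.upper()] = action.lower()
        else:
            sources.append((tok.lower(), {}))
    return sources


def format_sources(sources):
    parts = []
    for src, actions in sources:
        parts.append(src)
        if actions:
            parts.append("[" + " ".join(f"{k}={v}" for k, v in actions.items()) + "]")
    return " ".join(parts)


def parse_nsswitch(text):
    """Map each database name to its ordered source list; '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        db, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"malformed entry: {raw!r}")
        entries[db.strip()] = parse_sources(rest)
    return entries


def nis_references(entries):
    """Databases that still consult NIS/NIS+, with the offending sources."""
    return {db: [s for s, _ in srcs if s in NIS_SOURCES]
            for db, srcs in entries.items() if any(s in NIS_SOURCES for s, _ in srcs)}


def hosts_order_ok(entries):
    """True when hosts lists files before dns, so /etc/hosts can override a DNS answer."""
    order = [s for s, _ in entries.get("hosts", [])]
    return "files" in order and "dns" in order and order.index("files") < order.index("dns")


def strip_nis(text, fallback="files"):
    """Rewrite the file without NIS/NIS+ sources; a source's action list goes with it.

    An entry emptied by the removal is pointed at `fallback` (a choice made in this
    example so the intent is explicit rather than left to the library default).
    """
    out = []
    for raw in text.splitlines():
        code, hash_, comment = raw.partition("#")
        if ":" not in code:                      # comment-only or blank line: keep as-is
            out.append(raw)
            continue
        db, _, rest = code.partition(":")
        kept = [(s, a) for s, a in parse_sources(rest) if s not in NIS_SOURCES] or [(fallback, {})]
        out.append(f"{db.strip()}: {format_sources(kept)}" + (f" {hash_}{comment}" if hash_ else ""))
    return "\n".join(out) + "\n"


def resolve_host(entries, name, files_db, dns_db):
    """Walk the hosts sources in configured order, honouring [STATUS=action].

    files_db and dns_db are dicts standing in for /etc/hosts and the name server; a
    source not modelled here (e.g. nisplus) reports UNAVAIL. Defaults follow the usual
    switch semantics: SUCCESS returns, any other status continues to the next source.
    """
    backends = {"files": files_db, "dns": dns_db}
    for src, actions in entries.get("hosts", []):
        if src in backends:
            result = backends[src].get(name)
            status = "SUCCESS" if result is not None else "NOTFOUND"
        else:
            result, status = None, "UNAVAIL"
        if actions.get(status, "return" if status == "SUCCESS" else "continue") == "return":
            return result
    return None


if __name__ == "__main__":
    conf = parse_nsswitch(SAMPLE_NSSWITCH)
    print("NIS references:", nis_references(conf))
    print("hosts files-before-dns:", hosts_order_ok(conf))
    hosts_file = {"evil.example": "127.0.0.1"}                      # blackholed locally
    dns = {"evil.example": "203.0.113.5", "www.example": "203.0.113.10"}
    print("files dns ->", resolve_host(conf, "evil.example", hosts_file, dns))
    print("dns files ->", resolve_host(parse_nsswitch("hosts: dns files"), "evil.example", hosts_file, dns))
    print(strip_nis(SAMPLE_NSSWITCH))
```

Run against a real /etc/nsswitch.conf by reading the file into parse_nsswitch; the resolver simulation is deliberately not wired to the live resolver, so the ordering effect can be checked without changing the system. The same walk shows why a stale /etc/hosts entry is as dangerous as a poisoned cache: with files first, whatever is in the file wins for that name.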
If you are in an NIS/NIS+ environment, then you should decide which resources you want to get from the NIS server, and remove the dependencies from the other entries.