Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client are considered to be unprivileged (mapped to a user such as nobody). This provides some mild protection against remote abuse of an NFS server. Root squashing is enabled by default, and should not be disabled. Ensure that no line in '/etc/exports' contains the option 'no_root_squas ...

Ensure tftp Daemon Uses Secure Mode
If running the 'tftp' service is necessary, it should be configured to change its root directory at startup. To do so, ensure '/etc/xinetd.d/tftp' includes '-s' as a command line argument, as shown in the following example (which is also the default): 'server_args = -s /var/lib/tftpboot'

Configure SNMP Service to Use Only SNMPv3 or Newer
Edit '/etc/snmp/snmpd.conf', removing any references to 'rocommunity', 'rwcommunity', or 'com2sec'. Upon doing that, restart the SNMP service: '$ sudo service snmpd restart'

Disable Web Server Configuration Display
The 'info' module creates a web page illustrating the configuration of the web server. This can create an unnecessary security leak and should be disabled. If its functionality is unnecessary, comment out the module: '#LoadModule info_module modules/mod_info.so'. If there is a critical need for this module, use the 'Location' directive to provide an access ...

Disable HTTP mod_rewrite
The 'mod_rewrite' module is very powerful and can protect against certain classes of web attacks. However, it is also very complex and has a significant history of vulnerabilities itself. If its functionality is unnecessary, comment out the related module: '#LoadModule rewrite_module modules/mod_rewrite.so'

Disable Support for RPC IPv6
RPC services for NFSv4 try to load transport modules for 'udp6' and 'tcp6' by default, even if IPv6 has been disabled in '/etc/modprobe.d'. To prevent RPC services such as 'rpc.mountd' from attempting to start IPv6 network listeners, remove or comment out the following two lines in '/etc/netconfig': udp6 tpi_clts v inet6 udp - - tcp6 ...

Disable Logwatch on Clients if a Logserver Exists
Does your site have a central logserver which has been configured to report on logs received from all systems? If so: '$ sudo rm /etc/cron.daily/0logwatch'. If no logserver exists, it will be necessary for each machine to run Logwatch individually. Using a central logserver provides the security and reliability benefits discussed earlier, and ...

Prevent Other Programs from Using Avahi's Port
To prevent other mDNS stacks from running, edit '/etc/avahi/avahi-daemon.conf' and ensure the following line appears in the '[server]' section: 'disallow-other-stacks=yes'

System Audit Logs Must Be Owned By Root
To properly set the owner of '/var/log', run the command:

Configure Logwatch SplitHosts Line
If 'SplitHosts' is set, Logwatch will separate entries by hostname. This makes the report longer but significantly more usable. If it is not set, then Logwatch will not report which host generated a given log entry, and that information is almost always necessary: 'SplitHosts = yes'



© SecPod Technologies