Disable rexec Service
The 'rexec' service, which is available with the 'rsh-server' package and runs as a service through xinetd, should be disabled.
The 'rexec' service can be disabled with the following command:
'$ sudo systemctl disable rexec'
Disable HTTP Digest Authentication
The 'auth_digest' module provides encrypted authentication sessions.
If this functionality is unnecessary, comment out the related module:
'#LoadModule auth_digest_module modules/mod_auth_digest.so'
Set httpd ServerSignature Directive to Off
'ServerSignature Off' prevents 'httpd' from displaying the server version number on error pages.
Add or correct the following directive in '/etc/httpd/conf/httpd.conf':
Configure Logwatch HostLimit Line
On a central logserver, you want Logwatch to summarize all syslog entries, including those which did not originate
on the logserver itself. The 'HostLimit' setting tells Logwatch to report on all hosts, not just the one on which it
'HostLimit = no'
Disable Cache Support
The 'cache' module allows 'httpd' to cache data, optimizing access to
frequently accessed content. However, it introduces potential security flaws
such as the possibility of circumventing 'Allow' and
If this functionality is unnecessary, comment out the module:
'#LoadModule cache_module modules/mod_cache.so'
If caching is required, it should not be enable ...
Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not b ...
Set Password Hashing Algorithm in /etc/libuser.conf
In '/etc/libuser.conf', add or correct the following line in its
'[defaults]' section to ensure the system will use the SHA-512
algorithm for password hashing:
'crypt_style = sha512'