Use Root-Squashing on All Exports
If a filesystem is exported using root squashing, requests from root on the client
are considered to be unprivileged (mapped to a user such as nobody). This provides some mild
protection against remote abuse of an NFS server. Root squashing is enabled by default, and
should not be disabled.
Ensure that no line in '/etc/exports' contains the option 'no_root_squas ...
Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not b ...
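An added example (not part of the original guide) that checks both NFS rules above: it scans an exports file for 'no_root_squash' and for 'insecure', the exports(5) option that lifts the privileged-port requirement. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an NFS exports file for options that weaken the defaults.
#   no_root_squash  client root is treated as root on the server
#   insecure        requests from source ports >= 1024 are accepted
# Simplification (assumption): export paths do not contain quoted spaces.

audit_exports() {
    # Prints "file:line: path client option" for each finding.
    # Returns 0 if clean, 1 if anything was found, 2 if the file is unreadable.
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v file="$1" '
        { sub(/#.*/, "") }                                  # strip comments
        /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }  # join continuations
        {
            $0 = buf $0; buf = ""                           # re-split the joined entry
            for (i = 2; i <= NF; i++) {
                if (match($i, /\(.*\)$/)) {                 # client(opt,opt,...)
                    client = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                    if (client == "") client = "(any)"      # bare "(opts)" applies to everyone
                } else if ($i ~ /^-/) {                     # -opt,opt default options
                    client = "(default)"; opts = substr($i, 2)
                } else continue                             # client with no option list
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    if (o[j] == "no_root_squash" || o[j] == "insecure") {
                        printf "%s:%d: %s %s %s\n", file, NR, $1, client, o[j]
                        found = 1
                    }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample input, not taken from a real host.
sample_exports() {
    cat <<'EOF'
# constructed sample
/srv/home    192.0.2.0/24(rw,sync)
/srv/build   build1.example.com(rw,no_root_squash) \
             192.0.2.50(ro,insecure)
/srv/pub     *(ro)
EOF
}

# Usage: sh audit_exports.sh /etc/exports   (exit status 1 means findings)
if [ "$#" -gt 0 ]; then
    audit_exports "$1"
fi
```

For a continued entry the reported line number is the last physical line of that entry.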
Disable GNOME3 Automounting
The system's default desktop environment, GNOME3, will mount
devices and removable media (such as DVDs, CDs and USB flash drives) whenever
they are inserted into the system. To disable automount and autorun within GNOME3,
the 'automount', 'automount-open', and 'autorun-never' settings must be set
in the appropriate configuration file(s) in the '/etc/dconf/db/local.d ...
Disable Zone Transfers from the Nameserver
Is it necessary for a secondary nameserver to receive zone data
via zone transfer from the primary server? If not, follow the instructions in
this section. If so, see the next section for instructions on protecting zone
transfers.
Add or correct the following directive within '/etc/named.conf':
options {
    allow-transfer { none; };
    ...
};
Authenticate Zone Transfers
If it is necessary for a secondary nameserver to receive zone data
via zone transfer from the primary server, follow the instructions here. Use
dnssec-keygen to create a symmetric key file in the current directory:
$ cd /tmp
$ sudo dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dns.example.com
Kdns.example.com.+aaa+iiiii
This output is the name of a file containing the ne ...
Disable Dynamic Updates
Is there a mission-critical reason to enable the risky dynamic
update functionality? If not, edit '/etc/named.conf'. For each zone
specification, correct the following directive if necessary:
zone "example.com" IN {
    allow-update { none; };
    ...
};
Install vsftpd Package
If this machine must operate as an FTP server, install the 'vsftpd' package via the standard channels.
'$ sudo yum install vsftpd'
Place the FTP Home Directory on its Own Partition
By default, the anonymous FTP root is the home directory of the FTP user account. The df command can
be used to verify that this directory is on its own partition.