Disable Server Side Includes
Server Side Includes provide a method of dynamically generating web pages through the
insertion of server-side code. However, the technology is also deprecated and
introduces significant security concerns.
If this functionality is unnecessary, comment out the related module:
'#LoadModule include_module modules/mod_include.so'
If there is a critical need for Server Sid ...

Disable Ctrl-Alt-Del Reboot Activation
By default, the system includes the following line in
to reboot the system when the Ctrl-Alt-Del key sequence is pressed:
'exec /sbin/shutdown -r now "Control-Alt-Delete pressed"'
To configure the system to log a message instead of
rebooting the system, alter that line to read as follows:
'exec /usr/bin/logger -p security ...

Configure statd to use static port
Configure the 'statd' daemon to use a static port as
opposed to letting the RPC Bind service dynamically assign a port. Edit the
file '/etc/sysconfig/nfs'. Add or correct the following line:
Where 'statd-port' is a port which is not used by any other service on your network.

Disable WebDAV (Distributed Authoring and Versioning)
WebDAV is an extension of the HTTP protocol that provides distributed and
collaborative access to web content. If its functionality is unnecessary,
comment out the related modules:
'#LoadModule dav_module modules/mod_dav.so'
'#LoadModule dav_fs_module modules/mod_dav_fs.so'
If there is a critical need for WebDAV, extra care should be taken in its ...

Specify a Remote NTP Server
To specify a remote NTP server for time synchronization, edit
the file '/etc/ntp.conf'. Add or correct the following lines,
substituting the IP or hostname of a remote NTP server for

Specify Additional Remote NTP Servers
Additional NTP servers can be specified for time synchronization
in the file '/etc/ntp.conf'. To do so, add additional lines of the
following form, substituting the IP address or hostname of a remote NTP server for

Restrict NFS Clients to Privileged Ports
By default, the server NFS implementation requires that all client requests be made
from ports less than 1024. If your organization has control over machines connected to its
network, and if NFS requests are prohibited at the border firewall, this offers some protection
against malicious requests from unprivileged users. Therefore, the default should not b ...