| Firewall Check | Status | Comment |
|---|---|---|
| Check whether csf is enabled | OK | |
| Check csf is running | OK | |
| Check whether csf is in TESTING mode | OK | |
| Check csf AUTO_UPDATES option | OK | |
| Check whether lfd is enabled | OK | |
| Check incoming MySQL port | OK | |
| Check csf LF_SSHD option | OK | |
| Check csf LF_FTPD option | OK | |
| Check csf LF_SMTPAUTH option | OK | |
| Check csf LF_POP3D option | OK | |
| Check csf LF_IMAPD option | OK | |
| Check csf LF_HTACCESS option | OK | |
| Check csf LF_MODSEC option | OK | |
| Check csf LF_DIRWATCH option | OK | |
| Check csf LF_INTEGRITY option | OK | |
| Check csf SAFECHAINUPDATE option | WARNING | This option closes a window of opportunity that opens when dynamic chain updates occur |
| **Server Check** | **Status** | **Comment** |
| Check /tmp permissions | OK | |
| Check /tmp ownership | OK | |
| Check /tmp is mounted as a filesystem | OK | |
| Check /tmp is mounted noexec,nosuid | WARNING | /tmp is not mounted with the noexec,nosuid options (currently: none). You should consider adding a mountpoint into /etc/fstab for /tmp with those options |
| Check /var/tmp permissions | OK | |
| Check /var/tmp ownership | OK | |
| Check /var/tmp is mounted as a filesystem | WARNING | /var/tmp should either be symlinked to /tmp or mounted as a filesystem |
| Check /usr/tmp permissions | OK | |
| Check /usr/tmp ownership | OK | |
| Check /usr/tmp is mounted as a filesystem or is a symlink to /tmp | OK | |
| Check /dev/shm is mounted noexec,nosuid | WARNING | /dev/shm is not mounted with the noexec,nosuid options (currently: none). You should modify the mountpoint in /etc/fstab for /dev/shm with those options and remount |
| Check server runlevel | OK | |
| Check nobody cron | OK | |
| Check Operating System support | OK | |
| Check perl version | OK | |
| Check SUPERUSER accounts | OK | |
| Check for IPv6 | OK | |
| Check for kernel logger | OK | |
| **SSH/Telnet Check** | **Status** | **Comment** |
| Check SSHv1 is disabled | OK | |
| Check SSH on non-standard port | WARNING | You should consider moving SSH to a non-standard port [currently:22] to evade basic SSH port scans. Don't forget to open the port in the firewall first! |
| Check SSH PasswordAuthentication | WARNING | For ultimate SSH security, you should consider disabling PasswordAuthentication and only allow access using PubkeyAuthentication |
| Check SSH UseDNS | WARNING | You should disable UseDNS by editing /etc/ssh/sshd_config and setting: `UseDNS no`. Otherwise, lfd will be unable to track SSHD login failures successfully as the log files will not report IP addresses |
| Check telnet port 23 is not in use | OK | |
| **Server Services Check** | **Status** | **Comment** |
| Check server startup for cups | OK | |
| Check server startup for xfs | OK | |
| Check server startup for nfslock | OK | |
| Check server startup for canna | OK | |
| Check server startup for FreeWnn | OK | |
| Check server startup for cups-config-daemon | OK | |
| Check server startup for iiim | OK | |
| Check server startup for mDNSResponder | OK | |
| Check server startup for nifd | OK | |
| Check server startup for rpcidmapd | WARNING | On most servers rpcidmapd is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: `service rpcidmapd stop`; `chkconfig rpcidmapd off` |
| Check server startup for bluetooth | WARNING | On most servers bluetooth is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: `service bluetooth stop`; `chkconfig bluetooth off` |
| Check server startup for anacron | WARNING | On most servers anacron is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: `service anacron stop`; `chkconfig anacron off` |
| Check server startup for gpm | WARNING | On most servers gpm is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: `service gpm stop`; `chkconfig gpm off` |
| Check server startup for saslauthd | OK | |
| Check server startup for avahi-daemon | OK | |
| Check server startup for avahi-dnsconfd | OK | |
| Check server startup for hidd | WARNING | On most servers hidd is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: `service hidd stop`; `chkconfig hidd off` |
| Check server startup for pcscd | WARNING | On most servers pcscd is not needed and should be stopped and disabled from starting, as it could pose a security threat. This service is currently enabled in init and can be disabled using: `service pcscd stop`; `chkconfig pcscd off` |
| Check server startup for sbadm | OK | |

Your Score: 45/58*

*This scoring does not necessarily reflect the security of your server or the relative merits of each check