Security tips for running RT3 0 Protect your RT installation by making it only accessible via SSL 1 Be sure to change the password for the root user of RT. The default password is "password". This can be changed via the RT web interface at: Preferences > About me 2 Be sure to protect your RT_SiteConfig.pm file if it contains database credentials or other sensitive information. This file only needs to be readable by RT and your web server. One way to accomplish this is to make the file readable only by root and the group that RT runs as, and then make sure your web server is a member of that group. Advanced configuration may be required if other users have the ability to run CGIs or access the server where RT is running. Otherwise, those users may have access to become RT superusers. 3 Be sure to protect your database. If it does not need to talk to the world, then don't allow it to listen for remote connections. With MySQL this can be accomplished via "skip-networking". If you use your database for other things and must allow remote connections, be sure to use a strong, hard to guess password for RT. 4 Apache, lighttpd, and most other web servers support name based virtual hosts. When possible, configure RT as a name based virtual host to raise the bar against DNS rebinding attacks. Note: If when you visit http://your.servers.ipaddress.here you see RT, it means you are not likely getting this additional protection.