Boost Linux Security: Essential Hardening Steps for RHEL 7

This guide walks through practical Linux security hardening on RHEL 7, covering account locking, password policies, SELinux activation, SSH port changes, firewall minimization, immutable system files, and other measures to elevate the system to a higher security level.

Raymond Ops

Linux System Security Hardening

Linux is a free, open‑source Unix‑like operating system, and Linux servers are widely used for their security, efficiency and stability. Without proper permission management, however, a Linux system's security can be compromised. This guide uses RHEL 7 to raise the security level through account hardening, login control, SELinux configuration and other measures.

In 1985 the US Department of Defense defined the Trusted Computer System Evaluation Criteria (TCSEC), which classifies systems into four divisions (A‑D) containing seven security levels. The levels range from D (lowest) to A (verified protection).

D – lowest security
C1 – discretionary access control (DAC)
C2 – improved DAC and auditing
B1 – mandatory access control (MAC)
B2 – structured design, formal security model
B3 – comprehensive access control, trusted recovery
A1 – formal verification

Modern operating systems typically achieve lower levels; for example Windows NT reaches only C2, while a hardened Linux system can reach B1.

Lock system accounts

System accounts are listed in /etc/passwd (view them with cat /etc/passwd). Apart from the root account, every other account is set so that it cannot log in.

Lock a user with passwd -l username. The following Bash script disables login for every non‑root account:

#!/bin/bash
# Lock the password of every account except root. passwd -l prefixes the
# hash field in /etc/shadow with "!", so the password can no longer be used.
# Run as root; the anchored pattern avoids skipping names that merely contain "root".
for user in $(cut -d ":" -f 1 /etc/passwd | grep -v "^root$"); do
        passwd -l "$user"
done

Set password aging

Adjust the password lifetime in /etc/login.defs (check the current values with cat /etc/login.defs | grep "PASS"). Example configuration:

# Password aging controls. Keep comments on their own lines: login.defs takes
# the rest of a value line as the value, so a trailing comment breaks parsing.
# PASS_MAX_DAYS   maximum days a password may be used
# PASS_MIN_DAYS   minimum days between password changes
# PASS_MIN_LEN    minimum password length
# PASS_WARN_AGE   days of warning before expiration
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    7
PASS_WARN_AGE   10
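The two steps above (locking accounts, then setting password aging) change different things: passwd -l marks the hash in /etc/shadow, while login.defs only applies to accounts created afterwards, so existing accounts keep the aging values stored in their own /etc/shadow record. The following audit script, added here as an example and not part of the original article, reads a shadow-format file and reports both conditions. It assumes the standard nine-field shadow layout and that a hash field starting with "!" or "*" means the account is locked; the sample file and its hashes are constructed.

```bash
#!/bin/bash
# Added audit helpers (not from the original article). They read a file in
# /etc/shadow format: name:hash:lastchg:min:max:warn:inactive:expire:flag
# An account counts as locked when its hash field starts with "!" or "*"
# (passwd -l prefixes "!", shipped system accounts carry "*" or "!!").

# unlocked_accounts FILE: print every non-root account whose password can
# still be used to log in.
unlocked_accounts() {
    awk -F: '$1 != "root" && $2 !~ /^[!*]/ { print $1 }' "$1"
}

# aging_violations FILE LIMIT: print "name:max" for accounts whose maximum
# password age (field 5) is unset or larger than LIMIT. Locked accounts
# are skipped because they cannot log in anyway.
aging_violations() {
    awk -F: -v limit="$2" '
        $2 ~ /^[!*]/ { next }
        $5 == "" || ($5 + 0) > (limit + 0) {
            print $1 ":" ($5 == "" ? "unset" : $5)
        }' "$1"
}

# Constructed sample so the script runs stand-alone; the hashes are fake.
# On a real host pass /etc/shadow instead (readable by root only).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$saltsalt$fakehashfakehash:19000:0:99999:7:::
bin:*:18353:0:99999:7:::
daemon:!!:18353:0:99999:7:::
lyshark:$6$saltsalt$fakehashfakehash:19000:0:90:10:::
backup:$6$saltsalt$fakehashfakehash:18900:0:99999:7:::
oldsvc:!$6$saltsalt$fakehashfakehash:18000:0:365:7:::
EOF

echo "Accounts that can still log in:"
unlocked_accounts "$SAMPLE_SHADOW"
echo "Accounts exceeding PASS_MAX_DAYS=90:"
aging_violations "$SAMPLE_SHADOW" 90
```

On the sample, lyshark and backup are still usable, and root and backup carry the 99999-day default that login.defs does not retroactively change; chage -M 90 is the per-account fix for those.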

Enforce password complexity

Modify /etc/pam.d/system-auth to include:

password    required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10

Login timeout

Set an inactivity timeout of five minutes by adding the following two lines to /etc/profile:

TMOUT=300
export TMOUT

Limit TTY login attempts

Add to /etc/pam.d/login:

auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10
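Both PAM edits above are easy to get subtly wrong (a typo in an option name is silently ignored by the module). The check script below is an added example, not part of the original article: it parses a PAM file laid out as "type control module options" and verifies the complexity line from the system-auth section and the pam_tally2 line from this one. It assumes plain control words (required, sufficient) rather than the bracketed [success=...] form, and the sample files are constructed. The module name is a parameter because RHEL 7 ships pam_pwquality.so as its default complexity module; pass that name if your system-auth uses it instead of pam_cracklib.so.

```bash
#!/bin/bash
# Added configuration checks (not part of the original article). They parse
# PAM files laid out as "type control module option..." and assume simple
# control words (required/sufficient), not the bracketed [success=...] form.

# pam_option FILE TYPE MODULE KEY: print KEY's value from the first line
# that matches TYPE and MODULE; exit 1 if the line or the key is absent.
pam_option() {
    awk -v type="$2" -v module="$3" -v key="$4" '
        /^[[:space:]]*#/ { next }
        $1 == type && $3 == module {
            for (i = 4; i <= NF; i++) {
                n = index($i, "=")
                if (n && substr($i, 1, n - 1) == key) {
                    print substr($i, n + 1); found = 1; exit
                }
            }
        }
        END { if (!found) exit 1 }' "$1"
}

# complexity_ok FILE [MODULE]: the password line must require at least one
# digit, lowercase, uppercase and other character (credit of -1 each) and a
# minimum length of 10. MODULE defaults to pam_cracklib.so; pass
# pam_pwquality.so on systems that use that module instead.
complexity_ok() {
    local file="$1" module="${2:-pam_cracklib.so}" minlen v k
    minlen=$(pam_option "$file" password "$module" minlen) || return 1
    [ "$minlen" -ge 10 ] || return 1
    for k in dcredit lcredit ucredit ocredit; do
        v=$(pam_option "$file" password "$module" "$k") || return 1
        [ "$v" -le -1 ] || return 1
    done
}

# lockout_ok FILE: pam_tally2 must lock after at most 3 failures and apply
# to root as well (even_deny_root present on the same line).
lockout_ok() {
    local deny
    deny=$(pam_option "$1" auth pam_tally2.so deny) || return 1
    [ "$deny" -le 3 ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally2\.so.*even_deny_root' "$1"
}

# Constructed sample files standing in for /etc/pam.d/system-auth (a good
# and a weak variant) and /etc/pam.d/login.
GOOD_AUTH=$(mktemp); WEAK_AUTH=$(mktemp); LOGIN_CFG=$(mktemp)
cat > "$GOOD_AUTH" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
password    required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10
password    sufficient    pam_unix.so sha512 shadow try_first_pass use_authtok
EOF
cat > "$WEAK_AUTH" <<'EOF'
password    required pam_cracklib.so try_first_pass retry=3 minlen=8
EOF
cat > "$LOGIN_CFG" <<'EOF'
auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10
auth       include      system-auth
EOF

complexity_ok "$GOOD_AUTH" && echo "system-auth sample: complexity policy present"
complexity_ok "$WEAK_AUTH" || echo "weak sample: policy missing or too lax"
lockout_ok "$LOGIN_CFG" && echo "login sample: lockout policy present"
```

Run it against the real files as root (complexity_ok /etc/pam.d/system-auth; lockout_ok /etc/pam.d/login) after editing, and again after any authconfig run, which rewrites system-auth and can drop hand-made changes.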

Change SSH port

Change the Port directive in /etc/ssh/sshd_config to a high port such as 65534 and restart the sshd service.

Disable root SSH login

Create a regular user (e.g., lyshark), grant it sudo rights, and set PermitRootLogin no in /etc/ssh/sshd_config.
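A detail worth checking after the two sshd_config edits above: sshd uses the first occurrence of a keyword, so a "PermitRootLogin no" added at the bottom of the file has no effect if an uncommented "PermitRootLogin yes" sits above it. The helper below is an added example (not part of the original article) that mirrors that first-match rule, treats keywords case-insensitively, stops at the first Match block (keywords after it are conditional), and reports an absent keyword as empty rather than guessing the compiled-in default. The sample configs are constructed.

```bash
#!/bin/bash
# Added check (not part of the original article). sshd takes the FIRST
# occurrence of a keyword in sshd_config; later duplicates are ignored.
# Keywords are case-insensitive. Parsing stops at a Match block, since
# keywords below it apply only to that block (assumption: the global
# settings we care about appear before any Match line).

# sshd_option FILE KEYWORD: print the effective global value, or nothing
# when the keyword is not set explicitly.
sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# ssh_hardened FILE: succeed only when root login is explicitly disabled
# and the daemon is explicitly moved off port 22.
ssh_hardened() {
    [ "$(sshd_option "$1" PermitRootLogin)" = "no" ] || return 1
    local port
    port=$(sshd_option "$1" Port)
    [ -n "$port" ] && [ "$port" != "22" ]
}

# Constructed samples; the second shows the first-match pitfall.
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
# hardened sshd_config excerpt
Port 6553
PermitRootLogin no
PasswordAuthentication yes
EOF
cat > "$BAD_CFG" <<'EOF'
PermitRootLogin yes
Port 22
PermitRootLogin no
EOF

ssh_hardened "$GOOD_CFG" && echo "good sample: hardened"
ssh_hardened "$BAD_CFG" || echo "bad sample: root login still permitted (first match wins)"
```

Before restarting sshd on a remote host, keep the existing session open and confirm with sshd -t that the file parses, then test a new login on the new port as the regular user.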

Login warning banner

Edit /etc/motd and /etc/issue.net to display a warning message for unauthorized access.

Restrict umask

Set umask 0777 in /etc/bashrc so newly created files have no permissions by default.

Make system binaries immutable

Apply the immutable attribute to critical directories:

chattr +i /sbin/
chattr +i /usr/sbin/
chattr +i /bin/
chattr +i /usr/lib
chattr +i /usr/lib64
chattr +i /usr/libexec

Restrict GCC compiler

Remove all permissions from the compiler binary, then assign it to a dedicated group so that only root and members of that group can run it:

chmod 000 /usr/bin/gcc
groupadd compilerGroup
chown root:compilerGroup /usr/bin/gcc
chmod 0750 /usr/bin/gcc

Protect log files

Make log files append‑only so they cannot be deleted:

chattr +a /var/log/dmesg /var/log/cron /var/log/lastlog /var/log/messages /var/log/secure /var/log/wtmp

Minimal firewall rules

Flush existing rules and allow only SSH (port 6553) and HTTP/HTTPS:

iptables -F
# Loopback and reply traffic must also be accepted, or the DROP policy breaks
# the server's own outbound connections (DNS, yum); accept rules go in first
# so a remote session survives while the chain is rebuilt
iptables -I INPUT -i lo -j ACCEPT
iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I INPUT -p tcp --dport 6553 -j ACCEPT
iptables -I INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP
# iptables-save alone only prints the rules; write them where the iptables
# service (iptables-services package) reloads them at boot
iptables-save > /etc/sysconfig/iptables
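The saved ruleset is plain text, so the "allow only SSH and HTTP/HTTPS" intent can be verified offline, for example against /etc/sysconfig/iptables on every host before a change window. The script below is an added example, not part of the original article; it parses iptables-save output and lists every TCP port accepted in INPUT that is not on an allow list. The dump it reads is constructed and deliberately contains a leftover MySQL rule.

```bash
#!/bin/bash
# Added ruleset review helper (not from the original article). It parses
# iptables-save output (the same text written to /etc/sysconfig/iptables)
# so the rule set can be checked without touching the live firewall.

# input_policy FILE: default policy of the INPUT chain in the filter table.
input_policy() {
    awk '$1 == ":INPUT" { print $2; exit }' "$1"
}

# accepted_tcp_ports FILE: TCP destination ports accepted in INPUT, one
# per line, sorted numerically.
accepted_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && $NF == "ACCEPT" {
            tcp = 0; port = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p" && $(i+1) == "tcp") tcp = 1
                if ($i == "--dport") port = $(i+1)
            }
            if (tcp && port != "") print port
        }' "$1" | sort -n
}

# unexpected_ports FILE PORT...: accepted TCP ports not in the given list.
unexpected_ports() {
    local file="$1" p; shift
    local allowed=" $* "
    for p in $(accepted_tcp_ports "$file"); do
        case "$allowed" in *" $p "*) ;; *) echo "$p" ;; esac
    done
}

# Constructed iptables-save dump: the intended rules plus a leftover MySQL
# rule that the minimal policy above does not allow. Rules inserted with
# -I appear in reverse order, as they would in a real dump.
RULES=$(mktemp)
cat > "$RULES" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6553 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
COMMIT
EOF

echo "INPUT policy: $(input_policy "$RULES")"
echo "Accepted TCP ports: $(accepted_tcp_ports "$RULES" | tr '\n' ' ')"
echo "Not in the allow list: $(unexpected_ports "$RULES" 6553 80 443 | tr '\n' ' ')"
```

On a live host, feed it the current state with iptables-save > /tmp/rules.txt and compare against the saved file; a difference means someone changed the running firewall without persisting it (or vice versa).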

Enable SELinux

Set SELINUX=enforcing in /etc/selinux/config and run setenforce 1. Then register the custom SSH port with semanage so SELinux allows sshd to bind to it:

semanage port -a -t ssh_port_t -p tcp 6553
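If the port label is missing, sshd fails to start on the new port once SELinux is enforcing, which is easy to confuse with a firewall problem. The helpers below are an added example, not part of the original article: one reads the SELINUX= value from a config file, the other checks a saved "semanage port -l" listing (semanage comes from the policycoreutils-python package on RHEL 7) for a port/protocol under a given type, handling comma-separated entries and ranges. Both input files are constructed samples.

```bash
#!/bin/bash
# Added verification helpers (not part of the original article).

# selinux_mode FILE: value of SELINUX= in an /etc/selinux/config-style file.
selinux_mode() {
    awk -F= '/^[[:space:]]*SELINUX=/ { print $2; exit }' "$1"
}

# port_labeled FILE TYPE PROTO PORT: succeed when a "semanage port -l"
# listing saved in FILE assigns PORT/PROTO to TYPE. Entries are comma
# separated and may be ranges such as 5900-5999.
port_labeled() {
    awk -v type="$2" -v proto="$3" -v port="$4" '
        $1 == type && $2 == proto {
            for (i = 3; i <= NF; i++) {
                e = $i; sub(/,$/, "", e)
                if (split(e, r, "-") == 2) { lo = r[1] + 0; hi = r[2] + 0 }
                else { lo = hi = e + 0 }
                if (port + 0 >= lo && port + 0 <= hi) { found = 1; exit }
            }
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# ssh_port_ready CONFIG PORTLIST PORT: enforcing mode and the port labeled.
ssh_port_ready() {
    [ "$(selinux_mode "$1")" = "enforcing" ] || return 1
    port_labeled "$2" ssh_port_t tcp "$3"
}

# Constructed samples standing in for /etc/selinux/config and the output
# of "semanage port -l" after the command above was run.
SE_CFG=$(mktemp); PORTS=$(mktemp)
cat > "$SE_CFG" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
cat > "$PORTS" <<'EOF'
SELinux Port Type              Proto    Port Number

http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      6553, 22
vnc_port_t                     tcp      5900-5999
EOF

ssh_port_ready "$SE_CFG" "$PORTS" 6553 && echo "sshd may bind to 6553 under enforcing mode"
ssh_port_ready "$SE_CFG" "$PORTS" 65534 || echo "65534 is not labeled ssh_port_t: run semanage port -a first"
```

On a real host: semanage port -l > /tmp/ports.txt; ssh_port_ready /etc/selinux/config /tmp/ports.txt 6553. Note that the listing reports the policy, not the running state; getenforce shows whether enforcing mode is actually active.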

Set web directory context

Assign the correct SELinux type to web files:

semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
restorecon -v /var/www/html/index.html
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: firewall, Linux, SELinux, SSH, password policy, RHEL 7, security hardening