Boost Linux Server Security: Practical Hardening Steps for RHEL7

This guide walks through a Linux hardening checklist for RHEL7: locking unused accounts, password aging and complexity, moving and restricting SSH, login banners, a restrictive umask, file attributes on binaries and logs, a minimal iptables ruleset, and enforcing SELinux, with the aim of approaching the feature set of a TCSEC B1 (mandatory access control) system.

Raymond Ops

Linux is a free, open-source Unix-like operating system widely used for servers, but its security depends on how permissions, services and access controls are configured, not on the kernel alone.

The U.S. Department of Defense's Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book", published 1983 and revised 1985) defined seven classes from D to A1. Most general-purpose operating systems that were evaluated reached C2; a Linux system with SELinux enforcing and auditing enabled provides the mandatory access control that characterises B1. TCSEC was later retired in favour of the Common Criteria, so "B1" in this guide describes a feature set, not a certification.

D – lowest security

C1 – discretionary access control

C2 – improved DAC and auditing

B1 – mandatory access control (MAC)

B2 – structured design, formal security model

B3 – comprehensive access control, trusted recovery

A1 – formal verification

Lock System Accounts

Accounts are listed in /etc/passwd. The original script locks the password of every account except root; exclude the administrative account you create later (lyshark below), or you lock yourself out. passwd -l prefixes the hash in /etc/shadow with "!" (undo with passwd -u); it does not remove the login shell, so pair it with usermod -s /sbin/nologin for accounts that should never get a shell.

#!/bin/bash
# Lock every account except root and the admin account.
ADMIN=lyshark
for user in $(cut -d ":" -f 1 /etc/passwd | grep -v -x -e root -e "$ADMIN"); do
    passwd -l "$user"
done
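A safer way to decide what to lock, as an added example that is not part of the original article: the audit below reads passwd- and shadow-format files (paths are parameters so it can run against copies), treats a UID below UID_MIN as a system account, and emits the passwd -l / usermod commands for review instead of running them. The UID_MIN default of 1000, the function names and the account names in the usage comment are assumptions of this example.

```bash
#!/bin/bash
# Audit helper: which system accounts still need locking?
# Running "passwd -l" on every non-root account also locks the administrator,
# so select targets instead: UID below UID_MIN (1000 on RHEL7, /etc/login.defs),
# not root, and either an unlocked/empty password or an interactive shell.
# Output: one line per account, "name uid shell state".
unlocked_system_accounts() {
    local passwd_file=$1 shadow_file=$2 uid_min=${3:-1000}
    awk -F: -v uid_min="$uid_min" '
        # First file (shadow): remember the password field per user.
        NR == FNR { hash[$1] = $2; next }
        # Second file (passwd): $1 name, $3 uid, $7 shell. Skip root and humans.
        $1 == "root" || $3 + 0 >= uid_min + 0 { next }
        {
            h = ($1 in hash) ? hash[$1] : ""
            # "!" or "*" prefix = password login impossible; empty = passwordless
            state = (h ~ /^[!*]/) ? "locked" : (h == "" ? "EMPTY" : "active")
            # A locked hash with a real shell can still be entered with
            # "su - name" from root or by a compromised service; flag it too.
            if (state != "locked" || $7 !~ /\/(nologin|false)$/)
                print $1, $3, $7, state
        }
    ' "$shadow_file" "$passwd_file"
}

# Turn the audit into the commands an administrator would run:
# passwd -l locks the hash, usermod -s removes the interactive shell.
lock_system_accounts_cmds() {
    unlocked_system_accounts "$@" | while read -r name uid shell state; do
        [ "$state" = locked ] || printf 'passwd -l %s\n' "$name"
        case $shell in
            */nologin|*/false) ;;
            *) printf 'usermod -s /sbin/nologin %s\n' "$name" ;;
        esac
    done
}

# Usage on a live host (review the output before piping it to sh):
#   lock_system_accounts_cmds /etc/passwd /etc/shadow
```

Review the generated commands before executing them; some service accounts (database owners, for example) are deliberately left with a shell so administrators can su into them.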

Set Password Aging

Check the current values with grep "^PASS" /etc/login.defs and edit /etc/login.defs. These defaults are copied into /etc/shadow only when an account is created; existing accounts keep their old values and must be updated with chage (for example chage -M 90 -W 10 user). PASS_MIN_LEN is honoured only by a non-PAM passwd; on RHEL7 the length check comes from pam_pwquality (next section).

# Password aging controls:
PASS_MAX_DAYS   90   # maximum days a password may be used
PASS_MIN_DAYS   0    # minimum days between password changes
PASS_MIN_LEN    7    # minimum acceptable password length (ignored under PAM)
PASS_WARN_AGE   10   # days of warning before expiration
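Because login.defs only affects new accounts, the following added example (mine, not from the original article) sweeps an existing shadow-format file and prints the chage commands needed to bring every account that actually has a password hash to PASS_MAX_DAYS=90 and PASS_WARN_AGE=10. The function name and its parameters are assumptions of this example.

```bash
#!/bin/bash
# PASS_MAX_DAYS / PASS_WARN_AGE in /etc/login.defs are copied into /etc/shadow
# only when an account is created, so existing accounts keep their old values.
# This sweep reads a shadow file and prints the chage commands that bring
# every account with a real password hash in line with the policy.
# shadow fields: 1 name, 2 hash, 3 last change, 4 min, 5 max, 6 warn
password_aging_fixups() {
    local shadow_file=$1 max_days=${2:-90} warn_days=${3:-10}
    awk -F: -v max="$max_days" -v warn="$warn_days" '
        # Locked ("!" or "*") or empty password: aging does not apply here
        # (empty passwords are handled by the account-locking step, not by chage).
        $2 == "" || $2 ~ /^[!*]/ { next }
        # Unset or too long maximum age
        $5 == "" || $5 + 0 > max + 0 { printf "chage -M %d %s\n", max, $1 }
        # Unset or too short warning period
        $6 == "" || $6 + 0 < warn + 0 { printf "chage -W %d %s\n", warn, $1 }
    ' "$shadow_file"
}

# Usage on a live host (run as root, review the output, then pipe it to sh):
#   password_aging_fixups /etc/shadow 90 10
```

Locked and starred entries are skipped on purpose: forcing aging on a service account that can never log in with a password only produces noise in chage -l.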

Enforce Password Complexity

RHEL7 checks password quality with pam_pwquality (pam_cracklib is the older module; the credit options are the same). /etc/pam.d/system-auth is regenerated by authconfig, so the durable place for these settings is /etc/security/pwquality.conf (minlen = 10, dcredit = -1, and so on). The equivalent module line, if you edit the PAM file directly, is:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1

A negative credit means "at least one character of this class"; minlen is the floor after credits are applied. root is not subject to these checks unless enforce_for_root is added.

Idle Session Timeout

Log out idle bash sessions after 300 seconds by setting TMOUT in /etc/profile. Mark it read-only so users cannot unset it in their own shell:

TMOUT=300
readonly TMOUT
export TMOUT

Restrict TTY Login Attempts

Add pam_tally2 to /etc/pam.d/login to deny after three failures. The original line used lock_time=300, which denies for 300 seconds after every single failed attempt regardless of deny=; unlock_time=300 gives the intended "lock for five minutes after three failures". The account line is needed so the counter resets on a successful login:

auth     required  pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
account  required  pam_tally2.so

/etc/pam.d/login covers console logins only; add the same lines to /etc/pam.d/sshd (or password-auth) to cover SSH. Inspect or reset a locked user with pam_tally2 -u user and pam_tally2 -u user -r. RHEL7 also ships pam_faillock (authconfig --enablefaillock) as the supported equivalent.

Change SSH Port

Moving sshd off port 22 mainly cuts automated scanner noise; it is not access control. Edit /etc/ssh/sshd_config (keyword and value separated by whitespace; sshd uses the first occurrence of a directive), register the port with SELinux first (see Allow SSH Port in SELinux below), validate the file with sshd -t, then systemctl restart sshd. Keep the current session open and verify a fresh login on the new port before closing it. MaxAuthTries limits authentication attempts per connection:

Port 65534
MaxAuthTries 3

Disable Root SSH Login

Create a regular user (useradd lyshark; passwd lyshark), grant sudo rights by adding it to the wheel group (usermod -aG wheel lyshark; wheel is enabled in RHEL7's default /etc/sudoers), confirm sudo works in a fresh session, then set PermitRootLogin no in /etc/ssh/sshd_config and restart SSH.
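Putting the SSH steps together, the added script below (mine, not the original author's) edits sshd_config idempotently. That matters because sshd honours the first occurrence of a directive, so appending "Port 65534" below an existing "Port 22" silently does nothing, and because a Match block at the end of the file scopes anything appended after it. The function names, the SSHD_HARDEN_APPLY switch and the backup-file naming are assumptions of this example; the semanage command is the one the guide uses later.

```bash
#!/bin/bash
# Idempotent sshd_config editing: sshd honours the FIRST occurrence of a
# directive, so naively appending "Port 65534" below an existing "Port 22"
# silently does nothing.  set_sshd_option replaces the first active or
# commented-out line for KEY, drops later duplicates, leaves "Match" blocks
# alone, and otherwise inserts the directive before the first Match block
# (directives after "Match" only apply inside that block).
set_sshd_option() {
    local file=$1 key=$2 value=$3
    awk -v key="$key" -v val="$value" '
        BEGIN { re = "^[ \t]*#?[ \t]*" key "([ \t]+|=)"; done = 0; in_match = 0 }
        /^[ \t]*Match[ \t]/ { if (!done) { print key " " val; done = 1 }; in_match = 1 }
        in_match { print; next }
        $0 ~ re  { if (!done) { print key " " val; done = 1 }; next }
        { print }
        END { if (!done) print key " " val }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The three directives this guide changes.  Defaults target the real file;
# a different path is accepted so the function can be exercised on a copy.
harden_sshd() {
    local cfg=${1:-/etc/ssh/sshd_config} port=${2:-65534}
    set_sshd_option "$cfg" Port "$port"
    set_sshd_option "$cfg" MaxAuthTries 3
    set_sshd_option "$cfg" PermitRootLogin no
}

# Live application (root, RHEL7).  Order matters: SELinux must know the port
# before sshd restarts, and sshd -t must pass before the restart, or the
# daemon fails to start and the remote session you are in is the last one.
if [ "${SSHD_HARDEN_APPLY:-0}" = 1 ]; then
    port=65534
    cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%s)"
    semanage port -a -t ssh_port_t -p tcp "$port"
    harden_sshd /etc/ssh/sshd_config "$port"
    sshd -t && systemctl restart sshd
fi
```

Run it with SSHD_HARDEN_APPLY=1 only from a session you can afford to lose, and open a second connection on the new port before closing the first.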

Login Warning Messages

Edit /etc/issue (console, shown before login), /etc/issue.net (SSH, shown before login only if /etc/ssh/sshd_config contains Banner /etc/issue.net) and /etc/motd (shown after login). The banner should not leak the OS or version:

---------------------------------------------------------------
Warning! Unauthorized access to this system is prohibited. Disconnect immediately!
All connections are logged.
---------------------------------------------------------------

Set a Restrictive Umask

The original guide appends umask 0777 to /etc/bashrc "so new files have no permissions". That is a mistake: every new file would be unreadable even by its owner and ordinary shell work breaks. Use 027 (owner read/write, group read, nothing for others), or 077 for stricter isolation. /etc/bashrc affects interactive bash only; daemons inherit their umask from systemd (UMask= in the unit file):

umask 027

Lock Critical System Binaries

Make key directories immutable. On RHEL7 /sbin, /bin and /lib64 are symlinks into /usr; the trailing slash makes chattr follow them to the real directories. chattr +i on a directory blocks creating, deleting and renaming entries; it does not stop writes to files already inside unless those are made immutable too (chattr -R +i). rpm and yum fail until the attribute is removed (chattr -i), so fold that into the patch procedure, and since root can clear the attribute this is a speed bump against tampering, not a control:

chattr +i /sbin/
chattr +i /usr/sbin/
chattr +i /bin/
chattr +i /usr/lib/
chattr +i /usr/lib64/
chattr +i /usr/libexec/

Verify with lsattr -d /usr/sbin /usr/bin /usr/lib /usr/lib64 /usr/libexec.

Restrict GCC Compiler

Limit the compilers to a dedicated group rather than making them unusable: the original chmod 000 followed by chmod 0750 on gcc was contradictory and left g++ at 000. /usr/bin/cc and /usr/bin/c++ are links to these binaries, so they are covered. This only slows an attacker who needs to compile on the box; prebuilt binaries still run, and a yum update of gcc resets the permissions:

# Create the group and restrict both front ends to root and its members
groupadd compilerGroup
chown root:compilerGroup /usr/bin/gcc /usr/bin/g++
chmod 0750 /usr/bin/gcc /usr/bin/g++
# Grant a developer access (replace "developer" with the real user name)
usermod -aG compilerGroup developer

Protect Log Files

Make log files append-only so an intruder cannot truncate or delete them. Two caveats: lastlog is indexed by UID and rewritten in place, so +a breaks it and it is left out here; and logrotate cannot rename or truncate an append-only file, so remove the attribute in a prerotate script (chattr -a) and reapply it in postrotate, or exclude these files from rotation. As with +i, root can clear the attribute, so ship logs to a remote collector as well:

cd /var/log/
chattr +a dmesg cron messages secure wtmp
lsattr dmesg cron messages secure wtmp

Minimal Firewall Rules

RHEL7 manages the firewall with firewalld; to use raw iptables rules as below, stop and mask firewalld and install iptables-services. Add the ACCEPT rules before switching the INPUT policy to DROP, otherwise a remote session dies the moment the policy flips, and loopback and established connections need explicit rules once the policy is DROP. The original OUTPUT rule with --dport 65534 is removed: it matched new outbound connections to that port, not the replies to inbound SSH, which the conntrack rule handles (the OUTPUT policy stays ACCEPT). iptables-save only prints the ruleset; on RHEL7 persistence is service iptables save. Allow only SSH (port 65534), HTTP (80) and HTTPS (443):

systemctl stop firewalld && systemctl mask firewalld
yum install -y iptables-services
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP
service iptables save        # writes /etc/sysconfig/iptables
systemctl enable iptables

Enable SELinux

Set SELinux to enforcing mode in /etc/selinux/config:

# /etc/selinux/config
SELINUX=enforcing

setenforce 1 applies the change immediately only when SELinux is already loaded in permissive mode. If it was disabled, the filesystem carries no labels: run touch /.autorelabel and reboot, and expect the first boot to take a while. Before enforcing on a production host, run permissive for a period and review denials in /var/log/audit/audit.log (ausearch -m avc); confirm the final state with getenforce and sestatus.

Allow SSH Port in SELinux

sshd may only bind to ports labelled ssh_port_t, so do this before restarting sshd on the new port. Install the policy tools, add the port and verify:

yum install -y policycoreutils-python
semanage port -a -t ssh_port_t -p tcp 65534
semanage port -l | grep ssh_port_t

Set Web Directory Context

Label the web root with the SELinux type httpd is allowed to read. /var/www/html already carries httpd_sys_content_t in the stock policy, so semanage reports the pattern as already defined there (use -m to modify); the step matters for a custom document root or for files copied in from a home directory, which keep user_home_t until relabelled. Label the whole tree with a regular expression rather than a single file, then apply it with restorecon:

semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
restorecon -Rv /var/www/html
ls -Z /var/www/html