Essential Linux Red Hat Security Hardening Checklist: Accounts, SSH, Logging, and More

This guide provides a step‑by‑step hardening checklist for Red Hat AS 3/4, covering shared‑account detection, redundant‑account lock policies, root remote‑login restrictions, password complexity and lifespan, critical directory permissions, audit logging, SSH configuration, unnecessary service removal, and patch installation.

Liangxu Linux

Linux Red Hat AS 3/4 Security Hardening Checklist

1. Shared Account Verification

List all local accounts and ensure each user has a dedicated account. Shared accounts increase the risk of privilege escalation.

# cat /etc/passwd               # display all local accounts
# useradd username              # create a new account if needed
# passwd username               # set a strong password

2. Redundant Account Locking

Lock or disable accounts that are not required for system operation (e.g., lp, nuucp, hpdb, www, daemon). Set their login shell to nologin or lock the password.

# grep -E "^(lp|nuucp|hpdb|www|daemon):" /etc/passwd   # match account names only
# usermod -s /sbin/nologin username
# passwd -l username      # lock the password
# passwd -u username      # unlock again if the account is needed later (do not use -d, which deletes the password)

3. Root Remote‑Login Restriction

Prevent direct SSH login as root. Users must log in with a regular account and then use su or sudo for privileged actions.

# vi /etc/ssh/sshd_config
#   PermitRootLogin no
# service sshd restart

4. Password Complexity Policy

Enforce a minimum length of 12 characters and require at least two digits, two uppercase letters, two lowercase letters, and two special symbols. Adjust the pam_cracklib parameters accordingly.

# vi /etc/pam.d/system-auth
password    requisite   /lib/security/$ISA/pam_cracklib.so \
    minlen=12 retry=3 dcredit=-2 ucredit=-2 lcredit=-2 ocredit=-2

5. Maximum Password Lifetime

Force password changes at least every 90 days and provide a 7‑day warning before expiration.

# vi /etc/login.defs
PASS_MAX_DAYS   90
PASS_MIN_DAYS    0
PASS_WARN_AGE    7
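
The values in /etc/login.defs are applied when an account is created; accounts that already exist keep the aging fields stored in /etc/shadow. The following added example (not part of the original article) lists accounts that still fall outside the 90-day/7-day policy and prints the chage commands to review. The shadow entries and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article.
# /etc/shadow fields: name:hash:lastchg:min:max:warn:inactive:expire

# aging_gaps SHADOW [MAX] [WARN]: list accounts with a usable password whose
# maximum age is unset or above MAX, or whose warning period is below WARN
aging_gaps() {
    awk -F: -v max="${2:-90}" -v warn="${3:-7}" '
        $2 ~ /^[!*]/ { next }          # locked account or no password login
        $5 == "" || $5 + 0 > max + 0 || $6 + 0 < warn + 0 { print $1 }
    ' "$1"
}

# aging_fix SHADOW: print (do not run) the chage commands that close the gaps
aging_fix() {
    aging_gaps "$1" | while read -r user; do
        echo "chage -M 90 -W 7 $user"
    done
}

# Constructed sample in /etc/shadow format (hashes are placeholders)
SHADOW_SAMPLE=$(mktemp)
cat > "$SHADOW_SAMPLE" <<'EOF'
root:$1$constructed$hash:12000:0:99999:7:::
alice:$1$constructed$hash:12800:0:90:7:::
bob:$1$constructed$hash:12800:0:180:7:::
carol:$1$constructed$hash:12800:0::::
lp:*:12000:0:99999:7:::
oldsvc:!!:12000:0:99999:7:::
dave:$1$constructed$hash:12800:0:60:3:::
EOF
aging_fix "$SHADOW_SAMPLE"
```

On a live system, run aging_gaps as root against /etc/shadow and confirm each result with chage -l before applying the change.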

6. Critical File Permission Hardening

Set the most restrictive permissions for authentication files.

# chmod 644 /etc/passwd   # readable by all, writable only by root
# chmod 600 /etc/shadow   # readable/writable only by root
# chmod 644 /etc/group    # readable by all, writable only by root
# chmod -R go-w /etc      # remove group/other write access; keep world-read, which files such as /etc/passwd and /etc/bashrc need

7. Default umask Configuration

Define a global umask of 027 (or 077 for stricter environments) to ensure newly created files are not world‑readable.

# grep umask /etc/bashrc
umask 027
# or per‑user in ~/.bash_profile
umask 027

8. Security Log Completeness

Configure syslog (or rsyslog) to capture authentication events.

# vi /etc/syslog.conf
authpriv.*    /var/log/secure
# service syslog restart   # the init script is named syslog; it restarts syslogd

9. Centralized Remote Log Server

Forward logs to a dedicated log collector for tamper‑resistant storage and analysis.

# vi /etc/syslog.conf
# replace 192.168.0.1 with the actual log server IP or hostname (keep this comment on its own line)
*.*   @192.168.0.1
# service syslog restart

10. Command History Timestamp

Record date and time for each command in the Bash history to improve auditability.

# vi /etc/bashrc
export HISTTIMEFORMAT="%F %T "   # trailing space separates the timestamp from the command; needs bash 3.0 or later
# source /etc/bashrc   # or start a new shell

11. SSH Daemon Hardening

Enforce SSH protocol 2, disable insecure authentication methods, and prohibit empty passwords and root login.

# vi /etc/ssh/sshd_config
Protocol 2
X11Forwarding yes
IgnoreRhosts yes
RhostsAuthentication no
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Banner /etc/motd
# service sshd restart
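
An added example, not part of the original article: a check that an sshd_config actually yields the values from this step. sshd uses the first value it reads for each keyword, so a hardened line placed below a conflicting one has no effect. The sample file and the function names are constructed, and five of the directives above are checked.

```sh
#!/bin/sh
# Added example, not from the original article. Keywords are matched
# case-insensitively and the first occurrence wins, as in sshd itself.

# effective_value FILE KEYWORD: print the value sshd would use, or nothing if unset
effective_value() {
    awk -v want="$2" '
        { sub(/^[ \t]+/, "") }              # drop leading whitespace
        /^(#|$)/ { next }                   # skip comments and blank lines
        { split($0, f, /[ \t=]+/) }         # "Keyword value" or "Keyword=value"
        tolower(f[1]) == tolower(want) { print f[2]; exit }
    ' "$1"
}

# audit_sshd FILE: print PASS/FAIL per directive; return 1 if anything failed
audit_sshd() {
    rc=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key")
        if [ "$actual" = "$expected" ]; then
            echo "PASS $key $actual"
        else
            echo "FAIL $key is '${actual:-unset}', checklist requires '$expected'"
            rc=1
        fi
    done <<'EOF'
Protocol 2
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
EOF
    return $rc
}

# Constructed sample: hardened lines were appended below conflicting ones
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Protocol 2,1
permitrootlogin yes
IgnoreRhosts yes
  HostbasedAuthentication=no
#PermitEmptyPasswords no
Protocol 2
PermitRootLogin no
EOF
audit_sshd "$SAMPLE" || echo "sshd_config does not meet the checklist"
```

A directive reported as unset means the compiled-in default applies, so set it explicitly rather than relying on the default of the installed OpenSSH version.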

12. Disable Unnecessary Services

Identify services that are not required for the server’s role and disable them using chkconfig (or systemctl on newer releases).

# chkconfig --list               # list all services and their run‑level status
# service service_name stop      # stop the service immediately
# chkconfig service_name off     # prevent it from starting at boot
# Example of typical services to disable:
#   sendmail, telnet, bind, lpd, routed, bluetooth, identd, xfs, rlogin, rwho, rsh, rexec, inetd/xinetd‑based services (daytime, chargen, echo)

13. Disable Ctrl‑Alt‑Del Reboot

Prevent accidental reboots caused by the keyboard shortcut.

# vi /etc/inittab
# Comment out the line that binds Ctrl‑Alt‑Del to shutdown:
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
# Apply the change
# /sbin/init q

14. Apply Operating System Updates

Regularly install security errata from the Red Hat Network (RHN) to patch known vulnerabilities.

# yum update                     # for systems with yum configured
# or manually download RPMs from https://rhn.redhat.com/errata/
# rpm -Uvh patch.rpm             # upgrade the installed package (use -ivh for kernel packages so the old kernel stays available)
# reboot                         # apply kernel or library updates