Hardening RHEL7: Practical Linux Security Steps and Commands

This guide walks through comprehensive Linux security hardening on RHEL7, covering account lockout, password policies, SELinux configuration, SSH port changes, root login disabling, umask restriction, immutable system files, GCC limitation, log protection, minimal firewall rules, and related command examples.


Background

Linux is a free, open‑source Unix‑like operating system widely deployed for servers, but its security depends on proper configuration and permission management. The guide focuses on RHEL7 and demonstrates how to harden the system to reach a B1 security level.

TCSEC Security Levels

The U.S. Department of Defense defined the Trusted Computer System Evaluation Criteria (TCSEC) with levels D, C1, C2, B1, B2, B3, and A1, ranging from minimal security (D) to formally verified protection (A1). Modern Linux can be hardened to at least B1.

Hardening Steps

Account Lockout

List accounts with cat /etc/passwd. Lock all non‑root accounts using passwd -l <username>. A Bash script can automate this:

#!/bin/bash
# Lock every account except root. -x matches the whole name, so accounts whose
# name merely contains "root" are not skipped; quoting protects odd usernames.
for user in $(cut -d ':' -f1 /etc/passwd | grep -vx 'root'); do
    passwd -l "$user"
done

Password Aging

Adjust password expiration in /etc/login.defs (e.g., PASS_MAX_DAYS 90, PASS_MIN_DAYS 0, PASS_MIN_LEN 7, PASS_WARN_AGE 10).

# vim /etc/login.defs
PASS_MAX_DAYS   90   # maximum days a password may be used
PASS_MIN_DAYS   0    # minimum days between changes
PASS_MIN_LEN    7    # minimum password length
PASS_WARN_AGE   10   # days before expiration to warn

Password Complexity

Add a pam_cracklib rule to /etc/pam.d/system-auth to require digits, lower‑case, upper‑case, special characters and a minimum length of 10:

# vim /etc/pam.d/system-auth
password    required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10

Login Timeout

Set an inactivity timeout by adding to /etc/profile:

TMOUT=300
export TMOUT

TTY Login Attempt Limitation

Configure /etc/pam.d/login with pam_tally2 to deny after three failures and lock for 300 seconds:

# vim /etc/pam.d/login
auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10

SSH Port Change

Modify /etc/ssh/sshd_config to use a high‑numbered port (e.g., 65534) and reduce authentication attempts, then restart SSH. Adjust SELinux with semanage to allow the new port.

# vim /etc/ssh/sshd_config
Port 65534
MaxAuthTries 3
# systemctl restart sshd
# yum install -y policycoreutils-python
# semanage port -a -t ssh_port_t -p tcp 65534

Disable Root SSH Login

Create a regular user (e.g., lyshark), grant sudo rights, and set PermitRootLogin no in sshd_config.

# useradd lyshark
# passwd lyshark
# vim /etc/sudoers
root    ALL=(ALL)       ALL
lyshark ALL=(ALL)       ALL
# vim /etc/ssh/sshd_config
PermitRootLogin no
# systemctl restart sshd

Allow Specific Users

Restrict SSH access to chosen users/groups:

# vim /etc/ssh/sshd_config
AllowUsers lyshark admin
AllowGroups lyshark admin

Login Warning Message

Insert a warning in /etc/motd (shown after a successful login) and /etc/issue.net (shown to remote users before authentication once sshd_config contains Banner /etc/issue.net):

# vim /etc/motd
# vim /etc/issue.net
---
Warning! If you are not authorized to log in to this system, exit immediately!!
Your system fingerprint has been recorded!!
---

Umask Restriction

Set a restrictive umask (0777) in /etc/bashrc so newly created files have no permissions:

# echo "umask 0777" >> /etc/bashrc

Immutable System Files

Make critical binaries immutable with chattr +i (e.g., /sbin, /usr/lib).

# chattr +i /sbin/
# chattr +i /usr/lib/
# chattr +i /usr/lib64/

Restrict GCC Compiler

Remove execute permissions from GCC binaries, create a dedicated group, and grant limited access:

# chmod 000 /usr/bin/gcc
# groupadd compilerGroup
# chown root:compilerGroup /usr/bin/gcc
# chmod 0750 /usr/bin/gcc

Log File Protection

Make log files append‑only with chattr +a to prevent deletion:

# cd /var/log
# chattr +a dmesg cron lastlog messages secure wtmp

Minimal Firewall Rules

Flush existing iptables rules, drop all traffic, then allow SSH (custom port) and HTTP/HTTPS:

# iptables -F
# iptables -P INPUT DROP
# iptables -I INPUT -p tcp --dport 65534 -j ACCEPT
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# iptables-save
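The rule set above in script form, as an added example that is not the article's own code: build_ruleset emits a complete iptables-restore table for a list of TCP ports, and apply_ruleset (a hypothetical helper assuming iptables-restore and RHEL7's /etc/sysconfig/iptables persistence file) loads it in one atomic step. It goes beyond the article's three rules by accepting loopback and established/related traffic, which the INPUT DROP policy would otherwise cut off for the host's own DNS, yum and the SSH session applying the rules.

```shell
#!/bin/bash
# Added example (not from the original article). Emit an iptables-restore
# ruleset: default DROP on INPUT, accept loopback and replies to connections
# the host opened, then accept NEW TCP connections on each listed port.
build_ruleset() {
    local p
    # Validate every argument before printing anything, so a bad port never
    # leaves a half-written table behind.
    for p in "$@"; do
        case $p in
            ''|*[!0-9]*) printf 'invalid port: %s\n' "$p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            printf 'port out of range: %s\n' "$p" >&2; return 1
        fi
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
                  ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for p in "$@"; do
        printf '%s\n' "-A INPUT -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# Load the table atomically (iptables-restore swaps the whole table in one
# step) and, only if that succeeded, persist it where RHEL7's iptables
# service reads it at boot (assumed path; requires root).
apply_ruleset() {
    local rules
    rules=$(build_ruleset "$@") || return 1
    printf '%s\n' "$rules" | iptables-restore || return 1
    printf '%s\n' "$rules" > /etc/sysconfig/iptables
}
```

Run `apply_ruleset 65534 80 443` as root to reproduce the article's policy; review `build_ruleset 65534 80 443` first to see the exact table that will be loaded.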

Enable SELinux

Set SELinux to enforcing mode and apply immediately:

# vim /etc/selinux/config
SELINUX=enforcing
# setenforce 1
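An added audit helper, not part of the original article, that checks the settings from the Password Aging, SSH Port Change, Disable Root SSH Login and Enable SELinux sections against the values this guide sets. cfg_get, check_setting and audit_hardening are hypothetical names; the default paths are the RHEL7 files edited above, and each can be overridden with an argument so the audit can run against copies.

```shell
#!/bin/bash
# Added example (not from the original article). Read the effective value of
# KEY from a config file, ignoring comments and blank lines. The first match
# wins, which is how sshd reads sshd_config; login.defs and
# /etc/selinux/config normally define each key only once.
cfg_get() {
    local file=$1 key=$2
    awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/#.*/, "", line)              # drop a trailing comment
            sub(/^[[:space:]]+/, "", line)    # drop leading whitespace
            n = split(line, f, /[ \t=]+/)     # "Key value" or "KEY=value"
            if (!found && n >= 2 && f[1] == k) { v = f[2]; found = 1 }
        }
        END { print v }' "$file"
}

# Compare one setting with the value this guide expects; prints PASS/FAIL
# and returns 0/1 so callers can count failures.
check_setting() {
    local file=$1 key=$2 want=$3 have
    have=$(cfg_get "$file" "$key")
    if [ "$have" = "$want" ]; then
        printf 'PASS %s %s=%s\n' "$file" "$key" "$have"
        return 0
    fi
    printf 'FAIL %s %s=%s (expected %s)\n' "$file" "$key" "${have:-<unset>}" "$want"
    return 1
}

# Audit the files this guide edits. Arguments override the default paths;
# the return value is the number of failed checks (0 means fully compliant).
audit_hardening() {
    local sshd=${1:-/etc/ssh/sshd_config} logindefs=${2:-/etc/login.defs}
    local selinux=${3:-/etc/selinux/config} fails=0
    check_setting "$sshd" Port 65534             || fails=$((fails + 1))
    check_setting "$sshd" MaxAuthTries 3         || fails=$((fails + 1))
    check_setting "$sshd" PermitRootLogin no     || fails=$((fails + 1))
    check_setting "$logindefs" PASS_MAX_DAYS 90  || fails=$((fails + 1))
    check_setting "$logindefs" PASS_WARN_AGE 10  || fails=$((fails + 1))
    check_setting "$selinux" SELINUX enforcing   || fails=$((fails + 1))
    return "$fails"
}
```

Calling `audit_hardening` with no arguments on a live host checks the real files; a nonzero exit status tells a cron job or configuration-management run how many settings have drifted.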

Allow SSH Port in SELinux

Use semanage to add the custom SSH port to the SELinux policy:

# yum install -y policycoreutils-python
# semanage port -a -t ssh_port_t -p tcp 65534

Set Web Directory Context

Assign the correct SELinux type to web content files:

# semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
# restorecon -v /var/www/html/index.html

Conclusion

By applying the above configurations—account restrictions, password policies, SELinux enforcement, SSH hardening, immutable system files, compiler limitation, log protection, and a minimal firewall—the RHEL7 system’s security posture can be elevated to at least the B1 level, providing stronger defense against unauthorized access and common attacks.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
