Hardening RHEL7: Practical Steps to Secure Linux Accounts, SSH, SELinux, and Firewall

This guide walks through a comprehensive Linux hardening process on RHEL7, covering account lockdown, password policies, SSH port changes, SELinux activation, firewall minimization, file attribute protection, and compiler restrictions, all illustrated with concrete commands and configuration examples.

Liangxu Linux

Background and Goal

Linux is a free, open‑source Unix‑like operating system widely used for servers because of its security, efficiency, and stability. To fully protect a Linux system, especially RHEL7, administrators must allocate permissions wisely and apply a series of hardening measures.

TCSEC Security Levels

The U.S. Department of Defense defined the Trusted Computer System Evaluation Criteria (TCSEC) in 1985, dividing systems into four classes (A‑D) and seven security grades. The article lists the grades from lowest (D) to highest (A1) and notes that most mainstream OSes, such as Windows NT, only reach C2, while a hardened Linux can achieve B1.

Account Control

Local accounts are listed in /etc/passwd (view it with cat /etc/passwd). The tutorial disables password login for every account except root with passwd -l <username> and provides a Bash script to lock them in bulk. passwd -l prefixes the hash in /etc/shadow with "!", which blocks password authentication only: SSH key logins and service accounts that never had a password are unaffected.

#!/bin/bash
# Lock the password of every account listed in /etc/passwd except root.
# grep -vx matches the whole name, so an account whose name merely contains
# "root" (for example rootadmin) is still locked; grep -v "root" would skip it.
for temp in $(cut -d ":" -f 1 /etc/passwd | grep -vx "root")
do
    passwd -l "$temp"
done
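A check to run after the lock script, added here as an example and not part of the original article: it reports the accounts that still have an interactive shell and an unlocked password hash. The file paths, account names and hashes are constructed samples.

```shell
#!/bin/bash
# Added example, not from the original article: list accounts that can still
# log in with a password after the bulk lock. It reads constructed /etc/passwd
# and /etc/shadow samples so it runs offline; point PASSWD_FILE and SHADOW_FILE
# at the real files (as root) to audit a live host.
PASSWD_FILE="${PASSWD_FILE:-/tmp/passwd.sample}"
SHADOW_FILE="${SHADOW_FILE:-/tmp/shadow.sample}"

# Constructed sample: root is unlocked, nobody has no shell, lyshark was locked
# with passwd -l (hash prefixed with "!"), and rootadmin is the account that a
# naive grep -v "root" filter would have skipped.
cat > "$PASSWD_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
lyshark:x:1000:1000::/home/lyshark:/bin/bash
rootadmin:x:1001:1001::/home/rootadmin:/bin/bash
EOF
cat > "$SHADOW_FILE" <<'EOF'
root:$6$constructed$hash:19000:0:90:10:::
nobody:*:19000:0:99999:7:::
lyshark:!$6$constructed$hash:19000:0:90:10:::
rootadmin:$6$constructed$hash:19000:0:90:10:::
EOF

# Print every account whose shell is interactive and whose shadow entry is
# neither locked ("!" prefix) nor disabled ("*" or empty).
unlocked_accounts() {
    while IFS=: read -r name _ _ _ _ _ shell; do
        case "$shell" in
            */nologin|*/false) continue ;;
        esac
        hash=$(awk -F: -v u="$name" '$1 == u { print $2 }' "$SHADOW_FILE")
        case "$hash" in
            '!'*|'*'*|'') continue ;;
        esac
        printf '%s\n' "$name"
    done < "$PASSWD_FILE"
}

# The accounts the lock script should have caught: everything above except root.
unlocked_non_root() {
    unlocked_accounts | grep -vx root
}

unlocked_non_root
```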

Password Lifetime

The password aging parameters live in /etc/login.defs (grep PASS /etc/login.defs shows them). The example sets PASS_MAX_DAYS 90, PASS_MIN_DAYS 0, PASS_MIN_LEN 7, and PASS_WARN_AGE 10 by editing the file with vim /etc/login.defs. These defaults apply only to accounts created afterwards; existing accounts are adjusted with chage (for example chage -M 90 <username>), and on a PAM-based system such as RHEL7 the effective minimum length comes from the PAM rule in the next section rather than PASS_MIN_LEN.

Password Complexity

Complexity rules are set in /etc/pam.d/system-auth. Adding the line below (or replacing the existing password requisite line; RHEL7 ships pam_pwquality.so by default, which accepts the same options as pam_cracklib.so) enforces at least one digit, one lowercase letter, one uppercase letter, one special character, and a minimum length of 10:

password required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10
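To make the credit semantics concrete, here is an offline checker that applies exactly the rule above; it is an added example, not from the original article, and the sample passwords are constructed.

```shell
#!/bin/bash
# Added example, not from the original article: an offline check that applies
# the same rule as the PAM line above. A negative credit (dcredit=-1 etc.) is a
# minimum count for that character class, and with every credit negative no
# length credit is granted, so minlen=10 is a literal minimum of 10 characters.
# Use it to test a proposed policy before rollout; it is not a replacement for PAM.
LC_ALL=C
export LC_ALL
MINLEN=10
MIN_DIGIT=1; MIN_LOWER=1; MIN_UPPER=1; MIN_OTHER=1

# Number of characters of password $1 that belong to the tr character set $2.
count_in() {
    printf '%s' "$1" | tr -cd "$2" | wc -c | tr -d ' '
}

# Number of "other" characters: anything that is not a letter or a digit.
count_other() {
    printf '%s' "$1" | tr -d 'a-zA-Z0-9' | wc -c | tr -d ' '
}

# Returns 0 when password $1 satisfies the policy, 1 otherwise (reason on stdout).
check_password() {
    pw=$1
    len=$(printf '%s' "$pw" | wc -c | tr -d ' ')
    [ "$len" -ge "$MINLEN" ] || { echo "too short: $len < $MINLEN"; return 1; }
    [ "$(count_in "$pw" '0-9')" -ge "$MIN_DIGIT" ] || { echo "needs a digit"; return 1; }
    [ "$(count_in "$pw" 'a-z')" -ge "$MIN_LOWER" ] || { echo "needs a lowercase letter"; return 1; }
    [ "$(count_in "$pw" 'A-Z')" -ge "$MIN_UPPER" ] || { echo "needs an uppercase letter"; return 1; }
    [ "$(count_other "$pw")" -ge "$MIN_OTHER" ] || { echo "needs a special character"; return 1; }
    echo "ok"
}

check_password 'Correct-H0rse'          # constructed sample: passes
check_password 'correcthorse1' || :     # constructed sample: fails, no uppercase letter
```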

Login Timeout

Set an inactivity timeout for interactive shells by adding the lines below to /etc/profile (follow them with readonly TMOUT so users cannot unset the value in their own session):

TMOUT=300
export TMOUT

TTY Login Attempt Limitation

Prevent brute-force attacks on local terminal logins by editing /etc/pam.d/login and adding the line below at the top of the auth stack, before pam_unix.so:

auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10

Check the failure counter with pam_tally2 --user lyshark and clear it after a legitimate lockout with pam_tally2 --user lyshark --reset.

SSH Port Change

Change the SSH daemon port in /etc/ssh/sshd_config to a high, non-default number (e.g., 65534) to stay out of routine scans of port 22, and label the new port for SELinux (see "Allow SSH Port in SELinux" below) and open it in the firewall before restarting:

Port 65534
MaxAuthTries 3

Validate the file with sshd -t, restart with systemctl restart sshd, and keep the current session open until a fresh connection on the new port succeeds.

Disable Root SSH Login

Create a regular user (e.g., lyshark), grant sudo rights in /etc/sudoers (edit it with visudo), and set PermitRootLogin no in /etc/ssh/sshd_config, then restart SSH. Uncomment and change the existing PermitRootLogin line rather than appending a second one: sshd uses the first value it reads for a keyword, so a later PermitRootLogin no after an uncommented PermitRootLogin yes has no effect.

Restrict Allowed SSH Users

Limit SSH access to specific users or groups by adding to /etc/ssh/sshd_config (when both directives are present a login must satisfy both lists, so the listed users must also belong to one of the listed groups):

AllowUsers lyshark admin
AllowGroups lyshark admin
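A small audit of the settings from the three SSH sections above (port, root login, authentication attempts, allow lists), added here as an example and not part of the original article. It reads a constructed sshd_config sample; the path and its contents are assumptions.

```shell
#!/bin/bash
# Added example, not from the original article: audit an sshd_config against the
# settings recommended in the SSH sections above. It reads a constructed sample
# so it runs offline; set SSHD_CONFIG=/etc/ssh/sshd_config to audit a real host,
# where `sshd -t` checks syntax and `sshd -T` prints the effective values.
SSHD_CONFIG="${SSHD_CONFIG:-/tmp/sshd_config.sample}"

# Constructed sample: the recommended lines were appended at the end, but an
# earlier uncommented "PermitRootLogin yes" is still present and takes effect.
cat > "$SSHD_CONFIG" <<'EOF'
# constructed sshd_config sample
PermitRootLogin yes
Port 65534
MaxAuthTries 3
PermitRootLogin no
AllowUsers lyshark admin
AllowGroups lyshark admin
EOF

# sshd keeps the FIRST value it reads for a keyword (Port is additive and may
# appear several times), so report the first uncommented occurrence of $1.
# Keywords are case-insensitive; comment lines never match because of the "#".
effective() {
    awk -v k="$1" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$SSHD_CONFIG"
}

# One finding per line; no output means the file matches the guide.
audit_sshd() {
    port=$(effective Port)
    [ -n "$port" ] && [ "$port" != 22 ] || echo "Port: sshd still listens on the default 22"
    [ "$(effective PermitRootLogin)" = no ] || echo "PermitRootLogin: effective value is not 'no' (first occurrence wins)"
    tries=$(effective MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 3 ] || echo "MaxAuthTries: not limited to 3"
    if [ -n "$(effective AllowUsers)" ] && [ -n "$(effective AllowGroups)" ]; then
        echo "AllowUsers and AllowGroups are both set: a login must satisfy both lists"
    fi
    return 0
}

audit_sshd
```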

Login Warning Banner

Edit /etc/motd and /etc/issue.net to display a warning message to users. /etc/motd is shown after a successful login; /etc/issue.net is shown to SSH clients before authentication only if sshd_config contains Banner /etc/issue.net.

---------------------------------------------------------------
Warning! Unauthorized access to this system is prohibited. Disconnect immediately!
Your connection details have been recorded.
---------------------------------------------------------------

Umask Restriction

The guide sets the default file permission mask to 0777 (no permissions) by appending umask 0777 to /etc/bashrc, so new files carry no read, write, or execute bits for anyone. Note that this also locks owners out of their own new files until they chmod them; the usual hardened values are 027 (owner full, group read, others nothing) or 077 (owner only).

Immutable System Files

Make critical binaries immutable with chattr +i (chattr -R +i for a whole tree) on directories such as /sbin, /usr/sbin, /bin, /usr/lib, and /usr/lib64. The attribute also stops yum from replacing those files, so remove it with chattr -i before applying updates; lsattr shows which files currently carry it.

Restrict GCC Compiler

Remove all permissions (chmod 000 clears read, write, and execute) from the GCC front-end binaries:

chmod 000 /usr/bin/gcc*
chmod 000 /usr/bin/cc
chmod 000 /usr/bin/c89
chmod 000 /usr/bin/c99

Create a dedicated group (e.g., compilerGroup), give only that group execute rights on the compiler binary, and add the developers who need it with usermod -aG compilerGroup <username>. A package update of gcc restores the default ownership and mode, so re-apply these commands afterwards:

groupadd compilerGroup
chown root:compilerGroup /usr/bin/gcc
chmod 0750 /usr/bin/gcc

Other users will see “Permission denied”.

Log File Protection

Set the append-only attribute on important logs so they can only be appended to, not truncated, overwritten or deleted. logrotate cannot rename or truncate a file with this attribute, so either drop it in a prerotate script and restore it in postrotate, or accept that these files are never rotated:

chattr +a /var/log/dmesg /var/log/cron /var/log/lastlog /var/log/messages /var/log/secure /var/log/wtmp

Minimal Firewall Rules

Flush existing rules and allow only SSH on the moved port (65534), HTTP (80), and HTTPS (443). RHEL7 manages the firewall with firewalld by default; to use plain iptables as below, install iptables-services, disable firewalld and enable the iptables service, otherwise the rules are lost at reboot. Loopback and established-connection rules are required too, or replies to the host's own connections (DNS, yum) and the current SSH session are dropped:

iptables -F
iptables -A INPUT -i lo -j ACCEPT                                        # loopback
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to our own connections
iptables -A INPUT -p tcp --dport 65534 -j ACCEPT                         # SSH on the moved port
iptables -A INPUT -p tcp --dport 80 -j ACCEPT                            # HTTP
iptables -A INPUT -p tcp --dport 443 -j ACCEPT                           # HTTPS
iptables -P INPUT DROP                    # set the default policy last so the current session is not cut off
iptables-save > /etc/sysconfig/iptables   # persist; iptables-save alone only prints to stdout

Enable SELinux

Set SELINUX=enforcing in /etc/selinux/config and apply it with setenforce 1. If SELinux was previously disabled (not merely permissive), the filesystem has no labels yet: run touch /.autorelabel and reboot once, or the system will not boot cleanly in enforcing mode. After enabling, label the new SSH port as shown in the next section, or sshd will be denied permission to bind it.

Allow SSH Port in SELinux

Install the policy tools (the unversioned package name policycoreutils-python is sufficient and avoids pinning a build) and add the new port to the SELinux policy. Use the same port as in sshd_config. If the port already has a record of another type, semanage rejects -a with "already defined" and -m must be used instead:

yum install -y policycoreutils-python-2.5-29.el7.x86_64
semanage port -a -t ssh_port_t -p tcp 65534
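The add-or-modify decision described above, worked through as an added example that is not part of the original article. The semanage port -l listing it parses is a constructed sample and the command is printed rather than run.

```shell
#!/bin/bash
# Added example, not from the original article: choose between `semanage port -a`
# (port has no record yet) and `semanage port -m` (an identical port record
# already exists with another type, where -a aborts with "already defined").
# It parses `semanage port -l` output; a constructed listing is embedded so the
# logic runs offline, and the resulting command is printed, not executed.
PORT=65534
PORT_LISTING=$(cat <<'EOF'
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
ssh_port_t                     tcp      22
unreserved_port_t              tcp      61001-65535
EOF
)

# Print the type that owns an exact record for port $1 / protocol $2, if any.
# A range that merely contains the port (unreserved_port_t above) is not an
# exact record, so -a is still the right verb for 65534.
port_owner() {
    printf '%s\n' "$PORT_LISTING" | awk -v p="$1" -v proto="$2" '
        $2 == proto {
            for (i = 3; i <= NF; i++) {
                x = $i; sub(/,$/, "", x)
                if (x == p) { print $1; exit }
            }
        }'
}

# Print the semanage command that labels port $1 / protocol $2 as ssh_port_t.
# -m moves the record away from its current type, so check nothing else needs it.
semanage_cmd() {
    owner=$(port_owner "$1" "$2")
    if [ -z "$owner" ]; then
        echo "semanage port -a -t ssh_port_t -p $2 $1"
    elif [ "$owner" = ssh_port_t ]; then
        echo "# $2/$1 is already ssh_port_t, nothing to do"
    else
        echo "semanage port -m -t ssh_port_t -p $2 $1   # currently $owner"
    fi
}

semanage_cmd "$PORT" tcp
```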

Set Web Directory Context

Assign the proper SELinux type to a web file. semanage fcontext takes a path regex, so a whole tree is covered with "/var/www/html(/.*)?" followed by restorecon -Rv; unlike a bare chcon, the fcontext rule survives a relabel:

semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
restorecon -v /var/www/html/index.html

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.