How to Harden Linux Systems: Practical Security Hardening Steps for RHEL 7

This guide walks through practical Linux security hardening on RHEL 7, covering account lockdown, password policies, SELinux activation, SSH port changes, login restrictions, file immutability, compiler and log protection, and minimal firewall rules to elevate the system to a higher security level.


Linux System Security Hardening

Linux is a free, open‑source Unix‑like operating system widely used for servers due to its security, efficiency, and stability. However, without proper permission management, its security can be compromised. This article uses RHEL 7 to demonstrate hardening techniques such as account security, login control, and SELinux configuration.

In 1985, the U.S. Department of Defense introduced the Trusted Computer System Evaluation Criteria (TCSEC), which classifies systems into four categories (A‑D) and seven security levels, ranging from the lowest D level to the highest A1 level. Modern operating systems often fall short of high security; for example, Windows NT reaches only C2, while a hardened Linux system can achieve B1.

Control System Accounts

The system's accounts are listed in /etc/passwd (cat /etc/passwd). Apart from root, every other account should be prevented from logging in. Use passwd -l username to lock a single user; the Bash script below locks every account except root. Note that it also locks any ordinary user you intend to keep, such as the sudo user created later in this guide, so unlock that one afterwards with passwd -u username:

#!/bin/bash
# Lock every account except root (passwd -l prefixes the shadow hash with "!").
# The grep is anchored so that a name that merely contains "root" is not skipped.
for temp in $(cut -d ':' -f 1 /etc/passwd | grep -v '^root$')
do
    passwd -l "$temp"
done
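As an added example (not part of the original article), the following audit script lists the accounts that can still log in after the lockdown. It reads passwd- and shadow-format files passed as arguments, so on a real host it is run as root against /etc/passwd and /etc/shadow; the sample entries embedded in the script are constructed, with placeholder hashes.

```bash
#!/bin/bash
# Added example, not part of the original article: list the accounts that can
# still log in. Takes passwd- and shadow-format files as arguments; on a real host
# run as root: login_capable /etc/passwd /etc/shadow
# The sample data below is constructed for the demo.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lyshark:x:1000:1000::/home/lyshark:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/bash
backup:x:1002:1002::/home/backup:/bin/bash'

# Hashes are placeholders, not real password hashes.
SAMPLE_SHADOW='root:$6$salt$PLACEHOLDERHASH:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
lyshark:$6$salt$PLACEHOLDERHASH:18000:0:99999:7:::
deploy:!!$6$salt$PLACEHOLDERHASH:18000:0:99999:7:::
backup::18000:0:99999:7:::'

# login_capable PASSWD_FILE SHADOW_FILE
# Prints every non-root account that has an interactive shell and whose shadow
# entry is neither locked ("!" prefix, as written by passwd -l) nor disabled ("*").
# An empty password field is flagged separately: it allows login with no password.
login_capable() {
  local passwd_file="$1" shadow_file="$2" user pw uid gid gecos home shell hash
  while IFS=: read -r user pw uid gid gecos home shell; do
    [ "$user" = root ] && continue
    case "$shell" in */nologin|*/false) continue ;; esac
    hash=$(awk -F: -v u="$user" '$1 == u { print $2 }' "$shadow_file")
    case "$hash" in
      '!'*|'*'*) ;;                                   # locked or disabled
      '')        printf '%s (EMPTY PASSWORD)\n' "$user" ;;
      *)         printf '%s\n' "$user" ;;
    esac
  done < "$passwd_file"
}

# Demo on the constructed data.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PASSWD" > "$demo_dir/passwd"
printf '%s\n' "$SAMPLE_SHADOW" > "$demo_dir/shadow"
echo "Accounts still able to log in:"
login_capable "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On the sample data the script reports lyshark (unlocked, interactive shell) and backup (empty password field); bin is skipped because of its nologin shell and deploy because passwd -l has prefixed its hash.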

Modify Password Lifetime

The password aging settings live in /etc/login.defs (view them with grep PASS /etc/login.defs). Reduce the maximum password age by editing that file. These values only apply to accounts created afterwards; change existing accounts with chage -M 90 username:

# Password aging controls:
# PASS_MAX_DAYS   Maximum number of days a password may be used.
# PASS_MIN_DAYS   Minimum number of days allowed between password changes.
# PASS_MIN_LEN    Minimum acceptable password length.
# PASS_WARN_AGE   Number of days warning given before a password expires.
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    7
PASS_WARN_AGE   10

Set Password Complexity

Edit /etc/pam.d/system-auth so that passwords require at least one digit, one lowercase letter, one uppercase letter and one special character (the four -1 credits) and a minimum length of 10. On RHEL 7 system-auth is a symlink to system-auth-ac, which authconfig regenerates, so re-check this line after running authconfig:

password    required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10
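To make the credit options concrete, here is an added example (not from the article or from the pam_cracklib project) that approximates the line above in shell: it checks a candidate password for the four character classes and the minimum length of 10. The module's dictionary, palindrome and similarity checks are not replicated, and ASCII input is assumed.

```bash
#!/bin/bash
# Added example, not from the original article: a local approximation of the
# pam_cracklib line (minlen=10, dcredit/lcredit/ucredit/ocredit=-1). A credit of -1
# means "at least one character of this class is required" and adds nothing to the
# length count, so minlen is a plain minimum length. ASCII only; the module's
# dictionary, palindrome and similarity checks are not replicated.

MINLEN=10

# count_class STRING TR_CLASS -> number of characters of STRING in TR_CLASS
count_class() {
  printf '%s' "$1" | LC_ALL=C tr -cd "$2" | wc -c | tr -d ' '
}

# check_password PASSWORD -> prints each unmet rule; returns 0 if compliant, 1 otherwise
check_password() {
  local pw="$1" ok=0 alnum
  [ "${#pw}" -ge "$MINLEN" ] || { echo "too short (${#pw} < $MINLEN)"; ok=1; }
  [ "$(count_class "$pw" '0-9')" -ge 1 ] || { echo "needs a digit (dcredit=-1)"; ok=1; }
  [ "$(count_class "$pw" 'a-z')" -ge 1 ] || { echo "needs a lowercase letter (lcredit=-1)"; ok=1; }
  [ "$(count_class "$pw" 'A-Z')" -ge 1 ] || { echo "needs an uppercase letter (ucredit=-1)"; ok=1; }
  # "other" characters are everything that is not a digit or a letter
  alnum=$(count_class "$pw" '0-9a-zA-Z')
  [ "$alnum" -lt "${#pw}" ] || { echo "needs a special character (ocredit=-1)"; ok=1; }
  return "$ok"
}

# Demo on constructed candidates (none of these is a real credential).
for candidate in 'Str0ng!Pass' 'weakpassword' 'Sh0rt!'; do
  if check_password "$candidate" >/dev/null; then
    echo "$candidate: compliant"
  else
    echo "$candidate: rejected"
  fi
done
```

Run check_password with a candidate string to see which rules it fails; the demo accepts 'Str0ng!Pass' and rejects the other two.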

Login Timeout and TTY Attempts

Set an idle shell timeout by adding TMOUT=300 and export TMOUT to /etc/profile (300 seconds of inactivity; add readonly TMOUT so users cannot override it). Limit TTY login attempts with pam_tally2 in /etc/pam.d/login. In the line below, deny=3 locks an account after three failures until an administrator resets it with pam_tally2 --reset -u username (no unlock_time is set), lock_time=300 refuses logins for 300 seconds after every failed attempt, and even_deny_root extends the rule to root, whose lock expires after root_unlock_time=10 seconds:

auth required  pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10

Change SSH Port

Modify /etc/ssh/sshd_config to use a high‑numbered port (e.g., 65534) and reduce authentication attempts:

Port 65534
MaxAuthTries 3

Disable Root SSH Login

Create a regular user (e.g., lyshark), grant it sudo rights (for example by adding it to the wheel group, which the default RHEL 7 sudoers already enables), set PermitRootLogin no in /etc/ssh/sshd_config, and restart sshd with systemctl restart sshd. Confirm from a second session that the new user can log in and use sudo before closing the root session.

Login Warning Message

Edit /etc/motd (shown after login) and /etc/issue.net (shown by sshd before authentication, but only if sshd_config contains Banner /etc/issue.net) to display a warning when users log in.

Restrict Umask

Set a restrictive umask (e.g., 0777) in /etc/bashrc so newly created files have no permissions. With 0777 even the owner cannot read or write a new file until it is chmod'ed explicitly; 077, which keeps owner access and removes all group and other access, is the more common choice.

Lock System Files

Make critical binaries immutable with chattr +i on directories such as /sbin, /usr/sbin, /bin, /usr/lib, and /usr/lib64 (use chattr -R +i to cover their contents; the flag on the directory alone only prevents adding or removing entries). Package updates fail while the flag is set, so remove it with chattr -i before running yum and restore it afterwards.

Restrict GCC Compiler

Remove execute permissions from the compiler binary and restrict it to a dedicated group, so only members of that group can run it:

# The group must exist first (groupadd compilerGroup); add trusted users with usermod -aG compilerGroup username
chmod 000 /usr/bin/gcc
chown root:compilerGroup /usr/bin/gcc
chmod 0750 /usr/bin/gcc

Protect Log Files

Set the append-only attribute on important logs so that entries can still be written but the files cannot be truncated or deleted. Note that logrotate cannot rename or truncate append-only files, so rotation of these logs fails until the flag is removed:

chattr +a /var/log/dmesg /var/log/cron /var/log/lastlog /var/log/messages /var/log/secure /var/log/wtmp
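An added verification script (not from the article) for both the immutable binaries and the append-only logs: it parses lsattr output and reports every path that lacks the expected flag. The lsattr lines embedded below are constructed sample data.

```bash
#!/bin/bash
# Added example, not from the original article: check that the attributes set with
# chattr +i (binaries) and chattr +a (logs) are really present, by parsing lsattr
# output. On a real host:
#   lsattr -d /sbin /usr/sbin /bin /usr/lib /usr/lib64 | missing_attr i
#   lsattr /var/log/messages /var/log/secure /var/log/wtmp | missing_attr a
# The sample lsattr lines below are constructed for the demo.

# missing_attr FLAG  reads lsattr lines ("----i---------e----- /path") on stdin,
# prints each path lacking FLAG, and returns 0 only when every path has it.
missing_attr() {
  local flag="$1" attrs path missing=0
  while read -r attrs path; do
    [ -n "$path" ] || continue
    case "$attrs" in
      *"$flag"*) ;;
      *) printf '%s\n' "$path"; missing=1 ;;
    esac
  done
  return "$missing"
}

SAMPLE_LOG_LSATTR='-----a--------e----- /var/log/messages
--------------e----- /var/log/secure
-----a--------e----- /var/log/wtmp'

echo "Logs missing the append-only flag:"
printf '%s\n' "$SAMPLE_LOG_LSATTR" | missing_attr a || echo "(fix with chattr +a on the paths above)"
```

The demo reports /var/log/secure, the one sample entry without the a flag; the non-zero return value makes the check usable from a cron job or a configuration-management run.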

Minimal Firewall Rules

Flush the existing rules, default-deny inbound traffic, and allow only SSH, HTTP (80), and HTTPS (443). The SSH port must match the Port line in sshd_config: this section uses 6553 while the sshd_config example above uses 65534, so pick one value and use it everywhere. RHEL 7 ships firewalld by default, so these commands assume it has been replaced with the iptables-services package. The loopback and established-connection rules are required, otherwise the DROP policy also discards replies to the server's own outbound connections:

iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 6553 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP                     # set the default policy last so a remote session is not cut off part-way
iptables-save > /etc/sysconfig/iptables    # persist; iptables-services loads this file at boot

Enable SELinux

Set SELINUX=enforcing in /etc/selinux/config and run setenforce 1 (if SELinux was previously disabled rather than permissive, a reboot with a full relabel is needed first). Then register the new SSH port with semanage, which is provided by the policycoreutils-python package; use semanage port -m instead of -a if the port is already assigned to another type:

yum install -y policycoreutils-python
semanage port -a -t ssh_port_t -p tcp 6553
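Because the SSH port has to be identical in sshd_config, the iptables rules and the semanage command, the following added example (not from the article) reads the Port value from an sshd_config file and generates the matching firewall and SELinux commands for review. It assumes the iptables-services package rather than firewalld, and the sshd_config fragment it processes is constructed.

```bash
#!/bin/bash
# Added example, not part of the original article: generate the firewall and SELinux
# commands from the Port actually set in sshd_config, so that the three places that
# must agree (sshd_config, iptables, semanage) cannot drift apart. Nothing is applied;
# the commands are printed for review and can be piped to sh once checked.
# Assumes iptables-services rather than firewalld.

# ssh_port SSHD_CONFIG -> effective port: the last uncommented "Port" line, default 22
ssh_port() {
  local port
  port=$(awk 'tolower($1) == "port" { p = $2 } END { print p }' "$1")
  printf '%s\n' "${port:-22}"
}

# firewall_commands SSH_PORT [EXTRA_TCP_PORT...]
# Minimal INPUT policy: loopback, replies to the host's own connections, SSH, plus
# any extra TCP ports. Accept rules come before the DROP policy so that running the
# output over an SSH session does not cut it off part-way.
firewall_commands() {
  local sshp="$1" p; shift
  echo "iptables -F INPUT"
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $sshp -j ACCEPT"
  for p in "$@"; do echo "iptables -A INPUT -p tcp --dport $p -j ACCEPT"; done
  echo "iptables -P INPUT DROP"
  echo "iptables-save > /etc/sysconfig/iptables"
}

# selinux_commands SSH_PORT -> label the port as ssh_port_t (nothing to do for 22,
# which the policy already labels). Use "semanage port -m" if the port is already
# assigned to another type.
selinux_commands() {
  [ "$1" = 22 ] && return 0
  echo "semanage port -a -t ssh_port_t -p tcp $1"
}

# Demo on a constructed sshd_config fragment standing in for /etc/ssh/sshd_config.
demo_conf=$(mktemp)
printf '#Port 22\nPort 65534\nMaxAuthTries 3\nPermitRootLogin no\n' > "$demo_conf"
port=$(ssh_port "$demo_conf")
echo "# sshd listens on $port; matching rules:"
firewall_commands "$port" 80 443
selinux_commands "$port"
rm -f "$demo_conf"
```

Run it against the real file with port=$(ssh_port /etc/ssh/sshd_config) and review the printed commands before executing them; the commented-out #Port 22 line in the sample is ignored, as it would be by sshd.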

Set Web Directory Context

Assign the correct SELinux context to web files. semanage fcontext records the rule persistently (its path argument is a regular expression, so '/var/www/html(/.*)?' would cover the whole directory) and restorecon applies it to the file:

semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
restorecon -v /var/www/html/index.html

These steps collectively raise the security posture of a Linux server, making it more resistant to unauthorized access and attacks.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: firewall, SELinux, SSH, RHEL 7, security hardening
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.
