How to Harden Linux Systems: Practical Security Steps for RHEL7

An in‑depth guide shows how to harden a RHEL 7 Linux server by tightening account permissions, enforcing password policies, limiting login attempts, changing SSH settings, restricting compiler use, protecting log files, applying minimal firewall rules, and enabling SELinux to achieve a B1‑level security baseline.

MaGe Linux Operations

Linux System Security Hardening

Linux is a free, open‑source Unix‑like operating system. While its servers are praised for security, efficiency and stability, improper permission management can still leave them vulnerable. This guide uses RHEL 7 to improve security through account hardening, login control, SELinux configuration and other measures.

In 1985 the U.S. Department of Defense published the Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book"), which divides systems into classes D, C1, C2, B1, B2, B3 and A1 in order of increasing protection. Modern operating systems often fall short of the higher classes; for example Windows NT reaches only C2, whereas a hardened Linux can achieve B1.

Control System Accounts

System accounts are listed in /etc/passwd (cat /etc/passwd). Apart from root, every other account should be disabled for login.

Lock a user’s login with passwd -l username. The following Bash script disables all non‑root accounts:

#!/bin/bash
# Lock the password of every account except root (passwd -l prefixes the
# hash in /etc/shadow with "!"). grep -vx matches the whole name, so an
# account whose name merely contains "root" is not skipped by accident.
# Run this before creating the administrative user from the SSH section,
# or unlock that user afterwards with passwd -u.
for temp in $(cut -d ":" -f 1 /etc/passwd | grep -vx "root")
do
        passwd -l "$temp"
done
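As an added check that is not part of the original article, the following POSIX shell function reports which accounts in /etc/shadow can still authenticate with a password after the locking script has run; the sample shadow lines are constructed and the user names (lyshark, olduser, guest) are placeholders.

```shell
#!/bin/sh
# Added audit helper (not from the original article). Lists accounts whose
# /etc/shadow hash is neither locked ("!" prefix, as passwd -l leaves it) nor
# disabled ("*"), i.e. accounts that can still authenticate with a password.
# root is skipped because the article keeps it enabled. Reads shadow-format
# lines from the file given as $1, or from stdin when no argument is given.
unlocked_accounts() {
    awk -F: '
        NF < 2 || $1 ~ /^#/ { next }          # blank or comment line
        $1 == "root"        { next }          # root stays enabled
        $2 == ""            { print $1 " (no password)"; next }
        $2 !~ /^[!*]/       { print $1 }      # hash present and not locked
    ' "${1:--}"
}

# Number of findings, handy as an exit status from a cron job.
unlocked_count() {
    unlocked_accounts "$@" | wc -l | tr -d ' '
}

# Constructed sample in /etc/shadow format (hashes are fake placeholders).
SAMPLE_SHADOW='root:$6$saltsalt$fakehash:19000:0:99999:7:::
bin:*:19000:0:99999:7:::
lyshark:$6$othersalt$fakehash:19000:0:90:10:::
olduser:!!:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# On a real system run: unlocked_accounts /etc/shadow
echo "Accounts that can still log in with a password:"
printf '%s\n' "$SAMPLE_SHADOW" | unlocked_accounts
```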

Password Aging

The password lifetime defaults are stored in /etc/login.defs (cat /etc/login.defs | grep "PASS" shows them). They apply to accounts created afterwards; existing accounts keep their current aging values and are adjusted with chage. Reduce the maximum age, for example:

[root@localhost ~]# vim /etc/login.defs

# Password aging controls (comments must stay on their own lines;
# text after the value is read as part of the value):
#   PASS_MAX_DAYS  maximum days a password may be used
#   PASS_MIN_DAYS  minimum days between password changes
#   PASS_MIN_LEN   minimum password length
#   PASS_WARN_AGE  days before expiration to warn the user
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    7
PASS_WARN_AGE   10

Password Complexity

Configure complexity in /etc/pam.d/system-auth by adding:

password required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10

Login Timeout

Set an idle timeout (e.g., 300 seconds) in /etc/profile:

TMOUT=300
export TMOUT

Limit TTY Login Attempts

Add the following line to /etc/pam.d/login to deny after three failed attempts and lock the account for 300 seconds:

auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10

Change SSH Port

Modify /etc/ssh/sshd_config to use a high, non‑standard port such as 65534 and reduce the maximum authentication attempts:

Port 65534
MaxAuthTries 3

Disable Root SSH Login

Create a regular user (e.g., lyshark), grant sudo privileges, and set PermitRootLogin no in /etc/ssh/sshd_config. Restart the SSH service afterwards.

Restrict Allowed SSH Users

Specify permitted users or groups in /etc/ssh/sshd_config (when both directives are present, a user must match both):

AllowUsers lyshark admin
AllowGroups lyshark admin
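The SSH settings from the last three sections (Port, MaxAuthTries, PermitRootLogin and AllowUsers/AllowGroups) can be verified rather than trusted. The shell function below is an added example, not code from the original article; the two sample configurations and the user names in them are constructed.

```shell
#!/bin/sh
# Added check (not from the original article): audits an sshd_config text for
# the four settings this guide changes. Handles "Key value" and "Key=value",
# ignores comments and keeps the first occurrence of a keyword, as sshd does.
# Prints one line per finding; the exit status is the number of findings.
# Reads the config from the file given as $1, or from stdin when omitted.
sshd_audit() {
    awk '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }       # drop comments/indent
        NF == 0 { next }
        {
            line = $0; sub(/[ \t]*=[ \t]*/, " ", line) # accept Key=value form
            split(line, f, /[ \t]+/)
            key = tolower(f[1])
            if (!(key in cfg)) cfg[key] = f[2]        # first value wins
        }
        END {
            n = 0
            if (!("port" in cfg) || cfg["port"] == "22")
                { print "Port is still 22"; n++ }
            if (!("permitrootlogin" in cfg) || tolower(cfg["permitrootlogin"]) != "no")
                { print "PermitRootLogin is not no"; n++ }
            if (!("maxauthtries" in cfg) || cfg["maxauthtries"] + 0 > 3)
                { print "MaxAuthTries is above 3 (default 6)"; n++ }
            if (!("allowusers" in cfg) && !("allowgroups" in cfg))
                { print "No AllowUsers/AllowGroups restriction"; n++ }
            exit n
        }
    ' "${1:--}"
}

# Returns the finding count as text, e.g. for a compliance report.
count_findings() {
    if printf '%s\n' "$1" | sshd_audit >/dev/null; then echo 0; else echo $?; fi
}

# Constructed samples: a stock RHEL 7 file (everything commented out) and the
# hardened settings from this guide. On a host run: sshd_audit /etc/ssh/sshd_config
STOCK_CFG='#Port 22
#PermitRootLogin yes
#MaxAuthTries 6
X11Forwarding yes'
HARDENED_CFG='Port 65534
MaxAuthTries=3
PermitRootLogin no
AllowUsers lyshark admin
AllowGroups lyshark admin'

printf '%s\n' "$STOCK_CFG" | sshd_audit || echo "stock config: $? finding(s)"
```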

Login Warning Message

Edit /etc/motd and /etc/issue.net to display a warning banner for unauthorized access.

Umask Restriction

Set the default file creation mask to 0777 so that newly created files carry no permission bits at all (not readable, writable or executable by anyone, including the owner, until chmod is run):

# echo "umask 0777" >> /etc/bashrc

Lock Critical System Files

Make the important binary and library directories immutable with chattr +i (e.g., /sbin, /usr/lib). On a directory, +i blocks adding, removing or renaming entries but does not protect the files inside (chattr -R +i does that), and the attribute must be removed with chattr -i before package updates.

chattr +i /sbin/
chattr +i /usr/sbin/
chattr +i /bin/
chattr +i /usr/lib
chattr +i /usr/lib64
chattr +i /usr/libexec

Restrict GCC Compiler

Remove execute permissions from all gcc binaries and then create a dedicated group with limited access:

chmod 000 /usr/bin/gcc
groupadd compilerGroup
chown root:compilerGroup /usr/bin/gcc
chmod 0750 /usr/bin/gcc

Protect Log Files

Make log files append-only so entries can still be written but existing content cannot be truncated, overwritten or deleted (logrotate cannot rotate such files until the attribute is removed):

chattr +a /var/log/dmesg /var/log/cron /var/log/lastlog /var/log/messages /var/log/secure /var/log/wtmp

Minimal Firewall Rules

Flush existing rules and allow only SSH (port 6553 here; it must match the Port line in sshd_config) and HTTP/HTTPS traffic:

# Allow loopback and replies to connections this host started, otherwise
# the DROP policy below also discards DNS answers and yum downloads
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 6553 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# set the default policy last so the SSH session is never cut off
iptables -P INPUT DROP
# iptables-save only prints to stdout; write the rules to the file the
# iptables service (iptables-services package) loads at boot
iptables-save > /etc/sysconfig/iptables

Enable SELinux

Set SELINUX=enforcing in /etc/selinux/config and apply it immediately with setenforce 1. Then label the new SSH port so that sshd is allowed to bind to it (semanage comes from the policycoreutils-python package on RHEL 7; the port must match the Port line in sshd_config):

semanage port -a -t ssh_port_t -p tcp 6553

These steps collectively raise the security posture of a RHEL 7 system, moving it toward a B1-level trusted computing baseline.
