How to Harden RHEL7: Essential Linux Security Configurations
This guide walks through practical steps to harden a RHEL7 Linux server—including account restrictions, password policies, SELinux enforcement, SSH port changes, firewall rules, and file attribute protections—using concrete commands and configuration edits to boost system security.
Linux is a free, open‑source Unix‑like operating system whose security can be significantly improved by proper permission management; the following steps focus on RHEL7 and cover account security, login control, SELinux configuration, and other hardening measures.
TCSEC Security Levels
The U.S. Department of Defense published the Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book") as a standard in 1985, grouping systems into four divisions (A‑D) and seven classes:
D – Minimal security
C1 – Discretionary Access Control (DAC)
C2 – Enhanced DAC and auditing
B1 – Mandatory Access Control (MAC)
B2 – Structured design with formal security model
B3 – Comprehensive access control and trusted recovery
A1 – Formal verification
No mainstream general-purpose system sits high on this scale: Windows NT was evaluated at C2, and a Linux system with SELinux enforcing provides the mandatory access control that class B1 requires (although no stock distribution was ever formally rated at B1, and TCSEC itself was superseded by the Common Criteria in 2005). The classes are used here only to frame what the steps below add.
Account Control
Local accounts are listed in /etc/passwd (cat /etc/passwd). To prevent every account other than root from logging in, lock their passwords:
#!/bin/bash
# Lock the password of every account except root. This includes any
# administrator account you created, so keep a root console session open
# and re-enable the accounts you still need with passwd -u afterwards.
for temp in $(cut -d ":" -f 1 /etc/passwd | grep -v "^root$")
do
    passwd -l "$temp"
done
The anchored pattern ^root$ matters: a plain grep -v "root" would also skip any account whose name merely contains the string. passwd -l only invalidates the password hash (it prefixes the entry in /etc/shadow with !); for service accounts also set the shell to /sbin/nologin with usermod -s so that no interactive session is possible by any route.
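The loop above has no preview step and no exception list, so it is easy to lock the very account you administer from. The following script, an added example that is not part of the original article, separates the decision from the action: it reads a passwd-format file (a constructed sample here; /etc/passwd on a real host), skips accounts that already have a nologin shell, keeps a hypothetical allow list (KEEP, adjust it to the host), and only runs passwd -l and usermod when called with apply.

```bash
#!/bin/bash
# Added example: preview, then lock, every interactive account not on an
# allow list. Reads a passwd-format file so it can be run against a copy first.

# Accounts that must stay usable (hypothetical allow list; adjust per host).
KEEP="root lyshark"

# accounts_to_lock PASSWD_FILE
# Prints one name per line for each entry that still has a login shell and is
# not in KEEP. Entries whose shell is already nologin/false are skipped.
accounts_to_lock() {
    local passwd_file=$1
    local name pw uid gid gecos home shell keep
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        case "$shell" in
            */nologin|*/false) continue ;;
        esac
        for keep in $KEEP; do
            [ "$name" = "$keep" ] && continue 2
        done
        printf '%s\n' "$name"
    done < "$passwd_file"
}

# lock_accounts PASSWD_FILE [apply]
# Dry run by default: prints what would be done. With "apply" it locks the
# password hash and removes the shell, so no interactive session is possible.
lock_accounts() {
    local passwd_file=$1 mode=${2:-dry-run} user
    for user in $(accounts_to_lock "$passwd_file"); do
        if [ "$mode" = apply ]; then
            passwd -l "$user"
            usermod -s /sbin/nologin "$user"
        else
            echo "would run: passwd -l $user; usermod -s /sbin/nologin $user"
        fi
    done
}

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
lyshark:x:1000:1000::/home/lyshark:/bin/bash
olddev:x:1001:1001::/home/olddev:/bin/bash
backup:x:1002:1002::/home/backup:/bin/sh
EOF

lock_accounts "$SAMPLE_PASSWD"          # dry run: olddev and backup
# lock_accounts /etc/passwd apply        # as root on the target host
```

Run the dry run, read the list, then call it again with apply; the allow list is checked by exact name, so a typo in KEEP shows up as an unexpected entry in the preview rather than as a locked administrator.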
Password Aging
Password expiration defaults are kept in /etc/login.defs (grep PASS /etc/login.defs). Reduce the maximum password age by editing that file:
# Password aging controls:
PASS_MAX_DAYS 90 # Maximum days a password may be used
PASS_MIN_DAYS 0 # Minimum days between password changes
PASS_MIN_LEN 7 # Minimum password length (not enforced on RHEL7, where passwd goes through PAM; see the next section)
PASS_WARN_AGE 10 # Days before expiration to warn the user
These values apply only to accounts created after the change. Accounts that already exist keep the aging fields stored in /etc/shadow until they are updated with chage (chage -l user shows the current values).
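Because login.defs affects only new accounts, a practitioner usually follows this edit with an audit of the existing ones. The script below is an added example, not from the original article: it reads a shadow-format file (a constructed sample with fake hashes here; /etc/shadow as root on a real host), ignores locked and password-less entries, reports every account whose maximum age or warning period does not meet PASS_MAX_DAYS 90 / PASS_WARN_AGE 10, and prints the chage commands that fix them.

```bash
#!/bin/bash
# Added example: audit existing accounts against the login.defs policy and
# emit the chage commands that bring them into line.
# MAX_DAYS and WARN_DAYS mirror the PASS_MAX_DAYS / PASS_WARN_AGE values above.

MAX_DAYS=90
WARN_DAYS=10

# has_password HASH: true for a usable hash, false for locked ("!", "!!") or
# no-password ("*", "") entries, which cannot log in with a password anyway.
has_password() {
    case "$1" in
        ''|'*'|'!'*) return 1 ;;
        *) return 0 ;;
    esac
}

# aging_violations SHADOW_FILE
# Prints "name:max:warn" for every password-bearing account whose maximum
# age is unset or above MAX_DAYS, or whose warning period is below WARN_DAYS.
aging_violations() {
    local name hash lastchg min max warn rest
    while IFS=: read -r name hash lastchg min max warn rest; do
        has_password "$hash" || continue
        if [ -z "$max" ] || [ "$max" -gt "$MAX_DAYS" ] || [ "${warn:-0}" -lt "$WARN_DAYS" ]; then
            printf '%s:%s:%s\n' "$name" "${max:-unset}" "${warn:-unset}"
        fi
    done < "$1"
}

# chage_commands SHADOW_FILE: the remediation, one chage per violation.
chage_commands() {
    local entry
    for entry in $(aging_violations "$1"); do
        printf 'chage --maxdays %s --warndays %s %s\n' "$MAX_DAYS" "$WARN_DAYS" "${entry%%:*}"
    done
}

# Constructed sample in /etc/shadow format (fake hashes, not a real file).
SAMPLE_SHADOW=$(mktemp)
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$fakehash$abc:18000:0:99999:7:::
bin:*:17000:0:99999:7:::
lyshark:$6$fakehash$def:18100:0:90:10:::
olddev:$6$fakehash$ghi:17500:0:99999:7:::
backup:!!:17500:0:99999:7:::
svc:$6$fakehash$jkl:18000:0::::
EOF

aging_violations "$SAMPLE_SHADOW"
chage_commands "$SAMPLE_SHADOW"
```

The sample shows the three cases worth distinguishing: root and olddev still carry the shadow-utils default of 99999 days, svc has no maximum at all, while bin and backup are skipped because no password can be used on them anyway. Review the printed chage lines, then run them as root (or pipe the output to sh).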
Password Complexity
Enforce complexity in /etc/pam.d/system-auth by editing the password line so that it reads:
password required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10
A credit of -1 means at least one character of that class (digit, lowercase, uppercase, other) is mandatory, and minlen=10 is the minimum length. RHEL7 ships pam_pwquality.so on this line by default; it accepts the same options and also reads /etc/security/pwquality.conf, so either module works. system-auth is a symlink to system-auth-ac, which the authconfig tool regenerates and thereby overwrites manual edits, so re-check the line after running authconfig. Root is not subject to these checks when setting another user's password.
Login Timeout
Set an idle timeout of 300 seconds in /etc/profile so that an unattended shell is logged out:
TMOUT=300
export TMOUT
This only affects interactive shells that read /etc/profile, and a user can unset it unless the variable is also declared readonly; it does not close an SSH connection that has no shell attached (port forwarding, for example).
TTY Attempt Limits
Limit failed login attempts with pam_tally2 in /etc/pam.d/login:
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10
deny=3 locks the account after three consecutive failures and unlock_time=300 releases it after five minutes. (lock_time, which is often written here by mistake, means something different in pam_tally2: deny for that many seconds after every failure, even before the limit is reached.) even_deny_root applies the counter to root as well, released after root_unlock_time seconds. The line should precede pam_unix.so in the auth stack, and pam_tally2 also needs an account entry (account required pam_tally2.so) so that a successful login resets the counter. /etc/pam.d/login governs console (getty) logins only; add the same lines to /etc/pam.d/sshd to cover SSH. pam_tally2 --user=name shows a counter and pam_tally2 --user=name --reset clears it.
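pam_tally2 counts per account, so an attacker who tries two passwords against each of fifty usernames from one address never reaches deny=3 on any of them. The awk script below is an added example (not part of the original article) that takes the per-source view from /var/log/secure instead: it counts "Failed password" events per client address and how many distinct usernames each address tried, then prints the iptables rules that would block the offenders rather than running them. The log lines are constructed for the example and use documentation address ranges; THRESHOLD is a policy value chosen here.

```bash
#!/bin/bash
# Added example: per-source-address view of SSH password failures, the case
# a per-account counter such as pam_tally2 does not see.
# THRESHOLD is an example policy value; the log lines below are constructed.

THRESHOLD=3

# failed_by_ip LOGFILE [THRESHOLD]
# Prints "count distinct_users ip" for every source address with at least
# THRESHOLD failed password attempts, highest count first.
failed_by_ip() {
    local logfile=$1 thr=${2:-$THRESHOLD}
    awk -v thr="$thr" '
        /sshd\[[0-9]+\]: Failed password for / {
            # "... Failed password for [invalid user] NAME from IP port N ssh2"
            user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "for") { user = ($(i+1) == "invalid") ? $(i+3) : $(i+1) }
                if ($i == "from") { ip = $(i+1) }
            }
            if (ip == "") next
            count[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in count)
                if (count[ip] >= thr) print count[ip], users[ip], ip
        }' "$logfile" | sort -rn
}

# block_commands LOGFILE: the matching iptables rules, printed, not executed.
block_commands() {
    local count users ip
    failed_by_ip "$1" | while read -r count users ip; do
        printf 'iptables -I INPUT -s %s -j DROP   # %s failures, %s usernames\n' "$ip" "$count" "$users"
    done
}

# Constructed sample in /var/log/secure format (documentation IP ranges).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  3 10:01:12 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[1201]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
Mar  3 10:01:19 web1 sshd[1205]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  3 10:01:25 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51262 ssh2
Mar  3 10:02:01 web1 sshd[1210]: Accepted publickey for lyshark from 198.51.100.4 port 40122 ssh2
Mar  3 10:02:40 web1 sshd[1220]: Failed password for lyshark from 198.51.100.4 port 40130 ssh2
Mar  3 10:03:05 web1 sshd[1230]: Failed password for lyshark from 198.51.100.4 port 40131 ssh2
EOF

failed_by_ip "$SAMPLE_LOG"
block_commands "$SAMPLE_LOG"
```

With the default threshold only 203.0.113.7 is reported (four failures across three usernames, the spraying pattern), while the two failures from 198.51.100.4 look like a user mistyping. The distinct-username column is what separates the two cases; a lower threshold with a high username count is a better trigger than the raw count alone.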
SSH Hardening
Move the SSH daemon to a non-default port and limit authentication attempts:
# vim /etc/ssh/sshd_config
Port 65534 # Use a high‑numbered port
MaxAuthTries 3 # Limit authentication attempts per connection
Check the file with sshd -t, then restart with systemctl restart sshd while keeping the current session open in case the new configuration is rejected. A changed port only reduces scanner noise; it is not an access control. MaxAuthTries counts every method tried on a connection, including each public key the client offers, so users with several keys loaded in an agent can be rejected before the right one is tried (IdentitiesOnly yes on the client side avoids this). When the port is changed, the firewall rule and the SELinux port label described later must be updated as well, or the daemon will fail to bind.
Root Login Restriction
Root Login Restriction
Create a regular user (e.g., lyshark), grant sudo rights, and disable direct root login:
# useradd lyshark
# passwd lyshark
# vim /etc/sudoers
root ALL=(ALL) ALL
lyshark ALL=(ALL) ALL
# vim /etc/ssh/sshd_config
PermitRootLogin noSSH User Allowlist
Specify which users and groups may log in via SSH (also in sshd_config):
AllowUsers lyshark admin
AllowGroups lyshark admin
The directive is AllowGroups (plural); misspelled as AllowGroup it is an unknown option and sshd refuses the whole configuration, which sshd -t reports before a restart. When both directives are present a user must pass both lists, and the named groups must exist. Listing anyone implicitly denies everyone else, root included.
Login Warning Messages
Display a warning to anyone who connects. /etc/issue.net is shown by sshd before authentication only when sshd_config contains Banner /etc/issue.net (it is not shown by default); /etc/motd is shown after a successful login. Put the notice in both:
---------------------------------------------------------------
Warning! Unauthorized access to this system is prohibited. If you are not authorized, disconnect immediately!
Your connection details have been recorded!!
---------------------------------------------------------------
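The SSH settings from the last four sections are spread through sshd_config, and sshd honours only the first occurrence of each keyword, so a hardened line appended below the stock one changes nothing. The script below, an added example rather than the article's own code, reads a config file with that first-match rule and reports which of the expected values (Port 65534, MaxAuthTries 3, PermitRootLogin no, AllowUsers set, Banner /etc/issue.net, plus PasswordAuthentication no as an extra expectation the article does not state) are not in effect. The sample file is constructed to show the appended-but-ignored case; on a live host sshd -T prints the effective configuration and is the authoritative check.

```bash
#!/bin/bash
# Added example: offline audit of an sshd_config using sshd's own
# first-occurrence-wins rule. Expected values are this article's choices;
# PasswordAuthentication=no is an extra expectation added for the example.

# sshd_effective FILE KEYWORD
# Prints the value of the first uncommented KEYWORD line (case-insensitive),
# or nothing when the keyword is absent.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE
# Prints one "FAIL keyword: got ... want ..." line per deviation and returns
# the number of failures (0 when the file is compliant).
audit_sshd() {
    local file=$1 fails=0 pair keyword want got
    # keyword=expected value; "*" means any non-empty value is acceptable.
    for pair in Port=65534 MaxAuthTries=3 PermitRootLogin=no \
                PasswordAuthentication=no AllowUsers='*' Banner=/etc/issue.net; do
        keyword=${pair%%=*}; want=${pair#*=}
        got=$(sshd_effective "$file" "$keyword")
        if [ -z "$got" ] || { [ "$want" != '*' ] && [ "$got" != "$want" ]; }; then
            printf 'FAIL %s: got "%s" want "%s"\n' "$keyword" "${got:-<unset>}" "$want"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample: hardening lines appended after the distribution
# defaults, so the defaults still win.
SAMPLE_SSHD=$(mktemp)
cat > "$SAMPLE_SSHD" <<'EOF'
# Distribution defaults
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
# Hardening appended later (ignored: first match wins)
Port 65534
PermitRootLogin no
maxauthtries 3
AllowUsers lyshark admin
Banner /etc/issue.net
EOF

audit_sshd "$SAMPLE_SSHD" || echo "$? setting(s) need fixing"
```

On the sample this reports Port, MaxAuthTries, PermitRootLogin and PasswordAuthentication as failing even though compliant lines exist further down, which is exactly what sshd does with that file. Keyword matching is case-insensitive because sshd's is; values are compared verbatim.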
Umask Restriction
The umask removes permission bits from the defaults of 666 for new files and 777 for new directories. A umask of 0777 would therefore create files and directories with no permissions at all, not even for their owner, which breaks normal use (a user cannot read back a file they just wrote). The usual hardened values are 027 (group may read, others get nothing) or 077 (owner only). Set it in /etc/bashrc, which interactive bash shells read (and in /etc/profile for other login shells):
# echo "umask 027" >> /etc/bashrc
The value is inherited by processes the shell starts but not by services started by systemd, which take theirs from UMask= in the unit file.
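To see what a given umask does rather than reason about it, the following added example (not from the original article) creates a file and a directory under a mask in a scratch directory and reports the resulting modes for 022, 027, 077 and 0777; it assumes GNU coreutils for stat -c.

```bash
#!/bin/bash
# Added example: observe the effect of a umask by creating a file and a
# directory under it. Assumes GNU stat (-c %a prints the octal mode).

# umask_demo MASK
# Prints "<file mode> <dir mode>" for a file and a directory created while
# MASK is in effect, then cleans up.
umask_demo() {
    local mask=$1 dir
    dir=$(mktemp -d)
    (
        umask "$mask"
        : > "$dir/f"        # file: requested 0666, reduced by the mask
        mkdir "$dir/d"      # directory: requested 0777, reduced by the mask
    )
    printf '%s %s\n' "$(stat -c %a "$dir/f")" "$(stat -c %a "$dir/d")"
    chmod u+rwx "$dir/d" "$dir/f"   # a 0777 mask leaves them unreadable; restore so rm works
    rm -rf "$dir"
}

for mask in 022 027 077 0777; do
    printf 'umask %-4s -> file/dir modes: %s\n' "$mask" "$(umask_demo "$mask")"
done
```

The last line of output, umask 0777 giving mode 0 for both the file and the directory, is the case to avoid; 027 gives 640/750 and 077 gives 600/700.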
Immutable System Files
Make the system binary and library directories immutable with chattr +i:
chattr +i /sbin/
chattr +i /usr/sbin/
chattr +i /bin/
chattr +i /usr/lib
chattr +i /usr/lib64
chattr +i /usr/libexec
On a directory, +i prevents entries being created, deleted, or renamed in it but does not protect the contents of existing files; use chattr -R +i to cover the files themselves. On RHEL7 /bin, /sbin, /lib and /lib64 are symlinks into /usr, and the trailing slash makes chattr follow them, so the /sbin/ and /bin/ lines act on /usr/sbin and /usr/bin. The attribute also stops rpm and yum from updating anything below these paths, so clear it (chattr -R -i) before patching and set it again afterwards; lsattr -d shows the current flags. Only root (CAP_LINUX_IMMUTABLE) can change the attribute, so it protects against mistakes and unprivileged compromise, not against an attacker who already has root.
Restrict GCC Compiler
Remove execute permission from the GCC binaries and make gcc usable only by a dedicated group:
# chmod 000 /usr/bin/gcc*
# groupadd compilerGroup
# chown root:compilerGroup /usr/bin/gcc
# chmod 0750 /usr/bin/gcc
Afterwards gcc runs only for root and for members of compilerGroup (add them with usermod -aG compilerGroup user); cc is a symlink to gcc, so it is covered, while gcc-ar, gcc-nm and the other gcc* tools stay at mode 000. This does not stop an attacker who uploads a pre-built binary, and it breaks anything that compiles on the host (kernel module builds, DKMS), so treat it as friction rather than a control and skip it on build machines.
Log File Protection
Prevent log files from being truncated or deleted by setting the append‑only attribute:
# cd /var/log/
# chattr +a cron messages secure wtmp
With +a a file can only be opened for appending, which suits logs that rsyslog and login write by appending (messages, secure, cron, wtmp). It is unsuitable for lastlog, which is updated in place at an offset indexed by UID, and for /var/log/dmesg, which is rewritten from scratch at boot; both break under +a and are left out here. Rotation is affected too: logrotate can neither rename nor truncate an append-only file, so it must run chattr -a before and chattr +a after rotating (a prerotate/postrotate script), or rotation fails. As with +i, only root can remove the attribute.
Firewall Minimization
Flush the existing rules and allow only loopback traffic, replies to connections the host itself opened, SSH on its new port, HTTP, and HTTPS. Add the accept rules before switching the policy to DROP, otherwise the current SSH session is cut off in between:
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp --dport 65534 -j ACCEPT
# iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# iptables -P INPUT DROP
# service iptables save
The loopback and ESTABLISHED,RELATED rules are missing from many minimal rulesets; without them DNS lookups, yum updates and the return half of every outbound connection are dropped. iptables-save on its own only prints the rules to standard output; on RHEL7 persistence needs the iptables-services package (service iptables save writes /etc/sysconfig/iptables), with firewalld stopped and disabled so the two do not fight over the same tables.
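Entering the rules one command at a time leaves a window in which the host is unreachable, and a typo can make that permanent. The script below is an added example, not part of the original article: it generates the complete ruleset in iptables-restore format (the same format /etc/sysconfig/iptables holds), checks that the text still admits SSH and established connections, and only then would load it atomically. It goes slightly beyond the article by adding a connection-rate limit on the SSH port with the recent match. SSH_PORT and WEB_PORTS mirror the article's values; loading requires root, the iptables-services package and firewalld disabled, none of which the script does by itself (the apply call is commented out).

```bash
#!/bin/bash
# Added example: build the firewall as one iptables-restore ruleset, sanity
# check it, and load it atomically instead of rule by rule.
# SSH_PORT matches the sshd_config change above; WEB_PORTS are HTTP/HTTPS.

SSH_PORT=65534
WEB_PORTS="80 443"

# build_ruleset: prints an iptables-restore ruleset on stdout.
build_ruleset() {
    local port
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# local traffic and replies to connections this host initiated (yum, DNS, NTP)
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# SSH on its relocated port; more than 5 new connections/minute from one source are dropped
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
EOF
    for port in $WEB_PORTS; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    echo "COMMIT"
}

# check_ruleset FILE: refuse a ruleset that would cut off SSH, drop replies
# to established connections, or never commit.
check_ruleset() {
    local file=$1
    grep -q -- "--dport $SSH_PORT .*-j ACCEPT" "$file" || { echo "no SSH accept rule"; return 1; }
    grep -q -- "--ctstate ESTABLISHED,RELATED -j ACCEPT" "$file" || { echo "no ESTABLISHED rule"; return 1; }
    grep -q '^COMMIT$' "$file" || { echo "missing COMMIT"; return 1; }
    return 0
}

# apply_ruleset FILE: atomic load (as root), then persist for the next boot.
apply_ruleset() {
    check_ruleset "$1" || return 1
    iptables-restore < "$1" && cp "$1" /etc/sysconfig/iptables
}

RULES=$(mktemp)
build_ruleset > "$RULES"
check_ruleset "$RULES" && cat "$RULES"
# apply_ruleset "$RULES"   # uncomment on the target host
```

iptables-restore parses the whole file before touching the kernel tables, so a syntax error leaves the old rules in place, and the switch from old to new ruleset is a single operation with no unprotected gap. Keep the SSH session open during the first load anyway, and test the saved file with iptables-restore --test before trusting it at boot.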
Enable SELinux
Set SELinux to enforcing mode and apply the change at runtime:
# vim /etc/selinux/config
SELINUX=enforcing
# setenforce 1
setenforce 1 only works when SELinux is currently permissive; if it was disabled, no policy is loaded, the file labels on disk are stale, and a reboot after touch /.autorelabel is needed (the first boot relabels the whole filesystem and takes a while). Going from disabled straight to enforcing can leave services unable to start or the system unable to boot, so pass through permissive first and review /var/log/audit/audit.log for denials. getenforce reports the current mode.
Allow Custom SSH Port in SELinux
Install the policy management tools and add the new SSH port to the policy. Do this before restarting sshd on the new port; in enforcing mode the daemon is otherwise denied the bind and fails to start:
# yum install -y policycoreutils-python
# semanage port -a -t ssh_port_t -p tcp 65534
semanage port -l | grep ssh shows the result (port 22 stays labelled as well). If the port is already assigned to another type, semanage reports that and -m (modify) must be used instead of -a.
Web Directory Context
Assign the correct SELinux context to the web document root. semanage fcontext only records the rule in the policy; restorecon applies it to the files, and ls -Z confirms the label:
# semanage fcontext -a -t httpd_sys_content_t "/var/www/html(/.*)?"
# restorecon -Rv /var/www/html
# ls -Z /var/www/html/index.html
/var/www/html already carries httpd_sys_content_t in the default policy, so this matters mainly when content is moved in with its old label (mv keeps the source label, cp relabels to the destination default) or when the document root lives somewhere else. Files that a web application must write need httpd_sys_rw_content_t instead.