How to Harden RHEL7: Essential Linux Security Hardening Steps

This guide walks through practical Linux security hardening on RHEL7, covering TCSEC security levels, account lockdown, password policies, SSH hardening, SELinux activation, firewall minimization, immutable system files, and other configuration tweaks to raise the system to a B1 security rating.

Liangxu Linux

Background

Linux, an open‑source Unix‑like operating system, is widely deployed for its stability and efficiency, but its security depends on proper permission management. This article demonstrates a series of hardening measures on a RHEL7 system to improve its security posture.

TCSEC Security Levels

The Trusted Computer System Evaluation Criteria (TCSEC) defines four families (D, C, B, A) and seven grades. D is the lowest, C1 provides discretionary access control, C2 adds auditing, B1 introduces mandatory access control, B2 requires structured design, B3 adds comprehensive access control, and A1 demands formal verification.

Account Control

System accounts are listed in /etc/passwd. To prevent non‑root logins, lock all accounts except root:

#!/bin/bash
# Lock every account except root. Compare the name exactly: "grep -v root"
# would also skip any account whose name merely contains "root".
for user in $(cut -d ':' -f1 /etc/passwd); do
    [ "$user" = "root" ] && continue
    passwd -l "$user"
done
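A lockdown is only as good as its verification, so the following added example (not part of the original article) reports the non-root accounts that still have an interactive shell and an unlocked shadow entry. It reads constructed passwd and shadow contents embedded below rather than the real files; passwd -l prefixes the hash with one or more "!" characters, which is what the check looks for. On a real host you would pass "$(cat /etc/passwd)" and "$(cat /etc/shadow)" as root.

```bash
#!/bin/bash
# Constructed sample /etc/passwd and /etc/shadow contents (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
lyshark:x:1000:1000::/home/lyshark:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
rootkit:x:1002:1002::/home/rootkit:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$hashhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
lyshark:$6$saltsalt$hashhash:18000:0:99999:7:::
backup:!$6$saltsalt$hashhash:18000:0:99999:7:::
rootkit:$6$saltsalt$hashhash:18000:0:99999:7:::'

# Print, one per line, every non-root account that has an interactive shell and
# whose shadow entry is NOT locked (no leading "!", not "*", not empty).
# Arguments: $1 = passwd file contents, $2 = shadow file contents.
unlocked_interactive_users() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        # Exact match on the name, so "rootkit" is still inspected.
        case "$name" in root) continue ;; esac
        # Accounts without a login shell cannot log in interactively anyway.
        case "$shell" in */nologin|*/false) continue ;; esac
        hash=$(printf '%s\n' "$2" | awk -F: -v u="$name" '$1 == u { print $2 }')
        case "$hash" in
            '!'*|'*'|'') ;;                 # locked, disabled or missing entry
            *) printf '%s\n' "$name" ;;     # still usable for password login
        esac
    done
}

# Usage: list what the lockdown missed.
unlocked_interactive_users "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

In the sample data only "backup" was locked, so the check reports "lyshark" and "rootkit"; the latter shows why an exact name comparison matters.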

Password Policy

Adjust password aging in /etc/login.defs (e.g., PASS_MAX_DAYS 90, PASS_MIN_DAYS 0, PASS_MIN_LEN 7, PASS_WARN_AGE 10) to shorten the password lifetime.

Password Complexity

Modify /etc/pam.d/system-auth to require at least one digit, one lowercase, one uppercase, one special character, and a minimum length of 10:

password    required pam_cracklib.so try_first_pass retry=3 \
    dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10
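The credit options are easy to misread: a negative value such as dcredit=-1 is a hard minimum (at least one digit), whereas the default positive value is a "credit" that shortens the effective minlen for each class present, which is why the line above uses -1 for every class. The following added example (not from the original article) implements just the length and class checks from that line so the policy can be reasoned about; it does not reproduce pam_cracklib's dictionary, palindrome or old-password similarity checks. Note that stock RHEL7 system-auth uses pam_pwquality.so, which accepts the same minlen and *credit options.

```bash
#!/bin/bash
# Return 0 if a candidate password satisfies minlen=10 plus dcredit=-1,
# lcredit=-1, ucredit=-1 and ocredit=-1; return 1 otherwise.
# "Other" follows pam_cracklib: any character that is neither a letter nor a digit.
meets_policy() {
    pw=$1
    [ "${#pw}" -ge 10 ] || return 1                        # minlen=10
    case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac    # dcredit=-1
    case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac    # lcredit=-1
    case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac    # ucredit=-1
    case "$pw" in *[![:alnum:]]*) ;; *) return 1 ;; esac   # ocredit=-1
    return 0
}

# Usage: constructed candidates, one per failure mode plus one that passes.
for candidate in 'Password1!' 'password1!' 'PASSWORD1!' 'Passwordxx' 'Pa1!'; do
    if meets_policy "$candidate"; then
        printf '%-12s accepted\n' "$candidate"
    else
        printf '%-12s rejected\n' "$candidate"
    fi
done
```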

Login Timeout

Set an inactivity timeout by adding to /etc/profile:

TMOUT=300
export TMOUT

TTY Login Attempt Limiting

Configure /etc/pam.d/login to lock an account after three failed TTY attempts:

#%PAM-1.0
auth required pam_tally2.so deny=3 lock_time=300 \
    even_deny_root root_unlock_time=10

SSH Port Change

Change the SSH daemon port to a high, less‑scanned value (e.g., 65534) and limit authentication attempts:

# vim /etc/ssh/sshd_config
Port 65534
MaxAuthTries 3

Restart the service: systemctl restart sshd.

Disable Root SSH Login

Create a regular user (e.g., lyshark), grant sudo rights, and disable root SSH login:

# useradd lyshark
# passwd lyshark
# vim /etc/sudoers   # add: lyshark ALL=(ALL) ALL
# vim /etc/ssh/sshd_config   # set: PermitRootLogin no
# systemctl restart sshd

Restrict SSH Users

Allow only specific users or groups to SSH:

AllowUsers lyshark admin
AllowGroups lyshark admin   # keyword is plural; sshd rejects unknown keywords and will not start

Login Warning Banner

Edit /etc/motd and /etc/issue.net to display a warning message upon remote login:

---------------------------------------------------------------
Warning! If unauthorized, illegal login system, please exit immediately!!
Your system fingerprint has been recorded!!
---------------------------------------------------------------

Umask Adjustment

Set a restrictive default file mode by adding umask 0777 to /etc/bashrc. New files will be created without read/write/execute permissions for anyone.
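The kernel computes a new object's mode as the requested mode (0666 for files, 0777 for directories) with every bit set in the umask cleared. The following added example (not from the original article) carries that arithmetic out for the page's 0777 alongside the values more commonly used for hardening, so the trade-off is visible: 0777 yields mode 0000, meaning even the user who creates a file cannot read it back without a chmod, while 0027 or 0077 keep the owner's access and remove only the group or world bits.

```bash
#!/bin/bash
# Permission bits a new object receives under a given umask: mode & ~umask.
# Arguments: $1 = umask in octal (e.g. 0027), $2 = requested mode (0666 or 0777).
effective_mode() {
    printf '%04o' $(( ($2 & ~$1) & 07777 ))
}

# Small table comparing the guide's umask with common hardening values.
umask_table() {
    for um in 0022 0027 0077 0777; do
        printf 'umask %s: new file %s  new directory %s\n' \
            "$um" "$(effective_mode "$um" 0666)" "$(effective_mode "$um" 0777)"
    done
}

# Usage
umask_table
```

Whatever value is chosen, a setting in /etc/bashrc only affects interactive bash sessions; daemons started by systemd keep their own umask.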

Immutable System Files

Mark critical binaries as immutable so even root cannot modify them:

# -R is needed to reach the binaries and libraries themselves: +i on a directory
# alone only blocks creating, deleting or renaming entries, not editing the files.
# Remove with "chattr -R -i <dir>" before applying package updates.
chattr -R +i /sbin/
chattr -R +i /usr/sbin/
chattr -R +i /bin/
chattr -R +i /usr/lib
chattr -R +i /usr/lib64
chattr -R +i /usr/libexec

Restrict GCC Compiler

Strip all permissions from the GCC binaries, then create a dedicated group and restore access for its members only:

# chmod 000 /usr/bin/gcc*
# groupadd compilerGroup
# chown root:compilerGroup /usr/bin/gcc
# chmod 0750 /usr/bin/gcc

Users not in compilerGroup will see “Permission denied” when invoking gcc.

Protect Log Files

Make log files append‑only to prevent deletion:

# cd /var/log
# chattr +a dmesg cron lastlog messages secure wtmp
# Note: logrotate cannot rename an append-only file, so rotation of these
# logs will fail until the flag is cleared (chattr -a) or rotation uses copytruncate.

Minimal Firewall Rules

Flush existing rules and allow only SSH (port 65534) and HTTP/HTTPS traffic:

# RHEL7 enables firewalld by default; disable it (or manage these rules with
# firewall-cmd) so the two do not overwrite each other.
# iptables -F
# iptables -P INPUT DROP
# iptables -I INPUT -i lo -j ACCEPT                                  # local services talking to themselves
# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT  # replies to this host's own outbound connections
# iptables -I INPUT -p tcp --dport 65534 -j ACCEPT
# iptables -I INPUT -p tcp --dport 80 -j ACCEPT
# iptables -I INPUT -p tcp --dport 443 -j ACCEPT
# iptables-save > /etc/sysconfig/iptables   # iptables-save alone only prints; this file is loaded by iptables-services at boot
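A rule set that drops by default is easy to get wrong in ways that only show up later (no loopback rule, no ESTABLISHED,RELATED rule, a port left open). The following added example (not part of the original article) audits an iptables-save dump for the baseline above and lists the accepted TCP ports; the dump is a constructed sample embedded in the script, and on a real host you would pass "$(iptables-save)" instead.

```bash
#!/bin/bash
# Constructed iptables-save output matching the intended rule set (not from a real host).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 65534 -j ACCEPT
COMMIT'

# TCP destination ports the INPUT chain accepts, sorted, space-separated.
# Argument: $1 = iptables-save output.
accepted_tcp_ports() {
    printf '%s\n' "$1" | awk '
        /^-A INPUT / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") print $(i + 1)
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Baseline checks for a default-deny INPUT chain; prints findings,
# returns 0 only when all pass. Argument: $1 = iptables-save output.
audit_input_chain() {
    rules=$1; rc=0
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' \
        || { echo 'FAIL: INPUT policy is not DROP'; rc=1; }
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo 'FAIL: loopback traffic is not accepted'; rc=1; }
    printf '%s\n' "$rules" | grep -Eq -- '^-A INPUT .*(--state|--ctstate) (ESTABLISHED,RELATED|RELATED,ESTABLISHED) -j ACCEPT' \
        || { echo 'FAIL: no ESTABLISHED,RELATED rule; replies to outbound connections will be dropped'; rc=1; }
    return $rc
}

# Usage
audit_input_chain "$SAMPLE_RULES" && echo "INPUT chain baseline OK"
echo "accepted TCP ports: $(accepted_tcp_ports "$SAMPLE_RULES")"
```

Comparing the port list against the services actually meant to be exposed is the quickest way to catch a rule that was added for a test and never removed.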

Enable SELinux

Set SELinux to enforcing mode:

# vim /etc/selinux/config   # SELINUX=enforcing
# setenforce 1

Install the policy tools and allow the new SSH port:

# yum install -y policycoreutils-python
# semanage port -a -t ssh_port_t -p tcp 65534

Web Directory Context

Assign the correct SELinux type to web content:

# semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
# restorecon -v /var/www/html/index.html