
Boost Linux Server Security: Practical Hardening Steps for RHEL7

This guide walks through a comprehensive Linux hardening checklist for RHEL7, covering account locking, password policies, SSH port changes, SELinux activation, firewall tightening, and file attribute protections to elevate the system to a B1 security level.

Raymond Ops

Linux is a free, open-source Unix-like operating system that is widely used on servers, but its security depends on correct permissions and configuration.

In 1985 the U.S. Department of Defense's TCSEC standard (the "Orange Book") defined seven security classes (D, C1, C2, B1, B2, B3, A1); most modern operating systems fall short of the upper classes, while a properly hardened Linux can reach B1:

D – lowest security
C1 – discretionary access control
C2 – improved DAC and auditing
B1 – mandatory access control (MAC)
B2 – structured design, formal security model
B3 – comprehensive access control, trusted recovery
A1 – formal verification

Lock System Accounts

System accounts are listed in <code>/etc/passwd</code> (view them with <code>cat /etc/passwd</code>). All accounts except root are locked with the loop below. Note that <code>passwd -l</code> only disables password authentication (it prefixes the hash in /etc/shadow with one or more "!" characters) and that the loop also locks any existing regular user accounts, so unlock an administrator account afterwards with <code>passwd -u</code>:

<code>#!/bin/bash
# Lock password login for every account except root
# (-x matches the whole name, so accounts merely containing "root" are not skipped)
for temp in $(cut -d ":" -f 1 /etc/passwd | grep -vx "root")
do
    passwd -l "$temp"
done</code>
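To verify the result of this step, the following added example (not code from the article) audits which accounts still have a usable password and which ones are interactive users that the loop above locks as a side effect. It reads passwd/shadow-format files passed as arguments and ships with constructed sample data; on a real host run it as root against /etc/passwd and /etc/shadow.

```shell
#!/bin/bash
# Added example, not part of the original article: verify the result of the
# account-locking step. Both audit functions read passwd/shadow-format files
# given as arguments, so they can be run against /etc/shadow on the server
# or against copies and test data. The sample data below is constructed.

# Accounts (other than root) whose shadow entry still holds a usable hash.
# passwd -l prefixes the hash with "!" characters; "*", "!!" and "!<hash>"
# cannot be used for password login, so only entries that do not start
# with "!" or "*" are reported.
unlocked_accounts() {
    awk -F: '
        $1 == "root" { next }
        $2 != "" && $2 !~ /^[!*]/ { print $1 }
    ' "$1"
}

# Accounts meant for interactive use (UID >= 1000 with a login shell). The
# blanket "everything but root" loop locks these too, so this is the list
# to review and selectively unlock with passwd -u.
interactive_users() {
    awk -F: '$3 >= 1000 && $1 != "nfsnobody" && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Constructed sample passwd/shadow pair (hashes are placeholders, not real).
write_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
lyshark:x:1000:1000::/home/lyshark:/bin/bash
backup:x:1001:1001::/home/backup:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$placeholder$placeholderhash:18000:0:90:10:::
bin:*:18000:0:99999:7:::
sshd:!!:18000:0:99999:7:::
lyshark:!$6$placeholder$placeholderhash:18000:0:90:10:::
backup:$6$placeholder$placeholderhash:18000:0:90:10:::
EOF
}

# Run the audit on the sample data. On a real host replace the two paths
# with /etc/shadow and /etc/passwd.
demo() {
    dir=$(mktemp -d)
    write_sample_files "$dir"
    echo "still unlocked (besides root): $(unlocked_accounts "$dir/shadow" | tr '\n' ' ')"
    echo "interactive users to review:   $(interactive_users "$dir/passwd" | tr '\n' ' ')"
    rm -rf "$dir"
}

demo
```

In the sample, "lyshark" has been locked (its hash starts with "!") while "backup" has not, which is exactly the kind of leftover the audit is meant to surface; both appear in the interactive-user list because the article's loop would lock them both.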

Set Password Aging

Check the current settings with <code>cat /etc/login.defs | grep "PASS"</code>, then adjust the password lifetime by editing <code>/etc/login.defs</code>. These values apply to accounts created afterwards; apply them to existing accounts with <code>chage</code> (for example <code>chage -M 90 -W 10 lyshark</code>):

<code># Password aging controls
# (login.defs lines are "NAME value" only, so comments go on their own lines)
# maximum days a password may be used
PASS_MAX_DAYS   90
# minimum days between password changes
PASS_MIN_DAYS   0
# minimum acceptable password length
PASS_MIN_LEN    7
# days of warning before expiration
PASS_WARN_AGE   10</code>

Enforce Password Complexity

Modify <code>/etc/pam.d/system-auth</code> to require strong passwords: at least 10 characters containing at least one digit, one lowercase letter, one uppercase letter and one other character (a negative credit value means "at least one of this class"). On RHEL7 the module installed by default is pam_pwquality, which accepts the same options:

<code>password required pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=10</code>

Limit Login Timeout

Set an inactivity timeout (in seconds) in <code>/etc/profile</code>. Users can unset TMOUT in their own session unless the variable is also declared readonly:

<code>TMOUT=300
export TMOUT</code>

Restrict TTY Login Attempts

Add the following to <code>/etc/pam.d/login</code> to deny access after three failed attempts. <code>even_deny_root</code> applies the limit to root as well, which is unlocked again after <code>root_unlock_time</code> seconds; a locked counter for any other user is reset with <code>pam_tally2 --reset -u USER</code>:

<code>auth required pam_tally2.so deny=3 lock_time=300 even_deny_root root_unlock_time=10</code>

Change SSH Port

Modify <code>/etc/ssh/sshd_config</code> to listen on a high port (e.g., 65534) and allow at most three authentication attempts per connection, then restart SSH with <code>systemctl restart sshd</code>. Keep the current session open and confirm that a new login on the new port works before closing it; the port must also be permitted by the firewall and by SELinux (see the corresponding steps below):

<code>Port 65534
MaxAuthTries=3</code>

Disable Root SSH Login

Create a regular user (e.g., lyshark), grant it sudo rights (on RHEL7, <code>usermod -aG wheel lyshark</code> adds it to the sudo-enabled wheel group), set <code>PermitRootLogin no</code> in <code>/etc/ssh/sshd_config</code>, then restart SSH.

Login Warning Messages

Edit <code>/etc/motd</code> (shown after login) and <code>/etc/issue.net</code> (shown before authentication only if <code>sshd_config</code> contains <code>Banner /etc/issue.net</code>) to display a warning to unauthorized users:

<code>---------------------------------------------------------------
Warning! If unauthorized, illegal login system, please exit immediately!!
Your system fingerprint has been recorded!!
---------------------------------------------------------------</code>

Set Umask to 0777

Append <code>umask 0777</code> to <code>/etc/bashrc</code> so newly created files have no permission bits at all. Note that this also strips the owner's permissions, so every new file must be chmod'ed before its owner can read or execute it; the usual hardened defaults are 027 or 077, which keep the owner's access while removing group and/or world access.

Lock Critical System Binaries

Make key directories immutable. Note that <code>chattr +i</code> on a directory only prevents entries from being added or removed; the files inside keep their own attributes unless <code>-R</code> is used, and package updates (yum) fail until the attribute is lifted again with <code>chattr -i</code>:

<code>chattr +i /sbin/
chattr +i /usr/sbin/
chattr +i /bin/
chattr +i /usr/lib/
chattr +i /usr/lib64/
chattr +i /usr/libexec/</code>

Restrict GCC Compiler

Remove all permissions from the compiler binaries, then hand them to a dedicated group so that only its members can run them (the <code>cc</code> and <code>c++</code> symlinks resolve to these binaries and are covered as well):

<code># Remove all permissions
chmod 000 /usr/bin/gcc
chmod 000 /usr/bin/g++
# Create the group and restrict both compilers to it
groupadd compilerGroup
chown root:compilerGroup /usr/bin/gcc /usr/bin/g++
chmod 0750 /usr/bin/gcc /usr/bin/g++
# Allow a user to compile with: usermod -aG compilerGroup USER</code>

Protect Log Files

Make log files append-only so they cannot be truncated or deleted. Note that logrotate cannot rename or truncate append-only files, so rotation of these logs fails until the attribute is lifted with <code>chattr -a</code>:

<code>cd /var/log/
chattr +a dmesg cron lastlog messages secure wtmp</code>

Minimal Firewall Rules

Flush the existing rules and allow only SSH (port 65534), HTTP (80) and HTTPS (443). Loopback and already-established traffic must be accepted before the INPUT policy becomes DROP, otherwise replies to the server's own outbound connections, and the SSH session the rules are typed in, are dropped. <code>iptables-save</code> only prints the ruleset; on RHEL7 it is persisted to <code>/etc/sysconfig/iptables</code> and loaded by the iptables service from the iptables-services package (with firewalld disabled):

<code>iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 65534 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -P INPUT DROP
# persist the ruleset for the iptables service
iptables-save > /etc/sysconfig/iptables</code>
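Because the order in which these rules are entered decides whether the SSH session survives, the following added example (not the article's code) writes the same policy in iptables-restore format, where loopback and established traffic are accepted before the DROP policy applies, and checks that ordering before the file is loaded. The port numbers are arguments that default to the article's values; the target path /etc/sysconfig/iptables is where the RHEL7 iptables service (package iptables-services) reads its rules.

```shell
#!/bin/bash
# Added example, not from the original article: generate the filter table in
# iptables-restore format instead of typing rules live. The file fixes the
# rule order (loopback and established traffic first, then the allowed
# ports) and the policies are applied atomically when the file is loaded.
# Ports are arguments; the defaults match the article (SSH on 65534).

# Print a complete ruleset: gen_filter_rules SSH_PORT [PORT ...]
gen_filter_rules() {
    ssh_port=${1:-65534}
    if [ $# -gt 0 ]; then shift; fi
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        "-A INPUT -p tcp --dport $ssh_port -m conntrack --ctstate NEW -j ACCEPT"
    for port in "$@"; do
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$port"
    done
    printf '%s\n' 'COMMIT'
}

# Checks worth running before loading a ruleset over SSH: the SSH port is
# accepted, the loopback and conntrack rules exist and precede the first
# port rule, and the table is committed. Returns 0 when all of them hold.
check_filter_rules() {
    rules=$1
    ssh_port=$2
    printf '%s\n' "$rules" | grep -q -- "--dport $ssh_port -m" || return 1
    lo_line=$(printf '%s\n' "$rules" | grep -n -- '-i lo -j ACCEPT' | cut -d: -f1)
    est_line=$(printf '%s\n' "$rules" | grep -n -- 'ESTABLISHED,RELATED' | cut -d: -f1)
    first_port=$(printf '%s\n' "$rules" | grep -n -- '--dport' | head -n 1 | cut -d: -f1)
    [ -n "$lo_line" ] && [ -n "$est_line" ] && [ -n "$first_port" ] || return 1
    [ "$lo_line" -lt "$first_port" ] && [ "$est_line" -lt "$first_port" ] || return 1
    [ "$(printf '%s\n' "$rules" | tail -n 1)" = "COMMIT" ]
}

# Write the ruleset where the RHEL7 iptables service reads it and load it.
# Run this from a console session, or arrange a rollback timer first.
install_filter_rules() {
    rules=$(gen_filter_rules "$@")
    check_filter_rules "$rules" "${1:-65534}" || return 1
    printf '%s\n' "$rules" > /etc/sysconfig/iptables
    iptables-restore < /etc/sysconfig/iptables
}

# Preview for the article's ports: gen_filter_rules 65534 80 443
```

The generated file can be syntax-checked without touching the kernel tables with <code>iptables-restore --test</code>; the ordering check above is separate because a syntactically valid file can still lock the administrator out.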

Enable SELinux

Set SELinux to enforcing mode in <code>/etc/selinux/config</code> so that the setting survives a reboot:

<code># /etc/selinux/config
SELINUX=enforcing</code>

Apply the change immediately with <code>setenforce 1</code> and confirm it with <code>getenforce</code>.

Allow SSH Port in SELinux

Install the policy tools and register the new SSH port, otherwise sshd cannot bind to it in enforcing mode; verify afterwards with <code>semanage port -l | grep ssh_port_t</code>:

<code>yum install -y policycoreutils-python
semanage port -a -t ssh_port_t -p tcp 65534</code>

Set Web Directory Context

Label the web root with the appropriate SELinux type (the default targeted policy already assigns <code>httpd_sys_content_t</code> under /var/www, so this mainly matters for content created or copied from elsewhere); verify with <code>ls -Z</code>:

<code>semanage fcontext -a -t httpd_sys_content_t /var/www/html/index.html
restorecon -v /var/www/html/index.html</code>
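The password-aging, SSH and SELinux steps above all edit plain key/value files, so their outcome can be checked rather than assumed. The following added example (not from the article) parses login.defs, sshd_config and /etc/selinux/config the way the respective services read them (comments ignored, first match wins, Key=value accepted) and reports deviations from the checklist's values. The function names, thresholds and sample file contents are constructed for illustration; Match blocks in sshd_config are not evaluated.

```shell
#!/bin/bash
# Added example, not from the original article: check the files edited in the
# password-aging, SSH and SELinux steps against the values the checklist
# asks for. Every check takes a file path so it can be run on the live file
# as root or on a copy. Thresholds are the article's own values (90 days,
# length 7, 10 days warning, port 65534, MaxAuthTries 3, enforcing).

# First effective value of KEY in FILE. Comment lines are skipped and "="
# is treated as whitespace (sshd_config and /etc/selinux/config accept
# "Key=value"). The first match wins, as it does for sshd itself.
config_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        { gsub(/=/, " ") }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Password aging: every value must be present and at least as strict as the
# checklist. Prints each finding; returns 1 if there was any.
check_password_aging() {
    rc=0
    max=$(config_value "$1" PASS_MAX_DAYS)
    len=$(config_value "$1" PASS_MIN_LEN)
    warn=$(config_value "$1" PASS_WARN_AGE)
    [ -n "$max" ] && [ "$max" -le 90 ] || { echo "PASS_MAX_DAYS must be <= 90, got '${max:-unset}'"; rc=1; }
    [ -n "$len" ] && [ "$len" -ge 7 ] || { echo "PASS_MIN_LEN must be >= 7, got '${len:-unset}'"; rc=1; }
    [ -n "$warn" ] && [ "$warn" -ge 10 ] || { echo "PASS_WARN_AGE must be >= 10, got '${warn:-unset}'"; rc=1; }
    return $rc
}

# sshd: root login off, port moved, auth attempts capped.
# Usage: check_sshd_config FILE EXPECTED_PORT
check_sshd_config() {
    rc=0
    [ "$(config_value "$1" PermitRootLogin)" = "no" ] || { echo "PermitRootLogin is not 'no'"; rc=1; }
    [ "$(config_value "$1" Port)" = "$2" ] || { echo "Port is not $2"; rc=1; }
    tries=$(config_value "$1" MaxAuthTries)
    [ -n "$tries" ] && [ "$tries" -le 3 ] || { echo "MaxAuthTries must be <= 3, got '${tries:-unset}'"; rc=1; }
    return $rc
}

# SELinux: the persistent mode must be enforcing, otherwise setenforce 1
# is undone by the next reboot.
check_selinux_config() {
    [ "$(config_value "$1" SELINUX)" = "enforcing" ]
}

# Constructed sample files (not copied from a real host): a compliant set
# plus a login.defs holding the RHEL7 defaults, which should fail.
write_sample_configs() {
    cat > "$1/login.defs" <<'EOF'
# Password aging controls:
PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    7
PASS_WARN_AGE   10
EOF
    cat > "$1/default-login.defs" <<'EOF'
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7
EOF
    cat > "$1/sshd_config" <<'EOF'
#Port 22
Port 65534
MaxAuthTries=3
PermitRootLogin no
EOF
    cat > "$1/selinux" <<'EOF'
# This file controls the state of SELinux on the system.
SELINUX=enforcing
SELINUXTYPE=targeted
EOF
}

# Against the live system (as root):
#   check_password_aging /etc/login.defs
#   check_sshd_config /etc/ssh/sshd_config 65534
#   check_selinux_config /etc/selinux/config
```

Each check returns non-zero on a finding, so the three calls can be chained in a cron job or a configuration-management health check; the checks read files only and never modify the system.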

Tags: Linux, security, System Administration, SELinux, RHEL7, Hardening
Written by

Raymond Ops

Linux ops automation, cloud-native, Kubernetes, SRE, DevOps, Python, Golang and related tech discussions.
