AlmaLinux Security Checklist: Essential Hardening Steps
Ready to fortress your AlmaLinux system against cyber threats? Today we'll implement essential security hardening steps to protect your server from attacks! Whether you're securing a web server, database, or desktop system, this comprehensive checklist ensures your AlmaLinux installation is bulletproof!
Why is AlmaLinux Security Hardening Critical?
Proper security hardening delivers life-saving protection:
- Prevent data breaches - Stop attackers from accessing sensitive information
- Block malicious attacks - Protect against ransomware, malware, and intrusions
- Maintain system availability - Prevent downtime from security incidents
- Ensure compliance - Meet security standards and regulations
- Protect reputation - Avoid costly security breaches and loss of customer trust
What You Need
Before hardening your AlmaLinux system:
- Fresh AlmaLinux 9 installation (server or desktop)
- Root or sudo access
- Backup of important data and configurations
- Basic understanding of Linux commands
- Network access for security updates
Step 1: System Updates and Package Management
Keep your system current with security patches!
Update System Completely
```bash
# Update all packages to the latest versions
sudo dnf update -y
# List the available security-only updates
sudo dnf updateinfo list security
# Install security updates only
sudo dnf update --security -y
# Enable automatic security updates
sudo dnf install -y dnf-automatic
# Configure automatic updates: set upgrade_type = security and apply_updates = yes
# (edit /etc/dnf/automatic.conf by hand, or apply both settings with sed)
sudo sed -i 's/^upgrade_type = .*/upgrade_type = security/; s/^apply_updates = .*/apply_updates = yes/' /etc/dnf/automatic.conf
# Enable and start the timer that downloads and installs the updates
sudo systemctl enable --now dnf-automatic-install.timer
echo "System updates and automatic security patching configured!"
```
Remove Unnecessary Packages
```bash
# Count installed packages to get a feel for what is on the system
dnf list installed | wc -l
# Remove common unnecessary packages (legacy clear-text remote-access tools)
sudo dnf remove -y telnet rsh talk
# Remove development tools if not needed on a production system
# sudo dnf groupremove -y "Development Tools"
# Clean the package cache
sudo dnf clean all
# List enabled services to identify what to disable
systemctl list-unit-files --state=enabled
echo "Unnecessary packages removed!"
```
Security principle: smaller attack surface = better security!
Step 2: User Account Security and Authentication
Secure user accounts and authentication mechanisms:
Disable Root SSH Login
Set up key authentication (next section) and confirm it works from a second session before you turn password authentication off, or you will lock yourself out.
```bash
# Back up the SSH daemon configuration before changing anything
sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup
# AlmaLinux 9's /etc/ssh/sshd_config starts with
# "Include /etc/ssh/sshd_config.d/*.conf", and sshd keeps the FIRST value it
# reads for each keyword. The installer may leave "PermitRootLogin yes" in
# /etc/ssh/sshd_config.d/01-permitrootlogin.conf, which silently wins over an
# edit to the main file. A drop-in that sorts before it takes precedence.
sudo tee /etc/ssh/sshd_config.d/00-hardening.conf << 'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
ClientAliveInterval 300
ClientAliveCountMax 2
EOF
# ("Protocol 2", seen in older guides, is obsolete: protocol 1 was removed from OpenSSH.)
# Validate the configuration BEFORE restarting, so a typo cannot lock you out
sudo sshd -t
# Show the effective values sshd will actually use
sudo sshd -T | grep -E '^(permitrootlogin|passwordauthentication|pubkeyauthentication|maxauthtries)'
# Restart the SSH service
sudo systemctl restart sshd
echo "SSH hardened - root login disabled!"
```
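The drop-in precedence rule is easy to get wrong, so here is a small checker, added for this article and not part of the original checklist or of OpenSSH, that reproduces sshd's rule: files are read in the order sshd reads them (the sshd_config.d/*.conf drop-ins first, in sorted order, then the rest of the main file) and the first uncommented value for a keyword wins. The demo builds a constructed configuration in a temporary directory with the installer's `01-permitrootlogin.conf` drop-in, shows that `PermitRootLogin no` in the main file has no effect, and that a `00-hardening.conf` drop-in does. On a real host `sshd -T` is the authoritative answer; this script only makes the reason visible.

```bash
#!/bin/bash
# Added example: emulate how sshd resolves a keyword when the main file
# Includes /etc/ssh/sshd_config.d/*.conf. Rule: the first value read wins.

# effective_sshd_option KEYWORD FILE...  -> prints the first value found
# Files must be given in the order sshd reads them; comments and blank lines are ignored.
effective_sshd_option() {
    local key val f
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    shift
    for f in "$@"; do
        [ -f "$f" ] || continue
        val=$(awk -v k="$key" '
            /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
            tolower($1) == k { print $2; exit }' "$f")
        if [ -n "$val" ]; then
            printf '%s\n' "$val"
            return 0
        fi
    done
    printf 'default\n'   # keyword set nowhere: sshd's compiled-in default applies
    return 1
}

# demo_precedence: constructed configuration, not copied from any real host.
# Prints "<value before the fix> <value after the fix>".
demo_precedence() {
    local d before after
    d=$(mktemp -d)
    mkdir -p "$d/sshd_config.d"
    # What the AlmaLinux installer leaves behind when a root password was set
    printf 'PermitRootLogin yes\n' > "$d/sshd_config.d/01-permitrootlogin.conf"
    # Main file: the Include comes first, then the administrator's edit
    printf 'Include %s/sshd_config.d/*.conf\n# hardened by admin\nPermitRootLogin no\nPasswordAuthentication no\n' "$d" > "$d/sshd_config"
    before=$(effective_sshd_option PermitRootLogin "$d"/sshd_config.d/*.conf "$d/sshd_config")
    # The fix: a drop-in that sorts before 01-permitrootlogin.conf
    printf 'PermitRootLogin no\n' > "$d/sshd_config.d/00-hardening.conf"
    after=$(effective_sshd_option PermitRootLogin "$d"/sshd_config.d/*.conf "$d/sshd_config")
    rm -rf "$d"
    printf '%s %s\n' "$before" "$after"
}

demo_precedence   # prints: yes no
```

The function deliberately does not follow `Include` itself; the caller passes the files in sshd's reading order, which keeps the rule explicit. Run `sudo sshd -T | grep -i permitrootlogin` on the host to confirm what the daemon really uses.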
Set Up SSH Key Authentication
```bash
# Generate an SSH key pair (on your client machine)
ssh-keygen -t ed25519 -C "[email protected]"
# Copy the public key to the server (asks for the user's password once)
ssh-copy-id username@your-server-ip
# Alternatively, on the server, install the key by hand:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Paste the contents of id_ed25519.pub into ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
# Test key-based authentication from the client
ssh -i ~/.ssh/id_ed25519 username@your-server-ip
echo "SSH key authentication configured!"
```
Implement Strong Password Policies
```bash
# Install password quality checking (already pulled in by PAM on AlmaLinux, but make sure)
sudo dnf install -y libpwquality
# Configure password requirements (appended to /etc/security/pwquality.conf)
echo "minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
minclass = 3
maxrepeat = 2" | sudo tee -a /etc/security/pwquality.conf
# Lock accounts after failed attempts. On AlmaLinux 9 the PAM stacks are managed
# by authselect, which overwrites hand edits to /etc/pam.d/system-auth, so enable
# the faillock feature and tune it in /etc/security/faillock.conf instead.
sudo authselect enable-feature with-faillock
echo "deny = 5
unlock_time = 900" | sudo tee -a /etc/security/faillock.conf
# Set the password aging policy in /etc/login.defs
# (applies to accounts created from now on; use "chage -M 90 -m 7 -W 7 <user>" for existing ones)
sudo sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS   90/; s/^PASS_MIN_DAYS.*/PASS_MIN_DAYS   7/; s/^PASS_WARN_AGE.*/PASS_WARN_AGE   7/' /etc/login.defs
echo "Strong password policies enforced!"
```
Step 3: Firewall and Network Security
Configure robust network protection:
Configure Firewalld
```bash
# Enable and start firewalld
sudo systemctl enable --now firewalld
# Check the current default zone
sudo firewall-cmd --get-default-zone
# Allow only essential services in the drop zone (permanent rules; loaded by the reload below)
sudo firewall-cmd --zone=drop --add-service=ssh --permanent
sudo firewall-cmd --zone=drop --add-service=http --permanent  # if web server
sudo firewall-cmd --zone=drop --add-service=https --permanent # if web server
# Allow specific ports if needed
# sudo firewall-cmd --zone=drop --add-port=8080/tcp --permanent
# Remove unnecessary services from the public zone, where they are enabled by
# default (the drop zone never had them, so the zone must be named explicitly)
sudo firewall-cmd --zone=public --remove-service=cockpit --permanent
sudo firewall-cmd --zone=public --remove-service=dhcpv6-client --permanent
# Log dropped packets (they appear in the kernel log / journal)
sudo firewall-cmd --set-log-denied=all
# Reload so the permanent rules are active BEFORE the drop zone becomes the default;
# otherwise new SSH connections are refused until the reload
sudo firewall-cmd --reload
# Set the restrictive default zone (everything not explicitly allowed is dropped)
sudo firewall-cmd --set-default-zone=drop
# Verify the active configuration
sudo firewall-cmd --list-all
echo "Firewall configured with restrictive rules!"
```
Network Security Hardening
```bash
# Disable IPv6 if not needed (skip this if any service or your network uses IPv6)
echo "net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1" | sudo tee /etc/sysctl.d/98-disable-ipv6.conf
# Network security parameters. Write them to a file under /etc/sysctl.d/ rather
# than appending to /etc/sysctl.conf, so rerunning this step does not pile up duplicates.
echo "# Network Security Hardening
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1" | sudo tee /etc/sysctl.d/99-hardening.conf
# Apply the settings from every sysctl.d file (sysctl -p reads only /etc/sysctl.conf)
sudo sysctl --system
echo "Network security parameters configured!"
```
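Writing the parameters is only half the job: a later sysctl.d file, a kernel module, or a container runtime flipping `ip_forward` back on can undo them. The function below is an added example, not part of the original article, that compares the intended settings file against the running values and prints every drift. It takes the running values as a file so the demo runs offline on constructed input; on a host you would feed it the output of `sysctl -a`. The hardening file name `/etc/sysctl.d/99-hardening.conf` in the usage note is an assumption; any `key = value` file works.

```bash
#!/bin/bash
# Added example: detect drift between a sysctl hardening file and the values
# the kernel is actually using. Not part of the original checklist.

# sysctl_drift WANTED_FILE CURRENT_FILE
#   WANTED_FILE : "key = value" lines as written to a sysctl.d file
#   CURRENT_FILE: "key = value" lines as printed by `sysctl -a`
# Prints one line per key that is missing or differs; prints nothing when all match.
# A "missing" key means the kernel does not expose it at all (e.g. net.ipv6.* with IPv6 off).
sysctl_drift() {
    awk -F'[[:space:]]*=[[:space:]]*' '
        /^[[:space:]]*(#|$)/ { next }                  # comments and blank lines
        FNR == NR { want[$1] = $2; next }              # first file: intended values
        ($1 in want) { have[$1] = $2 }                 # second file: running values
        END {
            for (k in want) {
                if (!(k in have))            printf "%s: missing (want %s)\n", k, want[k]
                else if (have[k] != want[k]) printf "%s: have %s, want %s\n", k, have[k], want[k]
            }
        }' "$1" "$2" | sort
}

# demo_sysctl_drift: constructed files standing in for the real hardening file
# and for `sysctl -a` output on a host where forwarding was re-enabled.
demo_sysctl_drift() {
    local d
    d=$(mktemp -d)
    printf '# Network Security Hardening\nnet.ipv4.ip_forward = 0\nnet.ipv4.conf.all.log_martians = 1\nnet.ipv4.tcp_syncookies = 1\n' > "$d/wanted.conf"
    printf 'net.ipv4.ip_forward = 1\nnet.ipv4.tcp_syncookies = 1\nnet.ipv4.icmp_echo_ignore_broadcasts = 1\n' > "$d/current.txt"
    sysctl_drift "$d/wanted.conf" "$d/current.txt"
    rm -rf "$d"
}

demo_sysctl_drift
# prints:
# net.ipv4.conf.all.log_martians: missing (want 1)
# net.ipv4.ip_forward: have 1, want 0
```

On a real host: `sysctl -a 2>/dev/null > /tmp/sysctl-now.txt && sysctl_drift /etc/sysctl.d/99-hardening.conf /tmp/sysctl-now.txt`; an empty result means every intended value is in force. The check is cheap enough to drop into the audit script from Example 3 below.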
Install and Configure Fail2ban
```bash
# fail2ban ships in EPEL on AlmaLinux 9, so enable that repository first
sudo dnf install -y epel-release
sudo dnf install -y fail2ban
# Local overrides belong in jail.local; jail.conf is replaced on package updates.
# (Copying jail.conf to jail.local first, as some guides do, is pointless: tee overwrites it.)
sudo tee /etc/fail2ban/jail.local << 'EOF'
[DEFAULT]
bantime = 3600
findtime = 600
maxretry = 3
backend = systemd
usedns = warn
[sshd]
enabled = true
port = ssh
# Read sshd failures from the journal; /var/log/secure exists only when rsyslog is installed
backend = systemd
maxretry = 3
bantime = 3600
[postfix]
enabled = false
[apache-auth]
enabled = false
[apache-badbots]
enabled = false
EOF
# Enable and start fail2ban
sudo systemctl enable --now fail2ban
# Check fail2ban status
sudo fail2ban-client status
sudo fail2ban-client status sshd
echo "Fail2ban intrusion prevention configured!"
```
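To see what findtime and maxretry actually do, here is a small simulation added for this article; it is neither fail2ban's own code nor part of the original post. It applies the sliding-window rule of the [sshd] jail above to constructed sshd journal lines in `journalctl -o short-unix` format, where each line begins with an epoch timestamp. An address is reported once it accumulates maxretry failures within findtime seconds; an address whose failures are spread out never trips the rule, which is exactly the slow-brute-force gap that findtime tuning is about. The addresses are RFC 5737 documentation ranges and the PIDs and times are invented.

```bash
#!/bin/bash
# Added example: replay fail2ban's maxretry-within-findtime rule over sshd log
# lines. Input format is what `journalctl -u sshd -o short-unix` prints:
# "<epoch.usec> <host> sshd[pid]: <message>". Not fail2ban's own code.

# ban_candidates FINDTIME MAXRETRY   (log lines on stdin)
# Prints one line per address that would be banned, at the moment it trips the rule.
ban_candidates() {
    awk -v findtime="$1" -v maxretry="$2" '
        /Failed password/ {
            ts = int($1)
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || banned[ip]) next
            n[ip]++
            t[ip, n[ip]] = ts
            # count the failures of this address inside the window ending now
            hits = 0
            for (j = 1; j <= n[ip]; j++) if (ts - t[ip, j] < findtime) hits++
            if (hits >= maxretry) {
                banned[ip] = 1
                printf "%s banned at %d after %d failures\n", ip, ts, hits
            }
        }'
}

# Constructed sample journal: one fast brute-force source, one slow one, one success
SAMPLE_JOURNAL=$(cat << 'EOF'
1704880000.000000 alma sshd[1201]: Failed password for root from 203.0.113.5 port 50122 ssh2
1704880030.000000 alma sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
1704880045.000000 alma sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40110 ssh2
1704880100.000000 alma sshd[1204]: Failed password for root from 198.51.100.20 port 41000 ssh2
1704880120.000000 alma sshd[1205]: Failed password for root from 203.0.113.5 port 50124 ssh2
1704881200.000000 alma sshd[1206]: Failed password for root from 198.51.100.20 port 41001 ssh2
1704882300.000000 alma sshd[1207]: Failed password for root from 198.51.100.20 port 41002 ssh2
EOF
)

# Same settings as the jail above: findtime = 600, maxretry = 3
bans_from_sample() {
    printf '%s\n' "$SAMPLE_JOURNAL" | ban_candidates 600 3
}

bans_from_sample   # prints: 203.0.113.5 banned at 1704880120 after 3 failures
```

198.51.100.20 fails three times too, but roughly twenty minutes apart, so with findtime = 600 it is never banned; widening the window to 3000 seconds catches it as well. On a host, `journalctl -u sshd -o short-unix --since "1 hour ago" | ban_candidates 600 3` replays the real journal through the same rule, which is a handy sanity check when a jail seems not to fire.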
Step 4: SELinux Security and File Permissions
Strengthen access controls and file security:
Configure SELinux Properly
```bash
# Check SELinux status
getenforce
# Switch to enforcing now (works only if SELinux is currently permissive; a system
# booted with SELINUX=disabled needs the config change below plus a reboot)
sudo setenforce 1
# Make enforcing mode permanent
sudo sed -i 's/^SELINUX=disabled/SELINUX=enforcing/; s/^SELINUX=permissive/SELINUX=enforcing/' /etc/selinux/config
# Install SELinux management tools
sudo dnf install -y setroubleshoot-server setools-console
# Check the loaded policy and current mode
sudo sestatus
# View recent SELinux denials
sudo ausearch -m AVC -ts recent
# Common SELinux booleans for web servers (enable only what the application needs)
# sudo setsebool -P httpd_can_network_connect 1
# sudo setsebool -P httpd_can_network_connect_db 1
echo "SELinux configured for maximum security!"
```
Secure File Permissions
```bash
# Set restrictive permissions on important files
sudo chmod 600 /etc/ssh/sshd_config
sudo chmod 0000 /etc/shadow   # the distro default; root reads it regardless of mode, nobody else may
sudo chmod 644 /etc/passwd
sudo chmod 644 /etc/group
sudo chmod 600 /boot/grub2/grub.cfg
# Secure home directories
sudo chmod 750 /home/*
# Find world-writable files (potential security risk)
sudo find / -xdev -type f -perm -0002 -ls 2>/dev/null
# Find files with no owner or no group
sudo find / -xdev \( -nouser -o -nogroup \) -ls 2>/dev/null
# Set proper permissions on log files (/var/log/messages only exists with rsyslog installed)
sudo chmod 640 /var/log/messages /var/log/secure 2>/dev/null
# Review executable files under /etc. Do NOT strip the execute bit blindly:
# /etc/cron.daily/*, /etc/grub.d/* and /etc/NetworkManager/dispatcher.d/* must
# stay executable or cron jobs and grub2-mkconfig break. List them and decide
# case by case.
sudo find /etc -type f -executable -ls 2>/dev/null
echo "File permissions secured!"
```
Implement File Integrity Monitoring
```bash
# Install AIDE (Advanced Intrusion Detection Environment)
sudo dnf install -y aide
# Add rules for important directories BEFORE building the baseline, so they are
# covered by it (NORMAL is a rule group defined in AlmaLinux's stock aide.conf)
sudo tee -a /etc/aide.conf << 'EOF'
# Custom monitoring rules
/etc NORMAL
/bin NORMAL
/sbin NORMAL
/usr/bin NORMAL
/usr/sbin NORMAL
/root/.ssh NORMAL
EOF
# Initialize the AIDE database (this can take several minutes)
sudo aide --init
# Move the new database into the active location
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Check system integrity against the baseline
sudo aide --check
# Schedule a daily integrity check from a cron.d file (piping into "crontab -"
# would replace root's entire crontab)
echo "0 3 * * * root /usr/sbin/aide --check" | sudo tee /etc/cron.d/aide
# Keep a copy of aide.db.gz on read-only or off-box storage: whoever can rewrite
# the baseline can hide changes. After legitimate updates, run "aide --update"
# and move aide.db.new.gz into place again.
echo "File integrity monitoring configured!"
```
Quick Examples
Example 1: Web Server Security Hardening
```bash
echo "=== Web Server Security Hardening ==="
# Install Apache, the TLS module and ModSecurity (mod_headers is loaded by default)
sudo dnf install -y httpd mod_ssl mod_security
# Configure Apache security headers and hide version details
sudo tee /etc/httpd/conf.d/security.conf << 'EOF'
# Security Headers
Header always set X-Content-Type-Options nosniff
Header always set X-Frame-Options DENY
# Legacy header; modern browsers ignore it, but it does no harm
Header always set X-XSS-Protection "1; mode=block"
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
Header always set Referrer-Policy "strict-origin"
# Hide Apache version
ServerTokens Prod
ServerSignature Off
# Disable unnecessary HTTP methods
<Location />
<LimitExcept GET POST HEAD>
Require all denied
</LimitExcept>
</Location>
EOF
# Configure SSL/TLS securely. These server-level settings apply to any virtual
# host that does not set its own; the stock ssl.conf vhost on AlmaLinux does
# (SSLCipherSuite PROFILE=SYSTEM), so either edit that vhost or rely on the
# system crypto policy (update-crypto-policies --show).
sudo tee /etc/httpd/conf.d/ssl-security.conf << 'EOF'
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder on
SSLSessionTickets off
EOF
# Check the syntax before restarting so a typo does not take the site down
sudo apachectl configtest
# Restart Apache
sudo systemctl restart httpd
echo "Web server security hardened!"
```
Example 2: Database Security Hardening
```bash
echo "=== Database Security Hardening ==="
# MariaDB security improvements. AlmaLinux 9 ships MariaDB 10.5, where mysql.user
# is a read-only view over mysql.global_priv and the old
# "UPDATE mysql.user SET Password=PASSWORD(...)" no longer works.
# Replace both example passwords before running.
mysql -u root -p << 'EOF'
-- Remove the default test database and anonymous users
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db='test' OR Db='test\\_%';
DELETE FROM mysql.global_priv WHERE User='';
-- Secure the root account and drop remote root logins
ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewStrongRootPassword123!';
DELETE FROM mysql.global_priv WHERE User='root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');
-- Create an application user with limited privileges
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'SecureAppPassword123!';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'localhost';
-- Flush privileges
FLUSH PRIVILEGES;
EOF
# Configure MariaDB for security (a fresh file under /etc/my.cnf.d/)
sudo tee /etc/my.cnf.d/security.cnf << 'EOF'
[mysqld]
# Security settings
# Listen on the local socket only; remove this line if clients connect over TCP
skip-networking
skip-show-database
local-infile=0
symbolic-links=0
# Logging. The general log records every statement, including data, and costs
# disk and performance; keep it on while auditing, then turn it off.
log-error=/var/log/mariadb/mariadb.log
general-log=1
general-log-file=/var/log/mariadb/general.log
slow-query-log=1
slow-query-log-file=/var/log/mariadb/slow.log
EOF
sudo systemctl restart mariadb
echo "Database security hardened!"
```
Example 3: Comprehensive Security Audit Script
```bash
# Create a comprehensive security audit script (run it as root: several checks read root-only files)
cat > ~/security-audit.sh << 'EOF'
#!/bin/bash
echo "=== AlmaLinux Security Audit Report ==="
echo "Date: $(date)"
echo "System: $(hostname)"
echo ""
echo "1. SYSTEM UPDATES:"
updates=$(dnf -q updateinfo list security 2>/dev/null | wc -l)
echo "Security updates available: $updates"
echo ""
echo "2. USER ACCOUNTS:"
echo "Accounts with a login shell:"
awk -F: '$7 !~ /\/false|\/nologin/ { print $1 }' /etc/passwd
echo ""
echo "3. SSH CONFIGURATION (effective values, drop-ins included):"
sshd -T 2>/dev/null | grep -E '^(permitrootlogin|passwordauthentication) '
echo ""
echo "4. FIREWALL STATUS:"
firewall-cmd --state 2>/dev/null || echo "Firewall not running"
echo "Listening sockets:"
ss -tuln
echo ""
echo "5. SELINUX STATUS:"
sestatus | grep "SELinux status\|Current mode"
echo ""
echo "6. FAILED LOGIN ATTEMPTS (last 24h, from the journal):"
journalctl -u sshd --since "24 hours ago" --no-pager 2>/dev/null | grep "Failed password" | tail -5
echo ""
echo "7. RUNNING SERVICES OF INTEREST:"
systemctl list-units --type=service --state=running | grep -E "ssh|http|mysql|mariadb|ftp"
echo ""
echo "8. FILE PERMISSIONS:"
echo "World-writable files:"
find /etc /usr /var -xdev -type f -perm -0002 2>/dev/null | head -5
echo ""
echo "9. DISK USAGE:"
df -h | grep -vE '^Filesystem|tmpfs|cdrom'
echo ""
echo "10. SYSTEM LOAD:"
uptime
echo ""
echo "=== Audit Complete ==="
EOF
chmod +x ~/security-audit.sh
sudo ~/security-audit.sh
# Schedule weekly audits as root via cron.d. The line is single-quoted so that
# $(date ...) is evaluated by cron at run time rather than now, and the % signs
# (special to cron) stay escaped.
sudo install -m 750 ~/security-audit.sh /usr/local/sbin/security-audit.sh
echo '0 6 * * 1 root /usr/local/sbin/security-audit.sh > /var/log/security-audit-$(date +\%Y\%m\%d).log 2>&1' | sudo tee /etc/cron.d/security-audit
echo "Comprehensive security audit configured!"
```
Fix Common Problems
Problem 1: SELinux Denying Legitimate Operations
Symptoms:
- Applications can't access files/network
- Web server returns 403 errors
- Database connections fail
Try this:
```bash
# Check SELinux denials
sudo ausearch -m AVC -ts recent
# Temporarily set SELinux to permissive (denials are still logged, so you can see what would be blocked)
sudo setenforce 0
# Test whether the issue goes away, then fix it properly rather than leaving permissive mode on:
# For web server connectivity:
sudo setsebool -P httpd_can_network_connect 1
sudo setsebool -P httpd_can_network_connect_db 1
# For file access issues (wrong labels, e.g. after copying files into the web root):
sudo restorecon -R /var/www/html
# Set SELinux back to enforcing
sudo setenforce 1
```
Problem 2: Locked Out of SSH
Try this:
```bash
# If you have console access:
# 1. Log in via the console (VirtualBox, VMware, cloud serial console, physical access)
# 2. Check the SSH configuration. Drop-ins under /etc/ssh/sshd_config.d/ are read
#    before the main file and win, so look at both:
sudo grep -ri 'PasswordAuthentication\|PermitRootLogin' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/
sudo nano /etc/ssh/sshd_config
# 3. Temporarily enable password authentication:
# PasswordAuthentication yes
# 4. Validate, then restart SSH:
sudo sshd -t && sudo systemctl restart sshd
# 5. Test the connection, then re-secure
```
Problem 3: Firewall Blocking Necessary Traffic
Check these things:
```bash
# List the active rules of the default zone
sudo firewall-cmd --list-all
# Allow the service or port that is needed (runtime for immediate effect, plus permanent)
sudo firewall-cmd --zone=drop --add-service=http
sudo firewall-cmd --zone=drop --add-service=http --permanent
sudo firewall-cmd --zone=drop --add-port=8080/tcp --permanent
# Check firewalld's own log for errors...
sudo journalctl -f -u firewalld
# ...and the kernel log, where packets dropped under --set-log-denied are recorded
sudo journalctl -k -f
# Reload the permanent rules
sudo firewall-cmd --reload
```
Complete Security Checklist
| Security Area | Task | Status |
|---|---|---|
| System Updates | Enable automatic security updates | [ ] |
| User Security | Disable root SSH login | [ ] |
| Authentication | Configure SSH key authentication | [ ] |
| Password Policy | Enforce strong passwords | [ ] |
| Firewall | Configure restrictive firewall rules | [ ] |
| Intrusion Prevention | Install and configure Fail2ban | [ ] |
| SELinux | Enable and configure SELinux | [ ] |
| File Permissions | Set secure file permissions | [ ] |
| File Integrity | Configure AIDE monitoring | [ ] |
| Network Security | Harden network parameters | [ ] |
| Service Hardening | Secure web/database services | [ ] |
| Monitoring | Set up security auditing | [ ] |
Tips for Success
- Defense in depth - Layer multiple security controls
- Regular updates - Keep system and software current
- Monitor continuously - Watch logs and audit reports
- Test configurations - Verify security settings work properly
- Document everything - Keep records of security changes
What You Learned
Congratulations! Now you can:
- Implement comprehensive system hardening on AlmaLinux
- Configure secure authentication and access controls
- Set up firewall and intrusion prevention systems
- Enable SELinux and file integrity monitoring
- Audit and maintain security configurations
Why This Matters
Your hardened AlmaLinux system provides:
- Maximum security against current and emerging threats
- Compliance readiness with security standards and regulations
- Reduced risk of data breaches and system compromises
- Professional confidence in your security posture
Remember: Security is not a destination but a journey - regularly review and update your security measures as threats evolve. With these hardening steps, your AlmaLinux system has enterprise-grade protection!
You've successfully implemented comprehensive security hardening for AlmaLinux! Your system is now protected with multiple layers of security controls that will defend against attacks and keep your data safe!