AlmaLinux Security Hardening Guide

Applies to AlmaLinux 9.x / 10.x

This guide targets AlmaLinux 9 / 10 server environments and provides a practical security hardening baseline, covering system updates, SELinux, firewall, SSH, account policies, intrusion prevention, auditing, and compliance scanning. We recommend validating in a test environment before applying to production systems.

Hardening Principles

  • Minimize: Install and expose only the necessary software and ports.
  • Defense in depth: Layer SELinux, firewall, account policies, and auditing together; do not rely on a single measure.
  • Reversible: Back up configurations before each change; when operating SSH/firewall remotely, always keep one connected session open.

1. Keep the System Updated

Installing security patches promptly is the most effective hardening measure.

bash
# Update all packages
sudo dnf upgrade -y

# Install security-related updates only
sudo dnf upgrade --security -y

# View available security advisories
dnf updateinfo list security

# Kernel updates only take effect after a reboot, and updated libraries only after the
# services using them restart; check what is pending (needs-restarting is in dnf-plugins-core)
sudo dnf needs-restarting
sudo dnf needs-restarting -r

Enable Automatic Security Updates

bash
sudo dnf install -y dnf-automatic

# Edit /etc/dnf/automatic.conf; recommended settings:
#   upgrade_type = security      # Automatically apply security updates only
#   apply_updates = yes          # Install automatically (rather than only download)
sudo systemctl enable --now dnf-automatic.timer

2. SELinux

AlmaLinux enables SELinux by default — do not disable it just for convenience. When a service is blocked, investigate and allow it rather than disabling SELinux.

bash
# Confirm it is in Enforcing mode; if it reports Permissive, switch at runtime and make it persistent
getenforce
sudo setenforce 1
sudo sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config

# Troubleshoot denied access
sudo dnf install -y setroubleshoot-server
sudo ausearch -m AVC,USER_AVC -ts recent
sudo sealert -a /var/log/audit/audit.log

# Allow as needed (example: permit httpd to make network connections)
sudo setsebool -P httpd_can_network_connect on

# Fix file contexts
sudo restorecon -Rv /var/www

3. Firewall (firewalld)

By default, allow only the services you truly need and close all other inbound ports.

bash
sudo systemctl enable --now firewalld

# View currently allowed items (the default zone, usually "public", unless --zone= is given)
sudo firewall-cmd --list-all

# Allow necessary services (adjust as needed); --permanent changes only take effect after --reload
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --permanent --add-service=https

# Remove unneeded services
sudo firewall-cmd --permanent --remove-service=cockpit

sudo firewall-cmd --reload

Restricting Source Addresses

You can use a rich rule to restrict management ports (such as SSH) to trusted networks. Before removing the general ssh allow, confirm that the address you are connecting from falls inside the trusted range, and keep a second session open in case the reload locks you out:

bash
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="203.0.113.0/24" service name="ssh" accept'
sudo firewall-cmd --permanent --remove-service=ssh
sudo firewall-cmd --reload

4. SSH Hardening

Always Keep a Session Open

Before modifying the SSH configuration and restarting the service, keep an additional logged-in SSH session open for fallback. A misconfiguration can lock you out of the system.

Edit /etc/ssh/sshd_config, or preferably add a drop-in file under /etc/ssh/sshd_config.d/. Note that sshd keeps the first value it reads for each option, and on AlmaLinux 9 the main file begins with Include /etc/ssh/sshd_config.d/*.conf, so drop-ins are read in lexical order before anything further down in sshd_config. Name your file so that it sorts before the vendor drop-in 50-redhat.conf (for example 00-hardening.conf), and verify the effective values with sudo sshd -T. Recommended settings:

text
PermitRootLogin no            # Disallow direct root login
PasswordAuthentication no     # Allow key-based login only (ensure keys are configured first)
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
bash
# Generate and deploy keys locally first (run on your client)
# ssh-copy-id user@server

# Validate the configuration syntax before restarting
sudo sshd -t && sudo systemctl restart sshd
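As an added example (not code from the guide or from OpenSSH), the script below emulates sshd's first-value-wins rule across the drop-in directory and the main file, using a constructed copy of the /etc/ssh layout in a temporary directory. It assumes the Include directive is the first active line of sshd_config, as on AlmaLinux 9, and ignores Match blocks; the contents written to the stand-in 50-redhat.conf are constructed for the demonstration and are not the vendor file. It shows that a hardening drop-in named 99-hardening.conf loses to the vendor file, while the same content as 00-hardening.conf wins.

```shell
#!/bin/sh
# Added example, not part of the original guide: emulate sshd's "first value wins"
# rule across sshd_config.d/*.conf and sshd_config, to show why a hardening drop-in
# must sort before the vendor 50-redhat.conf. Assumes Include is the first active
# line of sshd_config and does not handle Match blocks.
set -eu

# Print the effective value of an sshd option for a config tree rooted at <dir>
# (<dir>/sshd_config plus <dir>/sshd_config.d/*.conf). Drop-ins are read in glob
# order at the point of the Include, i.e. before the rest of the main file, and the
# first occurrence of the option wins. Returns 1 when the option is set nowhere.
effective_sshd_value() {
    local option dir f
    option=$1
    dir=$2
    for f in "$dir"/sshd_config.d/*.conf "$dir"/sshd_config; do
        [ -f "$f" ] || continue
        if awk -v opt="$option" '
                /^[ \t]*(#|$)/ { next }                              # skip comments, blank lines
                tolower($1) == tolower(opt) { print $2; found = 1; exit }   # option names are case-insensitive
                END { exit !found }
            ' "$f"; then
            return 0
        fi
    done
    return 1
}

# Build a constructed /etc/ssh look-alike in a temp dir and print its path.
make_demo_config() {
    local dir
    dir=$(mktemp -d)
    mkdir -p "$dir/sshd_config.d"
    # Main file: the Include comes first, so every drop-in is read before the
    # settings written below it.
    cat > "$dir/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin no
X11Forwarding no
EOF
    # Stand-in for the vendor drop-in (constructed contents, only the ordering matters).
    cat > "$dir/sshd_config.d/50-redhat.conf" <<'EOF'
X11Forwarding yes
UsePAM yes
EOF
    # A hardening drop-in named so that it sorts AFTER the vendor file: its value loses.
    printf 'X11Forwarding no\n' > "$dir/sshd_config.d/99-hardening.conf"
    echo "$dir"
}

# Renaming the drop-in so it sorts first makes its values win.
fix_demo_config() {
    mv "$1/sshd_config.d/99-hardening.conf" "$1/sshd_config.d/00-hardening.conf"
}

demo_dir=$(make_demo_config)
echo "X11Forwarding with 99-hardening.conf: $(effective_sshd_value X11Forwarding "$demo_dir")"
fix_demo_config "$demo_dir"
echo "X11Forwarding with 00-hardening.conf: $(effective_sshd_value X11Forwarding "$demo_dir")"
echo "PermitRootLogin (only in main file):  $(effective_sshd_value PermitRootLogin "$demo_dir")"
rm -rf "$demo_dir"
```

On a real host the authoritative check is `sudo sshd -T | grep -i x11forwarding`, which prints the value sshd will actually use after all includes are resolved; the script above only makes the ordering visible.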

If you need to change the SSH port, set Port in the sshd configuration and update SELinux and the firewall accordingly (semanage comes from the policycoreutils-python-utils package):

bash
sudo dnf install -y policycoreutils-python-utils
sudo semanage port -a -t ssh_port_t -p tcp 2222
sudo firewall-cmd --permanent --add-port=2222/tcp
sudo firewall-cmd --reload

5. Account and Permission Policies

bash
# Use sudo instead of a shared root password; add admins to the wheel group
sudo usermod -aG wheel <your-admin-user>

# Lock system accounts that do not need to log in
sudo passwd -l <service-account>

Password and Login Policies

bash
# Password complexity (edit /etc/security/pwquality.conf; enforced by pam_pwquality)
#   minlen = 12
#   minclass = 3

# Password expiration (edit /etc/login.defs; applies to accounts created afterwards,
# use chage -M 90 <user> for existing accounts)
#   PASS_MAX_DAYS   90
#   PASS_MIN_DAYS   1
#   PASS_WARN_AGE   7

# Failed-login lockout is provided by pam_faillock (the default mechanism on EL8+).
# Thresholds live in /etc/security/faillock.conf:
#   deny = 5              # lock after 5 consecutive failures
#   fail_interval = 900   # failures counted within this window (seconds)
#   unlock_time = 900     # unlock automatically after 15 minutes
# Make sure the PAM stack actually includes faillock
sudo authselect current
sudo authselect enable-feature with-faillock

# Inspect and reset a user's failure counter
faillock --user <username>
sudo faillock --user <username> --reset

6. Intrusion Prevention (fail2ban)

Automatically ban source IPs that perform brute-force attacks.

bash
sudo dnf install -y epel-release
sudo dnf install -y fail2ban

sudo tee /etc/fail2ban/jail.local >/dev/null <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
# read sshd events from the journal instead of a log file
backend  = systemd
# never ban localhost or the trusted management network (adjust to your range)
ignoreip = 127.0.0.1/8 ::1 203.0.113.0/24

[sshd]
enabled = true
EOF

sudo systemctl enable --now fail2ban
sudo fail2ban-client status sshd
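To make the jail parameters concrete, here is an added example (my own, not the guide's and not fail2ban code) that re-implements the maxretry/findtime rule in awk over a constructed sample in the format `journalctl -u sshd -o short-unix` prints (epoch seconds first). It treats "Failed password" and "Invalid user" messages as failures, as fail2ban's sshd filter does, and shows how the same log yields different bans for different findtime values: a burst of five failures in four minutes is caught with findtime=10m, a slow attacker spacing failures 700 seconds apart is only caught once findtime is widened.

```shell
#!/bin/sh
# Added example, not from the original guide or from fail2ban: a small awk version of
# the jail arithmetic (findtime sliding window, maxretry threshold) run over constructed
# sshd log lines in `journalctl -o short-unix` format, to reason about tuning jail.local.
set -eu

# Constructed sample (addresses from the documentation ranges):
#   203.0.113.5   five failures in 4 minutes            -> banned with findtime=600
#   198.51.100.7  five failures ~700 s apart (47 min)   -> never 5 inside a 600 s window
#   192.0.2.9     four failures, then a successful login -> below the threshold
SAMPLE_LOG=$(cat <<'EOF'
1717000000.000000 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 50001 ssh2
1717000005.000000 host sshd[1301]: Failed password for root from 198.51.100.7 port 40001 ssh2
1717000010.000000 host sshd[1401]: Failed password for alice from 192.0.2.9 port 60001 ssh2
1717000020.000000 host sshd[1402]: Failed password for alice from 192.0.2.9 port 60002 ssh2
1717000030.000000 host sshd[1403]: Failed password for alice from 192.0.2.9 port 60003 ssh2
1717000040.000000 host sshd[1404]: Failed password for alice from 192.0.2.9 port 60004 ssh2
1717000050.000000 host sshd[1405]: Accepted publickey for alice from 192.0.2.9 port 60005 ssh2
1717000060.000000 host sshd[1202]: Failed password for root from 203.0.113.5 port 50002 ssh2
1717000120.000000 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 50003 ssh2
1717000180.000000 host sshd[1204]: Invalid user oracle from 203.0.113.5 port 50004
1717000240.000000 host sshd[1205]: Failed password for root from 203.0.113.5 port 50005 ssh2
1717000705.000000 host sshd[1302]: Failed password for root from 198.51.100.7 port 40002 ssh2
1717001405.000000 host sshd[1303]: Failed password for root from 198.51.100.7 port 40003 ssh2
1717002105.000000 host sshd[1304]: Failed password for root from 198.51.100.7 port 40004 ssh2
1717002805.000000 host sshd[1305]: Failed password for root from 198.51.100.7 port 40005 ssh2
EOF
)

# Print "<ip> <ban_epoch>" for every source that reaches maxretry failures within
# any trailing window of findtime seconds; each IP is reported once, at ban time.
# Usage: find_bans <findtime_seconds> <maxretry> < log
find_bans() {
    awk -v findtime="$1" -v maxretry="$2" '
        # only failure-type sshd messages count, mirroring the sshd filter idea
        !/sshd\[[0-9]+\]: (Failed password|Invalid user)/ { next }
        {
            ts = $1 + 0                                  # short-unix timestamp
            ip = ""
            for (i = 2; i <= NF; i++) if ($i == "from") { ip = $(i + 1); break }
            if (ip == "" || (ip in banned)) next
            n[ip]++
            t[ip, n[ip]] = ts
            # count this IP'"'"'s failures inside the trailing findtime window
            hits = 0
            for (j = n[ip]; j >= 1 && t[ip, j] > ts - findtime; j--) hits++
            if (hits >= maxretry) { banned[ip] = ts; print ip, ts }
        }'
}

echo "bans with findtime=600 maxretry=5 (the jail.local values above):"
printf '%s\n' "$SAMPLE_LOG" | find_bans 600 5
echo "bans with findtime=3600 maxretry=5 (slow attacker now caught):"
printf '%s\n' "$SAMPLE_LOG" | find_bans 3600 5
```

The trade-off the numbers show is the usual one: a longer findtime catches low-and-slow brute force but also makes legitimate users with a flaky key setup more likely to hit maxretry, which is why ignoreip for the management network matters.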

7. Auditing and File Integrity

bash
# auditd is installed by default; confirm it is running
sudo systemctl enable --now auditd

# File integrity baseline (AIDE); database paths follow the defaults in /etc/aide.conf
sudo dnf install -y aide
sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz
# Keep a copy of the baseline off the host, so a compromised system cannot quietly rewrite it
# Compare against the baseline periodically afterward (e.g., from a systemd timer or cron)
sudo aide --check
# After legitimate changes (updates, deployments), refresh the baseline
sudo aide --update && sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

8. Kernel and Network Hardening (sysctl)

Add the entries you need to /etc/sysctl.d/99-hardening.conf, then apply with sudo sysctl --system:

text
# Reverse path filtering against spoofed sources ("all" applies to existing
# interfaces, "default" seeds interfaces created later; CIS-style baselines set both)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Do not send redirects either (only routers need to)
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Enable SYN cookies to defend against SYN floods
net.ipv4.tcp_syncookies = 1
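Applying the file is only half the job; the values should be read back, since a later drop-in in /etc/sysctl.d or a tuned profile can override them. The following added example (mine, not from the guide) compares a hardening file with a dump in `sysctl -a` format and lists every key that is missing or differs. Both files here are constructed so the script runs offline; on a real host point the second argument at the output of `sysctl -a 2>/dev/null`.

```shell
#!/bin/sh
# Added example, not part of the original guide: report drift between the sysctl
# values a hardening file asks for and the values the kernel currently reports.
# Both inputs are constructed below; on a real host the second would come from
# `sysctl -a 2>/dev/null > /tmp/current.txt`.
set -eu

# Print one sorted line per mismatch: "<key> want=<v> have=<v|MISSING>".
# Prints nothing when every requested key is present with the requested value.
# Usage: sysctl_drift <desired.conf> <current_sysctl_dump>
# (the desired file must not be empty, or the NR==FNR two-file idiom breaks)
sysctl_drift() {
    awk -F '[ \t]*=[ \t]*' '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
        NR == FNR { want[$1] = $2; next }            # first file: desired settings
        ($1 in want) { have[$1] = $2 }               # second file: current kernel values
        END {
            for (k in want) {
                if (!(k in have))
                    print k, "want=" want[k], "have=MISSING"
                else if (have[k] != want[k])
                    print k, "want=" want[k], "have=" have[k]
            }
        }' "$1" "$2" | sort
}

# Constructed copy of the hardening file above (subset).
WANT=$(mktemp)
cat > "$WANT" <<'EOF'
# Prevent IP spoofing / reverse path filtering
net.ipv4.conf.all.rp_filter = 1
# Ignore ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
# Do not accept source routing
net.ipv4.conf.all.accept_source_route = 0
# Log suspicious packets
net.ipv4.conf.all.log_martians = 1
# Enable SYN cookies to defend against SYN floods
net.ipv4.tcp_syncookies = 1
EOF

# Constructed excerpt of what `sysctl -a` might print on a host where the file was
# only partially applied: rp_filter left in loose mode, IPv6 redirects accepted,
# log_martians never set.
HAVE=$(mktemp)
cat > "$HAVE" <<'EOF'
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
net.ipv4.ip_forward = 0
EOF

echo "sysctl drift:"
sysctl_drift "$WANT" "$HAVE"
```

An empty result is the pass condition; anything printed is a key to chase down with `sysctl --system` (which reports the files it loads, in order) before assuming the hardening is in effect.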

9. Minimize the Attack Surface

bash
# List and disable unneeded services
systemctl list-unit-files --type=service --state=enabled
sudo systemctl disable --now <unneeded-service>

# Check listening ports with ss (netstat is deprecated)
sudo ss -tulpn

10. Compliance Baseline Scanning (OpenSCAP)

Use official security baselines (such as CIS or PCI-DSS) to assess the system and generate a report.

bash
sudo dnf install -y openscap-scanner scap-security-guide

# List the profiles applicable to this system
oscap info /usr/share/xml/scap/ssg/content/ssg-almalinux*-ds.xml

# Evaluate and generate an HTML report (use the profile ID from the previous step's output).
# Exit status 2 means at least one rule failed; keep the XML results for tracking over time.
sudo oscap xccdf eval \
  --profile <profile-id> \
  --results scan-results.xml \
  --report scan-report.html \
  /usr/share/xml/scap/ssg/content/ssg-almalinux*-ds.xml

Hardening Checklist

  • [ ] System is updated, and automatic security updates are enabled
  • [ ] SELinux is in Enforcing mode
  • [ ] Firewall allows only necessary services, and management ports are source-restricted
  • [ ] SSH disables root login and uses key-based authentication
  • [ ] sudo is used for administration, unused accounts are locked, and password and lockout policies are enabled
  • [ ] fail2ban is deployed
  • [ ] auditd and AIDE are enabled with a baseline established
  • [ ] sysctl network hardening parameters are applied
  • [ ] Unused services are disabled, and listening ports are verified
  • [ ] A compliance baseline scan has been completed via OpenSCAP

Released under the MIT License