How To

How to Secure RHEL 10 | Hardening Best Practices

Securing a server is like locking the doors to your house—you want to make sure only the right people get in, and your valuables stay safe. Red Hat Enterprise Linux (RHEL) 10, released in May 2025, is a robust platform for enterprises, but even the strongest systems need proper defenses. With features like post-quantum cryptography and enhanced SELinux, RHEL 10 offers powerful security tools, but misconfigurations can leave vulnerabilities. Whether you’re a system administrator or a beginner managing a RHEL 10 server, this guide will walk you through practical steps to harden your system against threats. From securing user accounts to configuring firewalls, let’s make your RHEL 10 environment a fortress!

Ishwar Singh SisodiyaIshwar Singh Sisodiya
Aug 28, 2025 - 14:06
Aug 29, 2025 - 12:16
 24
How to Secure RHEL 10 | Hardening Best Practices

Table of Contents

Why Harden RHEL 10?

Hardening a system means reducing its attack surface—think of it as closing all the windows a hacker might try to sneak through. RHEL 10, with its Linux 6.12 kernel and enterprise-grade features, is secure by design, but default settings may not suit every environment. Hardening protects against unauthorized access, malware, and data breaches, especially for servers handling sensitive data in industries like finance or healthcare. By implementing best practices, you ensure compliance with standards like GDPR or HIPAA, minimize downtime, and maintain trust. RHEL 10’s tools, like SELinux and firewalld, make hardening easier, but they need proper configuration to shine.

RHEL 10 Hardening Checklist

Here’s a quick overview of key hardening steps for RHEL 10, which we’ll dive into later.

Category Key Actions Tools/Commands
User Security Strong passwords, disable root login, configure sudo. passwd, sshd_config, visudo
Firewall Enable firewalld, restrict ports. firewall-cmd
SELinux Keep enforcing mode, customize policies. getenforce, audit2allow
System Updates Apply patches, automate updates. dnf update, dnf-automatic
Network Security Secure SSH, disable unused services. sshd_config, systemctl
Monitoring Enable auditing, monitor logs. auditctl, journalctl

Securing User Accounts

User accounts are often the first target for attackers. Here’s how to lock them down on RHEL 10:

  • Enforce Strong Passwords: Use complex passwords with at least 12 characters, mixing letters, numbers, and symbols. Configure password policies in /etc/security/pwquality.conf (e.g., set minlen=12).
  • Disable Root Login: Prevent direct root access via SSH by editing /etc/ssh/sshd_config and setting PermitRootLogin no. Restart SSH: sudo systemctl restart sshd.
  • Use Sudo for Admin Tasks: Grant admin privileges to specific users via sudo visudo. Add users to the wheel group: usermod -aG wheel username.
  • Lock Inactive Accounts: Set account expiration for inactive users: sudo chage -I 30 username (locks after 30 days of inactivity).
  • Limit User Access: Restrict users to specific tasks using setfacl for file permissions or role-based access control.

Tip: Regularly audit user accounts with cat /etc/passwd to remove unnecessary ones.

Configuring Firewalld

Firewalld is RHEL 10’s firewall tool, controlling network traffic to keep your system safe. Here’s how to set it up:

  • Enable Firewalld: Ensure it’s running: sudo systemctl enable --now firewalld.
  • Set Default Zone: Use the public zone for servers: sudo firewall-cmd --set-default-zone=public.
  • Allow Necessary Services: Permit only required services, like SSH: sudo firewall-cmd --permanent --add-service=ssh.
  • Restrict Ports: Open specific ports (e.g., 80 for HTTP): sudo firewall-cmd --permanent --add-port=80/tcp. Apply changes: sudo firewall-cmd --reload.
  • Block Unused Ports: List open ports with firewall-cmd --list-all and remove unnecessary ones: sudo firewall-cmd --permanent --remove-port=port/protocol.
  • Enable Logging: Log denied connections: sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" log prefix="DENIED: " level="warning"'.

Tip: Test firewall rules in a lab to avoid locking yourself out.

Managing SELinux

SELinux (Security-Enhanced Linux) is RHEL 10’s powerful access control system, restricting what processes and users can do. Here’s how to use it effectively:

  • Keep Enforcing Mode: Ensure SELinux is in enforcing mode: getenforce. If not, set it: sudo setenforce 1.
  • Check Policies: Verify contexts for files and services: ls -Z (files) or ps -Z (processes).
  • Fix Policy Issues: If an application fails due to SELinux, check logs in /var/log/audit/audit.log and create custom policies with audit2allow -M mypolicy.
  • Use Booleans: Enable specific features, like allowing HTTPD to access home directories: sudo setsebool -P httpd_read_user_content 1.
  • Label Ports: Assign correct SELinux labels to custom ports: sudo semanage port -a -t http_port_t -p tcp 8080.

Tip: Avoid disabling SELinux; use permissive mode (setenforce 0) temporarily for troubleshooting.

Keeping the System Updated

Regular updates patch vulnerabilities and keep RHEL 10 secure. Here’s how to manage them:

  • Update Packages: Run sudo dnf update -y to install the latest patches.
  • Automate Updates: Install dnf-automatic and configure it to apply security updates: sudo dnf install dnf-automatic, then edit /etc/dnf/automatic.conf.
  • Enable Repositories: Ensure access to RHEL 10 repositories: subscription-manager repos --enable rhel-10-for-x86_64-baseos-rpms.
  • Monitor Advisories: Check Red Hat’s security advisories for critical updates via the Customer Portal.
  • Reboot When Needed: Apply kernel updates with a reboot: sudo reboot.

Tip: Schedule updates during low-traffic periods to minimize downtime.

Network Security Best Practices

Securing network access prevents unauthorized intrusions. Here’s how to harden RHEL 10’s network:

  • Secure SSH: Use key-based authentication. Generate keys: ssh-keygen, then copy to the server: ssh-copy-id user@server. Disable password authentication in /etc/ssh/sshd_config: PasswordAuthentication no.
  • Disable Unused Services: Stop unnecessary services: sudo systemctl disable service-name (e.g., telnet).
  • Use TLS/SSL: Enable HTTPS for web servers with Let’s Encrypt: sudo dnf install certbot.
  • Limit Network Exposure: Use nmcli to configure private IP ranges and avoid exposing services publicly.
  • Enable Post-Quantum Crypto: Configure FIPS-compliant algorithms for services like SSH or Apache: sudo fips-mode-setup --enable.

Monitoring and Auditing

Proactive monitoring catches threats early. Here’s how to set it up on RHEL 10:

  • Enable Auditing: Install audit package: sudo dnf install audit. Configure rules: sudo auditctl -w /etc -p wa to monitor file changes.
  • Monitor Logs: Check system logs with journalctl -xe or tail -f /var/log/secure for login attempts.
  • Use Red Hat Insights: Enable Insights for vulnerability scanning and compliance checks via the Red Hat Customer Portal.
  • Set Up Alerts: Configure logwatch to email daily log summaries: sudo dnf install logwatch.
  • Track Processes: Use top or ps aux to monitor suspicious activity.

Conclusion

Securing RHEL 10 is a critical step to protect your systems from threats and ensure compliance in enterprise environments. By following hardening best practices—securing user accounts, configuring firewalld, leveraging SELinux, keeping systems updated, and monitoring activity—you can build a robust defense. RHEL 10’s advanced features, like post-quantum cryptography and Lightspeed AI, make it a secure platform, but proper configuration is key. Whether you’re running a single server or a cloud fleet, these steps will help you lock down your system. Start hardening your RHEL 10 environment today, test your setup, and stay one step ahead of potential threats!

Frequently Asked Questions

What is system hardening?

Hardening reduces a system’s vulnerabilities by securing configurations, closing unused ports, and enforcing access controls.

Why is hardening RHEL 10 important?

It protects against unauthorized access, data breaches, and ensures compliance with regulations like GDPR or HIPAA.

What is SELinux in RHEL 10?

SELinux is a security module that enforces strict access controls on processes and files to prevent unauthorized actions.

Should I disable SELinux?

No, keep SELinux in enforcing mode for maximum security; use permissive mode only for troubleshooting.

How do I secure SSH on RHEL 10?

Disable root login and password authentication in /etc/ssh/sshd_config and use key-based authentication.

What is firewalld?

Firewalld is RHEL 10’s firewall tool for controlling network traffic and blocking unauthorized access.

How do I check if firewalld is running?

Run sudo systemctl status firewalld to verify it’s active and enabled.

Can I automate RHEL 10 updates?

Yes, use dnf-automatic to schedule security updates automatically.

What is post-quantum cryptography in RHEL 10?

It’s a FIPS-compliant feature to protect data against future quantum computing attacks.

How do I enable FIPS mode in RHEL 10?

Run sudo fips-mode-setup --enable and reboot to enable FIPS-compliant cryptography.

How do I monitor RHEL 10 for security issues?

Use journalctl, auditctl, and Red Hat Insights to monitor logs and vulnerabilities.

What is Red Hat Insights?

It’s a tool for proactive vulnerability scanning and compliance checks, available via the Red Hat Customer Portal.

How do I enforce strong passwords?

Edit /etc/security/pwquality.conf to set minimum length and complexity requirements.

Can I disable unused services?

Yes, stop and disable them with sudo systemctl disable service-name (e.g., telnet).

How do I audit file changes?

Use auditctl -w /path -p wa to monitor file writes and access attempts.

What is the public zone in firewalld?

It’s a default firewalld zone for servers, restricting access to only explicitly allowed services.

How do I fix SELinux policy issues?

Check /var/log/audit/audit.log and create custom policies with audit2allow.

Do I need a Red Hat subscription for hardening?

A subscription ensures access to updates and Red Hat Insights, but basic hardening can be done without one.

How do I secure web servers on RHEL 10?

Enable HTTPS with Let’s Encrypt and set SELinux booleans like httpd_read_user_content.

Where can I learn more about RHEL 10 security?

Visit docs.redhat.com, the Red Hat Customer Portal, or forums like r/redhat on Reddit.

Tags:

Previous Article

RHEL 10 for Cloud Computing | AWS, Azure, and GCP

Next Article

RHEL 10 Storage Administration Tutorial for Beginners

What's Your Reaction?

like

dislike

love

funny

angry

sad

wow

Ishwar Singh Sisodiya
Ishwar Singh Sisodiya I am focused on making a positive difference and helping businesses and people grow. I believe in the power of hard work, continuous learning, and finding creative ways to solve problems. My goal is to lead projects that help others succeed, while always staying up to date with the latest trends. I am dedicated to creating opportunities for growth and helping others reach their full potential.

Related Posts

How Reconnaissance Tools Help in Identifying Cyber Threats

How Reconnaissance Tools Help in Identifying Cyber Threats

Ishwar Singh Sisodiya Sep 9, 2025  27

How To Secure Your Social Media Accounts?

How To Secure Your Social Media Accounts?

Ishwar Singh Sisodiya Nov 20, 2024  219

How Can You Start a Career as a Malware Analyst With No...

Ishwar Singh Sisodiya Oct 8, 2025  14