🛡️ Security

Rocky Linux Security Hardening

Defence-in-depth for Rocky Linux servers — SELinux mandatory access control, SSH hardening, centralised identity with FreeIPA, brute-force protection, and audit trail management.

SELinux Access Decision
Subject: the process requesting access (e.g. httpd)
Object: the resource being accessed (file, port, socket)
Policy: the rules that allow or deny the action
AVC log: the denial is written to /var/log/audit/audit.log
Enforce: the action is blocked and the denial logged
# Check enforcing status
$ getenforce → Enforcing
$ sestatus → full status
Security · SELinux

SELinux — Mandatory Access Control

SELinux is part of Rocky Linux from the first boot and runs in Enforcing mode by default. Every process and file carries a security context label, and the kernel consults the loaded policy against those labels on file access, socket operations and program execution (domain transitions), in addition to the ordinary permission bits.

Rather than disabling SELinux (a common but dangerous shortcut), learn the key tools to work with it effectively.

Essential SELinux commands
# Check current mode
[root@rocky ~]$ getenforce
Enforcing
 
# View SELinux context of files
[root@rocky ~]$ ls -Z /var/www/html/
 
# Restore the contexts the policy expects (e.g. after files were moved in with mv, which keeps their old label)
[root@rocky ~]$ restorecon -Rv /var/www/html/
 
# Allow httpd to make outbound network connections (-P makes the boolean persistent across reboots)
[root@rocky ~]$ setsebool -P httpd_can_network_connect 1
 
# Diagnose a denial with audit2why
[root@rocky ~]$ ausearch -m avc -ts recent | audit2why
🚫
Never do this in production: setenforce 0 or SELINUX=disabled in /etc/selinux/config removes your MAC layer entirely. Work through denials instead: look for an existing boolean first (getsebool -a | grep httpd), fix file labels with semanage fcontext and restorecon, and only then generate a targeted module with audit2allow -M. Read the .te file it produces before loading it, because it allows exactly what was denied, including whatever a compromised process was trying to do.
Security · SSH

OpenSSH — Hardened Remote Access

OpenSSH is pre-installed on Rocky Linux. The default configuration is functional but not hardened. The changes below close the most common attack paths: password brute force, root login abuse, and negotiation of weak algorithms. Keep an existing session open while you apply them, so a mistake does not lock you out.

Generate Ed25519 keypair (on client)
user@client:~$ ssh-keygen -t ed25519 -C "admin@company.com"
user@client:~$ ssh-copy-id -i ~/.ssh/id_ed25519.pub admin@192.168.1.10
/etc/ssh/sshd_config.d/00-hardening.conf (Rocky 9) or /etc/ssh/sshd_config (Rocky 8): hardened settings
# Rocky 9 reads Include /etc/ssh/sshd_config.d/*.conf before the rest of sshd_config and the
# FIRST value sshd sees for a keyword wins, so a drop-in sorting before 50-redhat.conf is the
# only place where these settings are guaranteed to take effect. On Rocky 8 edit sshd_config
# and uncomment CRYPTO_POLICY= in /etc/sysconfig/sshd, otherwise the system crypto policy
# overrides Ciphers, MACs and KexAlgorithms.
PermitRootLogin no
PasswordAuthentication no
# Deprecated alias of KbdInteractiveAuthentication in OpenSSH 8.7+; accepted on both releases
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
# Use AllowGroups instead if logins are managed through FreeIPA groups
AllowUsers admin deploy
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
Validate, reload and verify the effective configuration
[root@rocky ~]$ sshd -t && systemctl reload sshd
[root@rocky ~]$ sshd -T | grep -iE '^(permitrootlogin|passwordauthentication|x11forwarding|ciphers)'
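To check that a server really applies these settings, the following added example (written for this page, not OpenSSH code) parses sshd_config text with sshd's own precedence rule, the first value given for a keyword wins, and compares the result against the hardened baseline above. Run it on the output of sshd -T, which already resolves Include files and crypto-policy overrides; the two sample configurations embedded below are constructed.

```python
"""Check an OpenSSH server configuration against the hardened baseline.

Added example for this page (not OpenSSH code). It applies sshd's rule that
the FIRST value given for a keyword wins, which is why Rocky 9 drop-ins in
/etc/ssh/sshd_config.d/ can silently override the main file. Feed it the
output of `sshd -T` to audit the effective configuration. Both sample
configurations below are constructed.
"""
import re

# Keyword (lower case) -> value the hardened config on this page requires.
BASELINE = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "kbdinteractiveauthentication": "no",
    "pubkeyauthentication": "yes",
    "maxauthtries": "3",
    "logingracetime": "30",
    "x11forwarding": "no",
}
# OpenSSH 8.7+ treats ChallengeResponseAuthentication as an alias of this keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
# Algorithm names that should not be negotiated: CBC ciphers, SHA-1/MD5 MACs and KEX.
WEAK = (re.compile(r"-cbc$"), re.compile(r"sha1"), re.compile(r"md5"),
        re.compile(r"^3des"), re.compile(r"^arcfour"))


def parse_sshd_config(text):
    """Return {keyword: first_value}; ignores comments and stops at a Match block,
    whose conditional settings need separate review."""
    effective = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if "=" in parts[0]:                          # "Keyword=value" form
            key, value = parts[0].split("=", 1)
        else:                                        # "Keyword value" form
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.lower()
        if key == "match":
            break
        key = ALIASES.get(key, key)
        effective.setdefault(key, value.strip())    # first occurrence wins
    return effective


def weak_algorithms(csv):
    """Names in a comma-separated algorithm list that match a weak pattern."""
    names = [n.strip().lstrip("+-^") for n in csv.split(",") if n.strip()]
    return [n for n in names if any(p.search(n) for p in WEAK)]


def audit(text):
    """Return sorted findings for a config; an empty list means compliant."""
    cfg = parse_sshd_config(text)
    findings = []
    for key, want in BASELINE.items():
        got = cfg.get(key)
        if got is None:
            findings.append(f"{key}: not set, sshd default applies")
        elif got.lower() != want:
            findings.append(f"{key}: is '{got}', want '{want}'")
    if "protocol" in cfg:                            # keyword removed from OpenSSH long ago
        findings.append("protocol: obsolete keyword, delete it")
    if not ({"allowusers", "allowgroups"} & set(cfg)):
        findings.append("allowusers/allowgroups: no login allow-list")
    for key in ("ciphers", "macs", "kexalgorithms"):
        for name in weak_algorithms(cfg.get(key, "")):
            findings.append(f"{key}: weak algorithm {name}")
    return sorted(findings)


# Constructed samples: a stock-looking config and the hardened one from this page.
STOCK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
PasswordAuthentication yes
Protocol 2
Ciphers aes128-cbc,aes256-gcm@openssh.com
MACs hmac-sha1,hmac-sha2-256-etm@openssh.com
"""
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
AllowUsers admin deploy
Ciphers aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,diffie-hellman-group16-sha512
"""

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {name}: {len(audit(cfg))} finding(s)")
        for finding in audit(cfg):
            print("  ", finding)
```

On a live host, `sshd -T > /tmp/effective.conf` and audit that file rather than /etc/ssh/sshd_config: the -T dump is what sshd actually enforces after every Include and crypto-policy line has been applied.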
💡
Audit your SSH config: from another host run ssh-audit 192.168.1.10 (pip install ssh-audit) to list the ciphers, MACs and key exchange algorithms the server actually offers. If that list differs from what you configured, a crypto-policy include or a drop-in file is overriding it; sshd -T on the server shows the effective value of every keyword.
Security · Identity

FreeIPA — Centralised Identity Management

FreeIPA bundles MIT Kerberos, LDAP (389 Directory Server), an optional integrated DNS server, a Dogtag certificate authority and a web UI into one identity platform. Enrol your Rocky Linux machines and manage users, groups, SSH public keys, sudo rules and host-based access control (HBAC) from one place; clients authenticate through SSSD, which caches credentials so logins keep working if the server is briefly unreachable.

Install FreeIPA server (the host needs a static IP and a resolvable FQDN; avoid a .local domain, which collides with multicast DNS)
[root@rocky ~]$ hostnamectl set-hostname ipa.example.com
[root@rocky ~]$ dnf install -y ipa-server ipa-server-dns
[root@rocky ~]$ firewall-cmd --permanent --add-service={freeipa-4,dns} && firewall-cmd --reload
[root@rocky ~]$ ipa-server-install --domain=example.com --realm=EXAMPLE.COM --setup-dns --forwarder=8.8.8.8
Enrol a client machine (its resolver must point at the IPA DNS server; omitting the passwords makes the installers prompt, so secrets stay out of shell history)
[root@client ~]$ dnf install -y ipa-client
[root@client ~]$ ipa-client-install --mkhomedir --domain=example.com --realm=EXAMPLE.COM --principal=admin -W
Manage users and HBAC (HBAC is default-deny once the built-in allow_all rule is disabled)
[root@rocky ~]$ kinit admin
[root@rocky ~]$ ipa user-add jdoe --first=John --last=Doe --password
[root@rocky ~]$ ipa group-add sysadmins
[root@rocky ~]$ ipa group-add-member sysadmins --users=jdoe
[root@rocky ~]$ ipa hbacrule-add allow_sysadmins --hostcat=all --servicecat=all
[root@rocky ~]$ ipa hbacrule-add-user allow_sysadmins --groups=sysadmins
[root@rocky ~]$ ipa hbacrule-disable allow_all
[root@rocky ~]$ ipa hbactest --user=jdoe --host=client.example.com --service=sshd
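The following added example (written for this page, not FreeIPA code) models the decision the HBAC engine and ipa hbactest make for the rules above: a login is allowed only when at least one enabled rule matches the user, the host and the PAM service, a category of "all" matches anything, and no match means deny. It shows why the install-time allow_all rule must be disabled before allow_sysadmins restricts anything. The group memberships and the web_ops_ssh rule are constructed.

```python
"""Model of FreeIPA HBAC evaluation for the rules created above.

Added example, not FreeIPA code: reproduces the decision logic the HBAC
engine (and `ipa hbactest`) applies. Access is granted only if at least one
ENABLED rule matches user, host and service; a category of "all" matches
everything; with no matching rule the answer is deny. allow_all is the rule
FreeIPA creates at install time; memberships and web_ops_ssh are constructed.
"""


class HbacRule:
    def __init__(self, name, enabled=True, usercat=None, hostcat=None, servicecat=None,
                 users=(), groups=(), hosts=(), hostgroups=(), services=(), servicegroups=()):
        self.name = name
        self.enabled = enabled
        self.usercat, self.hostcat, self.servicecat = usercat, hostcat, servicecat
        self.users, self.groups = set(users), set(groups)
        self.hosts, self.hostgroups = set(hosts), set(hostgroups)
        self.services, self.servicegroups = set(services), set(servicegroups)

    def matches(self, user, user_groups, host, host_groups, service, service_groups):
        """Each of the three dimensions matches by category 'all', direct member or group."""
        if not self.enabled:
            return False
        user_ok = self.usercat == "all" or user in self.users or bool(self.groups & user_groups)
        host_ok = self.hostcat == "all" or host in self.hosts or bool(self.hostgroups & host_groups)
        svc_ok = (self.servicecat == "all" or service in self.services
                  or bool(self.servicegroups & service_groups))
        return user_ok and host_ok and svc_ok


def evaluate(rules, user, user_groups, host, host_groups, service, service_groups=frozenset()):
    """Return (allowed, names of matching rules). No matching rule means deny."""
    hits = [r.name for r in rules
            if r.matches(user, set(user_groups), host, set(host_groups), service, set(service_groups))]
    return bool(hits), hits


def build_rules(allow_all_enabled=True):
    """Rule set after the `ipa hbacrule-*` commands above. allow_all is FreeIPA's
    default rule; web_ops_ssh is a constructed, narrowly scoped rule for contrast."""
    return [
        HbacRule("allow_all", enabled=allow_all_enabled, usercat="all", hostcat="all", servicecat="all"),
        HbacRule("allow_sysadmins", hostcat="all", servicecat="all", groups={"sysadmins"}),
        HbacRule("web_ops_ssh", groups={"webops"}, hostgroups={"webservers"}, services={"sshd"}),
    ]


if __name__ == "__main__":
    requests = (("jdoe", {"sysadmins"}, "db01", set(), "sshd"),
                ("guest", set(), "db01", set(), "sshd"),
                ("bob", {"webops"}, "web01", {"webservers"}, "sshd"),
                ("bob", {"webops"}, "web01", {"webservers"}, "sudo"))
    for state in (True, False):
        rules = build_rules(allow_all_enabled=state)
        print(f"allow_all enabled={state}")
        for who, grps, host, hgrps, svc in requests:
            print(" ", who, host, svc, evaluate(rules, who, grps, host, hgrps, svc))
```

With allow_all enabled every request succeeds regardless of the other rules; with it disabled, guest is denied everywhere, jdoe is allowed everywhere through the sysadmins group, and bob can reach sshd on the web servers but not sudo, which needs its own rule.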
Security · Brute-Force Protection

Fail2Ban — Adaptive IP Banning

Fail2Ban watches log files (or the journal) and temporarily bans addresses that show abusive patterns: repeated failed SSH logins, floods of web 404s, SMTP AUTH failures. On Rocky Linux the EPEL fail2ban package brings in fail2ban-firewalld, whose drop-in /etc/fail2ban/jail.d/00-firewalld.conf sets the ban action to firewallcmd-rich-rules, so bans land in the firewall you already manage.

Install and configure Fail2Ban
[root@rocky ~]$ dnf install -y epel-release && dnf install -y fail2ban
[root@rocky ~]$ systemctl enable --now fail2ban
/etc/fail2ban/jail.local: defaults and SSH jail
[DEFAULT]
# Never ban yourself: loopback plus your management network (example range, adjust it)
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
bantime = 24h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port = ssh
# EPEL's package reads sshd events from the journal; with backend = systemd a logpath line is ignored
backend = systemd
Monitor bans
[root@rocky ~]$ fail2ban-client status sshd
[root@rocky ~]$ fail2ban-client unban 1.2.3.4
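Before tuning maxretry, findtime and bantime on a live host it helps to replay the counting rule over a log sample. The following added example (written for this page, not fail2ban code) implements the jail semantics: an address is banned when maxretry failures fall inside a sliding findtime window, for bantime seconds, and ignoreip networks are never counted. The /var/log/secure-style lines are constructed, and the failure patterns are a small subset of fail2ban's sshd filter.

```python
"""Replay of the fail2ban sshd jail above over /var/log/secure-style lines.

Added example, not fail2ban code: implements the jail's counting rule (ban
when `maxretry` failures from one address fall inside a sliding `findtime`
window, for `bantime`, skipping `ignoreip` networks). The log lines are
constructed; the failure patterns are a subset of fail2ban's sshd filter.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2024  # syslog timestamps carry no year; the constructed sample is from 2024
FAILURE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed (?:password|publickey) for (?:invalid user )?\S+|Invalid user \S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, source_ip) for each authentication failure line."""
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def is_ignored(ip, ignoreip):
    """True if ip falls in any ignoreip network (address families never cross-match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def simulate_jail(text, maxretry=5, findtime=600, bantime=86400, ignoreip=()):
    """Return [(ip, banned_at, ban_until)] in the order bans would be issued.
    findtime and bantime are seconds, as in jail.local (10m = 600, 24h = 86400)."""
    window = defaultdict(deque)      # ip -> timestamps of recent failures
    banned_until = {}
    bans = []
    for ts, ip in parse_failures(text):
        if is_ignored(ip, ignoreip):
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue                 # firewall already drops this source
        hits = window[ip]
        hits.append(ts)
        while hits and hits[0] < ts - timedelta(seconds=findtime):
            hits.popleft()           # slide the window forward
        if len(hits) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            hits.clear()
    return bans


# Constructed sample: a fast brute force, a slow one, and one from the management network.
SAMPLE_SECURE_LOG = """\
May  1 10:00:01 rocky sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
May  1 10:00:04 rocky sshd[2203]: Failed password for root from 203.0.113.7 port 51236 ssh2
May  1 10:00:06 rocky sshd[2205]: Invalid user oracle from 203.0.113.7 port 51238
May  1 10:00:09 rocky sshd[2205]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
May  1 10:00:12 rocky sshd[2207]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
May  1 10:00:20 rocky sshd[2209]: Failed password for deploy from 198.51.100.9 port 40000 ssh2
May  1 10:12:00 rocky sshd[2211]: Failed password for deploy from 198.51.100.9 port 40002 ssh2
May  1 10:24:00 rocky sshd[2213]: Failed password for deploy from 198.51.100.9 port 40004 ssh2
May  1 10:36:00 rocky sshd[2215]: Failed password for deploy from 198.51.100.9 port 40006 ssh2
May  1 10:40:00 rocky sshd[2217]: Accepted publickey for deploy from 198.51.100.9 port 40008 ssh2: ED25519 SHA256:abc
May  1 10:41:00 rocky sshd[2219]: Failed password for admin from 10.0.0.5 port 50000 ssh2
May  1 10:41:02 rocky sshd[2221]: Failed password for admin from 10.0.0.5 port 50002 ssh2
May  1 10:41:04 rocky sshd[2223]: Failed password for admin from 10.0.0.5 port 50004 ssh2
May  1 10:41:06 rocky sshd[2225]: Failed password for admin from 10.0.0.5 port 50006 ssh2
May  1 10:41:08 rocky sshd[2227]: Failed password for admin from 10.0.0.5 port 50008 ssh2
"""

if __name__ == "__main__":
    mgmt = ("127.0.0.1/8", "::1", "10.0.0.0/8")
    for ip, at, until in simulate_jail(SAMPLE_SECURE_LOG, ignoreip=mgmt):
        print(f"ban {ip} at {at} until {until}")
    print("with maxretry=3 findtime=1h:",
          [ip for ip, _, _ in simulate_jail(SAMPLE_SECURE_LOG, maxretry=3, findtime=3600)])
```

With the page's settings only 203.0.113.7 is banned: 198.51.100.9 spreads its attempts twelve minutes apart, so no ten-minute window ever holds five, and 10.0.0.5 sits in ignoreip. Lowering maxretry to 3 with a one-hour findtime catches the slow attacker as well, which is the trade-off the two knobs control.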

Common Jails Available

sshd: failed SSH login attempts
nginx-http-auth: Nginx authentication failures
postfix: SMTP brute force
dovecot: IMAP/POP3 authentication failures
vsftpd: FTP login failures
apache-auth: Apache 401 responses
mysqld-auth: MySQL authentication failures
# Sample audit.log entries (abridged)
type=SYSCALL msg=audit(1714500000.123:456): arch=c000003e syscall=257 success=yes auid=1000 uid=0 comm="cat" exe="/usr/bin/cat"
→ syscall 257 is openat on x86_64: a file opened by the 'cat' binary; auid is the login UID, which survives su and sudo
type=AVC msg=audit(1714500100.456:789): avc:  denied  { read } for  pid=1234 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
→ SELinux denied httpd read access to a file labelled user_home_t
type=USER_LOGIN msg=audit(1714500200.789:812): pid=1111 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=client.local addr=192.0.2.10 terminal=ssh res=success'
→ Successful SSH login recorded; failures carry res=failed
Security · Audit

Auditd — System Call Auditing

The Linux Audit daemon (auditd) records system calls, file access, and user actions to /var/log/audit/audit.log. Combined with ausearch and aureport, it provides a complete forensic trail for compliance and incident response.

Auditd setup and key rules
# auditd ships with Rocky Linux; make sure it is running
[root@rocky ~]$ systemctl enable --now auditd
 
# Watch /etc/passwd for writes and attribute changes (user modification)
[root@rocky ~]$ auditctl -w /etc/passwd -p wa -k user-modify
 
# Watch sudo usage
[root@rocky ~]$ auditctl -w /usr/bin/sudo -p x -k sudo-use
 
# auditctl rules are gone after a reboot: persist them under /etc/audit/rules.d/ and load with augenrules
[root@rocky ~]$ printf '%s\n' '-w /etc/passwd -p wa -k user-modify' '-w /usr/bin/sudo -p x -k sudo-use' > /etc/audit/rules.d/50-hardening.rules
[root@rocky ~]$ augenrules --load
 
# Search failed logins today (USER_LOGIN records with res=failed)
[root@rocky ~]$ ausearch -m USER_LOGIN --success no -ts today
 
# Pull every event tagged with a rule key
[root@rocky ~]$ ausearch -k user-modify -ts today
 
# Summary report
[root@rocky ~]$ aureport --summary
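The SELinux section (ausearch -m avc | audit2why) and this one both end at the same place: reading audit.log records. The following added example (written for this page, not audit or SELinux project code) parses the record format shown above, groups AVC denials by source type, target type, class and permission with a rule-of-thumb next step (boolean, relabel, port or module), counts failed USER_LOGIN records per source address, and lists SYSCALL records tagged with an auditctl -k key. The log lines are constructed in the style of the sample above; the triage hints are heuristics, and audit2why and sealert remain the authority.

```python
"""Parse audit.log records and triage them.

Added example for this page (not audit/SELinux project code). Handles the
`type=... msg=audit(TS:SERIAL): key=value ...` format, including the nested
msg='...' field of USER_* records and the `{ perms }` block of AVC records.
The sample log is constructed; the triage hints are rules of thumb.
"""
import re
from collections import Counter

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
# Target types that usually mean "file is in the wrong place or carries the wrong label".
MISLABELED = {"user_home_t", "admin_home_t", "default_t", "tmp_t", "var_t", "unlabeled_t", "home_root_t"}


def parse_record(line):
    """One audit.log line -> dict, or None for non-record lines."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"]), "fields": {}}
    avc = AVC_RE.search(m["body"])
    if avc:
        rec["decision"], rec["perms"] = avc.group(1), avc.group(2).split()
    for key, val in KV_RE.findall(m["body"]):
        if val.startswith("'"):                      # nested msg='op=login ... res=success'
            for k2, v2 in KV_RE.findall(val[1:-1]):
                rec["fields"][k2] = v2.strip('"')
        else:
            rec["fields"][key] = val.strip('"')
    return rec


def parse_log(text):
    return [r for r in (parse_record(line) for line in text.splitlines()) if r]


def type_of(context):
    """'system_u:system_r:httpd_t:s0' -> 'httpd_t'."""
    parts = context.split(":")
    return parts[2] if len(parts) > 2 else context


def hint_for(src, tgt, tclass, perms):
    """Heuristic next step; assumes SELinux type names end in _t."""
    if tclass in ("file", "dir", "lnk_file") and tgt in MISLABELED:
        return "mislabeled target: semanage fcontext -a -t <expected_type> 'PATH(/.*)?' && restorecon -Rv PATH"
    if tclass in ("tcp_socket", "udp_socket") and "name_connect" in perms:
        return f"outbound connection: check booleans first (getsebool -a | grep {src[:-2]})"
    if tclass in ("tcp_socket", "udp_socket") and "name_bind" in perms:
        return "non-standard listening port: semanage port -a -t <port_type> -p tcp PORT"
    return "explain with ausearch -m avc | audit2why; audit2allow -M only if no boolean or label fix applies"


def avc_triage(records):
    """Group AVC denials by (source type, target type, class, perms) with a hint."""
    groups = Counter()
    for r in records:
        if r["type"] == "AVC" and r.get("decision") == "denied":
            f = r["fields"]
            groups[(type_of(f.get("scontext", "?")), type_of(f.get("tcontext", "?")),
                    f.get("tclass", "?"), " ".join(r["perms"]))] += 1
    return [{"source": s, "target": t, "tclass": c, "perms": p, "count": n, "hint": hint_for(s, t, c, p)}
            for (s, t, c, p), n in sorted(groups.items())]


def failed_logins(records):
    """Failed USER_LOGIN records per source address."""
    return dict(Counter(r["fields"].get("addr", "?") for r in records
                        if r["type"] == "USER_LOGIN" and r["fields"].get("res") == "failed"))


def watch_hits(records, key):
    """(exe, auid) for SYSCALL records tagged by `auditctl ... -k key`."""
    return [(r["fields"].get("exe"), r["fields"].get("auid")) for r in records
            if r["type"] == "SYSCALL" and r["fields"].get("key") == key]


# Constructed sample in the style of the entries shown above.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1714500000.123:456): arch=c000003e syscall=257 success=yes exit=3 ppid=1 pid=2300 auid=1000 uid=0 comm="vipw" exe="/usr/sbin/vipw" key="user-modify"
type=AVC msg=audit(1714500100.456:789): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1714500101.001:790): avc:  denied  { read } for  pid=1234 comm="httpd" name="style.css" dev="dm-0" ino=4243 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1714500150.200:801): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=5432 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:postgresql_port_t:s0 tclass=tcp_socket permissive=0
type=USER_LOGIN msg=audit(1714500200.789:812): pid=1111 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=client.local addr=192.0.2.10 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1714500260.100:820): pid=1120 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1714500262.300:821): pid=1121 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.7 terminal=ssh res=failed'
"""

if __name__ == "__main__":
    recs = parse_log(SAMPLE_AUDIT_LOG)
    for row in avc_triage(recs):
        print(f"{row['count']}x {row['source']} -> {row['target']} {row['tclass']} {{ {row['perms']} }}: {row['hint']}")
    print("failed logins by source:", failed_logins(recs))
    print("user-modify watch hits:", watch_hits(recs, "user-modify"))
```

Grouping before reading is the point: two hundred denials for httpd reading user_home_t files are one relabel, and a name_connect denial against postgresql_port_t points at the httpd_can_network_connect_db boolean rather than at a custom module. Run the same functions over ausearch -m avc -ts recent --raw output on a real host.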
💡
CIS Benchmark: Rocky Linux can be hardened to the CIS Level 1 and Level 2 profiles. Install openscap-scanner together with scap-security-guide, which supplies the SCAP content: oscap info on the data stream under /usr/share/xml/scap/ssg/content/ lists the available profiles, and oscap xccdf eval --profile <profile> --report report.html <datastream> scans the host and writes an HTML report of every failed rule.

Harden your Rocky Linux servers

Our security team performs Rocky Linux hardening audits, FreeIPA deployments, and ongoing vulnerability management for enterprise environments.