Basic Security Guide for AlmaLinux 9

Almalinux Security
Almalinux Security

Securing your server is a critical task for any system administrator, developer, or business owner. AlmaLinux 9, as a stable and robust RHEL-based distribution, offers great tools and features that make it an excellent choice for hosting websites, applications, or services. In this tutorial, we’ll walk you through basic security measures you can implement to keep your AlmaLinux 9 server secure.

1. Update Your System

The first and foremost step in securing your system is ensuring that it’s up-to-date with the latest security patches.

Command:

sudo dnf update -y

This command updates all installed packages to their latest versions, closing any known vulnerabilities.

2. Create a Non-Root User

Running your system as the root user is risky, as any command executed with root privileges can make sweeping changes to the system. Instead, create a non-root user and use sudo for administrative tasks.

Command:

sudo adduser yourusername
sudo passwd yourusername
sudo usermod -aG wheel yourusername

Now you can switch to this new user with:

su - yourusername

3. Configure a Firewall Using firewalld

AlmaLinux 9 comes with firewalld, a dynamic firewall management tool that provides a simple way to manage firewall rules.

Start and enable firewalld:

sudo systemctl start firewalld
sudo systemctl enable firewalld

Check the status of the firewall:

sudo firewall-cmd --state

Allow or deny services/ports:
For example, to allow SSH (port 22):

sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload

4. Enable SELinux (Security-Enhanced Linux)

SELinux provides an additional layer of security by controlling access to files, processes, and ports.

Check SELinux status:

sestatus

If it’s disabled, enable it by editing /etc/selinux/config:

sudo nano /etc/selinux/config

Set SELINUX=enforcing, then reboot the server:

sudo reboot

5. Install and Configure Fail2Ban

fail2ban is a service that helps protect your server from brute-force attacks by banning IP addresses that show malicious signs.

Install fail2ban:

sudo dnf install fail2ban -y

Start and enable the service:

sudo systemctl start fail2ban
sudo systemctl enable fail2ban

Configure fail2ban:
Create a local configuration file:

sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local

Edit the file to enable the SSH jail:

sudo nano /etc/fail2ban/jail.local

Set [sshd] parameters like:

[sshd]
enabled = true

6. Disable Root Login via SSH

To further secure SSH access, prevent direct root logins.

Edit the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Find and set:

PermitRootLogin no

Restart the SSH service:

sudo systemctl restart sshd

7. Set Up Automatic Updates

You can automate security updates with the dnf-automatic tool.

Install dnf-automatic:

sudo dnf install dnf-automatic -y

Configure automatic updates:
Edit the configuration file /etc/dnf/automatic.conf to set:

apply_updates = yes

Enable the service:

sudo systemctl enable --now dnf-automatic.timer

8. Install and Configure an Intrusion Detection System (IDS)

For added security, consider installing an IDS like AIDE (Advanced Intrusion Detection Environment).

Install AIDE:

sudo dnf install aide -y

Initialize the AIDE database:

sudo aide --init
sudo mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz

Run a manual check with:

sudo aide --check

Conclusion

By following these basic security steps, you’re well on your way to securing your AlmaLinux 9 server. These measures provide a solid foundation for system hardening and mitigating potential threats. As always, security is an ongoing process, and regular audits and updates are crucial for long-term protection.

Feel free to share your own security tips or ask questions in the comments!