Learn how we harden AlmaLinux 10 for public hosting using enterprise-grade security practices, SELinux, SSH hardening, firewall rules, and system audits.
When operating public hosting infrastructure, system hardening is a foundational requirement. AlmaLinux 10 provides a stable enterprise-grade base, but a default installation is not designed for direct internet exposure. Proper hardening reduces risk, limits attack surfaces, and improves long-term operational reliability.
This guide outlines a practical, production-ready approach to securing AlmaLinux 10 for public hosting environments.
Prerequisites
Before we begin, ensure we have the following:
- An Almalinux 10 on dedicated server or KVM VPS.
- Basic Linux Command Line Knowledge.
A Guide Harden AlmaLinux 10 for Public Hosting
1. Apply System Updates and Enable Automatic Patching
Security hardening begins with maintaining an up-to-date system. AlmaLinux follows Red Hat Enterprise Linux security advisories, making timely updates critical.
dnf clean all
dnf update -y
reboot
To ensure ongoing protection, enable automatic security updates:
dnf install -y dnf-automatic
systemctl enable --now dnf-automatic.timer
This ensures critical security patches are applied consistently without manual intervention.
2. Create a Dedicated Administrative User
Direct root access increases risk and should be avoided in public environments. Administrative access should be delegated through a controlled user account.
useradd adminuser
passwd adminuser
usermod -aG wheel adminuser
This approach provides accountability while preserving full administrative control through sudo.
3. Secure SSH Configuration
SSH is the primary management interface and must be tightly controlled.
Edit the SSH configuration file:
nano /etc/ssh/sshd_config
Apply the following settings:
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
AllowUsers adminuser
MaxAuthTries 3
LoginGraceTime 30
Validate and restart SSH:
sshd -t
systemctl restart sshd
This configuration ensures secure, key-based access while eliminating common attack vectors such as password brute-force attempts.
4. Enforce SSH Key-Based Authentication
Generate an SSH key pair on the administrative workstation:
ssh-keygen -t ed25519
Deploy the public key to the server:
ssh-copy-id adminuser@server_ip
Key-based authentication provides stronger cryptographic protection and is the recommended standard for hosting infrastructure.
5. Configure Firewall Rules With Minimal Exposure
Firewalld provides dynamic firewall management and should be enabled by default.
systemctl enable --now firewalld
Allow only essential services:
firewall-cmd --permanent --add-service=ssh
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
firewall-cmd --reload
All other services should remain inaccessible unless explicitly required.
6. Enable SELinux in Enforcing Mode
SELinux provides mandatory access control and significantly reduces the impact of potential compromises.
Verify the current status:
getenforce
If required, enable enforcing mode:
nano /etc/selinux/config
Set:
SELINUX=enforcing
SELINUXTYPE=targeted
Reboot the system to apply changes.
SELinux is a critical security layer in enterprise Linux environments and should remain enabled.
7. Minimize Installed Services and Packages
Reducing installed components lowers the system’s attack surface.
List enabled services:
systemctl list-unit-files --type=service | grep enabled
Disable or remove services that are not required for hosting workloads:
systemctl disable service_name
systemctl stop service_name
dnf remove package_name
Public hosting servers should remain purpose-driven and minimal.
8. Protect Against Brute Force Attempts
Fail2Ban helps mitigate automated attacks by blocking abusive IP addresses.
dnf install -y fail2ban
systemctl enable --now fail2ban
Create a local jail configuration:
nano /etc/fail2ban/jail.local
Example configuration:
[sshd]
enabled = true
maxretry = 3
bantime = 3600
findtime = 600
Fail2Ban operates automatically and significantly reduces repeated intrusion attempts.
9. Apply Kernel and Network Hardening Parameters
Kernel-level tuning strengthens network behavior and memory protection.
Create a custom sysctl configuration:
nano /etc/sysctl.d/99-hardening.conf
Add:
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 2
Apply changes:
sysctl --system
These settings enhance protection against spoofing, scanning, and memory-based attacks.
10. Enable System Auditing
Auditing provides visibility into system activity and supports compliance and forensic analysis.
dnf install -y audit
systemctl enable --now auditd
Verify status:
auditctl -s
Audit logs should be retained and reviewed regularly.
11. Secure File Permissions and Mount Options
Ensure sensitive system files are properly restricted:
chmod 600 /etc/ssh/sshd_config
chmod 600 /etc/shadow
chmod 644 /etc/passwd
Where applicable, apply restrictive mount options such as noexec, nosuid, and nodev to temporary and upload directories.
12. Configure Log Rotation and Monitoring
Proper log management ensures long-term observability without excessive disk usage.
dnf install -y logrotate
Verify rotation behavior:
logrotate --debug /etc/logrotate.conf
Logs should be actively monitored to detect anomalies and security events.
13. Maintain Ongoing Security Practices
System hardening is a continuous process. Recommended practices include:
- Regular security updates
- Periodic access reviews
- Routine service audits
- Continuous log monitoring
- Consistency is essential for maintaining a secure hosting environment.
Conclusion
A hardened AlmaLinux 10 server provides a stable and secure foundation for public hosting. By applying layered security controls, limiting exposure, and maintaining operational discipline, hosting environments remain resilient against common threats while supporting reliable service delivery.
This approach reflects industry best practices and aligns with modern enterprise Linux security standards.
