The Ultimate Guide: 10 Steps to Secure Rocky Linux 9

LINUX, ROCKY LINUX

ITQuickFix

4/19/2025, 3 min read

Hardening your server doesn’t have to be overwhelming. With a few intentional tweaks, you can significantly improve the security of Rocky Linux 9. These steps reduce unnecessary exposure, tighten system controls, and ensure that only essential components are active. The commands below assume a root shell (sudo -i): several of them redirect output into files under /etc, and a sudo placed in front of echo does not apply to the redirection.

1. Disable squashfs

squashfs is a compressed, read-only filesystem used by live images, snap packages and some appliance or container images. A server that mounts none of these does not need the module, so prevent it from loading:

echo "install squashfs /bin/false" >> /etc/modprobe.d/squashfs.conf

echo "blacklist squashfs" >> /etc/modprobe.d/squashfs.conf

modprobe -r squashfs

The install line is the real control: it makes modprobe run /bin/false instead of loading the module, so nothing can pull it in later (blacklist alone only stops loading by alias). modprobe -r removes a module only when nothing is using it; if squashfs is currently backing a mount the unload fails and the module stays resident until reboot, but it cannot be reloaded. Confirm with lsmod | grep squashfs, and note that appending with >> adds duplicate lines if the commands are run twice.

2. Disable udf

udf (Universal Disk Format) is the filesystem used on DVDs, Blu-ray discs and other optical media. On most servers, it's unnecessary.

echo "install udf /bin/false" >> /etc/modprobe.d/udf.conf

echo "blacklist udf" >> /etc/modprobe.d/udf.conf

modprobe -r udf

3. Disable Other Unused Kernel Modules

tipc, dccp and rds implement network protocols (Transparent Inter-Process Communication, Datagram Congestion Control Protocol and Reliable Datagram Sockets) that almost no server workload uses. Any local user can make the kernel load one of them simply by opening a socket of that address family, so blocking them removes kernel code from the reachable attack surface:

for mod in tipc dccp rds; do
  echo "install $mod /bin/false" >> /etc/modprobe.d/$mod.conf
  echo "blacklist $mod" >> /etc/modprobe.d/$mod.conf
  modprobe -r $mod
done
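Steps 1 to 3 are one procedure: write a blocking config, try to unload, verify. The script below is an added example, not code from the original article; it does the same thing idempotently for a list of modules (a single write per file, so a second run does not duplicate lines) and reports which modules are still resident. MODPROBE_DIR, HARDEN_APPLY and the function names are this example's own conventions; on a real host MODPROBE_DIR stays at its default of /etc/modprobe.d.

```shell
#!/usr/bin/env bash
# Added example: idempotent kernel-module blocking with verification.
# MODPROBE_DIR is an assumed override so the logic can be exercised
# against a scratch directory; on a real host it is /etc/modprobe.d.
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"

# Write (or rewrite) the config fragment for one module.  A single
# here-document write, instead of repeated "echo >>", means running the
# script twice leaves exactly one copy of each line.
disable_module() {
    mod="$1"
    cat > "$MODPROBE_DIR/$mod.conf" <<EOF
# Managed by disable_module(): prevent $mod from loading.
install $mod /bin/false
blacklist $mod
EOF
}

# Return 0 when the on-disk config blocks the module, 1 otherwise.
module_config_ok() {
    mod="$1"
    f="$MODPROBE_DIR/$mod.conf"
    [ -f "$f" ] || return 1
    grep -Eq "^install[[:space:]]+$mod[[:space:]]+/bin/(false|true)$" "$f" || return 1
    grep -Eq "^blacklist[[:space:]]+$mod$" "$f"
}

# Return 0 when the module is not resident in the running kernel.
# Reads /proc/modules directly so it works without lsmod.
module_not_loaded() {
    mod="$1"
    [ -r /proc/modules ] || return 0
    ! grep -q "^$mod " /proc/modules
}

# Apply the policy to every module given and report per module.
# Unloading is attempted but not required: a module that is in use
# (e.g. squashfs backing a mount) stays until reboot, and the install
# line, not the unload, is what prevents it from coming back.
harden_modules() {
    status=0
    for mod in "$@"; do
        disable_module "$mod"
        if command -v modprobe >/dev/null 2>&1; then
            modprobe -r "$mod" 2>/dev/null || true
        fi
        if ! module_config_ok "$mod"; then
            echo "FAIL     $mod (config not written)"
            status=1
        elif ! module_not_loaded "$mod"; then
            echo "PENDING  $mod (blocked on disk, still loaded until reboot)"
            status=1
        else
            echo "ok       $mod"
        fi
    done
    return $status
}

# Only act on the live system when explicitly asked; otherwise the
# functions above are just defined for use.
if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    harden_modules squashfs udf tipc dccp rds
fi
```

Run it as root with HARDEN_APPLY=1 to apply, or source it and call module_config_ok / module_not_loaded from an audit job to catch drift later.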

4. Secure System Message Files

/etc/issue is printed by agetty on the console before a local login, /etc/issue.net is sent by sshd before authentication when sshd_config sets Banner /etc/issue.net, and /etc/motd is shown after a successful login. They are the right place for an authorized-use notice, but they should not reveal what is running: the stock /etc/issue uses agetty escapes such as \S, \r and \m, which print the OS name, kernel release and architecture to anyone who reaches the login prompt, so replace that content with a neutral notice. Then lock the files down so only root can change them.

Secure "/etc/motd":

chown root:root /etc/motd

chmod 644 /etc/motd

Secure "/etc/issue":

chown root:root /etc/issue

chmod 644 /etc/issue

Secure "/etc/issue.net":

chown root:root /etc/issue.net

chmod 644 /etc/issue.net

5. Control Core Dumps

Core dumps are memory images of crashed processes and can contain passwords, keys and session tokens. On Rocky 9 the kernel hands crashes to systemd-coredump (kernel.core_pattern points at it), so that is the first place to turn them off. Rather than editing /etc/systemd/coredump.conf in place, put the override in a drop-in, which survives package updates:

Create "/etc/systemd/coredump.conf.d/99-disable.conf":

[Coredump]

Storage=none

ProcessSizeMax=0

Storage=none stops dumps from being written under /var/lib/systemd/coredump, and ProcessSizeMax=0 stops systemd-coredump from processing them at all. This covers only crashes that reach systemd-coredump. Two more settings close the remaining paths: a hard core limit of 0 in /etc/security/limits.d/ for login sessions (systemd services do not read limits.conf; their limit comes from DefaultLimitCORE in /etc/systemd/system.conf), and fs.suid_dumpable = 0 in /etc/sysctl.d/ so that setuid or otherwise privileged processes never produce a dump a less privileged user could read.
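The following script is an added example, not code from the original article. It writes all three layers as drop-in files and reads them back to confirm. ROOT is this example's own prefix variable so the writes can be exercised against a scratch directory (it is empty on a real host), and HARDEN_APPLY=1, also this example's convention, is the only path that touches the live kernel.

```shell
#!/usr/bin/env bash
# Added example: turn core dumps off at every layer and verify the files.
# ROOT is an assumed prefix so the writes can be exercised against a
# scratch tree; leave it empty on a real host.
ROOT="${ROOT:-}"

# Layer 1: systemd-coredump, which receives every crash while
# kernel.core_pattern points at it (the Rocky 9 default).
write_coredump_dropin() {
    mkdir -p "$ROOT/etc/systemd/coredump.conf.d"
    cat > "$ROOT/etc/systemd/coredump.conf.d/99-disable.conf" <<'EOF'
[Coredump]
Storage=none
ProcessSizeMax=0
EOF
}

# Layer 2: RLIMIT_CORE for PAM login sessions, applied by pam_limits.
# A hard limit stops users raising it again with "ulimit -c unlimited".
write_limits_dropin() {
    mkdir -p "$ROOT/etc/security/limits.d"
    printf '* hard core 0\n' > "$ROOT/etc/security/limits.d/99-coredump.conf"
}

# Layer 3: refuse dumps from setuid/setgid or otherwise privileged
# processes, whose memory may hold secrets the launching user cannot read.
write_sysctl_dropin() {
    mkdir -p "$ROOT/etc/sysctl.d"
    printf 'fs.suid_dumpable = 0\n' > "$ROOT/etc/sysctl.d/99-coredump.conf"
}

# Read the three files back; 0 when every layer is configured, else 1.
coredump_config_ok() {
    cd_conf="$ROOT/etc/systemd/coredump.conf.d/99-disable.conf"
    grep -qx 'Storage=none'         "$cd_conf" 2>/dev/null || return 1
    grep -qx 'ProcessSizeMax=0'     "$cd_conf" 2>/dev/null || return 1
    grep -qx '\* hard core 0'       "$ROOT/etc/security/limits.d/99-coredump.conf" 2>/dev/null || return 1
    grep -qx 'fs.suid_dumpable = 0' "$ROOT/etc/sysctl.d/99-coredump.conf" 2>/dev/null
}

# Live check of the kernel knob: the drop-in takes effect after
# "sysctl --system" or reboot, and the running value is what counts.
suid_dumpable_is_zero() {
    [ "$(cat /proc/sys/fs/suid_dumpable 2>/dev/null || echo 0)" = "0" ]
}

disable_core_dumps() {
    write_coredump_dropin
    write_limits_dropin
    write_sysctl_dropin
    coredump_config_ok
}

# Only touch the live kernel when explicitly asked.
if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    disable_core_dumps && sysctl -w fs.suid_dumpable=0
fi
```

The limits.d change applies to new login sessions only; existing shells keep their old limit until they log in again.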

6. Remove Unnecessary Services

Minimize services to reduce the system's attack surface.

Remove Avahi:

systemctl stop avahi-daemon.socket avahi-daemon.service

dnf remove -y avahi

Remove dnsmasq and telnet:

dnf remove -y dnsmasq telnet

Remove FTP and TFTP:

dnf remove -y vsftpd tftp-server

Disable USB mass storage:

This blocks the usb-storage driver, so USB sticks and external disks cannot be attached; keyboards and other HID devices keep working because they use different drivers. Skip this step on a machine whose root or boot filesystem is on a USB-attached disk, and expect modprobe -r to fail if such a device is currently mounted.

echo "install usb-storage /bin/false" >> /etc/modprobe.d/disable-usb.conf

modprobe -r usb-storage

Disable GNOME or Xorg/X11:

A server install normally has neither (check with rpm -q gnome-shell xorg-x11-server-common), so this step is mainly for machines built from a workstation image. dnf remove also removes every package that depends on these, so run it once without -y to review the transaction summary before confirming.

systemctl set-default multi-user.target

dnf remove -y gnome-shell xorg-x11-server-common

Remove DHCP server:

systemctl stop dhcpd

systemctl disable dhcpd

dnf remove -y dhcp-server

7. Harden Audit Logging

Audit logs are the primary record for incident investigation, so auditd must not silently discard them. Retention in auditd is governed by size, not time: max_log_file is the size of one log file in megabytes, num_logs is how many rotated files are kept, and max_log_file_action says what happens when the current file is full.

Option A: Keep logs indefinitely (rotate but never delete; pair this with disk-space monitoring and the space_left_action and admin_space_left_action settings so a full disk is noticed before auditd stops logging):

sed -i 's/^max_log_file_action[[:space:]]*=.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf

service auditd restart

Option B: Keep the 15 most recent 100 MB files (1.5 GB of events; how many days that covers depends on your audit rules and load):

sed -i 's/^max_log_file[[:space:]]*=.*/max_log_file = 100/' /etc/audit/auditd.conf

sed -i 's/^num_logs[[:space:]]*=.*/num_logs = 15/' /etc/audit/auditd.conf

sed -i 's/^max_log_file_action[[:space:]]*=.*/max_log_file_action = rotate/' /etc/audit/auditd.conf

service auditd restart

The [[:space:]]*= anchor matters: a pattern of ^max_log_file.* also matches the max_log_file_action line and overwrites it, leaving two max_log_file lines and no action setting. auditd on Rocky 9 refuses systemctl stop and systemctl restart (the unit sets RefuseManualStop), which is why the legacy service wrapper is used to restart it after a configuration change.
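Because every setting in auditd.conf is a plain key = value line, the safe way to script changes is to match the whole key. The helper below is an added example, not code from the article: it replaces or appends a key by exact name, reads it back, and wraps both retention options above. AUDITD_CONF is this example's own override so it can be tried on a copy of the file first; the function names are also this example's.

```shell
#!/usr/bin/env bash
# Added example: edit auditd.conf keys by exact name.  AUDITD_CONF is an
# assumed override so the functions can be exercised on a scratch copy.
AUDITD_CONF="${AUDITD_CONF:-/etc/audit/auditd.conf}"

# Print the current value of a key (empty when the key is absent).
audit_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$AUDITD_CONF" | head -n 1
}

# Replace the value of an existing key, or append it when missing.
# The anchored "^key[[:space:]]*=" pattern is what keeps "max_log_file"
# from also matching "max_log_file_action".  Keys and values here contain
# no "/" so they are safe inside the sed expression.
audit_set() {
    key="$1"; val="$2"
    if grep -Eq "^[[:space:]]*$key[[:space:]]*=" "$AUDITD_CONF"; then
        sed -i -E "s/^[[:space:]]*$key[[:space:]]*=.*/$key = $val/" "$AUDITD_CONF"
    else
        printf '%s = %s\n' "$key" "$val" >> "$AUDITD_CONF"
    fi
}

# Option B: size-based retention, num_logs files of max_log_file MiB.
# e.g. audit_retention_rotate 100 15 keeps the last 1.5 GiB of events.
audit_retention_rotate() {
    audit_set max_log_file "$1"
    audit_set num_logs "$2"
    audit_set max_log_file_action rotate
}

# Option A: keep_logs rotates but never deletes, so make sure the
# disk-space actions are set to something that alerts someone.
audit_retention_keep() {
    audit_set max_log_file_action keep_logs
    audit_set space_left_action email
    audit_set admin_space_left_action halt
}

# systemctl restart auditd is refused on Rocky 9 (RefuseManualStop);
# the legacy service wrapper performs the restart correctly.
reload_auditd() {
    service auditd restart
}
```

Try it on a copy first: AUDITD_CONF=/tmp/auditd.conf.test, call audit_retention_rotate 100 15, and diff the result against /etc/audit/auditd.conf before pointing the variable at the real file.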

8. Protect Audit Tools

Ensure that only root can run and modify the audit tools. On Rocky 9 /sbin is a symlink to /usr/sbin, so either path reaches the same files. Mode 0750 removes execute permission for other users; it also means rpm -V audit will report a mode difference (.M.......) for these files from now on, which is expected after this step:

chown root:root /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/auditd /sbin/augenrules

chmod 0750 /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/auditd /sbin/augenrules

9. Validate Firewall Installation and Configure SSH Access

Ensure your system has a firewall installed. If not, install and enable firewalld.

Check if firewalld is installed:

rpm -q firewalld || sudo dnf install -y firewalld

sudo systemctl enable --now firewalld

Restrict SSH Access to Specific IP Addresses:

Replace `YOUR_PERMIT_IP` with the actual IP address, adding one accept rule per address. firewalld evaluates rich rules with accept before reject, so the ordering works regardless of the order in which the rules are added. Run this from the console, or make sure the address you are connected from is in the permit list, because the reject rule covers every other source including your own. A safer sequence is to add the same rules without --permanent first: if your session survives, run firewall-cmd --runtime-to-permanent; if it does not, the runtime rules vanish at the next reload.

sudo firewall-cmd --permanent --remove-service=ssh

sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="YOUR_PERMIT_IP/32" service name="ssh" accept'

sudo firewall-cmd --permanent --add-rich-rule='rule service name="ssh" reject'

sudo firewall-cmd --reload

Disable SSH Root Login:

Edit "/etc/ssh/sshd_config":

PermitRootLogin no

On Rocky 9, sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, and for each option the first value sshd reads wins. If root SSH login with a password was allowed at install time, the installer writes PermitRootLogin yes into /etc/ssh/sshd_config.d/01-permitrootlogin.conf, which then overrides the line you just edited. Remove that line from the drop-in (or put PermitRootLogin no in a drop-in that sorts before it), confirm the effective value with sshd -T | grep -i permitrootlogin, and validate the configuration with sshd -t before restarting:

sudo systemctl restart sshd
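To make the lockout risk and the drop-in ordering concrete, the script below is an added example, not code from the article. It generates the rich rules for a list of permitted sources with the right family per address (the page's ipv4-only rule would reject an administrator arriving over IPv6), applies them to the runtime configuration only, writes PermitRootLogin no as a drop-in that sorts before the installer's file, and parses sshd -T output for the effective value. The addresses in the test are documentation ranges used as constructed samples; SSHD_DROPIN_DIR, HARDEN_APPLY and the function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example: SSH exposure control for firewalld and sshd.
# SSHD_DROPIN_DIR is an assumed override so the file write can be
# exercised in a scratch directory; it defaults to the real location.
SSHD_DROPIN_DIR="${SSHD_DROPIN_DIR:-/etc/ssh/sshd_config.d}"

# Classify an address or prefix as ipv4/ipv6 by its syntax.
addr_family() {
    case "$1" in
        *:*) echo ipv6 ;;
        *)   echo ipv4 ;;
    esac
}

# Print one accept rule per permitted source, then the catch-all reject.
# The reject rule carries no family, so it covers both stacks; each
# accept rule carries the family its address actually belongs to.
ssh_rich_rules() {
    for src in "$@"; do
        fam="$(addr_family "$src")"
        printf 'rule family="%s" source address="%s" service name="ssh" accept\n' "$fam" "$src"
    done
    printf 'rule service name="ssh" reject\n'
}

# Apply to the runtime configuration only.  If the session survives,
# "firewall-cmd --runtime-to-permanent" saves it; if it does not, the
# rules disappear at the next firewalld reload or reboot.
ssh_firewall_apply_runtime() {
    firewall-cmd --remove-service=ssh
    ssh_rich_rules "$@" | while IFS= read -r rule; do
        firewall-cmd --add-rich-rule="$rule"
    done
}

# sshd reads sshd_config.d/*.conf in lexical order and the first value
# wins, so "00-" sorts ahead of the installer's 01-permitrootlogin.conf.
write_root_login_dropin() {
    mkdir -p "$SSHD_DROPIN_DIR"
    printf 'PermitRootLogin no\n' > "$SSHD_DROPIN_DIR/00-hardening.conf"
}

# Read the effective PermitRootLogin from "sshd -T" output on stdin.
permit_root_login_from() {
    awk 'tolower($1) == "permitrootlogin" { print $2; exit }'
}

# Validate before restarting so a typo never leaves sshd down.
sshd_apply_root_login() {
    write_root_login_dropin
    sshd -t && systemctl restart sshd
    [ "$(sshd -T | permit_root_login_from)" = "no" ]
}

# Only touch the live host when explicitly asked; pass permitted sources
# as arguments, e.g. HARDEN_APPLY=1 ./ssh-harden.sh 203.0.113.10/32
if [ "${HARDEN_APPLY:-0}" = "1" ]; then
    ssh_firewall_apply_runtime "$@"
    sshd_apply_root_login
fi
```

The runtime-first pattern is the important design choice: a permanent rule plus --reload is applied atomically and, if the permit list is wrong, cannot be undone without console access.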

10. Secure Critical System Files and Directories

Protect "/etc/shadow" (Rocky 9 ships it as root:root with mode 0000; root reads it regardless of mode, and these commands re-assert the default after anything may have changed it):

chown root:root /etc/shadow

chmod 000 /etc/shadow

Protect "/etc/modprobe.d":

chown -R root:root /etc/modprobe.d

chmod -R go-wx /etc/modprobe.d

Protect "/etc/rsyslog.conf":

chown root:root /etc/rsyslog.conf

chmod 600 /etc/rsyslog.conf

Protect "/var/log/":

chown root:root /var/log/

chmod 755 /var/log/
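Sections 4, 8 and 10 all come down to the same check: the expected owner, a mode no looser than intended, and banner files that reveal nothing. The audit script below is added here and is not part of the original article. It verifies the whole list in one pass and reports deviations without changing anything, so it can run right after the chown/chmod steps and again from cron to catch drift. The function names, AUDIT_RUN and the match on "rocky" in the banner check are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example: read-only audit of the ownership, mode and banner
# content that sections 4, 8 and 10 set.  Reports; changes nothing.

# Return 0 when the path is owned by the expected user:group and its
# mode sets no bit that the expected mode lacks (stat -c is GNU coreutils).
perm_ok() {
    path="$1"; want_owner="$2"; want_mode="$3"
    [ -e "$path" ] || return 1
    [ "$(stat -c '%U:%G' "$path")" = "$want_owner" ] || return 1
    have_mode="$(stat -c '%a' "$path")"
    # A leading 0 makes the shell read both numbers as octal.
    [ $(( 0$have_mode & ~0$want_mode )) -eq 0 ]
}

# Return 0 when a banner contains neither agetty escapes that print the
# OS name, kernel release, architecture or version (\S \r \m \v) nor the
# distribution name.  A missing banner leaks nothing.
banner_clean() {
    [ -e "$1" ] || return 0
    ! grep -Eqi '\\[srmv]|rocky' "$1"
}

# Read "path owner mode" lines from stdin, print a verdict per line and
# return 1 if anything deviates from the baseline.
audit_files() {
    status=0
    while read -r path owner mode; do
        [ -n "$path" ] || continue
        if perm_ok "$path" "$owner" "$mode"; then
            echo "ok    $path"
        else
            have="$(stat -c '%U:%G %a' "$path" 2>/dev/null || echo missing)"
            echo "FAIL  $path (want $owner $mode, have $have)"
            status=1
        fi
    done
    return $status
}

# The baseline from sections 4, 8 and 10 plus the banner content check.
audit_baseline() {
    rc=0
    audit_files <<'EOF' || rc=1
/etc/motd root:root 644
/etc/issue root:root 644
/etc/issue.net root:root 644
/etc/shadow root:root 0
/etc/modprobe.d root:root 755
/etc/rsyslog.conf root:root 600
/var/log root:root 755
/usr/sbin/auditctl root:root 750
/usr/sbin/aureport root:root 750
/usr/sbin/ausearch root:root 750
/usr/sbin/auditd root:root 750
/usr/sbin/augenrules root:root 750
EOF
    for f in /etc/motd /etc/issue /etc/issue.net; do
        if banner_clean "$f"; then
            echo "ok    $f (no system details)"
        else
            echo "FAIL  $f (prints OS or kernel details)"
            rc=1
        fi
    done
    return $rc
}

# Run the full baseline only when asked, so the file can also be sourced.
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit_baseline
fi
```

A tighter mode than the baseline (for example 600 on /etc/motd) passes, because perm_ok checks that no extra bit is set rather than demanding an exact match; a looser one fails.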

Recommendation: Integrate a SIEM and Enable File Integrity Monitoring

  • Install Wazuh server and agent, or AlienVault OSSIM
  • Enable File Integrity Monitoring
  • Configure SIEM rules for unauthorized access, suspicious processes, and configuration changes

Final Thoughts

By applying these changes, your Rocky Linux 9 server becomes more resilient against common threats. The key is to disable what you don’t need, protect what you do, and monitor everything that matters. Integrating with a SIEM and enabling file integrity monitoring provides an extra layer of visibility and control over your system's security posture.