AlmaLinux 9 Security: Complete guide for Linux server protection.
What is AlmaLinux 9?
AlmaLinux 9 is an open-source operating system, binary compatible with Red Hat Enterprise Linux 9 (RHEL), frequently used for servers in enterprise environments. It offers stability, long-term support, and a wide range of security and administration features.
1. Enabling Secure Boot
Secure Boot is a UEFI feature that ensures the operating system boots only with verified and authorized software. AlmaLinux 9 provides Secure Boot support through the officially signed shim.
To check if Secure Boot is active, run:
mokutil --sb-state
Activation is done from the BIOS/UEFI setup by enabling the “Secure Boot” option and saving the configuration.
2. Configuring the firewall with Firewalld
Firewalld is the default firewall solution in AlmaLinux 9. For installation and activation:
sudo dnf install firewalld
sudo systemctl enable --now firewalld
To allow SSH access:
sudo firewall-cmd --permanent --add-service=ssh
sudo firewall-cmd --reload
3. Securing SSH access
For enhanced security, SSH key authentication is recommended with password authentication disabled. Generate a key locally:
ssh-keygen -t rsa -b 4096
Copy the key to the server:
ssh-copy-id user@server_ip
Edit the /etc/ssh/sshd_config file and modify:
PermitRootLogin no
PasswordAuthentication no
Apply changes with:
sudo systemctl restart sshd
4. Enabling and configuring SELinux
SELinux provides an advanced level of access control. To check if it’s active:
getenforce
To enable enforcing mode:
sudo nano /etc/selinux/config
Ensure the line reads:
SELINUX=enforcing
Reboot the system to apply changes.
5. Regular updates and security patches
Keeping the system up to date is essential:
sudo dnf update
For automatic updates:
sudo dnf install dnf-automatic
6. Implementing STIG guides
AlmaLinux offers support for applying Security Technical Implementation Guides (STIG), particularly useful for organizations that need to comply with strict standards (e.g., DoD).
7. Monitoring and auditing with auditd
Auditd records system events for later analysis:
sudo dnf install audit
sudo systemctl enable --now auditd
8. Protection against brute-force attacks with Fail2ban
Fail2ban blocks IPs that generate too many failed attempts. The package comes from the EPEL repository, so enable that first:
sudo dnf install epel-release
sudo dnf install fail2ban
sudo systemctl enable --now fail2ban
9. Other best practices
- Disable unused services:
sudo systemctl disable --now service
- Use complex passwords and change them regularly.
- Implement automated backups and test them periodically.
Security in AlmaLinux 9 involves a combination of proper system component configuration, constant updates, restrictive policies, and continuous monitoring.
By applying the above recommendations, you can ensure a high level of protection for your Linux servers.
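To verify the sshd_config edit from section 3, the following script is an added example, not part of the original guide. It assumes the stock /etc/ssh/sshd_config pulls in /etc/ssh/sshd_config.d/*.conf through an Include line at the top; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. File names below are constructed.
# sshd keeps the FIRST value it reads for each keyword, so a drop-in that is
# included above the edited lines wins over them.

# Print the first value of keyword $1 in the files that follow, in the order
# given. Keywords are case-insensitive and comments are skipped.
# Simplification: everything after a Match line in a file is ignored.
sshd_first_value() {
    key=$1; shift
    awk -v key="$key" '
        FNR == 1 { in_match = 0 }
        { sub(/#.*/, "") }
        NF == 0 { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$@"
}

# Return 0 only if both directives from section 3 resolve to "no".
audit_sshd() {
    rc=0
    for k in PermitRootLogin PasswordAuthentication; do
        val=$(sshd_first_value "$k" "$@")
        if [ "$val" = "no" ]; then echo "OK   $k $val"
        else echo "FAIL $k $val"; rc=1; fi
    done
    return $rc
}

# Constructed case: the main file is edited as in section 3, but a drop-in
# pulled in by the Include line at the top still allows passwords.
demo() {
    d=$(mktemp -d); mkdir "$d/sshd_config.d"
    printf '%s\n' 'Include /etc/ssh/sshd_config.d/*.conf' \
        'PermitRootLogin no' 'PasswordAuthentication no' > "$d/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$d/sshd_config.d/10-example.conf"
    st=0
    # Drop-ins first, mirroring where the Include line sits in the main file.
    audit_sshd "$d"/sshd_config.d/*.conf "$d/sshd_config" || st=$?
    rm -rf "$d"
    return $st
}

demo || echo "password logins are still enabled by a drop-in file"
```

On a live server, sudo sshd -T prints the configuration sshd actually resolved and is the authoritative check.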
