After provisioning a new RHEL 8 server, taking a few minutes to harden and configure the system goes a long way toward keeping it stable and secure. This guide walks you through the essential post-installation steps: updating packages, setting a hostname and timezone, locking down SSH, creating a non-root administrative user, and confirming that SELinux is enforcing. Following these steps establishes a clean, consistent baseline before you install any workloads. By the end you will have a minimal, hardened RHEL 8 server ready for production use.
Prerequisites
- A freshly installed RHEL 8 (or compatible clone such as AlmaLinux 8 / Rocky Linux 8) system
- Root or initial SSH access to the server
- A valid Red Hat subscription, or EPEL-enabled clone, so that dnf can reach repositories
Step 1 — Update the System
Start by refreshing the package metadata and applying all available updates. This ensures you are running the latest security patches before making any other changes.
dnf update -y
After the update completes, reboot if the kernel was upgraded:
reboot
Step 2 — Set the Hostname and Timezone
A descriptive hostname helps you identify the server in logs and SSH prompts. Set it with hostnamectl, then configure the correct timezone so that log timestamps are meaningful.
hostnamectl set-hostname your-server-hostname
List available timezones and apply the one for your region:
timedatectl list-timezones | grep America
timedatectl set-timezone America/New_York
timedatectl status
Step 3 — Create a Non-Root Sudo User
Logging in as root directly is a security risk. Create a regular user and grant it administrative privileges by adding it to the wheel group, which RHEL 8 configures for passwordless sudo by default.
useradd -m -s /bin/bash -G wheel adminuser
passwd adminuser
Verify the user is in the wheel group:
groups adminuser
Step 4 — Configure firewalld for SSH
RHEL 8 uses firewalld as the default firewall manager. Ensure the SSH service is permanently allowed, then reload the firewall to apply the rules.
systemctl enable --now firewalld
firewall-cmd --permanent --add-service=ssh
firewall-cmd --reload
firewall-cmd --list-all
Step 5 — Disable Root SSH Login
Once your sudo user is confirmed working, disable direct root login over SSH. The commands below set PermitRootLogin to no in /etc/ssh/sshd_config, print the resulting line so you can check it, and then restart the SSH daemon.
sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
grep PermitRootLogin /etc/ssh/sshd_config
systemctl restart sshd
Step 6 — Verify SELinux is Enforcing
RHEL 8 ships with SELinux in enforcing mode, and you should confirm it remains that way. Never disable SELinux on a production server — if a service misbehaves, use audit logs to craft a proper policy instead.
getenforce
sestatus
If the output shows Permissive or Disabled, set it back to enforcing immediately:
# Set enforcing for the current session (works from Permissive only;
# a Disabled system needs the config change below and a reboot)
setenforce 1
# Make it permanent across reboots
sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
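An in-place edit can leave a setting unchanged when the existing line is spelled differently from what the pattern expects (another value, different spacing or case), so it is worth confirming the values in both files after Steps 5 and 6. The script below is an added example, not part of the original guide; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the files edited in Steps 5 and 6. Paths are
# parameters so the checks can run against copies as well as /etc.

# Print the global PermitRootLogin value from an sshd_config-style file.
# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and anything after a Match line is conditional.
effective_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }' "$1"
}

# Print the SELINUX= mode from an /etc/selinux/config-style file.
selinux_config_mode() {
    awk -F= '/^SELINUX=/ { print tolower($2); found = 1; exit }
             END { if (!found) print "unset" }' "$1"
}

# Usage: audit_baseline SSHD_CONFIG SELINUX_CONFIG; returns 0 only if both pass.
audit_baseline() {
    rc=0
    root_login=$(effective_root_login "$1")
    mode=$(selinux_config_mode "$2")
    if [ "$root_login" = "no" ]; then echo "PASS PermitRootLogin=no"
    else echo "FAIL PermitRootLogin=$root_login"; rc=1; fi
    if [ "$mode" = "enforcing" ]; then echo "PASS SELINUX=enforcing"
    else echo "FAIL SELINUX=$mode"; rc=1; fi
    return "$rc"
}

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d)
# Doubled space and a non-"yes" value: neither Step 5 sed pattern matches this.
printf '%s\n' '#PermitRootLogin no' 'PermitRootLogin  prohibit-password' \
    'Match User root' '    PermitRootLogin no' > "$demo/sshd_weak"
printf '%s\n' '# hardened' 'permitrootlogin no' 'PermitRootLogin yes' > "$demo/sshd_ok"
printf '%s\n' 'SELINUX=permissive' 'SELINUXTYPE=targeted' > "$demo/selinux_weak"
printf '%s\n' 'SELINUX=enforcing' 'SELINUXTYPE=targeted' > "$demo/selinux_ok"

audit_baseline "$demo/sshd_weak" "$demo/selinux_weak" || echo "baseline not met"
audit_baseline "$demo/sshd_ok" "$demo/selinux_ok" && echo "baseline met"
rm -rf "$demo"
```

On a live server, call it as audit_baseline /etc/ssh/sshd_config /etc/selinux/config. The running state is still best read from sshd -T and getenforce, since this script only inspects the files.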
Conclusion
You now have a freshly updated RHEL 8 server with a descriptive hostname, correct timezone, a non-root sudo user, SSH root login disabled, the firewall allowing SSH traffic, and SELinux confirmed in enforcing mode. This baseline configuration significantly reduces the attack surface before you deploy any applications or services.
Next steps: How to Add and Delete Users on RHEL 8, How to Configure the Firewall on RHEL 8, and How to Set Up SSH Key-Based Authentication on RHEL 8.