Initial Server Setup with RHEL 7

Setting up a fresh Red Hat Enterprise Linux 7 server correctly from the start is one of the most important steps you can take to ensure long-term security and stability. Whether you have just provisioned a bare-metal machine or a cloud instance, this guide walks you through every essential configuration step: updating the system, creating a non-root administrative user, hardening SSH, configuring the firewall, and setting the system hostname. Following these steps will give you a solid, secure foundation for whatever workloads you plan to deploy.

Prerequisites

  • A freshly installed RHEL 7 system (physical, virtual, or cloud instance)
  • Root access via the console, SSH, or an out-of-band management interface
  • An active Red Hat subscription (required for yum to reach official repositories)
  • A local machine with an SSH client to connect remotely

Step 1: Log In as Root and Update the System

Your first action after gaining access to a new server should be to apply all available security and bug-fix patches. On RHEL 7, package management is handled by yum. Log in as root and run a full system update:

yum update -y

This command fetches the latest package metadata from your subscribed repositories and upgrades every installed package to its newest available version. The -y flag automatically answers “yes” to all confirmation prompts. Depending on how old the base image is, this may download several hundred megabytes of updates. Once complete, reboot if the kernel was updated:

reboot

After the system comes back online, verify the running kernel version:

uname -r

Step 2: Create a Non-Root Administrative User

Operating as root full-time is dangerous — a single typo can cause irreversible damage. Create a dedicated administrative user and grant it sudo privileges via the wheel group, which is RHEL 7’s standard mechanism for delegated administration.

Create the new user account:

adduser adminuser

Set a strong password for the account:

passwd adminuser

Add the user to the wheel group so they can run commands with sudo:

usermod -aG wheel adminuser

On RHEL 7, the wheel group is already configured in /etc/sudoers via the %wheel ALL=(ALL) ALL entry. You can verify this is uncommented:

grep wheel /etc/sudoers

You should see the line without a leading #. Switch to the new user and confirm sudo works:

su - adminuser
sudo whoami

The output should be root, confirming privilege escalation is working correctly.

Step 3: Harden SSH Configuration

The SSH daemon configuration file is located at /etc/ssh/sshd_config. Before editing it, make a backup:

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

Open the file with your preferred editor and make the following critical changes:

Disable direct root login — forces all administrative work to go through a named account:

PermitRootLogin no

Disable password authentication — once you have configured SSH key-based authentication (covered in a separate tutorial), disable password logins entirely to eliminate brute-force risk:

PasswordAuthentication no

Limit the authentication window — reduce the time a client has to complete a login:

LoginGraceTime 30

Restrict to SSH protocol version 2 — protocol 1 has known vulnerabilities and should never be used:

Protocol 2

Optionally, change the default SSH port from 22 to a high-numbered port to reduce automated scanning noise (this is security-through-obscurity, not a replacement for proper hardening):

Port 2222

After saving your changes, test the configuration for syntax errors before restarting the service:

sshd -t

If no errors are reported, restart the SSH daemon:

systemctl restart sshd

Verify the service came back up cleanly:

systemctl status sshd

Important: Do not close your current SSH session until you have verified you can successfully open a new connection with your new settings.

Step 4: Configure the Firewall with firewall-cmd

RHEL 7 uses firewalld as its default firewall management layer. It should already be running, but verify its status:

systemctl status firewalld

If it is not running, start and enable it:

systemctl start firewalld
systemctl enable firewalld

Check which zone is the default (typically public on server installs):

firewall-cmd --get-default-zone

Allow SSH through the firewall permanently (if you changed the port, open that instead):

# Default port 22 (ssh service):
firewall-cmd --permanent --add-service=ssh

# Or a custom port, e.g. 2222/tcp:
firewall-cmd --permanent --add-port=2222/tcp

If you changed the SSH port to a non-standard value, you must also update the SELinux port label so SELinux permits the daemon to bind to it:

semanage port -a -t ssh_port_t -p tcp 2222

Apply all permanent changes by reloading the firewall rule set:

firewall-cmd --reload

List all currently active rules in the default zone to confirm your settings took effect:

firewall-cmd --list-all

Step 5: Set the System Hostname

A meaningful, consistent hostname makes log analysis and server identification far easier. On RHEL 7, hostnamectl is the canonical tool for hostname management.

Set the static hostname:

hostnamectl set-hostname web01.example.com

Verify the change took effect:

hostnamectl status

You should see output similar to:

   Static hostname: web01.example.com
         Icon name: computer-server
           Chassis: server
        Machine ID: a1b2c3d4e5f6...
           Boot ID: ...
  Operating System: Red Hat Enterprise Linux Server 7.9 (Maipo)
       CPE OS Name: cpe:/o:redhat:enterprise_linux:7.9:GA:server
            Kernel: Linux 3.10.0-1160.el7.x86_64
      Architecture: x86-64

Also update /etc/hosts so the system can resolve its own hostname locally:

echo "127.0.0.1   web01.example.com web01" >> /etc/hosts

Step 6: Verify SELinux Status

SELinux is a mandatory access control system built into RHEL 7. It should always be left in enforcing mode on production servers. Check the current mode:

getenforce

If the output is not Enforcing, check the configuration file:

cat /etc/selinux/config

Ensure SELINUX=enforcing is set. If you changed it, a reboot is required for the change to take full effect. Never set SELinux to disabled in production — use permissive mode temporarily for troubleshooting if absolutely necessary.

With these six steps completed, your RHEL 7 server has a clean, secure baseline configuration. You have applied all available updates, established a safe administrative user workflow, hardened the SSH daemon, configured firewall rules to permit only necessary traffic, set a meaningful hostname, and confirmed that SELinux is enforcing mandatory access controls. From this foundation you can confidently proceed with installing and configuring your application stack, knowing that the underlying system security posture is sound.