RHCSA(26A): Locking Down Your RHCSA Linode Lab Server

Executive Summary

To secure and maintain your RHCSA practice environment, this guide outlines a three-pronged approach: 1. network-level security, 2. instant system resets, and 3. automated cleanup. This approach was chosen after local virtualization attempts with Gnome-Boxes, virt-manager, and VirtualBox on a PopOS 24.04 desktop failed, likely due to the experimental Cosmic desktop. By using Linode, a cost-effective alternative, you can still protect your lab from threats, recover from errors quickly, and practice critical skills in a clean, repeatable environment.

The foundational strategy is to lock down network access using the Linode Cloud Firewall. Set the Default Inbound Policy to Drop, which blocks all incoming connections and effectively makes your Linode invisible to bots and scanners. Then add specific "Accept" rules for SSH (TCP port 22) from your home IP addresses. You can use single-address rules with /32 for IPv4 and /128 for IPv6, but for a dynamic IPv6 address the recommended and more stable approach is to allow the entire IPv6 network prefix (/64), because this block remains consistent while the individual addresses inside it change. The trade-off is that a /64 rule admits every device on that network, not only your workstation. A placeholder example is 2001:db8:a0b:12f0::/64. Should your IP change and you get locked out, Linode's LISH Console serves as a vital safety net, providing direct, out-of-band access.
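One way to work out the source entries for the SSH Accept rule described above, as an added example that is not part of the original post: it reduces any address from your home network, compressed or not, to its /64 prefix. The function names and the sample addresses (documentation ranges) are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: derive the sources for the "Accept TCP 22" firewall rule.
# The addresses used below are constructed documentation values.

# ipv6_prefix64 ADDR: print the /64 prefix of ADDR, fail on malformed input.
ipv6_prefix64() {
  printf '%s\n' "${1%%/*}" | awk -F'::' '
    NF == 0 || NF > 2 { exit 1 }            # empty, or more than one "::"
    {
      nl = split($1, l, ":")
      nr = (NF == 2) ? split($2, r, ":") : 0
      if (NF == 1 && nl != 8) exit 1        # full form needs all 8 groups
      if (NF == 2 && nl + nr > 7) exit 1    # "::" must hide at least 1 group
      for (i = 1; i <= 8; i++) g[i] = "0"   # groups hidden by "::" are zero
      for (i = 1; i <= nl; i++) g[i] = l[i]
      for (i = 1; i <= nr; i++) g[8 - nr + i] = r[i]
      for (i = 1; i <= 8; i++) {
        if (length(g[i]) < 1 || length(g[i]) > 4) exit 1
        if (g[i] ~ /[^0-9A-Fa-f]/) exit 1
        g[i] = tolower(g[i]); sub(/^0+/, "", g[i])
        if (g[i] == "") g[i] = "0"
      }
      n = 4                                 # keep the first four groups
      while (n > 0 && g[n] == "0") n--      # fold trailing zeros into "::"
      out = ""
      for (i = 1; i <= n; i++) out = out (i > 1 ? ":" : "") g[i]
      print out "::/64"
    }'
}

# ssh_allow_sources IPV4 IPV6: print the IPv4 /32 and IPv6 /64 rule sources.
ssh_allow_sources() {
  local prefix
  prefix=$(ipv6_prefix64 "$2") || { echo "bad IPv6 address: $2" >&2; return 1; }
  printf '%s/32\n%s\n' "${1%%/*}" "$prefix"
}

ssh_allow_sources 203.0.113.10 2001:db8:a0b:12f0:1a2b:3c4d:5e6f:7a8b
```

Enter the two printed values as the sources of the Accept rule; everything else is covered by the Drop default.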

For major system changes or mistakes, a master snapshot provides a powerful solution. After configuring your lab's perfect starting point, you power down the Linode and take a snapshot. This creates a point-in-time image of the disk, allowing you to instantly revert the server to a clean state rather than rebuilding it from scratch.

Finally, for minor adjustments, a simple Bash script can automate cleanup. The script undoes common practice tasks by stopping services (httpd, nfs), removing practice users, and resetting firewall rules (firewalld). This saves time and reinforces the valuable skill of automation, which is critical for the exam.
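A cleanup script along these lines, added here as an example and not taken from the original post. The unit names (`nfs-server` for NFS), the practice accounts and the firewalld services to keep are assumptions; it prints the commands unless `DRY_RUN=0` is set, and it never removes the `ssh` service from firewalld or the account you administer the server with.

```bash
#!/usr/bin/env bash
# Added example: lab reset. Unit names, accounts and kept services are assumptions.
DRY_RUN=${DRY_RUN:-1}                     # 1 = print commands only, 0 = execute
LAB_SERVICES=${LAB_SERVICES:-"httpd nfs-server"}
LAB_USERS=${LAB_USERS:-"alice bob"}       # hypothetical practice accounts
FW_KEEP=${FW_KEEP:-"ssh dhcpv6-client cockpit"}

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# removable_user NAME UID ADMIN: true only for a regular account (UID >= 1000)
# that is not the account used to administer the server.
removable_user() { [ "$2" -ge 1000 ] && [ "$1" != "$3" ]; }

# fw_extras "LIST": print the words of LIST that are not in FW_KEEP.
fw_extras() {
  local item
  for item in $1; do
    case " $FW_KEEP " in *" $item "*) ;; *) printf '%s\n' "$item" ;; esac
  done
}

reset_services() {
  local svc
  for svc in $LAB_SERVICES; do run systemctl disable --now "$svc"; done
}

remove_users() {
  local admin u uid
  admin=${SUDO_USER:-$(id -un)}
  for u in $LAB_USERS; do
    uid=$(id -u "$u" 2>/dev/null) || continue    # account does not exist
    if removable_user "$u" "$uid" "$admin"; then run userdel -r "$u"; fi
  done
}

reset_firewalld() {
  local services ports s p
  # The current lists can be passed as $1 and $2 instead of querying firewalld.
  services=${1-$(firewall-cmd --permanent --list-services 2>/dev/null || true)}
  ports=${2-$(firewall-cmd --permanent --list-ports 2>/dev/null || true)}
  for s in $(fw_extras "$services"); do
    run firewall-cmd --permanent --remove-service="$s"
  done
  for p in $ports; do run firewall-cmd --permanent --remove-port="$p"; done
  run firewall-cmd --reload
}

lab_reset() { reset_services; remove_users; reset_firewalld "$@"; }
if [ "${1:-}" = run ]; then shift; lab_reset "$@"; fi   # ./lab-reset.sh run
```

Review the dry-run output first, then run it as root with `DRY_RUN=0`.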

By combining these three techniques, you create a professional-grade, secure lab environment perfect for focused RHCSA study!!!

Keywords: RHCSA, Red Hat Certified System Administrator, Linode, firewall, network security, IPv6, IPv4, network prefix, /64, /32, /128, SSH, Cloud Manager, LISH Console, snapshots, instant resets, Bash script, automated cleanup, virtual machines, virtualization, Gnome-Boxes, virt-manager, VirtualBox, PopOS 24.04, Cosmic desktop, lab environment, brute-force attacks, security hardening, automation

````
Abbreviations
├─ Cosmic desktop: An experimental desktop environment being developed by System76 for Pop!_OS
├─ Firewalld: A firewall management tool for Linux systems
├─ Gnome-Boxes: A simple application for creating and managing virtual machines
├─ HTTPD: Hypertext Transfer Protocol Daemon
├─ IPv4: Internet Protocol version 4
├─ IPv6: Internet Protocol version 6
├─ LISH Console: Linode Shell Console
├─ NFS: Network File System
├─ Pop!_OS (PopOS): An open-source, Linux-based operating system developed by System76
├─ RHCSA: Red Hat Certified System Administrator
├─ SSH: Secure Shell
├─ TCP: Transmission Control Protocol
├─ Virt-manager: A desktop tool for managing virtual machines via libvirt
└─ VirtualBox: A free and open-source hypervisor for virtualization, developed by Oracle
````

````
Hardening RHCSA Practice Linode
├── Introduction
│   ├── Goal: Secure lab server on internet from bots/threats
│   ├── Methods: Linode Firewall, Snapshots, Cleanup Script
│   ├── Background: Noticed bots trying to login right away, used research to harden it
│   └── VM Issues: Gnome-Boxes, virt-manager, and VirtualBox failed on PopOS 24.04
│       └── Solution: Switched to using Linode due to local virtualization problems

├── 1. Lock Down Access with Linode Cloud Firewall
│   ├── Core Strategy: Set Inbound Policy to DROP
│   │   ├── Action: In Linode Cloud Manager, create a firewall
│   │   ├── Benefit: Makes Linode invisible to the public internet
│   │   └── Effect: Prevents automated bots from reaching SSH login screen
│   ├── Rules:
│   │   ├── Add ACCEPT rule for TCP port 22 (SSH)
│   │   ├── Source IPv4: specific address with /32
│   │   └── Source IPv6:
│   │       ├── Option 1: single address with /128
│   │       └── Option 2 (Smarter): entire network prefix with /64
│   │           ├── Reason: More stable for dynamic IPs
│   │           └── Example: `2001:db8:a0b:12f0::/64`
│   └── Safety Net:
│       ├── Problem: Home IP address might change
│       └── Solution: Use Linode’s LISH Console for emergency access

├── 2. Take a Master Snapshot for Instant Resets
│   ├── Concept: A point-in-time image of the server's disk
│   ├── Process:
│   │   ├── Get Linode to a perfect starting point
│   │   ├── Power down the server
│   │   └── Take a snapshot
│   └── Benefit: Revert to a clean state in minutes, no full rebuild needed

└── 3. Automate Cleanup with a Bash Script
    ├── Purpose: Efficiently reset common practice tasks
    ├── Example Tasks:
    │   ├── Stop and disable services (`httpd`, `nfs`, etc.)
    │   ├── Remove user accounts (`userdel -r`)
    │   ├── Reset firewall rules (`firewall-cmd`)
    │   └── Clear log files
    └── Benefit: Saves time and enforces valuable real-world automation skills
````
