I harden all my RHEL servers with SELinux and Firewalld. Here is a crash course.
SELinux
SELinux (Security-Enhanced Linux) is a mandatory access control layer in the kernel: every process runs in a labelled domain, and the loaded policy decides which labelled files, ports and other objects that domain may touch, independently of the ordinary Unix permissions. For instance, if the web server (confined to the httpd_t domain under the default targeted policy) tries to read files in /home/user/private, SELinux blocks the access even though the file permissions allow it, unless the policy has been explicitly configured (a boolean or a file context change) to allow it.
If SELinux is Disabled, I recommend first moving to Permissive: the policy is loaded and every denial is logged as an AVC record, but nothing is blocked, so you can see what Enforcing would break before it breaks. Note that setenforce cannot leave the Disabled state, because no policy was loaded at boot; going from Disabled to Permissive takes SELINUX=permissive in /etc/selinux/config and a reboot. Files created while SELinux was off carry no labels, so request a full relabel before that reboot (touch /.autorelabel), otherwise the first permissive boot logs a flood of denials on unlabeled files. (On RHEL 9, if SELinux was disabled with the selinux=0 kernel argument instead of the config file, remove that argument too: grubby --update-kernel ALL --remove-args selinux=0.)
$ getenforce
Disabled
$ setenforce 0
setenforce: SELinux is disabled
$ sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
$ touch /.autorelabel
$ reboot
(after the reboot and relabel)
$ getenforce
Permissive
Then run the workload for a while and review the denials. Raw AVC records live in the audit log, and setroubleshoot (the setroubleshoot-server package) turns them into readable suggestions in the journal. Fix each real denial at its root (restorecon for a wrong file context, setsebool for a policy boolean, a reviewed local module from audit2allow only as a last resort) rather than just silencing it, and only then go Enforcing.
$ journalctl -t setroubleshoot
-- No entries --
$ ausearch -m AVC,USER_AVC -ts recent
<no matches>
Once the relevant denials are dealt with, switch to Enforcing. setenforce 1 only changes the running kernel; to keep the mode across reboots, also set SELINUX=enforcing in /etc/selinux/config (SELINUXTYPE=targeted is the default policy).
$ setenforce 1
$ getenforce
Enforcing
$ cat /etc/selinux/config
SELINUX=enforcing
SELINUXTYPE=targeted
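A check I run after this procedure, added here as an example that is not part of the original post: the mode written in /etc/selinux/config is what the host boots into, while getenforce reports what the kernel is doing now, and the two drift apart whenever someone runs setenforce without editing the file (or edits the file without rebooting). The script parses the config the way the post edits it and flags the mismatch; the temp config in demo_selinux is constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post: confirm that the mode written in
# /etc/selinux/config (what the host boots into) matches the mode the kernel is
# running now, so a reboot cannot silently switch a server out of Enforcing.
# The temp config in demo_selinux is constructed for illustration.

# selinux_config_mode FILE: print the SELINUX= value from FILE in lowercase.
# Comment lines are skipped, and SELINUXTYPE= does not match because the
# pattern requires "=" straight after SELINUX.
selinux_config_mode() {
    sed -n 's/^[[:space:]]*SELINUX=\([A-Za-z]*\).*/\1/p' "$1" \
        | tail -n 1 | tr '[:upper:]' '[:lower:]'
}

# selinux_runtime_mode: lowercase getenforce output, or "unknown" where
# getenforce is not installed (for example inside a container).
selinux_runtime_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr '[:upper:]' '[:lower:]'
    else
        echo unknown
    fi
}

# selinux_check CONFIG_MODE RUNTIME_MODE
# returns 0: consistent; 1: the next reboot changes the mode; 2: invalid value.
selinux_check() {
    case "$1" in
        enforcing|permissive|disabled) ;;
        *) echo "invalid SELINUX= value: '$1'"; return 2 ;;
    esac
    if [ "$1" = "$2" ]; then
        echo "ok: running $2, boots into $1"
        return 0
    fi
    echo "drift: running $2 but /etc/selinux/config says $1"
    return 1
}

# Demo on a constructed config: permissive on disk, enforcing at runtime,
# which is the state left behind by "setenforce 1" without editing the file.
demo_selinux() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
# This file controls the state of SELinux on the system.
# SELINUX=enforcing
SELINUX=permissive
SELINUXTYPE=targeted
EOF
    mode=$(selinux_config_mode "$tmp")
    rm -f "$tmp"
    selinux_check "$mode" enforcing
}

# On a real host:
# selinux_check "$(selinux_config_mode /etc/selinux/config)" "$(selinux_runtime_mode)"
```

The exit code makes it usable from a configuration-management check or a cron job: 1 means the host will change mode on its next reboot, 2 means the file contains a value the init system will not accept.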
Firewalld
Firewalld is the dynamic firewall manager on RHEL (a front end to nftables since RHEL 8). It groups interfaces and source ranges into zones and controls which incoming traffic each zone accepts.
Install, enable, and start Firewalld with these commands:
$ dnf install firewalld
$ systemctl enable firewalld
$ systemctl start firewalld
With Firewalld running and the default public zone active, every new incoming connection is rejected except SSH and DHCPv6 client replies (the ssh and dhcpv6-client services); replies to connections the host itself opened are always allowed. RHEL 8 and 9 also ship the cockpit service in the public zone out of the box, so remove it if you do not use the web console.
$ firewall-cmd --get-zones
block dmz drop external home internal public trusted work
$ firewall-cmd --get-default-zone
public
Add a service and a port. With --permanent the rule is written to the saved configuration only, not to the running firewall, so finish with --reload (or repeat each command without --permanent to apply it immediately as well):
$ firewall-cmd --add-service=zabbix-agent --permanent
success
$ firewall-cmd --add-port=8080/tcp --permanent
success
$ firewall-cmd --reload
success
View rules:
$ firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens192
sources:
services: dhcpv6-client ssh zabbix-agent
ports: 8080/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
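A drift check to go with this listing, added here as an example that is not part of the original post: it parses the text of firewall-cmd --list-all and compares the open services and ports against the allowlist you intended, so a port someone opened by hand (or an expected service that was dropped) is reported instead of sitting unnoticed. The sample listing is the one above reproduced as constructed input, and the allowlists are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post: compare the services and ports a
# zone actually exposes (parsed from "firewall-cmd --list-all" text) against
# the allowlist you intended, so an extra --add-port someone ran by hand does
# not go unnoticed. The sample listing and the allowlists are constructed.

# fw_field NAME: read a --list-all listing on stdin and print the value of
# the "NAME:" line (e.g. "services", "ports"). "source-ports:" and
# "forward-ports:" do not match "ports:" because the pattern is anchored.
fw_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# fw_audit EXPECTED_SERVICES EXPECTED_PORTS < listing
# Reports every service/port that is open but not expected, and every
# expected one that is missing. Returns 1 on any difference, else 0.
fw_audit() {
    listing=$(cat)
    actual_services=$(printf '%s\n' "$listing" | fw_field services)
    actual_ports=$(printf '%s\n' "$listing" | fw_field ports)
    rc=0
    for s in $actual_services; do
        case " $1 " in *" $s "*) ;; *) echo "unexpected service: $s"; rc=1 ;; esac
    done
    for p in $actual_ports; do
        case " $2 " in *" $p "*) ;; *) echo "unexpected port: $p"; rc=1 ;; esac
    done
    for s in $1; do
        case " $actual_services " in *" $s "*) ;; *) echo "missing service: $s"; rc=1 ;; esac
    done
    for p in $2; do
        case " $actual_ports " in *" $p "*) ;; *) echo "missing port: $p"; rc=1 ;; esac
    done
    return $rc
}

# Demo on the listing from the post, reproduced here as constructed input,
# against an allowlist that does not include 8080/tcp.
demo_fw_audit() {
    cat <<'EOF' | fw_audit "dhcpv6-client ssh zabbix-agent" ""
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens192
  sources:
  services: dhcpv6-client ssh zabbix-agent
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# On a real host:
# firewall-cmd --list-all | fw_audit "dhcpv6-client ssh zabbix-agent" "8080/tcp"
```

Run it against the saved configuration as well (firewall-cmd --permanent --list-all) to catch a rule that exists only at runtime and would vanish at the next reload, or only on disk and would appear then.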