BestHub
Sign in
Information Security 5 min read

How to Harden a CentOS 7.7 Server: Essential Security Steps

This guide walks you through essential CentOS 7.7 server hardening steps—including setting complex passwords, configuring password policies, enforcing password strength, limiting login attempts, disabling root SSH access, changing SSH ports, tightening firewall rules, managing command history, monitoring logs, and scheduling regular backups—to improve system security.

Open Source Linux
Open Source Linux
Open Source Linux
How to Harden a CentOS 7.7 Server: Essential Security Steps

Set Complex Password

Configure a 12‑16 character password containing uppercase, lowercase, digits and special symbols, or use a password generator (e.g., https://suijimimashengcheng.51240.com/).

echo "root:wgr1TDs2Mnx0XuAv" | chpasswd

Configure Password Policy

Edit /etc/login.defs and set:

PASS_MAX_DAYS      90   # maximum password age
PASS_MIN_DAYS      10   # minimum days between changes
PASS_MIN_LEN       8    # minimum length
PASS_WARN_AGE      7    # days before expiration to warn

Enforce Password Strength

Modify /etc/pam.d/password-auth with the following settings:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= difok=1 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1

Explanation: difok – number of characters that must differ from the old password; minlen – minimum length; ucredit, lcredit, dcredit – maximum number of uppercase, lowercase, and digit characters (negative values require at least one).

Note: These settings apply only to regular users; the root user can bypass them.

Limit User Login Attempts

Edit /etc/pam.d/sshd to add:

auth required pam_tally2.so deny=3 unlock_time=150 even_deny_root root_unlock_time=300

After multiple failed attempts, the system will lock the account. Use pam_tally2 --reset -u username to unlock.

Disable Root Remote Login

Comment out or set PermitRootLogin no in /etc/ssh/sshd_config and restart the sshd service.

Change SSH Port

Edit /etc/ssh/sshd_config and modify or add the Port directive, then restart sshd.

Close Unnecessary Ports in Security Group

On Tencent Cloud, configure the security group to allow only required protocols and ports; avoid opening all ports.

Set Command History and Session Timeout

Update /etc/profile:

HISTSIZE=1000
TMOUT=600   # 5 minutes of inactivity will terminate the session

Regularly Review System Logs

Check logs such as /var/log/messages and /var/log/secure. Critical servers may forward logs to a centralized log server for analysis.

Regular Data Backup

Plan directory structures and schedule periodic backups to a remote server, e.g., application data in /data1/app/, logs in /data1/logs/, and important data in /data1/data/.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

linuxCentOSServer HardeningPassword policySSH Security
Open Source Linux
Written by

Open Source Linux

Focused on sharing Linux/Unix content, covering fundamentals, system development, network programming, automation/operations, cloud computing, and related professional knowledge.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment