Step-by-Step Guide to Harden CentOS 7.7 Server Security

This article provides a comprehensive, step‑by‑step tutorial for hardening a CentOS 7.7 server, covering complex password creation, password‑policy configuration, PAM strength settings, login‑attempt limits, disabling root SSH access, changing the SSH port, tightening security‑group rules, command‑history limits, log monitoring, and regular data backup procedures.

Liangxu Linux

Set Complex Password

Create a 12‑16 character password that includes uppercase, lowercase, digits, and special symbols, either by hand or with a password generator. Example command to set the root password (the value shown is only an illustration; note that a password passed on the command line this way is recorded in the shell history, so prefer running passwd interactively or remove the history entry afterwards):

echo "root:wgr1TDs2Mnx0XuAv" | chpasswd

Configure Password Policy

Edit /etc/login.defs and set the following parameters:

PASS_MAX_DAYS   90   # maximum password age (days)
PASS_MIN_DAYS   10   # minimum days between password changes
PASS_MIN_LEN    8    # minimum password length
PASS_WARN_AGE   7    # days before expiration to warn the user

Set Password Strength

Modify /etc/pam.d/password-auth to include pam_pwquality with these options:

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 difok=1 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1

Note: These settings affect only regular users; the root account can bypass them.

Limit User Login Attempts

Add the following line to /etc/pam.d/sshd to lock an account for 150 seconds after three failed attempts. With even_deny_root the root account is locked as well, and root_unlock_time gives it a separate 300-second lockout:

auth required pam_tally2.so deny=3 unlock_time=150 even_deny_root root_unlock_time=300

After a lock, you can list failure counts for all users by running pam_tally2 with no arguments, and unlock an account with:

pam_tally2 --reset -u username

Disable Root Remote Login

Open /etc/ssh/sshd_config, find the commented-out PermitRootLogin line, uncomment it and change the value to no, so that the effective line reads:

PermitRootLogin no

Restart the SSH daemon for the change to take effect. Keep a non-root user with sudo access and test it in a second session before closing the one you are working in.

Change SSH Port

Edit /etc/ssh/sshd_config and modify or add the Port directive to the desired non‑standard port, then restart the SSH service. On CentOS 7 with SELinux enforcing, the new port must also be labelled ssh_port_t (via semanage) and allowed in firewalld, otherwise sshd will fail to bind or clients will be blocked; verify the new port from a second session before closing the current one.

Close Unnecessary Ports in Security Group

On Tencent Cloud, configure the security group to allow only the required protocols and ports for your business. Avoid opening all ports. See the official documentation for details.

Set Command History Size and Session Timeout

Update /etc/profile with the following settings:

HISTSIZE=1000   # number of commands to retain
TMOUT=600       # idle timeout in seconds (10 minutes)

After the idle timeout elapses (600 seconds, i.e. ten minutes, with the value above), the shell exits and the client is disconnected. Note that a user can unset or change TMOUT in their own session unless the variable is marked readonly.
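An added audit script, not part of the original article, that checks whether the password policy, SSH and session-timeout settings from the sections above are actually in place. It reads the config files as arguments, so it can be pointed at the real /etc/login.defs, /etc/ssh/sshd_config and /etc/profile of a CentOS 7 host or at copies; the sample files it creates at the end are constructed for demonstration.

```bash
#!/bin/bash
# Added audit helper, not from the original article. It checks the values the
# guide sets, reading the config files as arguments so it can be pointed at a
# live CentOS 7 host (/etc/login.defs, /etc/ssh/sshd_config, /etc/profile)
# or at copies. Sample files at the bottom are constructed for demonstration.

# First uncommented "KEY VALUE" pair in a login.defs/sshd_config-style file
# (sshd itself uses the first match, so later duplicates are ignored too).
conf_value() {  # $1=file $2=key (case-insensitive); prints nothing if unset
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Value of a plain shell assignment such as "TMOUT=600   # comment".
var_value() {  # $1=file $2=variable name
    awk -F'[= \t]+' -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# Print one line per failed check and a final "findings: N"; returns N.
audit_hardening() {  # $1=login.defs $2=sshd_config $3=profile
    local fails=0 v
    v=$(conf_value "$1" PASS_MAX_DAYS)
    [ "${v:-99999}" -le 90 ] 2>/dev/null || { echo "FAIL PASS_MAX_DAYS='$v' (guide: 90)"; fails=$((fails + 1)); }
    v=$(conf_value "$1" PASS_MIN_LEN)
    [ "${v:-0}" -ge 8 ] 2>/dev/null || { echo "FAIL PASS_MIN_LEN='$v' (guide: 8)"; fails=$((fails + 1)); }
    # A commented-out PermitRootLogin line means the compiled-in default (yes) applies.
    v=$(conf_value "$2" PermitRootLogin)
    [ "$v" = no ] || { echo "FAIL PermitRootLogin='${v:-unset}' (guide: no)"; fails=$((fails + 1)); }
    v=$(conf_value "$2" Port)
    { [ -n "$v" ] && [ "$v" != 22 ]; } || { echo "FAIL Port='${v:-unset, default 22}' (guide: non-standard)"; fails=$((fails + 1)); }
    v=$(var_value "$3" TMOUT)
    [ "${v:-99999}" -le 600 ] 2>/dev/null || { echo "FAIL TMOUT='$v' (guide: 600)"; fails=$((fails + 1)); }
    echo "findings: $fails"
    return "$fails"
}

# Constructed samples: a default-looking host and one configured as the guide says.
d=$(mktemp -d)
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t5\n'      > "$d/defs.before"
printf '#PermitRootLogin yes\n#Port 22\n'             > "$d/sshd.before"
printf 'HISTSIZE=1000\n'                              > "$d/profile.before"
printf 'PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t10\nPASS_MIN_LEN\t8\nPASS_WARN_AGE\t7\n' > "$d/defs.after"
printf 'PermitRootLogin no\nPort 2222\n'              > "$d/sshd.after"
printf 'HISTSIZE=1000   # commands kept\nTMOUT=600   # idle timeout\n' > "$d/profile.after"
audit_hardening "$d/defs.before" "$d/sshd.before" "$d/profile.before" || true  # findings: 5
audit_hardening "$d/defs.after"  "$d/sshd.after"  "$d/profile.after"            # findings: 0
```

The non-zero exit status equals the number of findings, so the script can be dropped into a cron job or a configuration-management check on real hosts.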

Regularly Review System Logs

Check the following log files for suspicious activity:

/var/log/messages
/var/log/secure

For critical servers, forward logs to a centralized log analysis server.

Regular Data Backup

Plan a directory structure and schedule periodic backups (e.g., using tar or rsync) of:

Application files: /data1/app/
Program logs: /data1/logs/
Important data: /data1/data/

Store the backups on a separate server to ensure data durability.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.

Tags: information security, CentOS, Server Hardening, Password policy, SSH Security
Written by

Liangxu Linux

Liangxu, a self‑taught IT professional now working as a Linux development engineer at a Fortune 500 multinational, shares extensive Linux knowledge—fundamentals, applications, tools, plus Git, databases, Raspberry Pi, etc. (Reply “Linux” to receive essential resources.)
