Updated on 2026-02-25 GMT+08:00
Security Hardening Suggestions for Servers
- Set strong passwords for OS accounts (including administrators and common users), database accounts, and application (web) system management accounts. Passwords must contain at least 12 characters.
- Use key pair login for servers. For details about how to set key pair login for ECSs, see Key Pair Application Scenarios.
- Improve password security:
  - Do not use empty or default passwords; these are weak credentials that attackers can easily exploit.
  - Set long, complex passwords.
  - Do not use consecutive identical characters (for example, AAAAAAAA) or repeating patterns (for example, 123123).
  - Use a combination of character types, including at least one character of each type: uppercase (A-Z), lowercase (a-z), numbers (0-9), and special characters.
  - Do not use dictionary words or personal information, including names, dates of birth, significant dates, usernames, and email addresses.
  - Do not use acronyms or abbreviations, for example, passwd.
  - Change the password periodically.
  - Do not use company names (for example, huawei), keyboard patterns (for example, 123qwe!@#), or common strings (for example, passwd).
  - For more information, see Using HSS to Prevent Weak Passwords.
- Configure ACL access control policies to block logins from non-customer service IP address segments. Configure API access control policies to block non-customer API access requests. For more information about ACL, see Network ACL Overview.
- Do not run applications using the administrator account. Ensure applications (such as web services) use non-privileged accounts rather than database administrator accounts to interact with databases. Configure security groups and open only necessary ports to the public network. Do not expose web console ports or internal LAN communication ports to the public network. Use security products (such as WAF), restrict the source IP addresses that can access ports, or use VPNs or bastion hosts to establish O&M channels to mitigate risks.
- Periodically back up service data remotely to avoid data loss caused by server intrusions.
- Periodically check for security vulnerabilities in the system and software, update system security patches in time, and upgrade software to the latest official version.
- Download and install software only from official channels. Scan software obtained from non-official channels with antivirus software before running it.
- Do not open suspicious email links or web page links.
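The password rules listed above can be enforced on the server side before a credential is accepted. The following checker is an added example, not code from Huawei Cloud or HSS; the banned-word and keyboard-pattern lists are constructed for illustration, the "three or more identical characters in a row" threshold is an assumption, and `user_terms` is a hypothetical parameter carrying the account's own personal data (username, email, birth date) that must not appear in the password.

```python
import re

MIN_LENGTH = 12  # minimum length stated in the hardening suggestions

# Constructed lists for illustration only; a real deployment would use a full
# dictionary plus its own organisation-specific terms (company names, product names).
BANNED_WORDS = ("passwd", "password", "admin", "welcome", "huawei")
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1234", "qwe!@#", "!@#$")


def check_password(pw: str, user_terms=()) -> list[str]:
    """Return the rules a candidate password violates (an empty list means acceptable).

    user_terms: personal data tied to the account (username, email address,
    dates) that must not occur anywhere in the password.
    """
    problems = []
    low = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Three or more identical characters in a row, e.g. AAAAAAAA (threshold is an assumption).
    if re.search(r"(.)\1{2,}", pw):
        problems.append("consecutive identical characters")
    # A unit of two or more characters immediately repeated, e.g. 123123.
    if re.search(r"(.{2,})\1", pw):
        problems.append("repeating pattern")

    # At least one character from each of the four required classes.
    required = {
        "uppercase": r"[A-Z]",
        "lowercase": r"[a-z]",
        "digit": r"[0-9]",
        "special": r"[^A-Za-z0-9]",
    }
    for name, pattern in required.items():
        if not re.search(pattern, pw):
            problems.append(f"missing {name} character")

    # Dictionary words, company names and common strings (case-insensitive substring match).
    for word in BANNED_WORDS:
        if word in low:
            problems.append(f"contains banned word '{word}'")
    for pat in KEYBOARD_PATTERNS:
        if pat in low:
            problems.append(f"contains keyboard pattern '{pat}'")
    # Personal information supplied by the caller; very short terms are skipped to avoid false positives.
    for term in user_terms:
        t = str(term).lower()
        if len(t) >= 3 and t in low:
            problems.append(f"contains personal information '{term}'")
    return problems
```

Wire `check_password` into the account-creation and password-change paths, and reject the request with the returned reasons rather than only logging them.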
Recommended Huawei Cloud Security Products
- To protect data, use Huawei Cloud Cloud Backup and Recovery (CBR).
- To protect servers, use Huawei Cloud Host Security Service (HSS).
- To scan for security vulnerabilities, use Huawei Cloud CodeArts Inspector.
- To protect web applications, use Huawei Cloud Web Application Firewall (WAF).