How to Set Up Your First CentOS 7 Server on Alibaba Cloud

By Francis Ndungu, Alibaba Cloud Tech Share Author. Tech Share is Alibaba Cloud’s incentive program to encourage the sharing of technical knowledge and best practices within the cloud community.

Alibaba Cloud Elastic Compute Service (ECS) provides a faster and more powerful way to run your cloud applications as compared with traditional physical servers. You can achieve great results on your cloud needs. With ECS, you can achieve more with the latest generation of CPUs as well as protect your instance from DDoS and Trojan attacks.

In this guide, we will talk about the best practices for provisioning your CentOS 7 server hosted on an Alibaba Cloud Elastic Compute Service (ECS) instance.


  1. A valid Alibaba Cloud account. If you don’t have one already, sign up to the Free Trial to enjoy up to $300 worth in Alibaba Cloud products.
  2. An ECS instance running CentOS 7. You can select your preferred region and configurations; this will not affect the outcome of the server setup.
  3. A root password for your server.

Step 1: Connect to your Alibaba Cloud CentOS 7 Server

Locate the Internet IP address (Public IP address) associated with your Alibaba Cloud ECS Instance.

If you are running Linux or Mac, use a terminal application to connect to the instance via SSH. If you are on Windows, you can use PuTTY (download here) to connect to your server. To log in via SSH, you will have to provide the IP address, username and password that you set up when creating your Alibaba Cloud ECS instance.

There are other ways to connect to your ECS instance as well. Visit the official ECS documentation to learn more.

Step 2: Change the Hostname on Your CentOS 7 Server

The hostname is a default identifier when you communicate with a Linux server. It is like the computer name associated with your home PC or laptop. Giving your CentOS 7 server a descriptive hostname helps you tell your machines apart, especially if you are running a bunch of them.

To begin, ensure your CentOS 7 system is up-to-date by typing the command below:

To check your hostname, type the command below on a terminal window:

To change your hostname, we need to install nano text editor using the command below:

Then, edit the /etc/cloud/cloud.cfg file and find the entry preserve_hostname. Change its value from false to true.

Press CTRL + X, Y then Enter to exit and save the changes.

Then, edit the /etc/hostname file using a nano editor by typing the command below:

Overwrite the current hostname written at the very top of the file and press CTRL + X, Y then Enter to save the changes.

You will also need to add some entries on the Linux hosts file. Open the file using a text editor:

You will need to add two entries on this file just below the localhost entry. The first entry you are adding uses the loopback interface address Please note that this is different from the address which has a ‘localhost’ value in the same file.

So assuming your server’s public IP address is and your hostname is miami, your /etc/hosts file should have the below entries at the very top:

Reboot your Alibaba Cloud ECS instance for the changes to take effect by typing the command below:

Step 3: Configure Time Zone on Your CentOS 7 Server

You can check the default date and time zone on your Alibaba Cloud CentOS 7 server by typing the command below:

You must set the correct time zone especially if you are running cron jobs on your CentOS 7 server because they rely heavily on date/time. To change the time zone, use the command below:

For instance, to set your server time zone to London, use the command below:

You can run the date command to check if the changes are successful:

Step 4: Create a Non-Root User with Sudo Privileges on CentOS 7

Logging in to your CentOS 7 server as the root user can cause a lot of problems. For instance, a simple ‘rm’ command with incorrectly typed parameters can wipe your entire production server’s data.

Therefore, you need to create a non-root user with sudo privileges. You can then temporarily elevate privileges by using the sudo command where necessary.

To create the user, use the command below:

For instance, to add a user identified as james on your server, use the command below:

Next, we assign a password to the user we have created above:

You will be prompted to enter the password for the user.

Then, we need to add the user to the wheel group to assign the ability to run administrative tasks with the sudo command by typing the following:

Remember to replace james with the correct username of your choice.

Step 5: Create Authentication Key Pair for Logging onto Your CentOS 7 Server

Logging in to your CentOS 7 server using a private/public key pair is more secure than using a password. In this mode, you keep the private key on your local computer and the public key under the .ssh/authorized_keys file on your Alibaba Cloud server.

With key-based login, the server uses your public key to check that the connecting client holds the matching private key, which is known only to you. Keys used in this manner can’t realistically be guessed, even by the most resourceful hackers. You can also add another layer of security by protecting your private key with a passphrase in case it falls into the wrong hands.

You can generate a private/public key pair with a tool like PuTTY Key Generator (download here).

Make sure you are logged in as the user who you are generating keys for. Also, the below commands should NOT be run using ‘sudo’.

Copy the public key part to your CentOS 7 server using the commands below:

Then, use a nano editor to paste your public key on the authorized_keys file by typing:

Protect the file by typing the commands below:

Once the keys are created, you can log in to your CentOS 7 server over an SSH connection using your username and the private key that you have created.
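The key-installation procedure of this step as an added shell example; it is not code from the original article, and the function name `install_pubkey` and the sample key are made up for illustration. It expects the one-line OpenSSH public key (the text PuTTY Key Generator shows in its "Public key for pasting into OpenSSH authorized_keys file" box) and refuses private keys and the multi-line file written by "Save public key", which authorized_keys does not accept.

```shell
#!/bin/sh
# Added example, not from the original article. Run as the login user
# (not root, not via sudo) so ~/.ssh is owned by the account that logs in.

install_pubkey() {  # usage: install_pubkey "<public key line>" [home-dir]
    key=$1
    home=${2:-$HOME}
    case $key in
        *PRIVATE*|----*)   # private key, or PuTTY "Save public key" file format
            echo "refusing: not a one-line OpenSSH public key" >&2; return 1 ;;
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-*\ *) ;;
        *)  echo "refusing: unrecognised key type" >&2; return 1 ;;
    esac
    mkdir -p "$home/.ssh" || return 1
    chmod 700 "$home/.ssh" || return 1          # directory: owner only
    touch "$home/.ssh/authorized_keys" || return 1
    # Idempotent: append only if this exact line is not already present.
    grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
        printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"      # file: owner read/write only
}

# Demo in a throwaway directory with a constructed, non-functional key.
demo=$(mktemp -d)
install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleOnly james@laptop' "$demo" &&
    ls -la "$demo/.ssh"
rm -rf "$demo"
```

The explicit modes matter because sshd's StrictModes check, which is on by default, ignores an authorized_keys file whose file or directory permissions are too open.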

Step 6: Disable Password Authentication on Your CentOS 7 Server

Once you set up the private/public key pair, you should disable password based logins. This will ensure that only a person with the correct private key can gain access to your CentOS 7 server.

To do this, edit the SSH configuration file via the command below:

Find the line PasswordAuthentication and change its value from yes to no.

Restart the SSH daemon:

Step 7: Disable SSH Root Access on Your CentOS 7 Server

Once you have created a non-root user with sudo privileges and disabled password logins, you can go ahead and disable root login over SSH. This will make sure that no one can log in to your CentOS 7 server over SSH using the root username.

Any administrative tasks from this point forward will be done by the non-root user with sudo privileges.

To disable root access over SSH, edit the SSH configuration file one more time using a nano editor, look for the directive PermitRootLogin and change its value from yes to no.


Restart the SSH daemon by typing the command below for the changes to take effect:
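To confirm that the edits from Steps 6 and 7 are the values sshd will actually use, the added example below (not code from the original article) reads an sshd_config file the way sshd does for its global section. The function names and the sample file are made up for illustration; "unset" means the directive is absent or commented out, so sshd's built-in default applies.

```shell
#!/bin/sh
# Added example, not from the original article. sshd keeps the FIRST value
# it reads for a keyword and treats keywords case-insensitively, so a second
# "PasswordAuthentication no" further down does not override an earlier "yes".

sshd_effective() {  # usage: sshd_effective <keyword> <config-file>
    awk -v want="$1" '
        BEGIN { want = tolower(want); val = "unset" }
        /^[ \t]*#/              { next }          # commented-out directive
        tolower($1) == "match"  { exit }          # global section ends here
        tolower($1) == want     { val = tolower($2); exit }
        END { print val }
    ' "$2"
}

audit_sshd() {  # prints one line per setting; returns 1 if any is not "no"
    rc=0
    for kw in PasswordAuthentication PermitRootLogin; do
        v=$(sshd_effective "$kw" "$1")
        if [ "$v" = "no" ]; then
            echo "OK    $kw $v"
        else
            echo "CHECK $kw $v"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample, not a real server's file.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PasswordAuthentication yes
#PermitRootLogin yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

On the server itself, `sudo sshd -T` prints the configuration sshd will apply, including the defaults for anything reported here as unset.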

Step 8: Install a Firewall on Your CentOS 7 server

On CentOS 7 you can manage iptables rules through a tool known as UFW (Uncomplicated Firewall). UFW aims to simplify the process of setting up iptables, especially for beginners who are new to the Linux environment.

UFW is a good choice for adding another layer of security to your CentOS 7 server running on Alibaba Cloud.

You can use the command below to install it:

Then, type the command below to allow all outgoing connections and deny all incoming connections.

You can use the UFW command below to allow traffic to a particular port or service.

To avoid completely locking yourself out of your CentOS 7 server, the first port/service that you should allow on UFW is port 22, which listens for SSH connections.

To do this, type the command below to add the rule:


Also if you are running a web server, you should enable the http and https ports:

Once you have whitelisted the services, run the command below to start UFW:

You can delete any rule that you have created by first checking its number and then deleting it using the commands below:


Where <rule number> is the value that you obtained above from the list of rules available.

Make sure UFW is enabled before checking the list of rules.

You can disable UFW at any time by typing the command below:

Or just reset all rules by typing:
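The whole of Step 8 in the order that avoids a lockout, as an added shell example (not code from the original article): defaults first, the SSH rule next, `ufw enable` last. The helper names, the `UFW_CMD` variable and the sample status output are made up for illustration, and the script only prints commands unless `UFW_CMD` is set.

```shell
#!/bin/sh
# Added example, not from the original article. By default this is a dry run
# that only prints the ufw commands; set UFW_CMD="sudo ufw" on the server.
# Assumption: ufw is already installed (on CentOS 7 it comes from EPEL).
UFW_CMD=${UFW_CMD:-echo ufw}

ufw_baseline() {  # usage: ufw_baseline [extra service or port ...]
    $UFW_CMD default deny incoming  || return 1
    $UFW_CMD default allow outgoing || return 1
    $UFW_CMD allow 22/tcp           || return 1   # SSH rule BEFORE enabling
    for svc in "$@"; do
        $UFW_CMD allow "$svc" || return 1
    done
    $UFW_CMD enable
}

# Rule numbers shift down after every delete, so list the numbers for a
# target highest-first; deleting in that order keeps the rest valid.
ufw_rule_numbers() {  # stdin: `ufw status numbered` output; $1: e.g. 80/tcp
    sed -n 's/^\[ *\([0-9][0-9]*\)] *\([^ ]*\).*/\1 \2/p' |
        awk -v t="$1" '$2 == t { print $1 }' | sort -rn
}

ufw_baseline http https

# Constructed sample of `ufw status numbered` output.
sample='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 5] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 6] 443/tcp (v6)               ALLOW IN    Anywhere (v6)'

for n in $(printf '%s\n' "$sample" | ufw_rule_numbers 80/tcp); do
    echo "would run: ufw delete $n"
done
```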

Step 9: Install Fail2Ban on Your CentOS 7 Server

Fail2Ban is a tool that adds another layer of security to your CentOS 7 server by utilizing iptables. It bans the IP addresses of users trying to access your server, based on the number of failed login attempts.

You can install Fail2Ban by typing the command below:

You can use your server with the default Fail2Ban settings, but when the need arises, you can edit the configuration file to make changes. All Fail2Ban configuration files are located in the ‘/etc/fail2ban/’ directory.

By default .conf files are read first followed by .local files. So if you want to override settings, you should make changes to .local files and leave .conf files intact.

For instance, you can create your own copy of jail.conf file and create a local file for editing using the commands below:

You can then change any Fail2Ban settings by editing the new file with the command below:

In most cases, you will be setting the ban time, find time and max retries for SSH connections. This will all depend on the level of security that you need on your CentOS 7 server.
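How the .conf-then-.local read order decides the ban time, find time and max retries for the sshd jail, as an added shell example (not code from the original article or from Fail2Ban). The function name and both sample files are made up for illustration; the point it shows is that a value set in a jail's own section wins over [DEFAULT] even when the [DEFAULT] value comes from the later .local file.

```shell
#!/bin/sh
# Added example, not from the original article. Reports the value Fail2Ban
# would use for one jail option after reading the files in the given order
# (jail.conf first, jail.local second). Only plain "key = value" lines in
# [DEFAULT] and the jail's own section are handled.

jail_setting() {  # usage: jail_setting <jail> <key> <file>...
    jail=$1; key=$2; shift 2
    awk -v jail="$jail" -v key="$key" '
        FNR == 1      { sec = "" }                    # new file, no section yet
        /^[ \t]*[#;]/ { next }                        # comment lines
        /^[ \t]*\[/   { sec = $0                      # section header
                        sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k != key) next
            if (sec == jail)      { own = v;  has_own = 1 }   # later file wins
            if (sec == "DEFAULT") { dflt = v; has_dflt = 1 }
        }
        END { if (has_own) print own
              else if (has_dflt) print dflt
              else print "unset" }
    ' "$@"
}

# Constructed sample files, not a real server's configuration.
d=$(mktemp -d)
printf '%s\n' '[DEFAULT]' 'bantime = 600' 'findtime = 600' 'maxretry = 5' \
              '[sshd]' 'enabled = false' 'maxretry = 5' > "$d/jail.conf"
printf '%s\n' '[DEFAULT]' 'bantime = 3600' 'maxretry = 3' \
              '[sshd]' 'enabled = true' > "$d/jail.local"

for k in enabled bantime findtime maxretry; do
    echo "sshd $k = $(jail_setting sshd "$k" "$d/jail.conf" "$d/jail.local")"
done
rm -rf "$d"
```

In this sample maxretry stays at 5 for sshd until jail.local sets it under [sshd]; on a running server, `fail2ban-client get sshd maxretry` returns the value the jail actually loaded.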


That’s it! You have successfully provisioned your CentOS 7 server running on Alibaba Cloud Elastic Compute Service (ECS). Although this is not a conclusive list of all Linux security measures that you should take when setting up your server, it can keep hackers away especially if you are just starting out with ECS. You can now install a web server and database server to run your website or web application. I hope you enjoyed reading the tutorial!
