
How to Prevent Cyber Threats Using Alibaba Cloud Firewall

Protect your cloud environment by preventing attacks on exposed RDP and SSH ports. Alibaba Cloud Firewall helps secure access with strict allow-lists, traffic monitoring, and layered controls.

Disclaimer: The views expressed herein are for reference only and don't necessarily represent the official views of Alibaba Cloud.

Cyber threats targeting cloud systems often begin with exposed remote access ports such as RDP (3389) and SSH (22).

When these services are open to the public, automated scanners and password-spray tools continuously attempt to exploit them.

Alibaba Cloud Firewall provides a centralized protection layer at the VPC boundary.

By enforcing strict allow-lists, blocking suspicious sources, and monitoring all inbound traffic, it reduces the likelihood of unauthorized access.

This guide outlines seven practical steps to improve cloud security using Alibaba Cloud Firewall.

1. How Attackers Exploit Exposed Ports

Attackers follow a predictable sequence:

  • Scan IP ranges for open ports
  • Attempt password sprays
  • Reuse stolen credentials
  • Move laterally to internal systems

Attack Flow Diagram

+----------------------+
|  Internet Attackers  |
+----------------------+
           |  Scan for open ports (22/3389)
           v
+----------------------+
| Public ECS Instance  |
+----------------------+
           |  Password sprays / stolen creds
           v
+----------------------+
| Initial Access Gained|
+----------------------+
           |
           v
+----------------------------+
| Lateral Movement Attempted |
+----------------------------+

2. Restrict Access Using Alibaba Cloud Firewall

Cloud Firewall acts as the first enforcement point.

Recommended Rules

  • Allow only your trusted static IP range
  • Deny all other public access
  • Enable IPS to block exploit payloads

Firewall Flow

Allowed Source Only
        |
        v
(the remainder of this diagram is not recoverable from the page)
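The recommended rules above only work if the explicit allow for the trusted source is evaluated before the deny-all. The following added example (not code from the original post or from Alibaba Cloud) models that first-match evaluation over a simplified rule list and also detects a rule that is shadowed by an earlier, broader one, which is what a misordered allow-list looks like. The `Rule` fields, the trusted address 203.0.113.10 (a documentation range) and the priority numbers are constructed for this illustration and are not the Cloud Firewall API.

```python
"""Ordered allow-list / default-deny evaluation, modelled on the Cloud Firewall
recommendations in this section. Constructed example; the Rule fields are a
simplification and not the Cloud Firewall API."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    priority: int             # lower number is evaluated first
    source: str               # source CIDR the connection must come from
    dest_port: Optional[int]  # None matches any destination port
    action: str               # "accept" or "drop"


def evaluate(rules: List[Rule], src_ip: str, dest_port: int) -> str:
    """Return the action of the first rule matching (src_ip, dest_port).
    No match falls through to "drop", i.e. default deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r.priority):  # stable sort: ties keep list order
        in_source = ip in ipaddress.ip_network(rule.source, strict=False)
        if in_source and rule.dest_port in (None, dest_port):
            return rule.action
    return "drop"


def shadowed_rules(rules: List[Rule]) -> List[Rule]:
    """Return rules that can never match because an earlier rule already covers
    every connection they would match (a source that is a supernet of theirs,
    on the same port or on any port). A shadowed allow is the classic symptom
    of putting the deny-all ahead of the allow-list."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for index, rule in enumerate(ordered):
        net = ipaddress.ip_network(rule.source, strict=False)
        for earlier in ordered[:index]:
            earlier_net = ipaddress.ip_network(earlier.source, strict=False)
            if net.subnet_of(earlier_net) and earlier.dest_port in (None, rule.dest_port):
                shadowed.append(rule)
                break
    return shadowed


# Assumed trusted static VPN egress address (documentation range, constructed).
TRUSTED_STATIC_IP = "203.0.113.10"

# Recommended ordering: explicit allows for the trusted source, then deny everything.
RECOMMENDED = [
    Rule(1, f"{TRUSTED_STATIC_IP}/32", 22, "accept"),
    Rule(2, f"{TRUSTED_STATIC_IP}/32", 3389, "accept"),
    Rule(100, "0.0.0.0/0", None, "drop"),
]

# Misordered variant: the deny-all sorts first and shadows the allow, locking
# the administrator out as well.
MISORDERED = [
    Rule(1, "0.0.0.0/0", None, "drop"),
    Rule(10, f"{TRUSTED_STATIC_IP}/32", 22, "accept"),
]

if __name__ == "__main__":
    for ip, port in [(TRUSTED_STATIC_IP, 22), ("198.51.100.7", 22), (TRUSTED_STATIC_IP, 80)]:
        print(f"{ip}:{port} -> {evaluate(RECOMMENDED, ip, port)}")
    print("shadowed in MISORDERED:", shadowed_rules(MISORDERED))
```

Running `shadowed_rules` over a rule export before applying it catches the lock-out case (the allow that can never fire) without touching the live firewall; the same check generalises to any first-match policy engine, including security groups.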

3. Use a Static-IP VPN for All Admin Access

Routing administrator access through a single static outbound IP removes the need for broad “allow-all” rules and ensures that every login attempt maps back to a known, trusted source. This approach improves traceability and reduces the attack surface significantly.

In practice, this can be achieved using a VPN service that provides a fixed, non-rotating IP address.

For example, some teams use a dedicated-IP model (such as TorGuard’s dedicated-IP) to ensure that the same address is always presented when administrators connect.

The key requirement is simply that the IP remains consistent so it can be safely allow-listed in Alibaba Cloud Firewall.

Access Flow

Admin PC
    |  VPN Tunnel
    v
Static Public IP
    |
    v
+------------------------+
| Alibaba Cloud Firewall |
+------------------------+
    |
    v
+------------------------+
|   Bastion Host / ECS   |
+------------------------+

4. Harden Security Groups and OS-Level Firewalls

Security Groups

  • Remove default rules allowing 0.0.0.0/0
  • Allow only static VPN IP
  • Restrict egress traffic

OS-Specific Hardening

  • Windows: Enable NLA, restrict RDP to VPC CIDR
  • Linux: Limit SSH attempts and restrict to bastion subnet
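To check a security group against the three rules above (no 0.0.0.0/0 ingress, admin ports only from the static VPN IP, egress restricted) without clicking through the console, here is an added example (not code from the original post or from Alibaba Cloud). The sample data is constructed to imitate the shape of an ECS `DescribeSecurityGroupAttribute` response (a `Permissions.Permission` list with `Direction`, `IpProtocol`, `PortRange`, `SourceCidrIp`/`DestCidrIp`, `Policy`); that field layout is an assumption to verify against the API reference, and the VPN address 203.0.113.10/32 is a documentation-range placeholder.

```python
"""Offline audit of a security group against the recommendations above.
Constructed example: SAMPLE_RESPONSE imitates the shape of an ECS
DescribeSecurityGroupAttribute response (Permissions.Permission list with
Direction, IpProtocol, PortRange, SourceCidrIp/DestCidrIp, Policy); this is
an assumption about field names, so check it against the API reference."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

ADMIN_PORTS = (22, 3389)
# Assumed static VPN egress address (documentation range, constructed).
TRUSTED_VPN_CIDR = "203.0.113.10/32"

SAMPLE_RESPONSE = {
    "SecurityGroupId": "sg-constructed-example",
    "Permissions": {"Permission": [
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "22/22",
         "SourceCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": "1"},
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "3389/3389",
         "SourceCidrIp": "203.0.113.10/32", "Policy": "Accept", "Priority": "1"},
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "1/65535",
         "SourceCidrIp": "10.0.0.0/8", "Policy": "Accept", "Priority": "100"},
        {"Direction": "ingress", "IpProtocol": "TCP", "PortRange": "443/443",
         "SourceCidrIp": "0.0.0.0/0", "Policy": "Drop", "Priority": "1"},
        {"Direction": "egress", "IpProtocol": "ALL", "PortRange": "-1/-1",
         "DestCidrIp": "0.0.0.0/0", "Policy": "Accept", "Priority": "1"},
    ]},
}


def port_range(spec: str) -> Tuple[int, int]:
    """Parse "lo/hi"; "-1/-1" is the wildcard used for all ports."""
    lo, hi = (int(part) for part in spec.split("/"))
    return lo, hi


def covers_admin_port(spec: str) -> bool:
    """True if the range includes an RDP/SSH port or is the all-ports wildcard."""
    lo, hi = port_range(spec)
    return lo == -1 or any(lo <= port <= hi for port in ADMIN_PORTS)


def audit_security_group(response: Dict,
                         allowed_admin_sources: Iterable[str] = (TRUSTED_VPN_CIDR,)) -> List[str]:
    """Return one finding per accept rule that breaks a recommendation. An empty
    list means: no 0.0.0.0/0 ingress, admin ports reachable only from the listed
    sources (the VPN IP and, if you add it, the bastion subnet), egress not wide open."""
    allowed = {ipaddress.ip_network(cidr) for cidr in allowed_admin_sources}
    findings = []
    for rule in response["Permissions"]["Permission"]:
        if rule.get("Policy", "").lower() != "accept":
            continue  # explicit drops never widen access
        proto, ports = rule["IpProtocol"], rule["PortRange"]
        if rule["Direction"] == "ingress":
            src = ipaddress.ip_network(rule["SourceCidrIp"], strict=False)
            if src.prefixlen == 0:
                findings.append(f"ingress {proto} {ports} open to 0.0.0.0/0")
            elif covers_admin_port(ports) and src not in allowed:
                findings.append(f"admin port within {ports} reachable from {src}, not an allowed admin source")
        else:
            dst = ipaddress.ip_network(rule["DestCidrIp"], strict=False)
            if dst.prefixlen == 0 and proto.upper() == "ALL":
                findings.append("egress allows every protocol to 0.0.0.0/0; restrict to required destinations")
    return findings


if __name__ == "__main__":
    for finding in audit_security_group(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Pass the bastion subnet as a second allowed admin source when auditing groups that sit behind the bastion; anything else reaching 22 or 3389 is reported. The 10.0.0.0/8 all-ports rule in the sample is the kind of "internal so it is fine" entry that quietly defeats the lateral-movement controls in step 7.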

5. Deploy a Bastion Host in a Management VPC

A bastion host centralizes all administrative access.

Recommended Bastion Architecture

Alibaba Cloud Firewall
          |
          v
+------------------+
|   Bastion Host   |
+------------------+
          |
          v
+--------------------------+
|  Private ECS Instances   |
+--------------------------+

This ensures workloads remain private and inaccessible directly from the internet.

6. Link Access to Identity and Logs

Use Alibaba Cloud Security Center to:

  • Detect brute-force attempts
  • Monitor login anomalies
  • Correlate Cloud Firewall events
  • Trigger automatic blocking

When an alert fires:

  1. Remove offending IP from allow-list
  2. Disable the associated VPN identity
  3. Rotate affected instance credentials
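The password sprays described in step 1 and the brute-force detection and response steps listed here are two views of the same signal: repeated failed logins from one source. The following added example (not code from the original post, from Alibaba Cloud Security Center or from the author) tells the two patterns apart in sshd "Failed password" lines (a spray touches many accounts with few attempts each; a brute force hammers one or two accounts) and then applies the three response steps above. The log lines, thresholds and the allow-list mapping of 203.0.113.10 to the identity `vpn-user-ops` are constructed for the illustration; a production detector would additionally window the counts by time.

```python
"""Brute-force versus password-spray detection over SSH auth log lines, plus the
three response steps listed above. Constructed example: the log lines are
generated here in the usual sshd "Failed password" format and the thresholds
and allow-list are illustrative assumptions."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")

BRUTE_MIN_FAILURES = 10   # many attempts against few accounts
SPRAY_MIN_USERS = 5       # few attempts each against many accounts


def classify_sources(lines: Iterable[str]) -> Dict[str, Dict]:
    """Group failed logins by source IP and label each source."""
    users_by_ip = defaultdict(list)
    for line in lines:
        match = FAILED.search(line)
        if match:
            user, ip = match.groups()
            users_by_ip[ip].append(user)
    report = {}
    for ip, users in users_by_ip.items():
        failures, distinct = len(users), len(set(users))
        if distinct >= SPRAY_MIN_USERS:
            verdict = "password-spray"
        elif failures >= BRUTE_MIN_FAILURES:
            verdict = "brute-force"
        else:
            verdict = "ok"
        report[ip] = {"failures": failures, "users": distinct, "verdict": verdict}
    return report


def respond(report: Dict[str, Dict], allow_list: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Apply the response steps: block every offending source; if it is on the
    allow-list (a compromised admin path), also remove it, disable the VPN
    identity mapped to it, and rotate credentials on the instances it reached.
    allow_list maps a static IP to the VPN identity that uses it (assumed)."""
    remaining = dict(allow_list)
    actions = []
    for ip, info in sorted(report.items()):
        if info["verdict"] == "ok":
            continue
        actions.append(f"block {ip}: {info['verdict']} ({info['failures']} failures, {info['users']} accounts)")
        if ip in remaining:
            identity = remaining.pop(ip)
            actions.append(f"remove {ip} from allow-list; disable VPN identity {identity}; rotate instance credentials")
    return remaining, actions


def constructed_log() -> List[str]:
    """Constructed sshd lines: one brute-forcer, one sprayer, one trusted admin."""
    template = "Mar 10 09:{m:02d}:00 ecs-web sshd[1200]: Failed password for {u} from {ip} port 50000 ssh2"
    lines = [template.format(m=i, u="root" if i % 2 else "invalid user admin", ip="198.51.100.23")
             for i in range(12)]
    lines += [template.format(m=i, u=f"invalid user {name}", ip="192.0.2.77")
              for i, name in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])]
    lines += [template.format(m=30, u="ops", ip="203.0.113.10"),
              "Mar 10 09:31:00 ecs-web sshd[1300]: Accepted publickey for ops from 203.0.113.10 port 40000 ssh2"]
    return lines


if __name__ == "__main__":
    report = classify_sources(constructed_log())
    # Assumed mapping of the static VPN egress IP to the identity behind it.
    remaining, actions = respond(report, {"203.0.113.10": "vpn-user-ops"})
    for ip, info in report.items():
        print(ip, info)
    print("\n".join(actions))
```

With the firewall allow-list in place, any failed-login volume from a source other than the VPN IP means the allow-list is not being enforced where that instance sits, which is itself worth an alert; a flagged source that is on the allow-list is the more serious case and is the one the identity-disable and credential-rotation steps are for.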

7. Apply Zero-Trust and Network Segmentation

Segmentation Guidelines

  • Use separate VPCs (web, app, data, management)
  • Allow only necessary east-west traffic
  • Use Cloud Firewall to control inter-VPC paths

Zero-Trust Access Flow

Admin PC
    |  MFA + Identity Check
    v
Zero-Trust Gate
    |
    v
+------------------------+
| Alibaba Cloud Firewall |
+------------------------+
    |
    v
+------------------+
|   Bastion Host   |
+------------------+
    |
    v
+------------------+
|   Private ECS    |
+------------------+

Conclusion

Alibaba Cloud Firewall, combined with strict source controls, bastion architecture, strong identity enforcement, and segmented networks, creates a secure environment where only verified and authorized traffic can reach critical workloads.

By focusing on a single controlled entry point and a layered defense strategy, organizations significantly reduce the risk of unauthorized access and lateral movement.

Kalpesh Parmar