
Security Center: Manage servers

Last Updated: Aug 04, 2023

After you add your servers to Security Center, you can manage the servers on the Server tab of the Host page. For example, you can synchronize the information about the most recent servers that are added to Security Center, view the information about servers, manage servers by server group, and change the protection status of servers. This topic describes how to manage servers.

Synchronize the information about the most recent servers

Every minute, Security Center automatically synchronizes the information about the servers on which the Security Center agent is installed to the console. After the Security Center agent is installed on a server, you can view the information about the server in the server list. Before you view the information, we recommend that you synchronize the information about the most recent servers in the Security Center console. This ensures that newly added servers appear in the server list.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. On the Server tab of the Host page, click Synchronize Asset.

    Security Center obtains the information about the most recent servers and updates the server list.

    Note

    The system takes 1 minute to update the information. Wait until the information is updated.

Add multi-cloud assets to Security Center

Security Center can protect and manage the servers that are not deployed on Alibaba Cloud. The servers include third-party cloud servers and servers in data centers. Before you can use Security Center to protect servers that are not deployed on Alibaba Cloud, you must add the servers to Security Center. The following table describes the types of servers that can be added to Security Center and the operations that you must perform to add the servers to Security Center.

Server provider or server type

Operation

Server deployed on a third-party cloud such as Tencent Cloud or Amazon Web Services (AWS) Cloud

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. In the Add Multi-cloud Asset section, move the pointer over the icon of the server provider and click Add.

  4. In the Access to assets outside the cloud panel, configure the parameters. For more information, see Add multi-cloud assets to Security Center.

IDC

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. In the Add Multi-cloud Asset section, move the pointer over the IDC access icon and click Add.

  4. In the Access to assets outside the cloud panel, configure the parameters. For more information, see Manage an IDC probe.

Server outside the cloud

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. In the Add Multi-cloud Asset section, move the pointer over the Server outside the cloud icon and click Install Agent.

  4. On the Feature Settings page, install the Security Center agent. For more information, see Manually install the Security Center agent.

View the information about servers

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. On the Server tab of the Host page, view the information about servers.

    • View the information about a server

      You can configure the search conditions above the server list to search for the server. The search conditions include Instance name, Internet IP, and Private IP.

      In the Risks Status column of the server, you can view the security status of the server.

      You can click View in the Actions column of the server to go to the details page of the server. The following table describes the details that you can view.

      Tab

      Description

      Basic information

      • Detail

        This tab displays the basic information about the server. The information includes ID, Region, Group, and OS. You can click Group to change the server group for the server. You can click Client Troubleshooting to troubleshoot the issues that cause the abnormal status of the Security Center agent installed on the server.

        Note

        If basic information such as the media access control (MAC) address and kernel version of the server is missing, you can go to the server list, find and select the server, and then choose More Operations > Asset Collection below the server list to collect the basic information about the server.

      • Defensive status

        This tab displays the statuses of Client Protection, Malicious Behavior Prevention, Webshell Prevention, and Malicious Behavior Defense.

      • Vulnerability check

        This tab displays the types of vulnerabilities that can be detected. You can adjust the types of vulnerabilities that you want to detect.

      • Anti-brute Force Cracking

        This tab displays the rule that is used to defend against brute-force attacks and is applied to the server. You can modify the defense rule.

      • Login security setting

        This tab displays the approved logon locations, approved logon IP addresses, approved logon time ranges, and approved logon accounts of the server. You can configure alerts based on the information.

      Vulnerabilities

      This tab displays the vulnerabilities that are detected on the server.

      Alerts

      This tab displays the alerts that are generated for the server.

      Baseline Check

      This tab displays the baseline check results of the server.

      Note

      This tab is available only in the Advanced, Enterprise, and Ultimate editions of Security Center. This tab is unavailable in the Basic or Anti-virus edition of Security Center.

      Asset Fingerprints

      This tab displays the details about the fingerprints of the server.

      Note

      This tab is available only in the Enterprise and Ultimate editions of Security Center. This tab is unavailable in the Basic, Anti-virus, or Advanced edition of Security Center.

      Agentless Detection

      This tab displays the vulnerabilities, baseline check results, and alerts that are detected on the server by using the agentless detection feature.

      Cloud platform configuration

      This tab displays the configuration check results of the server on the cloud platform.

      O&M and Monitoring

      • Remote operation and maintenance

        This section displays the O&M commands that are remotely run on the server by Cloud Assistant, the execution results of the commands, and the execution results of file sending tasks that are run on the server.

      • Performance monitoring

        This section displays the information such as the CPU utilization, memory usage, system load, inbound traffic rate, outbound traffic rate, and number of TCP connections of the server.

    • View the information about servers in a category

      On the Server tab, servers are categorized from dimensions such as Risk, Unprotected, and Exposed. This helps you manage servers in an efficient manner.

      Category

      Description

      All Servers

      The servers that are protected by Security Center. The servers include Elastic Compute Service (ECS) instances and servers that are not deployed on Alibaba Cloud and have the Security Center agent installed.

      Risk

      The servers on which vulnerabilities and baseline risks are detected, and the servers for which alerts are generated.

      Unprotected

      The servers on which the Security Center agent is in the Offline or Pause state.

      Important

      Security Center cannot protect the servers on which the Security Center agent is in the Offline or Pause state. You can change the agent status to protect the servers. For more information, see Change the protection status of a server.

      Shutdown

      The servers that are shut down.

      Exposed

      The servers that are exposed on the Internet. These servers are accessible over the Internet. For more information about the exposure details, see Asset exposure analysis.

      Note
      • Only the Enterprise and Ultimate editions support asset exposure analysis. If you do not use one of the editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can view the number and list of the servers that are exposed on the Internet.

      • If Unknown is displayed to the right of Exposed, the current edition of Security Center does not support asset exposure analysis. In this case, the number of exposed servers is not displayed in the Security Center console. To use asset exposure analysis, you must upgrade Security Center to the Enterprise or Ultimate edition. For more information, see Upgrade and downgrade Security Center.

      Add

      The ECS instances that you purchased within the last 15 days.

      Server Group

      The servers that are categorized by group. You can click the name of a server group to view the statuses of the servers that belong to the server group of a specific category.

      Note

      Security Center allows you to manage and delete server groups. For more information, see Manage server groups, importance levels, and tags.

      Region

      The servers that are categorized by region. You can click the name of a region to view the statuses of the servers that are deployed in the region.

      VPC

      The servers that are categorized by virtual private cloud (VPC). You can click the name of a VPC to view the statuses of the servers that reside in the VPC.

      Importance

      The servers that are categorized by asset importance level. In the Importance section, you can click Important, Normal, or Test to view the statuses of the servers.

      Note

      Security Center allows you to classify your servers that belong to the current Alibaba Cloud account into three levels by asset importance level. You can determine the asset importance levels based on your business requirements. This way, you can manage multiple servers by asset importance level.

      Tag

      The servers that are categorized by tag. You can click a tag in the Tag section to view the statuses of the servers to which the tag is added.

      Note

      You can manage and delete a tag in the Security Center console. For more information, see Manage server groups, importance levels, and tags.

    • View the information about servers that match one or more search conditions

      After you click one of the items such as Risk and Unprotected in the All Servers section, you can configure one or more search conditions to search for specific servers.

      The following procedure provides an example on how to configure multiple search conditions to search for servers. The search conditions are the Linux operating system, alerts generated, and the China (Hangzhou) region.

      1. On the Server tab of the Assets page, click Unprotected.

      2. In the drop-down list next to the search box, configure the System Type, Alert problems, and Region search conditions.

        • Select Linux for System Type.

        • Select Yes for Alert problems.

        • Select China (Hangzhou) for Region.

        Note

        If you cannot select a value for a search condition in the drop-down list, you can enter keywords for the search condition in the search box.

        After the configuration is complete, the search conditions are displayed above the server list.

      3. Click the switch to the left of search conditions to switch between the AND and OR Boolean operators.

        • AND: specifies the AND logical relation among search conditions.

        • OR: specifies the OR logical relation among search conditions.

        After you specify the search conditions, servers that match all the specified search conditions are displayed in the server list.

      4. Optional. If you want to save the preceding search conditions as frequently used search conditions, click Save to the right of the search conditions.

        After you save frequently used search conditions, you can select the search conditions from the Frequent search conditions drop-down list to search for servers, which is more efficient.
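
The same multi-condition search, reproduced offline as an added example (not code from Security Center or its documentation): it applies the three conditions from the procedure above to the Unprotected category with the AND and OR operators and orders the hits by the asset importance scores listed on this page. The inventory records, their field names, and the function names are constructed for illustration and are assumptions, not a Security Center export or API format.

```python
# Added example: triage of a server inventory, run offline on constructed data.

# Asset importance scores from the page's importance-level table.
IMPORTANCE_SCORE = {"Important": 1.5, "Normal": 1.0, "Test": 0.5}

# Agent states that the page lists under the Unprotected category.
UNPROTECTED_STATES = {"Offline", "Pause"}

# Constructed sample inventory. The field names and the "Online" state label
# are hypothetical; they are not taken from a Security Center export or API.
INVENTORY = [
    {"name": "web-01", "os": "Linux", "region": "China (Hangzhou)",
     "agent": "Offline", "alerts": 2, "importance": "Important"},
    {"name": "db-01", "os": "Linux", "region": "China (Beijing)",
     "agent": "Pause", "alerts": 1, "importance": "Important"},
    {"name": "ci-01", "os": "Windows", "region": "China (Hangzhou)",
     "agent": "Offline", "alerts": 0, "importance": "Test"},
    {"name": "app-01", "os": "Linux", "region": "China (Hangzhou)",
     "agent": "Online", "alerts": 3, "importance": "Normal"},
    {"name": "bak-01", "os": "Windows", "region": "China (Shanghai)",
     "agent": "Offline", "alerts": 0, "importance": "Normal"},
    {"name": "api-01", "os": "Linux", "region": "China (Hangzhou)",
     "agent": "Pause", "alerts": 1, "importance": "Normal"},
]

# The three search conditions used in the procedure above.
PAGE_CONDITIONS = [
    lambda s: s["os"] == "Linux",                 # System Type: Linux
    lambda s: s["alerts"] > 0,                    # Alert problems: Yes
    lambda s: s["region"] == "China (Hangzhou)",  # Region: China (Hangzhou)
]


def is_unprotected(server):
    """True when the agent state puts the server in the Unprotected category."""
    return server["agent"] in UNPROTECTED_STATES


def matches(server, conditions, operator):
    """Combine the search conditions with the selected Boolean operator."""
    if not conditions:
        return True  # no conditions: the whole category is listed
    results = [condition(server) for condition in conditions]
    if operator == "AND":
        return all(results)
    if operator == "OR":
        return any(results)
    raise ValueError(f"unsupported operator: {operator!r}")


def search_unprotected(inventory, conditions=(), operator="AND"):
    """Unprotected servers that satisfy the conditions, most important first."""
    hits = [s for s in inventory
            if is_unprotected(s) and matches(s, conditions, operator)]
    # Higher asset importance score first; name breaks ties for stable output.
    return sorted(hits, key=lambda s: (-IMPORTANCE_SCORE[s["importance"]], s["name"]))


if __name__ == "__main__":
    for op in ("AND", "OR"):
        found = search_unprotected(INVENTORY, PAGE_CONDITIONS, op)
        print(op, [s["name"] for s in found])
```

Switching from AND to OR widens the result from two servers to four in this sample, which is why the operator switch is worth checking before a saved search is reused for triage.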

Manage server groups, importance levels, and tags

Security Center allows you to manage server groups, the importance levels of servers, and the tags that are added to servers on the Host page. This way, you can manage servers in different dimensions and use the features provided by Security Center with ease.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. On the Server tab of the Host page, manage server groups, importance levels, and tags.

    • Manage server groups

      You can add servers to server groups in advance. This way, when you use the features of Security Center, you can select servers that you want to protect by server group, which is efficient. The features include anti-ransomware, web tamper proofing, baseline check, and vulnerability scan.

      Click the Server tab. To the left of the server list, click Server Group in the Attribute section to manage server groups.

      • Edit or delete a server group

        Move the pointer over a server group and click the settings icon. In the Group dialog box, change the name of the server group, add servers to the server group, or remove servers from the server group.

        Move the pointer over a server group and click the delete icon. In the Note message, click Determine.

        Note

        You cannot delete the Default server group.

      • Change the server group for a server

        In the Server Group section, click the name of the server group to which a specified server belongs. In the list of servers that are added to the server group, find and select the server and click Group below the server list. In the Group dialog box, change the server group for the server based on your business requirements.

        • Move to Existing Group

          Select Move to Existing Group for Mode, select a new server group from the New group drop-down list, and then click Determine.

        • Create Group

          Select Create Group for Mode, enter a name for the new server group in the New group field, and then click Determine.

        Alternatively, you can find and select the server in the list of All Servers and click Group below the server list.

    • Manage the importance levels of servers

      The importance level that you specify for a server determines the asset importance score of the server. The asset importance score is used to calculate the score of the priority to fix a vulnerability. You can determine whether to preferentially fix a vulnerability based on the priority score of a vulnerability. We recommend that you set the Importance parameter of core servers to Important. The vulnerabilities of servers whose importance level is set to Important have higher priority scores.

      The following table describes the relationships between importance levels and asset importance scores. For more information about the priorities to fix vulnerabilities, see Priorities to fix vulnerabilities.

      | Importance level | Asset importance score | Description |
      | --- | --- | --- |
      | Important | 1.5 | Servers that are used in crucial business or used to store core business data. Virus intrusion into the servers adversely affects the system and causes major loss. |
      | Normal | 1 | Servers that are used in non-crucial business and are highly replaceable. Virus intrusion into the servers causes less impact on the system. |
      | Test | 0.5 | Servers that are used for functional or performance tests, or servers that can cause less impact on the system. |

      Click the Server tab. To the left of the server list, manage the importance levels of servers in the Importance section.

      • Specify an importance level for servers

        In the Importance section, click Manage. In the Asset Importance Management dialog box, configure the Importance parameter, select servers for which you want to specify the importance level, and then click Determine.

      • Manage the importance levels of servers

        In the Importance section, move the pointer over Important, Normal, or Test, and click the settings icon. In the Asset Importance Management dialog box, add servers for which you want to specify the importance level, or remove servers of the importance level. Then, click Determine.

      • Manage the importance level of a server

        In the server list, find the required server and click the tag icon in the Server information column. In the Add tag dialog box, configure the Asset Importance parameter and click Determine.

    • Manage the tags that are added to servers

      You can add custom tags to servers to identify their special attributes. This allows you to filter for servers that have the same attributes.

      Click the Server tab. To the left of the server list, manage the tags that are added to servers in the Tag section.

      • View the servers to which a tag is added

        In the Tag section, click the name of a tag to view the servers to which the tag is added.

      • Create a tag

        In the upper-right corner of the Tag section, click Manage. In the Tag dialog box, enter a name for the tag, select the servers to which you want to add the tag, and then click Determine.

      • Edit or delete a tag

        Move the pointer over the tag that you want to edit and click the settings icon. In the Tag dialog box, change the name of the tag, add the servers to which you want to add the tag, or remove the servers to which the tag is added. Then, click Determine.

        Move the pointer over the tag that you want to delete and click the delete icon. In the Note message, click Determine.

      • Manage the tags for a server

        In the server list, find the required server and click the tag icon in the Server information column. In the Add tag dialog box, configure the Please select a tag parameter and click Determine.

        Note

        You can add multiple tags to a server.

        In the server list, find the required server and click the delete icon in the Server information column. In the Note dialog box, click Determine.

Change the protection status of a server

After you install the Security Center agent on a server, Security Center automatically enables protection for the server. You can change the protection status of the server based on your business requirements.

After you install the Security Center agent on a server, the agent online icon is displayed in the Agent column for the server on the Host page. The icon indicates that the server is protected by Security Center. If the agent offline icon is displayed in the Agent column for a server, the Security Center agent installed on the server is offline. If the Security Center agent is offline, Security Center cannot protect the server on which the agent is installed. You must troubleshoot the issue at the earliest opportunity. For more information, see Troubleshoot why the Security Center agent is offline.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. On the Server tab of the Host page, manage the protection status of a server.

    • Disable protection

      Important

      After you disable protection for a server, Security Center no longer protects the server. For example, Security Center no longer detects vulnerabilities on the server or generates alerts for risks that are detected on the server. Proceed with caution.

      If you confirm that a server does not require protection from Security Center, you can disable protection for the server. To disable protection, select one or more servers for which the agent online icon is displayed in the Agent column, click More Operations, and then choose More Operations > Disable Protection below the server list.

      After protection is disabled, the agent online icon in the Agent column of the server is replaced by the agent offline icon, which indicates that the server is no longer protected by Security Center.

    • Enable protection

      Select one or more servers for which the agent offline icon is displayed in the Agent column, click More Operations, and then choose More Operations > Turn on protection below the server list.

      Note

      After you enable protection for the server, the agent offline icon may still be displayed in the Agent column of the server. This issue may be caused by the following reasons:

      • The Security Center agent is not installed on the server. You must install the Security Center agent on the server. After the Security Center agent is installed, Security Center automatically enables protection for the server. For more information about how to install the Security Center agent, see Install the Security Center agent.

      • The Security Center agent that is installed on the server is offline. You must troubleshoot the issue at the earliest opportunity. For more information, see Troubleshoot why the Security Center agent is offline.

Unbind a server not deployed on Alibaba Cloud from Security Center

Security Center can protect servers that are not deployed on Alibaba Cloud and have the Security Center agent installed. If you do not require protection for the servers, you can unbind the servers from Security Center.

If a server that is not deployed on Alibaba Cloud shuts down, the server is disconnected from Alibaba Cloud. If a server shuts down but still has unhandled vulnerabilities or alerts, you can unbind the server from Security Center in the asset list. This prevents the unhandled vulnerabilities and alerts from affecting the security score of your assets in Security Center. If you no longer want Security Center to protect the server, you can directly uninstall the Security Center agent. For more information, see Uninstall the Security Center agent.

Note
  • You can unbind only the servers that are not deployed on Alibaba Cloud from Security Center. If you use an Alibaba Cloud ECS instance, you do not need to unbind the ECS instance. If you uninstall the Security Center agent from an ECS instance, the ECS instance still exists as a disconnected server in the asset list of the Security Center console. The ECS instance is not removed from the asset list.

  • After you unbind a server that is not deployed on Alibaba Cloud from Security Center, the server no longer consumes the quota of protected servers or protected server vCPUs. This way, you can install the Security Center agent on other servers to meet your business requirements.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Assets > Host.

  3. On the Server tab of the Host page, select a server that you want to unbind from Security Center in the asset list and choose More Operations > Unbind below the list.

  4. In the Note message, click Determine.

After the server is unbound from Security Center, Security Center delivers a command to uninstall the Security Center agent from the server, removes the server from the asset list, and no longer protects the server.

If you directly uninstall the Security Center agent, all processes and files in the directory of the Security Center agent are deleted from the server. To protect the server by using Security Center later, you must reinstall the Security Center agent on the server. For more information, see Install the Security Center agent.