Security Center allows you to configure IP blocking policies to defend against brute-force attacks. This topic describes how to create, edit, enable, and disable IP blocking policies.

Background information

Security Center offers two types of IP blocking policies: the built-in default policies (system rules) and the custom policies (custom rules).

  • System Rules: On the Alerts > Anti-brute Force Cracking page, you can add a defense rule. After the defense rule is set, the corresponding IP blocking policy automatically takes effect. System rules are enabled automatically. The number of logon failures within a specified period of time defines the condition that triggers IP blocking for a system rule. The value of the Disable Logon parameter specifies the valid period of a system rule. For more information, see Configure security alerts.
  • Custom Rules: On the IP Policy Library > Custom Rules page, you can create a new IP blocking policy. You can customize IP blocking policies to block malicious IP addresses from accessing your assets on the cloud. A custom rule specifies the IP address to block and the servers that the malicious IP address accesses. Custom rules are disabled by default. You must enable them manually. For more information, see Enable or disable IP blocking policy.
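
The following added example (not Security Center code) models the system-rule behaviour described above: a number of logon failures within a period triggers a block that lasts for the Disable Logon duration. The class name, the threshold values, and the events are constructed for illustration, and a successful logon is assumed not to reset the failure count.

```python
from collections import defaultdict, deque

class SystemRule:
    """Toy model of a system rule: `max_failures` failed logons from one IP
    within `window_s` seconds trigger a block lasting `disable_logon_s`."""

    def __init__(self, max_failures, window_s, disable_logon_s):
        self.max_failures = max_failures
        self.window_s = window_s
        self.disable_logon_s = disable_logon_s
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> time at which the block lapses

    def is_blocked(self, ip, now):
        return self.blocked_until.get(ip, 0) > now

    def observe(self, ts, ip, success):
        """Process one logon event and return the rule's verdict for it."""
        if self.is_blocked(ip, ts):
            return "blocked"  # refused even if the password is correct
        if success:
            return "allowed"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window_s:
            recent.popleft()  # drop failures that fell outside the window
        if len(recent) >= self.max_failures:
            self.blocked_until[ip] = ts + self.disable_logon_s
            recent.clear()
            return "block-triggered"
        return "allowed"

# Constructed events: (seconds, source IP, logon succeeded?)
EVENTS = [
    (0, "203.0.113.7", False), (10, "203.0.113.7", False),
    (20, "198.51.100.4", False), (30, "203.0.113.7", False),
    (40, "203.0.113.7", False), (100, "198.51.100.4", False),
    (200, "198.51.100.4", False), (329, "203.0.113.7", True),
    (330, "203.0.113.7", False),
]

def replay(rule, events):
    return [(ts, ip, rule.observe(ts, ip, ok)) for ts, ip, ok in events]

if __name__ == "__main__":
    rule = SystemRule(max_failures=3, window_s=60, disable_logon_s=300)  # assumed values
    for row in replay(rule, EVENTS):
        print(*row)
```

In this replay, 198.51.100.4 fails three times but never within one 60-second window, so it is not blocked, while 203.0.113.7 is refused until its block lapses at second 330.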

Create a custom rule

If brute-force attack protection does not block access from malicious IP addresses to your servers, you can create a custom rule to block the IP addresses.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click the number under IP blocking/All.
    Click the number under IP blocking. You are redirected to the page of the enabled system built-in IP blocking policies. Click the number under All. You are redirected to the page of all IP blocking policies including those enabled and disabled.
  4. Click Custom Rules.
  5. Optional: Authorization is required to create an IP blocking policy for the first time. Move the pointer over Create Policy and click Authorize Now.
  6. Optional: On the RAM authorization page, click Agree to Authorize and you are redirected to the IP Policy Library > Custom Rules page.
  7. On the Custom Rules tab, click Create Policy.
  8. On the New IP Blocking Policy dialog box, configure the required parameters.
    You can configure the parameters on the New IP Blocking Policy page according to the following table.

    | Parameter | Description |
    | --- | --- |
    | Interception Object | Specifies the IP address to be blocked. |
    | All Assets | Specifies the server to which the IP blocking policy is applied. Multiple servers are supported. You can enter the server name or server IP address in the search box to search for a specific server. Note: Only Alibaba Cloud Elastic Compute Service (ECS) instances are supported. |
    | Rule Direction | Specifies the direction of the blocked traffic. Valid values: Inbound and Outbound. |
    | Security Group | Specifies the security group that is associated with the IP blocking policy. Default value: Cloud Security Center Block Group. When an IP blocking policy is enabled, the corresponding rule for the security group is automatically created. If the IP blocking policy expires or is disabled, the rule for the security group is deleted automatically. |
    | Expire Date | Specifies the valid period of an IP blocking policy. When an IP blocking policy expires, the status of the policy changes to Disabled. |

  9. Click Submit.
    The newly created IP blocking policy is disabled by default. You need to manually enable the policy. For more information, see Enable or disable IP blocking policy.

Enable or disable IP blocking policy

Depending on your scenario, you can enable or disable specific anti-brute force rules to block potentially malicious IP addresses. If normal traffic is blocked, you can disable the policy. After you disable the policy, Security Center no longer blocks requests from the IP addresses that are blocked by this policy.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click the number under IP blocking/All.
    Click the number under IP blocking. You are redirected to the page of the enabled system built-in IP blocking policies. Click the number under All. You are redirected to the page of all IP blocking policies including those enabled and disabled.
  4. On the IP Policy Library page, you can enable or disable an IP blocking policy.
    If you want to enable or disable custom IP blocking policies, click Custom Rules.
    • Enable: Turn on Policy Status, and in the Enable IP Interception Policy dialog box, click Confirm. The IP blocking policy takes effect and the status changes to Enabled. Security Center blocks the malicious traffic according to the IP blocking policies.
      Note: If you enable an expired custom IP blocking policy, the valid period of the policy is changed to two hours after the activation time. If you need to modify the valid period of the policy, we recommend that you modify the policy before enabling it. For more information, see Edit IP blocking policy.
    • Disable: Turn off Policy Status, and in the Disable IP Interception Policy dialog box, click Confirm. After it is disabled, the IP blocking policy becomes invalid and the status changes to Disabled. Security Center no longer blocks the access from the specified IP addresses.

Edit IP blocking policy

You can only edit custom IP blocking policies. You cannot edit built-in IP blocking policies.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click the number under IP blocking/All.
    Click the number under IP blocking. You are redirected to the page of the enabled system built-in IP blocking policies. Click the number under All. You are redirected to the page of all IP blocking policies including those enabled and disabled.
  4. Click Custom Rules.
  5. Select the IP blocking policy that you want to edit and click Edit in the Actions column.
    Notice: You can only edit a disabled IP blocking policy. If you want to edit an enabled IP blocking policy, you can disable it first and edit it.
  6. On the Edit IP Blocking Policy page, you can modify the effective assets and expiration time of the policy.
  7. Click OK.