You can configure blocking policies based on IP addresses to defend against brute-force attacks. This topic describes how to enable and disable blocking policies based on IP addresses, and how to create and edit custom blocking policies based on IP addresses. The blocking policies based on IP addresses are referred to as policies for short.

Background information

Security Center offers two types of policies: system policies and custom policies.

  • System policies: If you configure a defense rule, and the rule is triggered to block specific IP addresses, Security Center automatically creates a system policy. To configure a defense rule, you can perform the following steps: In the left-side navigation pane, click Alerts. On the page that appears, click Settings in the upper-right corner. In the panel that appears, click the brute-force attacks protection tab. Find the Anti-brute Force Cracking section and click Management. In the brute-force attacks protection panel, create a defense rule. System policies are enabled by default. If the number of logon failures exceeds the value of the Failure Exceeds parameter that you configured for the defense rule, Security Center creates a system policy. The system policy blocks specific IP addresses. The value of the Disable logon parameter determines the validity period of the system policy. For more information, see Configure security alerts.
  • Custom policies: If you want to create a custom policy, click Alerts in the left-side navigation pane. On the page that appears, click the number under IP blocking/All. In the IP Policy Library panel, click the Custom Rules tab and then click New Virus File Interception Features Released. In the New IP Blocking Policy panel, create a custom policy. You can create custom policies to prevent malicious IP addresses from accessing assets in the cloud. You can create custom policies to block the IP addresses and the servers that the malicious IP addresses access. Custom policies are disabled by default. You must manually enable a custom policy based on your business requirements. For more information, see Enable or disable a policy.

Create a custom policy

If brute-force attack protection does not block access from malicious IP addresses to your servers, you can create a custom policy to block the IP addresses.
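
One way to pick the addresses for a custom policy's Intercepted object field, as an added example that is not part of the original documentation and not Security Center's own logic: it applies the threshold idea described above for system policies to sshd log lines. The window length, the parameter values, the allowlist argument and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address

# Assumed stand-ins for the defense rule's "Failure Exceeds" and "Disable logon"
# parameters; the counting window is an assumption of this example.
FAILURE_EXCEEDS = 3
WINDOW = timedelta(minutes=1)
DISABLE_LOGON = timedelta(hours=6)

FAILED = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?\S+ from (?P<ip>\S+) port \d+")

# Constructed sample lines (ISO-timestamp syslog format, documentation IP ranges).
SAMPLE_LOG = """\
2024-03-03T10:15:01+00:00 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40112 ssh2
2024-03-03T10:15:05+00:00 web1 sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 40113 ssh2
2024-03-03T10:15:09+00:00 web1 sshd[813]: Failed password for root from 203.0.113.7 port 40114 ssh2
2024-03-03T10:15:14+00:00 web1 sshd[814]: Failed password for invalid user test from 203.0.113.7 port 40115 ssh2
2024-03-03T10:16:00+00:00 web1 sshd[815]: Failed password for deploy from 198.51.100.20 port 50210 ssh2
2024-03-03T10:20:00+00:00 web1 sshd[816]: Failed password for deploy from 198.51.100.20 port 50211 ssh2
2024-03-03T10:25:00+00:00 web1 sshd[817]: Failed password for deploy from 198.51.100.20 port 50212 ssh2
2024-03-03T10:30:00+00:00 web1 sshd[818]: Failed password for deploy from 198.51.100.20 port 50213 ssh2
"""

def block_candidates(log_text, allowlist=()):
    """Return {ip: blocked_until} for sources whose failures exceed the threshold."""
    allowed = {ip_address(a) for a in allowlist}
    recent = defaultdict(deque)  # ip -> failure timestamps still inside WINDOW
    blocked = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field: never propose it for blocking
        if ip in allowed or str(ip) in blocked:
            continue  # skip trusted sources and sources already flagged
        ts = datetime.fromisoformat(m["ts"])
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop failures that fell out of the window
            q.popleft()
        if len(q) > FAILURE_EXCEEDS:
            blocked[str(ip)] = ts + DISABLE_LOGON
    return blocked
```

The slow source 198.51.100.20 also has four failures but never more than one per window, so only 203.0.113.7 is returned; passing known administrative addresses in `allowlist` keeps them out of the result.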

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click the number under IP blocking/All.
    If you click the number under IP blocking, you are redirected to the page that contains enabled system policies. If you click the number under All, you are redirected to the page that contains both enabled and disabled system rules.
  4. Click the Custom Rules tab.
  5. Optional:
  6. Optional: On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. The Custom Rules tab of the IP Policy Library panel appears.
  7. On the Custom Rules tab, click New Virus File Interception Features Released.
  8. In the New IP Blocking Policy panel, configure the parameters.
    The following table describes the parameters in the New IP Blocking Policy panel.
    Parameter | Description
    Intercepted object | The IP address that you want to block.
    All Assets | The servers on which you want to apply the policy. You can select more than one server. You can also enter the server name or server IP address in the search box to search for the server. Note: Only Alibaba Cloud Elastic Compute Service (ECS) instances are supported.
    Rule Direction | The direction of the traffic that you want to block. Valid values: Inbound and Outbound.
    Security Group | The security group that is associated with the IP address blocking policy. Default value: Cloud Security Center Block Group. When a policy is enabled, a blocking rule is automatically created in the security group. If the policy expires or is disabled, the rule in the security group is automatically deleted.
    Expire Date | The validity period of the policy. When the policy expires, the status of the policy changes to Disabled.
  9. Click OK.
    The policy is disabled by default. You must manually enable the policy. For more information, see Enable or disable a policy.

Enable or disable a policy

Depending on your scenario, you can enable specific policies to block malicious IP addresses. If normal traffic is blocked, you can disable the policy. After you disable the policy, Security Center no longer blocks the requests from the IP addresses that are specified in this policy.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click the number under IP blocking/All.
    If you click the number under IP blocking, you are redirected to the page that contains enabled system policies. If you click the number under All, you are redirected to the page that contains both enabled and disabled system rules.
  4. Enable or disable a policy in the IP Policy Library panel.
    If you want to enable or disable a custom policy, click Custom Rules.
    • Enable: Turn on Policy Status. In the Enable IP Policies message, click OK. Then, the IP address blocking policy takes effect, and the status of the policy changes to Enabled. Security Center blocks requests from the malicious IP addresses specified in the policy.
      Note: If you enable a custom policy that has already expired, the policy is valid for two hours from the time you enable it. We recommend that you modify the validity period of the policy before you enable the policy. For more information, see Edit a policy.
    • Disable: Turn off Policy Status. In the Disable IP Policies message, click OK. After a policy is disabled, the policy becomes invalid, and the status of the policy changes to Disabled. Security Center no longer blocks requests from the IP addresses specified in the policy.

Edit a policy

You can edit only a custom policy.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. On the Alerts page, click the number under IP blocking/All.
    If you click the number under IP blocking, you are redirected to the page that contains enabled system policies. If you click the number under All, you are redirected to the page that contains both enabled and disabled system rules.
  4. Click the Custom Rules tab.
  5. Find the policy that you want to edit and click Edit in the Actions column.
    Notice: You can edit only a policy that is in the Disabled state. If you want to edit a policy that is in the Enabled state, you must disable the policy first.
  6. In the Edit IP Blocking Policy panel, modify the assets to which the policy applies and the expiration time of the policy.
  7. Click OK.