This topic answers frequently asked questions about the detection feature of Security Center.

How do I view the protection features that I have enabled?

Security Center provides an overview of the protection features that are on or off.

On the Alerts page of the Security Center console, you can view the protection features that are enabled and disabled.The Alerts page
By default, enabled protection features are not displayed. You can click The Hide/Show icon on the Alerts page to view the enabled protection features.Click the Hide/Show icon
By default, all supported protection features of the current Security Center edition are enabled, except the application whitelist and tamper protection features.
Note
  • To use them, you must upgrade Security Center to the Advanced or Enterprise edition. For more information about upgrading Security Center, see Renewal and upgrade.
  • The application whitelist and tamper protection are value-added services of Security Center. To use these services, you must purchase and activate them. To use tamper protection, you must upgrade Security Center to the Advanced or Enterprise edition. For more information about the application whitelist, see Application control. For more information about tamper protection, see Activate service.
  • Cloud threat detection is only supported and automatically enabled by the Enterprise edition of Security Center. To use cloud threat detection, you must upgrade Security Center to the Enterprise edition.

How do I know whether my assets contain mining programs?

If the CPU usage of a server increases significantly, for example, to 80% or higher, and an unknown process keeps transmitting packets, a mining program is running on the server.

After Security Center detects mining programs on protected assets, it alerts you through SMS messages or emails. You can log on to the Security Center console and go to the Detection > Alerts page to manage relevant alerts. Mining programs are related to other alert events, such as communication activities with mine pools and visiting malicious domains. We recommend that you also manage alerts related tomining programs. For more information about how to view and manage related alerts, see Automatic alert correlation analysis.

Alerts generated on mining programs

How does Security Center detect intrusions?

Among the attacks detected by Security Center, half of them are detected when Security Center scans your assets, and the other half are analyzed and verified by Alibaba Cloud security engineers based on your network traffic patterns.

Common intrusions include webshells and bot activities, such as DDoS and brute-force attacks.

What alerts can I add to the whitelist?

You can add the alerts generated on malicious processes to the whitelist. If you add a malicious process alert to the whitelist, only the malicious source is added to the whitelist. The following table describes the alert types that you can add to the whitelist.

Alert type Description
Malicious processes Adds the MD5 hash value to the whitelist.
Unusual logons Adds the source IP addresses to the whitelist.
Access to malicious IP addresses or communication activities with mine pools Adds the source IP addresses to the whitelist.
Visiting malicious domains Adds the source IP addresses to the whitelist.
Access or connection to malicious download sources Adds the source URLs to the whitelist.
WebShell Adds the web directory configurations to the whitelist.
Malicious scripts Adds the MD5 hash value and path to the whitelist.
Cloud threat detection You can configure whitelist rules in the Security Center console.
Unusual process activities Adds the command lines to the whitelist.
Persistent webshells Adds the MD5 hash and characteristic values to the whitelist.
Sensitive file tampering Adds the file path to the whitelist.
Application intrusion Adds the command lines to the whitelist.
Web application threats Adds the source URLs to the whitelist.
Unusual network connections Adds the command lines, target IP addresses, and target ports to the whitelist. If some fields are missing, only the existing fields are added to the whitelist.

How do I manage common alerts?

This section describes how to manage common alerts.
  • Manage an unusual process activity
    View the alert and check whether the process activity is a normal workload activity. If it is a normal workload activity, click Processing in the Actions column, and select Whitelist. If not, check and manage other relevant alerts. After the alerts are managed, click Processing in the Actions column, and select Ignore.An unusual process activitySolutions
  • Manage a webshell
    Check whether the source file is a normal workload file. If it is a normal workload file, click Processing and select Whitelist. If not, click Processing and select Isolation.WebshellsSolutions
  • Manage a malicious process
    We recommend that you use the anti-virus feature to terminate a malicious process and quarantine the source file. Alternatively, you can log on to the server and manually manage the malicious process. A malicious process may automatically delete itself, or disguise itself as a system process to pass detection. If no source file exists, check for an unusual process, a scheduled task, or a startup program.Manage a malicious processSolutions
  • Manage an abnormal data transmission
    If network connections are established by trusted workloads, click Processing and select Whitelist. If not, use Cloud Firewall or Web Application Firewall (WAF) to block requests based on the alert. After the alert is managed, select Ignore to add the event to the Handled list.Abnormal network connectionsSolutions

How do I enable protection against brute-force attacks?

The following procedure shows how to enable protection against brute-force attacks. For more information, see Add a defense rule against brute-force attacks.
  1. On the Security Risk page, click Process Now on the right side to go to the Settings > Anti-brute Force Cracking tab.The Security Risk page
  2. On the Anti-brute Force Cracking tab, place the pointer over the dimmed Add button. A message appears indicating that authorization is required. Follow the instructions to complete the authorization.Authorize
  3. After the authorization is complete, click Add to add a defense rule.Add a defense rule against brute-force attacks
  4. The following table describes the parameters.Parameters
    Parameter Description
    Defense Rule Name Specify a name for the defense rule.
    Defense Rule Set the defense rule parameters. If the number of times that an IP address fails to log on to the specified servers exceeds the upper limit (2,3, 4, 5, or 10 times) within the specified time period (1, 2, 5, 10, or 15 minutes), the IP address is blocked for a specified time period (5, 15, or 30 minutes, or 1, 2, 6, or 12 hours).

    For example, if the number of logon failures exceeds 3 times within 1 minute, the IP address is blocked for 30 minutes.

    Select Server Select the servers where you want to apply the defense rule. You can directly select servers that are added to Security Center, or search servers by name or IP address.
    Set As Default Policy Specify the defense rule as the default rule.
  5. Click OK.

What should I do if my server passwords are cracked?

If your server passwords have been cracked, the attacker may have intruded into your servers and implanted malicious programs. You can log on to the Security Center console, and go to the Detection > Alerts page to view whether your server passwords are cracked.

If your assets contain alerts such as ECS was successfully brute-forced, the passwords of relevant servers have been cracked. We recommend that you follow these steps to reinforce your assets security:
  • Handle relevant alerts

    Log on to the Security Center console, go to the Detection > Alerts page, and then click Processing in the Actions column. On the page that appears, select Block and click Process Now. Security Center generates defense rules for the security group to block access requests from malicious IP addresses. For more information, see View and handle alert events.

  • Reset server passwords

    Reset the cracked passwords at the earliest opportunity. We recommend that you use complex passwords.

  • Run baseline checks to detect risks
    Use the baseline check feature of Security Center to detect risks on your servers, and manage the detected risks based on the suggestions.
    Note Baseline check is only supported by the Enterprise edition.
  • Reset your servers and enhance the server security

    To enhance the server security, see How to deploy secure ECS instances.

Why do I still receive brute-force attack alerts after I change the default port of the SSH service?

After you change the default port of the Secure Shell (SSH) service on a Linux server from port 22 to another port, you may still receive brute-force attack alerts from Security Center.

Security Center identifies brute-force attacks based on the frequency of SSH logon attempts rather than the SSH port. Therefore, even if you have changed the default port of the SSH service, Security Center still sends you alerts triggered by brute-force attacks on the SSH service.

If your server passwords have been cracked by brute-force attacks, we recommend that you enhance the server security. For more information, see What should I do if my server passwords are cracked?.

Why are RDP brute-force attacks detected after RDP requests on port 3389 have already been blocked by security group rules or firewall rules?

Due to the special logon audit mechanism in Windows operating systems, the audit activities of logons based on Inter-Process Communication (IPC), Remote Desktop Protocol (RDP), and Samba are recorded in the same log without specifying the logon methods. If records of RDP brute-force attacks are found after the requests to the RDP service port have been blocked, check whether IPC or Samba is enabled.

Check whether the ECS instance has enabled port 135, port 139, or port 445 and whether these ports can be accessed by public IP addresses. Check whether the Window security logs contain logon records within the attack time period.

Does Security Center detect only weak passwords of RDP and SSH services?

Security Center detects weak passwords of RDP and SSH services and weak passwords that are used by administrators to log on to content management systems (CMS).

How do I handle an SSH or RDP remote logon failure?

If the current IP address cannot remotely log on to a cloud server through SSH or RDP, log on to the Alibaba Cloud Security Control console to add this IP address to the whitelist.

To add an IP address to the whitelist, follow these steps:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Settings. On the General tab, find the Security Control section, and click Configuration to go to the Security Control console.Go to the Security Control console
    Note Alternatively, place the pointer over the avatar in the upper-right corner of the Alibaba Cloud console, and select Security Console to go to the Security Control console.Go to the Security Control console
  3. In the Security Control console, choose Whitelist > Access Whitelist in the left-side navigation pane, and then click Add.
  4. Enter an IP address in the Source IP field, and select the servers to which logons from the IP address are allowed. Select one or more servers from the box on the left, and click the right arrow to add the selected servers to the Selected box on the right.Add an IP address
  5. Click OK after you complete the configurations.

Handle sensitive information leakage

GitHub is a global company that provides hosting for software development version control using Git. Though GitHub brings convenience to developers, it also causes a lot of security risks. The public code hosting library that developers use may leak source code, which leads to sensitive information leakage, such as accounts and passwords of database configuration files, AccessKey pair information, and email accounts and passwords.

When enterprises or individuals use GitHub, Gitee, or other platforms to manage source code, the source code contains or may contain the following sensitive information: Alibaba Cloud account AccessKey pair information, accounts and passwords of RDS databases, accounts and passwords of emails, or accounts and passwords of user-created databases based on Elastic Compute Service (ECS). If the preceding account information is leaked, attackers may use the information to access the Alibaba Cloud resources and data of enterprises or individual users.

After an enterprise uses ECS to create a cloud database, developers may write sensitive information in the database connection configuration file, such as the database connection password and email password. Attackers may obtain the leaked passwords from GitHub and steal the enterprise data. This may cause major security risks to the enterprise.

Solutions:
  • We recommend that you use a private GitHub code base or build an internal code management system to prevent source code or sensitive information leakage.
  • If you find sensitive information such as an Alibaba Cloud AccessKey pair is leaked, log on to the Alibaba Cloud console, disable and reset the leaked AccessKey pair, or delete it. In addition, delete the hosting code in GitHub at the earliest opportunity.
  • Regularly log on to the Log Service console to view the server access logs. Check whether data leakage has occurred. For example, open the web access log, and specify the URI field to locate the paths that contain files related to AccessKey pairs.
  • Set internal standards on security operations and management, and restricted development operations. Provide training for IT administrators to improve information security.