Security Center provides various features to protect your cloud assets and on-premises servers. These features include alert notifications, antivirus, webshell detection, client protection, and image security scanning. This topic describes how to configure these features.


Configure alert notifications

Security Center sends alert notifications by using internal messages, text messages, emails, and DingTalk chatbots. For more information, see Notifications.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click the Notifications tab.
  4. On the Notifications tab, specify the notification method (Notify By), time (Notify At), and the severity of security events (Severity) for Vulnerabilities, Baseline Risks, Alerts, AccessKey leakage info, Config Assessment, Emergency Vul Intelligence, and Anti-Tampering of web pages.
  5. Optional: Add a DingTalk chatbot.

    If you have installed DingTalk and created a DingTalk group, you can add a DingTalk chatbot to receive notifications from Security Center.
    Note You must create a DingTalk group before you can add a DingTalk chatbot. Before you create a DingTalk group, ensure that you have installed DingTalk.
    1. Find the DingTalk group to which you want to add a chatbot, and choose Group Settings > Group Assistant > Add Robot > Custom > Add in the upper-right corner.
    2. Configure the DingTalk chatbot.
      Note When you add the chatbot, select Custom Keywords in the Security Settings section, and enter Security Center in the Custom Keywords field. Do not select Additional Signature or IP Address.
    3. Copy the Webhook URL and click Finished.
    4. In the Security Center console, choose Settings > Notifications and click Add Chatbot in the DingTalk Chatbot Notification Settings section.
    5. On the Add DingTalk Chatbot page, set the following parameters. Each entry gives the description of the parameter followed by the configuration method.
      Chatbot Name: The chatbot name. We recommend that you enter an identifiable name.
      Webhook URL: The webhook URL of the chatbot. Find the webhook URL of the chatbot in the corresponding DingTalk group, copy the webhook URL, and then paste it in the Webhook URL field.
      Notice Keep the webhook URL confidential and do not disclose it on external websites. If the webhook URL is leaked, security risks may arise.
      Asset Groups: You can select one or more asset groups that are created on the Assets page. After you specify the asset groups, the DingTalk chatbot sends you alert notifications that are related to the assets in the asset groups. Select one or more asset groups from the drop-down list.
      Notify On: The types of alerts for which you want to receive notifications. Select the alert types from the drop-down list.
      Note Supported alert types include vulnerabilities, baseline risks, security alerts, and AccessKey pair leakage.
      Notification Interval: The time interval at which the DingTalk chatbot sends notifications. Valid values: 1 Minute, 5 Minutes, 10 Minutes, 30 Minutes, and No Limit. If you select No Limit, each alert notification is sent in real time. Select the time interval from the drop-down list.
      Note If you select No Limit, a webhook can send a maximum of 20 notifications in one minute.
      Language: The language of the notifications. Supported languages include English and Chinese. Select a language from the drop-down list.
    6. Click Add to complete the process.

      By default, the status of a newly created DingTalk chatbot is Enabled.

      Note
      • After you add the DingTalk chatbot, you can click Test in the Actions column to test whether the chatbot is associated with the DingTalk group.
      • You can Edit or Delete the DingTalk chatbot. If you delete the chatbot, you no longer receive notifications in the DingTalk group. However, you still receive notifications by the other methods that you specify, such as text messages, emails, or internal messages.

Configure proactive defense, webshell detection, and client protection

Security Center supports the antivirus, webshell detection, and client protection features. For more information, see Settings.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. Configure proactive defense.

    The anti-virus feature can automatically quarantine common Internet viruses, such as ransomware, DDoS Trojans, mining programs, Trojans, malicious programs, webshells, and computer worms. Alibaba Cloud security specialists test and verify all automatically quarantined viruses to keep the false positive rate to a minimum. For more information, see Cloud threat detection.

    1. On the General tab of the Settings page, turn on Anti-Virus, Anti-ransomware (Bait Capture), and Webshell Protection in the Proactive Defense section.
    2. Click Manage for Anti-Virus, Anti-ransomware (Bait Capture), or Webshell Protection.
    3. In the Proactive Defense-Anti-Virus, Proactive Defense-Anti-ransomware (Bait Capture), or Proactive Defense-Webshell Protection dialog box, select the servers for which you want to enable the feature.

      Select servers from the Detection Disabled list on the left side of the tab and click the right arrow to move them to the Detection Enabled list on the right side. The anti-virus feature is enabled for the servers in the Detection Enabled list. To disable the anti-virus feature for a server, move the server from the Detection Enabled list to the Detection Disabled list.

    4. Click OK.
    5. After you turn on these switches, Security Center automatically quarantines the mainstream viruses or abnormal connections that are detected. To view viruses that are detected and quarantined by proactive defense, go to the Alerts page and set the alert type to Precision defense.
  4. Configure webshell detection.

    Webshell detection periodically scans servers and web page directories for webshells and Trojans.

    1. In the Webshell Detection section, click Manage.
    2. Select the servers for which you want to enable webshell detection.

      Select servers from the Detection Disabled list on the left side of the tab and click the right arrow to move them to the Detection Enabled list on the right side. Webshell detection is enabled for the servers in the Detection Enabled list. To disable webshell detection for a server, move the server from the Detection Enabled list to the Detection Disabled list.

    3. Click OK.
  5. Configure client protection.
    After client protection is enabled, Security Center provides default security protection for the process files under the directory of the Security Center agent. In addition, Security Center blocks malicious activities that attempt to uninstall the Security Center agent. This prevents attackers who have intruded into a server from uninstalling the Security Center agent, and prevents other processes from terminating the agent by mistake. If the Security Center agent is uninstalled or terminated, Security Center can no longer protect your servers. We recommend that you enable client protection.
    Note To ensure the security of your servers, you cannot uninstall the Security Center agent in the Security Center console after you enable client protection. You must disable client protection before you can uninstall the Security Center agent. For more information about how to uninstall the Security Center agent, see Uninstall the Security Center agent.
    1. In the Client Protection section, turn on Defense Mode.
    2. Click Manage for Protection Scope.
    3. In the Client Protection dialog box, select the servers for which you want to enable client protection.
    4. Click OK.

Configure image security scanning

Only the Security Center Enterprise edition supports the image security scanning feature. If you use the Security Center Basic, Basic Anti-Virus, or Advanced edition, you must upgrade Security Center to the Enterprise edition to use the image security scanning feature.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. Optional: Click Authorize Now.
    If this is the first time you use the image security scanning feature, obtain the required permissions. If you have obtained permissions, skip this step.
  4. Optional: On the Image Security page, click Scan now.
    To view the results of the latest image security scan, perform this step. The scan requires about 1 minute. After the scan is complete, you can refresh the current page to view the results.
  5. On the Image System Vul, Image Application Vul, or Mirror Malicious Sample tab, view the scanned vulnerabilities or malicious samples.
    You can perform the following operations:
    • Search for specified vulnerabilities or malicious samples

      Select a vulnerability severity (high, medium, or low) or malicious sample severity (urgent, warning, or notice). In the search box, enter an instance ID, repository name, namespace, or digest to search for the specified vulnerability or malicious sample.

    • View the details of a vulnerability or malicious sample

      Click the name of a vulnerability or malicious sample to view its details. On the vulnerability details page, you can view the vulnerability ID, impact score, and vulnerability announcement. On the malicious sample details page, you can view the priority, MD5 value, last scan time, and first scan time. On these details pages, you can also view the list of affected images.

    • View the details of affected images

      Click the name of a vulnerability or malicious sample. On the vulnerability or malicious sample details page, find the image whose details you want to view and click Details in the Operation column. You can then view the details of the scanned vulnerability or malicious sample for that image.

Check cloud service configurations

The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual and automated checks to scan for configuration risks in cloud services.
  • Manual checks: On the Cloud Platform Configuration Assessment page, click Check Now to detect security risks in the configurations of your cloud services.
  • Automatic checks: By default, Security Center automatically runs configuration checks during 00:00:00 - 06:00:00 every two days. You can also customize a detection cycle to periodically check for security risks in the configurations of your cloud services. This helps you detect and handle configuration risks at the earliest opportunity.

Manual check

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Config Assessment.
  3. On the Cloud Platform Configuration Assessment page, click Check Now to detect security risks in the configurations of your cloud services. After you run a check, the number of affected assets appears on this page.
    Note Do not perform other operations until the check is complete.
    After the check is complete, the results are listed in descending order based on the severity of risks detected.

Automated check

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Config Assessment.
  3. In the upper-right corner of the Config Assessment page, click Settings.
  4. In the Settings dialog box, specify Detection Cycle and Detection Time.
    Parameters
    • Detection Cycle: Monday to Sunday. You can select multiple values.
    • Detection Time: 24:00 - 06:00, 06:00 - 12:00, 12:00 - 18:00, and 18:00 - 24:00. You can select one value.
  5. Click OK.
    During the selected period, Security Center automatically runs checks on all check items.

Perform security group checks

The security group check feature detects weak rules in Elastic Compute Service (ECS) security groups and provides solutions. This allows you to use the security group feature in a more secure and efficient way.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Security group check.
  3. Optional: On the Security Check page, click Obtain Latest Check Results.
    The check requires 1 to 5 minutes.
    Note The latest check results are obtained based on the static analysis of security group rules and may not cover all port risks. You can view complete check results about port exposure on the Internet Access page. For more information, see Internet access.
  4. In the Check Result Details section, view the details of the rules that are used to detect security risks.
    You can view the Risk Level, Check Item, Risky Security Groups/Servers, and Check Item Status of a rule.
    Note Each check item is enabled by default. If you want to disable a check item, click the status icon in the Check Item Status column. After the check item is disabled, Cloud Firewall does not check the security risks in the check item.
  5. Manage weak security group rules.
    1. Find the rule that you want to manage and click View Details in the Actions column.
      Alternatively, click the number in the Risky Security Groups/Servers column to go to the Details page.
    2. On the Details page, find the security group for which you want to fix an issue and click Fix Issue in the Actions column.
      Improper security group configurations may lead to security incidents. The Details page provides a Suggestion to manage the security group risk. You can manage the risk based on the Suggestion.
      If you are using Cloud Firewall Premium, Enterprise, or Ultimate edition, you are redirected to the Security Groups page. You must manage security group risks based on the Suggestion. For more information, see Modify security group rules. If you are using the Cloud Firewall Basic edition, you must perform substep 3.
    3. Optional:In the Cloud Firewall Premium Edition dialog box, click Upgrade Now or Fix Issue.
      You can use one of the following methods to manage security group risks:
      • Upgrade Now: You can purchase the Cloud Firewall Premium edition and use the security group check function. This function is provided by Cloud Firewall to manage security group risks. We recommend that you select this method. You can use Cloud Firewall to centrally manage security groups and access control policies of public IP addresses. This reduces asset exposure and improves the efficiency of security management.
      • Fix Issue: You can go to the Security Groups page to manually manage the risk. For more information, see Modify security group rules.

Configure defense rules against brute-force attacks

Security Center allows you to configure defense rules to protect your assets against brute-force attacks.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. Click Settings in the upper-right corner.
  4. In the Settings pane, click the Anti-brute Force Cracking tab.
  5. Optional: Complete authorization.
    1. In the Anti-brute Force Cracking section, move the pointer over Management and click Authorize.
    2. Click Confirm Authorization Policy.
    Note If this is the first time you configure a defense rule against brute-force attacks, obtain the required permissions. If you have obtained permissions, skip this step.
  6. Click Management to the right of Anti-brute Force Cracking.
  7. In the Add pane, configure a defense rule.

    Security Center provides the default defense rule Alibaba Cloud best practices against brute-force attacks. The default rule defines that if the number of failed logon attempts exceeds 80 within 10 minutes, the IP address is blocked for six hours. You can use the default rule and select servers to which the default rule applies. You can also configure a custom defense rule. The following table describes the parameters.

    Parameter: Description
    Defense Rule Name: The name of the defense rule.
    Defense Rule: Specifies the defense rule conditions, including the maximum number of failed logon attempts from a specific IP address and the time period during which requests from the IP address are blocked. The maximum number of failed logon attempts can be 2, 3, 4, 5, 10, 50, 80, or 100. The time period during which failed logon attempts are counted can be 1, 2, 5, 10, or 15 minutes. The time period for blocking the IP address can be 5 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 6 hours, 12 hours, 24 hours, or 7 days. If you select Permanent, Security Center does not block the IP address.

    For example, you can configure a custom rule that has the following conditions: If the number of failed logon attempts exceeds three within one minute, the specific IP address is blocked for 30 minutes.

    Select Server(s): The servers to which the defense rule applies. You can select servers from the server list, or filter servers by server name or server IP address.
    Set As Default Policy: Specifies whether to set the defense rule as the default rule. By default, servers that have no defense rule attached use the default defense rule.
    Note If you select Set As Default Policy, the defense rule takes effect on all the servers that have no defense rule attached, regardless of whether you select the servers in the Select Server(s) section.
  8. Click OK.
    Note You can configure only one defense rule for each server.
    • If a server has an existing defense rule, the Confirm Changes dialog box appears. Click OK.
    • If a server has no defense rule, the configuration of the current defense rule succeeds.
  9. On the IP Policy Library pane, view the IP blocking rules that Security Center automatically generates.
    After you configure a defense rule on the Anti-brute Force Cracking tab of the Settings pane, the rule triggers IP blocking, and Security Center generates an IP blocking rule. To view the IP blocking rules, perform the following steps:
    1. On the Alerts page, click the number under IP blocking / All.
      Click the number under IP blocking. You are redirected to the page of the enabled system built-in IP blocking policies. Click the number under All. You are redirected to the page of all IP blocking policies including those enabled and disabled.
    2. On the System Rules tab of the IP Policy Library pane, view the IP blocking rules that Security Center automatically generates.
      For more information, see Configure IP blocking policy.
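The counting and blocking behaviour that a defense rule describes (failed logons exceeding a threshold inside a time window, followed by a timed block of the source IP) can be replayed against a logon log to see which rule would fire and when. The following Python script is an added example and not Security Center code: the sshd-style log lines, the TEST-NET addresses and the rule names are constructed, and the sliding-window counting model is an assumption, since the page does not state how attempts are counted.

```python
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DefenseRule:
    """A defense rule: block a source IP once its failed logons inside `window` exceed `max_failures`."""
    name: str
    max_failures: int      # the rule fires when failures in the window EXCEED this number
    window: timedelta      # period over which failed logon attempts are counted
    block_for: timedelta   # how long the source IP address stays blocked


# The page's default rule and its custom example, expressed as data (the names are constructed).
DEFAULT_RULE = DefenseRule("Alibaba Cloud best practices", 80, timedelta(minutes=10), timedelta(hours=6))
CUSTOM_RULE = DefenseRule("custom: more than 3 in 1 minute", 3, timedelta(minutes=1), timedelta(minutes=30))


class BruteForceBlocker:
    """Per-IP sliding-window counter plus a table of active blocks (an assumed counting model)."""

    def __init__(self, rule: DefenseRule) -> None:
        self.rule = rule
        self._failures = {}        # ip -> deque of attempt times still inside the window
        self._blocked_until = {}   # ip -> datetime at which the block expires

    def is_blocked(self, ip: str, now: datetime) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:           # block expired: forget it so the IP starts clean
            del self._blocked_until[ip]
            return False
        return True

    def record_failed_logon(self, ip: str, at: datetime) -> str:
        """Register one failed logon. Returns "rejected" (IP already blocked),
        "blocked" (this attempt triggered a block) or "counted" (below the threshold)."""
        if self.is_blocked(ip, at):
            return "rejected"
        attempts = self._failures.setdefault(ip, deque())
        attempts.append(at)
        cutoff = at - self.rule.window
        while attempts and attempts[0] <= cutoff:   # drop attempts that fell out of the window
            attempts.popleft()
        if len(attempts) > self.rule.max_failures:
            self._blocked_until[ip] = at + self.rule.block_for
            attempts.clear()
            return "blocked"
        return "counted"


# Constructed sshd-style sample log; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
2024-05-01T00:00:01 sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-05-01T00:00:11 sshd[1202]: Failed password for root from 203.0.113.5 port 51236 ssh2
2024-05-01T00:00:15 sshd[1203]: Failed password for admin from 198.51.100.7 port 40001 ssh2
2024-05-01T00:00:21 sshd[1204]: Failed password for admin from 203.0.113.5 port 51240 ssh2
2024-05-01T00:00:30 sshd[1205]: Accepted publickey for deploy from 198.51.100.9 port 40100 ssh2
2024-05-01T00:00:31 sshd[1206]: Failed password for root from 203.0.113.5 port 51241 ssh2
2024-05-01T00:01:05 sshd[1207]: Failed password for admin from 198.51.100.7 port 40002 ssh2
2024-05-01T00:02:05 sshd[1208]: Failed password for admin from 198.51.100.7 port 40003 ssh2
2024-05-01T00:02:40 sshd[1209]: Failed password for root from 203.0.113.5 port 51250 ssh2
"""

_FAILED = re.compile(r"^(\S+) .*Failed password for \S+ from (\d+\.\d+\.\d+\.\d+)")


def apply_rule_to_log(log_text: str, rule: DefenseRule) -> dict:
    """Replay the failed logons in a log through one rule.

    Returns the blocks the rule would generate as (ip, blocked_at, blocked_until)
    ISO strings, plus how many attempts arrived while their source was already blocked."""
    blocker = BruteForceBlocker(rule)
    blocks, rejected = [], 0
    for line in log_text.splitlines():
        m = _FAILED.match(line)
        if not m:
            continue                                   # not a failed-logon record
        at, ip = datetime.fromisoformat(m.group(1)), m.group(2)
        status = blocker.record_failed_logon(ip, at)
        if status == "rejected":
            rejected += 1
        elif status == "blocked":
            blocks.append((ip, at.isoformat(), (at + rule.block_for).isoformat()))
    return {"rule": rule.name, "blocks": blocks, "rejected_while_blocked": rejected}


if __name__ == "__main__":
    for rule in (CUSTOM_RULE, DEFAULT_RULE):
        print(apply_rule_to_log(SAMPLE_LOG, rule))
```

Under the custom rule the fourth failure from 203.0.113.5 at 00:00:31 triggers a 30-minute block and the later attempt at 00:02:40 is rejected, while the three spread-out failures from 198.51.100.7 never exceed the threshold inside any one-minute window; the default rule fires on nothing in this small log.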

Configure web tamper proofing

The web tamper proofing feature allows you to monitor web directories in real time. This feature also allows you to restore tampered files or directories based on the backup files. This protects important website information from being tampered with. Before you use this feature, you must purchase licenses. For more information, see Enable tamper protection.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Tamper Protection.
  3. On the Tamper Protection page, click the Management tab.
  4. On the Tamper Protection page, click Add Server to enable tamper protection for a server.
  5. On the Add Servers for Protection page that appears, select the server that needs to be protected.
    Note If no license is available, you cannot enable tamper protection for a server. If a server does not require protection, you can turn off the Protection switch. After tamper protection is disabled for the server, the license consumed by this server is released. You can use the released license to enable tamper protection for another server.
  6. Click Next to go to the Add Directory tab.
  7. On the Add Directory tab, set the following parameters:
    Select the protection mode. You can select the Whitelist Mode or Blacklist Mode. In whitelist mode, tamper protection is enabled for the specified directories and file formats. In blacklist mode, tamper protection is enabled for the sub-directories, file formats, and files that are not specified. By default, the whitelist mode is selected.
    • In whitelist mode, set the following parameters:
      Parameter: Description
      Protected Directory: Enter the path of the directory to be protected.
      Note Servers that run Linux and Windows operating systems use different path formats. Enter the correct directory path based on your operating system.
      Protected File Formats: Select the file formats from the drop-down list, such as JS, HTML, XML, and JPG.
      Local Backup Directory: Displays the default path where backup files of the protected directories are stored.

      By default, Security Center assigns /usr/local/aegis/bak as the backup path for servers that run Linux and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows. You can change the default path as needed.

    • In blacklist mode, set the following parameters:
      Parameter: Description
      Protected Directory: Enter the path of the directory to be protected.
      Excluded Sub-Directories: Enter the path of the sub-directory that does not require tamper protection. You can click Add Sub-Directory to add multiple sub-directories. The files under the excluded sub-directories are not protected by Security Center.
      Excluded File Formats: Select the formats of files that do not require tamper protection. You can select from log, txt, and ldb. Files of the specified formats are not protected by Security Center.
      Excluded Files: Enter the path of the file that does not require tamper protection. You can click Add File to add multiple files. The specified files are not protected by Security Center.
      Local Backup Directory: Displays the default path where backup files of the protected directories are stored.

      By default, Security Center assigns /usr/local/aegis/bak as the backup path for servers that run Linux and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows. You can change the default path as needed.

  8. Click Enable Protection.
    After you enable tamper protection for a server, it is displayed in the server list on the Tamper Protection page.
    Note By default, tamper protection is Disabled for newly added servers. To enable tamper protection, you must turn on the switch on the Tamper Protection page for the server.
  9. In the server list of the Tamper Protection page, turn on the Protection switch to enable tamper protection for the server.
    If this is your first time enabling tamper protection for a server, the protection state changes to Initializing and a progress bar appears. It may take a few seconds to enable tamper protection. After tamper protection is enabled, the protection state changes to Running.
    If the protection state of a server is Exception, move the pointer over Exception in the Protection column. A message that indicates the causes appears. Click Retry in the message. For more information, see Handle protection service exceptions.
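The whitelist and blacklist modes on the Add Directory tab decide, file by file, whether tamper protection applies: in whitelist mode only the listed file formats under the protected directory are covered, in blacklist mode everything under it is covered except the excluded sub-directories, formats and files. The following Python model is an added example and not Security Center code; the sample policies and file paths are constructed, and the mirrored layout beneath the default backup directory is an assumption, since the page does not describe how backup files are laid out.

```python
from dataclasses import dataclass
from pathlib import PurePath, PurePosixPath, PureWindowsPath

# Default backup locations named on the page; the mirrored layout beneath them is an assumption.
DEFAULT_BACKUP_DIR = {
    "linux": "/usr/local/aegis/bak",
    "windows": r"C:\Program Files (x86)\Alibaba\Aegis\bak",
}


@dataclass(frozen=True)
class TamperPolicy:
    """One protected directory with whitelist or blacklist semantics, as on the Add Directory tab."""
    mode: str                                   # "whitelist" or "blacklist"
    protected_dir: str                          # absolute path of the protected directory
    os_name: str = "linux"                      # "linux" or "windows": selects the path flavour
    file_formats: frozenset = frozenset()       # whitelist: only these extensions are protected
    excluded_subdirs: tuple = ()                # blacklist: subtrees left unprotected
    excluded_formats: frozenset = frozenset()   # blacklist: extensions left unprotected
    excluded_files: tuple = ()                  # blacklist: individual files left unprotected
    backup_dir: str = ""                        # empty means the page's default for the OS

    def _flavour(self):
        return PureWindowsPath if self.os_name == "windows" else PurePosixPath

    @property
    def root(self) -> PurePath:
        root = self._flavour()(self.protected_dir)
        if not root.is_absolute():
            raise ValueError("protected_dir must be an absolute path")
        return root

    def _path(self, raw: str) -> PurePath:
        # Entries given relative to the protected directory are resolved beneath it.
        p = self._flavour()(raw)
        return p if p.is_absolute() else self.root / p

    @staticmethod
    def _under(path: PurePath, directory: PurePath) -> bool:
        try:
            path.relative_to(directory)
            return True
        except ValueError:
            return False

    def is_protected(self, file_path: str) -> bool:
        """True if a change to this file would be detected and reverted under the policy."""
        path = self._path(file_path)
        if not self._under(path, self.root):
            return False                        # outside the protected directory entirely
        ext = path.suffix.lstrip(".").lower()
        if self.mode == "whitelist":
            return ext in {f.lower() for f in self.file_formats}
        if self.mode != "blacklist":
            raise ValueError(f"unknown mode {self.mode!r}")
        # Blacklist: everything under the directory unless explicitly excluded.
        if any(self._under(path, self._path(d)) for d in self.excluded_subdirs):
            return False
        if ext in {f.lower() for f in self.excluded_formats}:
            return False
        if any(path == self._path(f) for f in self.excluded_files):
            return False
        return True

    def backup_location(self, file_path: str) -> str:
        """Where the pre-tamper copy of a protected file would sit (assumed mirrored layout)."""
        if not self.is_protected(file_path):
            raise ValueError(f"{file_path} is not covered by this policy")
        backup_root = self._path(self.backup_dir or DEFAULT_BACKUP_DIR[self.os_name])
        return str(backup_root / self._path(file_path).relative_to(self.root))


# Constructed sample policies: a Linux web root in blacklist mode, a Windows one in whitelist mode.
LINUX_BLACKLIST = TamperPolicy(
    "blacklist", "/var/www/html",
    excluded_subdirs=("cache",),                # relative entry, resolved beneath the web root
    excluded_formats=frozenset({"log", "txt"}),
    excluded_files=("/var/www/html/uploads/notes.md",),
)
WINDOWS_WHITELIST = TamperPolicy(
    "whitelist", r"C:\inetpub\wwwroot", os_name="windows",
    file_formats=frozenset({"js", "html", "xml", "jpg"}),
)


if __name__ == "__main__":
    for policy, candidate in ((LINUX_BLACKLIST, "/var/www/html/cache/page.html"),
                              (LINUX_BLACKLIST, "/var/www/html/index.html"),
                              (WINDOWS_WHITELIST, r"C:\inetpub\wwwroot\site\app.js")):
        print(policy.mode, candidate, "protected" if policy.is_protected(candidate) else "not protected")
```

Both path flavours are pure path objects, so the Windows policy can be evaluated on a Linux host and vice versa, which matches the page's note that the two operating systems use different path formats.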

Configure anti-ransomware

Security Center provides the protection, alerting, and data backup features to prevent ransomware from compromising your core servers. Before you use this feature, you must purchase a specific amount of anti-ransomware capacity. For more information, see Enable the anti-ransomware feature.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-Virus.
  3. On the Anti-Virus page, click Add anti-ransomware policies.
  4. On the General Anti-ransomware Solutions page, click Authorize Now.
  5. On the General Anti-ransomware Solutions page, click Create Policies.
    You can also click the number under Unprotected Server(s) to go to the Create Policies pane.
  6. In the Create Policies pane, configure the parameters.
    The following table describes the parameters.
    Parameter: Description
    Policy Name: The name of the protection policy.
    Select Assets: Select asset groups or select assets from asset groups. To select the assets to which you want to apply the protection policy, perform the following steps:
    • In the Asset Group section, select an asset group. The system automatically selects all assets in the group. You can clear assets that no longer require protection in the Assets section.
    • You can also enter an asset name in the search box in the Assets section to search for the specific asset. Fuzzy match is supported.
    Note
    • To ensure that the anti-ransomware protection capacity is effectively utilized, you can apply only one protection policy to each ECS instance. You can add a maximum of 100 ECS instances to each protection policy.
    • The anti-virus feature supports data backup for only Alibaba Cloud Elastic Compute Service (ECS) instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies for only your ECS instances.
    • The anti-ransomware data backup function is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou-Beijing Winter Olympics), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai). This function is not supported in other regions. You can select only ECS instances that reside in the supported regions.
    Protection Policies: Valid values:
    • Recommendation Policy
      If you select Recommendation Policy, the following parameter settings are used by default:
      • Protected Directories: All Directories (excluding system directories)
      • Protected File Types: All File Types
      • Start Time: a point in time within the range of 00:00:00 to 03:00:00
      • Backup policy execution interval: One Day
      • Backup data retention period: Seven Days
      • Backup Network Bandwidth Limit(MByte/s): 5 MB/s
    • Custom policy

      If you select Custom policy, you must configure the parameters, including Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and Backup Network Bandwidth Limit(MByte/s).

    Protected Directories: The directories that you want to protect. Valid values:
    • Specified directory: Specify one or more directories that you want to protect. Enter the addresses of the specified directories in the Directory address field.
    • All directories: All directories of the specified assets are protected. You must specify Whether to exclude system directories.
      Note If you select All directories, we recommend that you select Excluded for Whether to exclude system directories. This allows you to prevent system conflicts.
    Whether to exclude system directories: Select Excluded or Not Excluded. If you select Excluded, the following directories in Windows and Linux operating systems are excluded:
    • Windows:
      • Windows\
      • python27\
      • Program Files (x86)\
      • Program Files\
      • ProgramData\
      • Boot\
      • $RECYCLE.BIN\
      • System Volume Information\
      • Users\Administrator\NTUSER.DAT
      • pagefile.sys
    • Linux:
      • /bin/
      • /usr/bin/
      • /sbin/
      • /boot/
      • /proc/
      • /sys/
      • /srv/
      • /lib/
      • /selinux/
      • /usr/sbin/
      • /run/
      • /lib32/
      • /lib64/
      • /lost+found/
    Directory address: The address of the directory that you want to protect. If you want to protect more than one directory, click Add to add more directory addresses. If you want to delete an existing directory address, click Delete.
    Note
    • You must set this parameter only if you select Specified directory for Protected Directories.
    • Security Center starts a data backup task for each directory. Security Center allows multiple data backup tasks to run at the same time. These tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your business requirements.
    Protected File Types: The file types that you want to protect. Valid values:
    • Specify file type: Specify the file types that you want to protect. You must select a file type from the Select file type drop-down list.
    • All File Types: All file types are protected.
    Select file type: Valid values:
    • Document
    • Picture
    • Compressed
    • Database
    • Audio and video
    • Script code
    Note
    • You must set this parameter only if you select Specify file type for Protected File Types.
    • You can select more than one file type. Security Center protects only the files of the selected file types.
    Start Time: The time when you want to start a data backup task. Data backup may consume a small amount of CPU and memory resources. We recommend that you set this parameter to a point in time during off-peak hours, such as 00:00:00.
    Note After a protection policy is created, a large amount of CPU and memory resources are consumed when you back up all data in the protected directories for the first time. To avoid interruptions to your business, we recommend that you back up your data during off-peak hours.
    Backup policy execution interval: The time interval between two data backup tasks. Default value: 1 Day. Valid values:
    • Half a day
    • One Day
    • Three days
    • Seven Days
    Backup data retention period: The retention period of backup data. Default value: 7 Days. Valid values:
    • 7 Days
    • 30 days
    • Half a year
    • One year
    • Permanent
    Backup Network Bandwidth Limit(MByte/s): The maximum bandwidth that can be consumed by a data backup task. Value range: 1 MB/s to unlimited.
    Note We recommend that you set an appropriate bandwidth limit based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures business stability.
  7. Click OK.
    After you create and enable a protection policy, Security Center installs the anti-ransomware client on your ECS instance. Then, Security Center backs up the data in the protected directories of your ECS instance based on the backup settings that you specified in the protection policy.
  8. Enable a protection policy in the policy list.

    After you create a protection policy, you must enable it in the policy list. Then, Security Center backs up files based on the file directories that you specify in the policy.
