Security Center provides various features to protect your cloud assets and on-premises servers. These features include alert notifications, antivirus, webshell detection, client protection, and container image scan. This topic describes how to configure these features.

Background information

The following sections are arranged in the order in which users typically read them.

Alert notifications

If Security Center detects exceptions in your assets, it sends alerts based on the severity levels, notification periods, and notification methods that you specify. This allows you to monitor the security of your assets in real time. The notification methods include text messages, emails, internal messages, and DingTalk chatbots. For more information, see Use the notification feature.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings. On the page that appears, click the Notifications tab. Then, select the notification periods, notification methods, and severity levels for the notification items on which Security Center sends alerts.

    Notification items refer to the threat events and security risks that Security Center detects in your assets. By default, Security Center provides the following notification items: Vulnerabilities, Baseline Risks, Alerts, AccessKey leakage info, Config Assessment, Emergency Vul Intelligence, and Anti-Tampering of web pages.

Proactive defense, webshell detection, and client protection

If you want to enable the proactive defense, webshell detection, or client protection feature, go to the Settings page and select the servers for which you want to enable the features.
Note If you do not turn on the switches in the Proactive Defense section, Security Center only detects related threats but does not automatically process detected common viruses or malicious network behavior.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings. On the page that appears, turn on or turn off the switches in the Proactive Defense section.
    Click Manage for Anti-Virus, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention to select the servers for which you want to turn on the switches.
    After you enable the proactive defense feature, Security Center automatically quarantines the common viruses or abnormal connections that it detects. If you want to view the quarantined viruses and connections, you can go to the Alerts page and filter security events by using the Precise Defense type.
  3. Enable the webshell detection feature.
    In the Webshell Detection section, click Manage to select the servers for which you want to enable the webshell detection feature.
  4. Enable the client protection feature.
    In the Client Protection section, turn on Defense Mode and click Manage to select the servers for which you want to enable the client protection feature.
Note For more information, see Overview.

Container image scan

The container image scan feature is in public preview. Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. Optional: Click Authorize Now.
    If this is the first time you use the container image scan feature, you must obtain the required permissions.
  4. On the Image Security page, click Scan Now.
    Security Center takes about one minute to perform the scan. After the scan is complete, you can refresh the page to view the scan results.
  5. Open the Image System Vul, Image Application Vul, or Mirror Malicious Sample tab to view the detected vulnerabilities or malicious samples.
    You can perform the following operations:
    • Search for specific vulnerabilities or malicious samples

      Select a vulnerability severity (high, medium, or low) or a malicious sample severity (urgent, warning, or notice). Alternatively, enter an instance ID, repository name, namespace, or digest to search for a specific vulnerability or malicious sample.

    • View the details of a vulnerability or a malicious sample

      Click the name of a vulnerability or a malicious sample to view its details. On the vulnerability details page, you can view the vulnerability ID, impact score, and vulnerability announcement. On the malicious sample details page, you can view the priority, MD5 value, last scan time, and first scan time. On these details pages, you can also view a list of affected images.

    • View the details of affected images

      Click the name of a vulnerability or a malicious sample. On the vulnerability or malicious sample details page, find the image whose details you want to view and click Details in the Operation column. Then, you can view the details of the detected vulnerability or malicious sample.

Configuration assessment

The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual and automated checks.
  • Manual checks: On the Cloud Platform Configuration Assessment page, click Check Now to detect security risks in the configurations of your cloud services.
  • Automatic checks: By default, Security Center automatically runs configuration checks during 00:00:00 - 06:00:00 every two days. You can also customize a detection cycle to periodically check for security risks in the configurations of your cloud services. This helps you detect and handle configuration risks at the earliest opportunity.

Manual check

  1. Log on to the Security Center console.
  2. On the Cloud Platform Configuration Assessment page, click Check Now to detect security risks in the configurations of your cloud services. After you run a check, the number of affected assets appears on this page.
    Note Do not perform other operations until the check is complete.
    After the check is complete, the results are listed in descending order based on the severity of risks detected.

Automated check

  1. Log on to the Security Center console.
  2. In the upper-right corner of the Cloud Platform Configuration Assessment page, click Settings.
  3. In the Settings dialog box, specify Detection Cycle and Detection Time.
    Parameters
    • Detection Cycle: Monday to Sunday. You can select multiple values.
    • Detection Time: 24:00 - 06:00, 06:00 - 12:00, 12:00 - 18:00, and 18:00 - 24:00. You can select one value.
  4. Click OK.
    During the selected period, Security Center automatically runs checks on all check items.

We recommend that you handle the detected security risks in a timely manner. For more information, see View and manage configuration risks.

Security group check

The security group check feature detects high-risk rules in Elastic Compute Service (ECS) security groups and provides suggestions for fixing them. This helps protect your network.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Application market > Security group check.
  3. Optional: On the Security Check page, click Obtain Latest Check Results.
    The check requires 1 to 5 minutes.
    Note The latest check results are obtained based on the static analysis of security group rules and may not cover all port risks. You can view complete check results about port exposure on the Internet Access page. For more information, see Internet access.
  4. Find the required rule and click View Details in the Actions column. The Details page provides suggestions for fixing.
  5. Manage weak security group rules.
    1. Find the rule that you want to manage and click View Details in the Actions column.
      Alternatively, click the number in the Risky Security Groups/Servers column to go to the Details page.
    2. On the Details page, find the security group for which you want to fix an issue and click Fix Issue in the Actions column.
      Improper security group configurations may lead to security incidents. The Details page provides a Suggestion to manage the security group risk. You can manage the risk based on the Suggestion.
      If you are using Cloud Firewall Premium, Enterprise, or Ultimate edition, you are redirected to the Security Groups page. You must manage security group risks based on the Suggestion. For more information, see Modify security group rules. If you are using the Cloud Firewall Basic edition, you must perform substep 3.
    3. Optional: In the Cloud Firewall Premium Edition dialog box, click Upgrade Now or Fix Issue.
      You can use one of the following methods to manage security group risks:
      • Upgrade Now: You can purchase the Cloud Firewall Premium edition and use the security group check function. This function is provided by Cloud Firewall to manage security group risks. We recommend that you select this method. You can use Cloud Firewall to centrally manage security groups and access control policies of public IP addresses. This reduces asset exposure and improves the efficiency of security management.
      • Fix Issue: You can go to the Security Groups page to manually manage the risk. For more information, see Modify security group rules.

Defense rules against brute-force attacks

Security Center allows you to configure defense rules to protect your assets against brute-force attacks.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. Click Settings in the upper-right corner.
  4. In the Settings panel, click the Anti-brute Force Cracking tab.
  5. Optional: Complete authorization.
    1. In the Anti-brute Force Cracking section, move the pointer over Management and click Authorize.
    2. Click Confirm Authorization Policy.
    Note If this is the first time you configure a defense rule against brute-force attacks, you must obtain the required permissions. If you have already obtained the permissions, skip this step.
  6. Click Management to the right of Anti-brute Force Cracking.
  7. In the Add panel, configure a defense rule.

    Security Center provides the default defense rule Alibaba Cloud best practices against brute-force attacks. The default rule defines that if the number of failed logon attempts exceeds 80 within 10 minutes, the IP address is blocked for six hours. You can use the default rule and select servers to which the default rule applies. You can also configure a custom defense rule. The following parameters are available:

    • Defense Rule Name: The name of the defense rule.
    • Defense Rule: Specifies the defense rule conditions, including the maximum number of failed logon attempts from a specific IP address and the time period during which requests from the IP address are blocked. The maximum number of failed logon attempts can be 2, 3, 4, 5, 10, 50, 80, or 100. The time period during which failed logon attempts are counted can be 1, 2, 5, 10, or 15 minutes. The time period for blocking the IP address can be 5 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 6 hours, 12 hours, 24 hours, or 7 days. If you select Permanent, Security Center does not block the IP address.
      For example, you can configure a custom rule that has the following conditions: If the number of failed logon attempts exceeds three within one minute, the specific IP address is blocked for 30 minutes.
    • Select Server(s): The servers to which the defense rule applies. You can select servers from the server list, or filter servers by server name or server IP address.
    • Set As Default Policy: Specifies whether to set the defense rule as the default rule. By default, servers that have no defense rule attached use the default defense rule.
      Note If you select Set As Default Policy, the defense rule takes effect on all the servers that have no defense rule attached, regardless of whether you select the servers in the Select Server(s) section.
  8. Click OK.
    Note You can configure only one defense rule for each server.
    • If a server has an existing defense rule, the Confirm Changes dialog box appears. Click OK.
    • If a server has no defense rule, the configuration of the current defense rule succeeds.
  9. In the IP Policy Library panel, view the IP blocking rules that Security Center automatically generates.
    After you configure a defense rule on the Anti-brute Force Cracking tab of the Settings panel, the rule triggers IP blocking, and Security Center generates an IP blocking rule. To view the IP blocking rules, perform the following steps:
    1. On the Alerts page, click the number below IP blocking / All.
      Click the number under IP blocking. You are redirected to the page of the enabled system built-in IP blocking policies. Click the number under All. You are redirected to the page of all IP blocking policies including those enabled and disabled.
    2. On the System Rules tab of the IP Policy Library panel, view the IP blocking rules that Security Center automatically generates.
      For more information about IP blocking rules, see Configure IP blocking policy.
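To make the three parts of a defense rule concrete (the failure threshold, the counting period, and the blocking period), the following added example replays constructed failed-logon log lines through a sliding-window counter that implements the rule semantics described above. This is example code written for this page, not Security Center's own implementation; the log line format, the user names, and the IP addresses are constructed assumptions. It evaluates both the default rule (more than 80 failures in 10 minutes, blocked for 6 hours) and the custom rule from the example above (more than 3 failures in 1 minute, blocked for 30 minutes).

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DefenseRule:
    """The three choices that make up the Defense Rule parameter."""
    max_failures: int          # failures allowed before an IP address is blocked
    window: timedelta          # period during which failures are counted
    block_duration: timedelta  # how long the IP address stays blocked


# Default rule on the page: more than 80 failures within 10 minutes -> 6-hour block.
DEFAULT_RULE = DefenseRule(80, timedelta(minutes=10), timedelta(hours=6))
# Custom rule from the page's example: more than 3 failures within 1 minute -> 30-minute block.
CUSTOM_RULE = DefenseRule(3, timedelta(minutes=1), timedelta(minutes=30))

# Constructed (hypothetical) log format: "<date> <time> FAILED <user> from <ipv4>".
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) FAILED (\S+) from (\d{1,3}(?:\.\d{1,3}){3})$"
)

# Constructed sample log, in chronological order. 203.0.113.7 fails four times
# within one minute; 198.51.100.9 fails several times but never more than three
# within any one-minute window.
SAMPLE_LOG = """\
2024-05-01 10:00:00 FAILED root from 203.0.113.7
2024-05-01 10:00:05 FAILED root from 198.51.100.9
2024-05-01 10:00:10 FAILED root from 203.0.113.7
2024-05-01 10:00:15 ACCEPTED deploy from 198.51.100.9
2024-05-01 10:00:20 FAILED admin from 203.0.113.7
2024-05-01 10:00:30 FAILED root from 203.0.113.7
2024-05-01 10:02:00 FAILED root from 198.51.100.9
2024-05-01 10:04:00 FAILED root from 198.51.100.9
2024-05-01 10:05:00 FAILED root from 203.0.113.7
2024-05-01 10:06:00 FAILED root from 198.51.100.9
2024-05-01 10:31:00 FAILED root from 203.0.113.7
""".splitlines()


@dataclass
class BruteForceMonitor:
    rule: DefenseRule
    # per-IP timestamps of recent failures (the sliding counting window)
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    # per-IP expiry time of an active block
    blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, ts):
        """Register one failed logon at time ts; return True if it triggers a new block."""
        if self.is_blocked(ip, ts):
            return False  # attempts from a blocked address are dropped, not counted
        window = self.failures[ip]
        window.append(ts)
        # discard failures that fall outside the counting period (lines are time-ordered)
        while ts - window[0] > self.rule.window:
            window.popleft()
        if len(window) > self.rule.max_failures:  # "exceeds" means strictly more than
            self.blocked_until[ip] = ts + self.rule.block_duration
            window.clear()
            return True
        return False


def replay(lines, rule):
    """Feed log lines through a rule; return (ip, blocked_at, blocked_until) per block."""
    monitor = BruteForceMonitor(rule)
    blocks = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a failed-logon record
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(3)
        if monitor.record_failure(ip, ts):
            blocks.append((ip, ts, monitor.blocked_until[ip]))
    return blocks


if __name__ == "__main__":
    for name, rule in (("default", DEFAULT_RULE), ("custom", CUSTOM_RULE)):
        print(name, replay(SAMPLE_LOG, rule))
```

Running the block shows that the same log produces no block under the default rule and one block under the custom rule: the fourth failure from 203.0.113.7 at 10:00:30 exceeds the threshold of three within one minute, the address is blocked until 10:30:30, the attempt at 10:05:00 is dropped while the block is active, and counting starts again from zero once the block expires.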

Web tamper proofing

The web tamper proofing feature allows you to monitor web directories in real time. This feature also allows you to restore files or directories that have been tampered with based on the backup files. This protects important website information from being tampered with. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable web tamper proofing for specific servers. For more information, see Enable tamper protection.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Tamper Protection.
  3. On the Tamper Protection page, click the Management tab.
  4. On the Management tab, click Add Server to enable the web tamper proofing feature for a server.
  5. In the Add Servers step of the Add Servers for Protection wizard, select a server that you want to protect.
    Note If no licenses are available, you cannot enable the web tamper proofing feature for a new server. If a server no longer requires this feature, you can turn off Protection to release the license. You can use the released license to enable this feature for a new server.
  6. Click Next to go to the Add Directory step.
  7. In the Add Directory step, configure the parameters.
    Select a protection mode. You can select Whitelist Mode or Blacklist Mode. In whitelist mode, this feature is enabled for the specified directory and file formats. In blacklist mode, this feature is enabled for the subdirectories, file formats, and files that are not excluded. By default, the whitelist mode is used.
    • Whitelist mode
      • Protected Directory: Enter the path of the directory that you want to protect.
        Note Servers that run Linux and Windows operating systems use different path formats. Enter the correct directory path based on your operating system.
      • Protected File Formats: Select the file formats that you want to protect from the drop-down list, such as js, html, xml, and jpg.
      • Local Backup Directory: The default path where the backup files of the protected directory are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup path for servers that run Linux operating systems and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows operating systems. You can modify the default path as needed.
    • Blacklist mode
      • Protected Directory: Enter the path of the directory that you want to protect.
      • Excluded Sub-Directories: Enter the path of the subdirectory for which you do not need to enable this feature. You can click Add Sub-Directory to add multiple subdirectories. The files under the excluded subdirectories are not protected by Security Center.
      • Excluded File Formats: Select the formats of files for which you do not need to enable this feature. Valid values: log, txt, and ldb. The files of the specified formats are not protected by Security Center.
      • Excluded Files: Enter the path of the file for which you do not need to enable this feature. You can click Add File to add multiple paths. The files in the specified paths are not protected by Security Center.
      • Local Backup Directory: The default path where the backup files of the protected directory are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup path for servers that run Linux operating systems and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows operating systems. You can modify the default path as needed.

  8. Click Enable Protection.
    After you enable this feature for a server, the server is displayed in the server list on the Management tab of the Tamper Protection page.
    Note By default, Protection is turned off for the new server. To use the web tamper proofing feature, you must turn on Protection of the server on the Management tab of the Tamper Protection page.
  9. In the server list, turn on Protection to enable this feature for the new server.
    If this is the first time you enable this feature for a server, the status of the server is Initializing, and a progress bar appears. It requires a few seconds to enable this feature. After this feature is enabled, the status changes to Running.
    If the status of a server is Exception, move the pointer over Exception in the Status column. A message that indicates the causes appears. Click Retry in the message. For more information, see t141310.html#abnormal.
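The whitelist and blacklist modes described in step 7 decide, per file, whether a change is monitored and restorable. The following added example models that decision so you can check a protection configuration against a list of paths before enabling it. This is example code written for this page, not Security Center's own matching logic; the sample directories, file names, and the assumption that matching is done on whole path components (so an excluded /var/www/html/upload does not also exclude /var/www/html/uploads) are constructed for illustration. It handles both Linux and Windows path formats, which the page notes differ.

```python
from pathlib import PurePosixPath, PureWindowsPath


def _as_path(path, windows):
    # Pure paths do no I/O, so both OS formats can be evaluated offline on any host.
    return PureWindowsPath(path) if windows else PurePosixPath(path)


def _is_under(path, directory):
    """True if path equals directory or lies anywhere below it (whole components only)."""
    try:
        path.relative_to(directory)
        return True
    except ValueError:
        return False


def _ext(path):
    # "index.html" -> "html"; files without an extension yield "".
    return path.suffix.lstrip(".").lower()


def is_protected_whitelist(path, protected_dir, protected_formats, windows=False):
    """Whitelist mode: only files under the protected directory whose format is
    in the selected list are protected; everything else is left alone."""
    p = _as_path(path, windows)
    formats = {f.lower() for f in protected_formats}
    return _is_under(p, _as_path(protected_dir, windows)) and _ext(p) in formats


def is_protected_blacklist(path, protected_dir, excluded_subdirs=(),
                           excluded_formats=(), excluded_files=(), windows=False):
    """Blacklist mode: everything under the protected directory is protected
    except excluded subdirectories, excluded file formats and excluded files."""
    p = _as_path(path, windows)
    if not _is_under(p, _as_path(protected_dir, windows)):
        return False  # outside the protected directory: the rule does not apply
    if any(_is_under(p, _as_path(d, windows)) for d in excluded_subdirs):
        return False  # the whole excluded subtree is unprotected
    if _ext(p) in {f.lower() for f in excluded_formats}:
        return False
    if any(p == _as_path(f, windows) for f in excluded_files):
        return False
    return True


# Constructed sample configuration and paths (not from any real deployment).
WEB_ROOT = "/var/www/html"
BLACKLIST_CONFIG = dict(
    protected_dir=WEB_ROOT,
    excluded_subdirs=[WEB_ROOT + "/upload"],
    excluded_formats=["log", "txt", "ldb"],   # the page's valid values
    excluded_files=[WEB_ROOT + "/cache.db"],
)
SAMPLE_PATHS = [
    WEB_ROOT + "/index.php",
    WEB_ROOT + "/js/app.js",
    WEB_ROOT + "/upload/avatar.php",
    WEB_ROOT + "/uploads/report.php",
    WEB_ROOT + "/app.log",
    WEB_ROOT + "/cache.db",
    "/etc/nginx/nginx.conf",
]


def review(paths=SAMPLE_PATHS):
    """Return {path: (protected_in_whitelist_mode, protected_in_blacklist_mode)}."""
    return {
        p: (
            is_protected_whitelist(p, WEB_ROOT, ["js", "html", "php"]),
            is_protected_blacklist(p, **BLACKLIST_CONFIG),
        )
        for p in paths
    }


if __name__ == "__main__":
    for path, (wl, bl) in review().items():
        print(f"{path:40} whitelist={wl!s:5} blacklist={bl}")
```

The review shows the practical difference between the modes: in whitelist mode a new file type dropped into the web root (for example a .log) is simply not watched, while in blacklist mode everything under the root is watched unless you explicitly excluded it, so the exclusion lists deserve the same care as the protected directory itself.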

Anti-ransomware

Security Center provides protection, alerting, and data backup capabilities that prevent ransomware from compromising your servers. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable anti-ransomware for specific servers. For more information, see Enable the anti-ransomware feature.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-ransomware.
  3. On the General Anti-ransomware Solutions page, click Authorize Now.
  4. On the General Anti-ransomware Solutions page, click Create Policies.
    You can also click the number below Unprotected Server(s) to go to the Create Policies panel.
  5. In the Create Policies panel, configure the parameters.
    The following parameters are available:
    • Policy Name: The name of the protection policy.
    • Select Assets: The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets to which you want to apply the protection policy, perform the following operations as needed:
      • In the Asset Group section, select an asset group. The system automatically selects all assets in the group. You can clear assets that no longer require protection in the Assets section.
      • In the Assets section, enter an asset name in the search box to search for the specific asset. Fuzzy match is supported.
      Note
      • To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy. You can add a maximum of 100 servers to each protection policy.
      • The anti-ransomware feature supports data backup only for ECS instances. It does not support data backup for servers that are not deployed on Alibaba Cloud. You can create protection policies only for your ECS instances.
      • The anti-ransomware data backup feature is available in the following regions: China (Chengdu), China East 2 Finance, China North 2 Ali Gov, China (Shanghai), China (Hangzhou), China (Beijing), China (Shenzhen), China (Zhangjiakou), China (Hohhot), China (Qingdao), China (Hong Kong), Singapore (Singapore), Indonesia (Jakarta), Australia (Sydney), US (Silicon Valley), US (Virginia), Germany (Frankfurt), Japan (Tokyo), and India (Mumbai). This feature is not supported in other regions. You can select only ECS instances that reside in the supported regions.
    • Protection Policies: Valid values:
      • Recommendation Policy
        If you select Recommendation Policy, the following parameter settings are used by default:
        • Protected Directories: All Directories (excluding system directories)
        • Protected File Types: All File Types
        • Start Time: a point in time within the range of 00:00:00 to 03:00:00
        • Backup policy execution interval: One Day
        • Backup data retention period: Seven Days
        • Backup Network Bandwidth Limit(MByte/s): 5MB
      • Custom policy
        If you select Custom policy, you must configure the following parameters: Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and Backup Network Bandwidth Limit(MByte/s).
    • Protected Directories: The directories that you want to protect. Valid values:
      • Specified directory: Only the specified directories of the selected assets are protected. Enter the addresses of the directories in the Directory address field.
      • All directories: All directories of the selected assets are protected. You must set Whether to exclude system directories.
        Note If you select All directories, we recommend that you select Excluded for Whether to exclude system directories. This prevents system conflicts.
    • Whether to exclude system directories: Valid values: Excluded and Not Excluded. If you select Excluded, the following directories in Windows and Linux operating systems are excluded:
      • Windows:
        • Windows\
        • python27\
        • Program Files (x86)\
        • Program Files\
        • ProgramData\
        • Boot\
        • $RECYCLE.BIN\
        • System Volume Information\
        • Users\Administrator\NTUSER.DAT
        • pagefile.sys
      • Linux:
        • /bin/
        • /usr/bin/
        • /sbin/
        • /boot/
        • /proc/
        • /sys/
        • /srv/
        • /lib/
        • /selinux/
        • /usr/sbin/
        • /run/
        • /lib32/
        • /lib64/
        • /lost+found/
        • /var/lib/kubelet/
    • Directory address: The address of the directory that you want to protect. If you want to protect more than one directory, click Add to add more directory addresses. If you want to delete a directory address, click Delete.
      Note
      • You must set this parameter only when you select Specified directory for Protected Directories.
      • Security Center starts a data backup task for each directory specified in the protection policy. Security Center allows multiple data backup tasks to run at the same time. These tasks may consume a large amount of CPU and memory resources. We recommend that you configure an appropriate number of backup directories based on your requirements.
    • Protected File Types: The file types that you want to protect. Valid values:
      • Specify file type: Only files of the specified types are protected. You must select a file type from the Select file type drop-down list.
      • All File Types: All files are protected.
    • Select file type: Valid values:
      • Document
      • Picture
      • Compressed
      • Database
      • Audio and video
      • Script code
      Note
      • You must set this parameter only when you select Specify file type for Protected File Types.
      • You can select multiple file types. Security Center protects only the files of the selected file types.
    • Start Time: The time at which you want to start a data backup task. Data backup may consume a small amount of CPU and memory resources. We recommend that you set this parameter to a point in time during off-peak hours, such as 00:00:00.
      Note If this is the first time you back up all data in the protected directories based on a protection policy, a large amount of CPU and memory resources is consumed. To avoid impacts on your services, we recommend that you back up your data during off-peak hours.
    • Backup policy execution interval: The time interval between two data backup tasks. Default value: One Day. Valid values:
      • Half a day
      • One Day
      • Three days
      • Seven Days
    • Backup data retention period: The retention period of backup data. Default value: 7 Days. Valid values:
      • 7 Days
      • 30 Days
      • Half a year
      • One year
      • Permanent
    • Backup Network Bandwidth Limit(MByte/s): The maximum bandwidth that can be consumed by a data backup task. Valid values: 1 Mbit/s to unlimited.
      Note We recommend that you configure an appropriate bandwidth threshold based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures business stability.
  6. Click OK.
    After you create and enable a protection policy, Security Center installs the anti-ransomware client on your ECS instance. Then, Security Center backs up data in the protected directories of your ECS instance based on the backup settings that you specified in the protection policy.
  7. Enable a protection policy in the policy list.

    After you create a protection policy, you must enable it in the policy list. Then, Security Center backs up server files based on the file directories that you specify in the policy.
