Configure common features of Security Center - Security Center

Security Center provides various features to protect your cloud assets and servers in data centers. The features include alert notification, virus detection and removal, webshell detection, client protection, and container image scan. This topic describes how to configure the features.

Alert notification

If Security Center detects exceptions in your assets, Security Center sends alert notifications based on the severity levels, notification periods, and notification methods that you specify. This way, you can monitor the security of your assets in real time. The notification methods include text messages, emails, internal messages, and DingTalk chatbots.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
In the left-side navigation pane, choose System Configuration > Notification Settings.
On the Notification Settings page, click the Text Message/Email/Internal Message tab. Then, specify the notification periods, notification methods, and severity levels for the notification items on which Security Center sends alerts.
Notification items refer to the threat events and security risks that Security Center can detect in your assets. For more information about the notification items supported by Security Center, see Configure notification settings.

Proactive defense, webshell detection, and client protection

If you want to enable the Malicious Host Behavior Prevention, webshell detection, or client protection feature, you can go to the Feature Settings page and select the servers for which you want to enable the feature.

Note

If you do not turn on the switches in the Proactive Defense section, Security Center only detects related threats and does not automatically block detected common viruses or malicious network behavior.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
In the left-side navigation pane, choose System Configuration > Feature Settings.
Enable features in the Proactive Defense section, and enable the webshell detection and client protection features.
Enable features in the Proactive Defense section.
1. Go to the Settings > Host Protection Settings tab.
2. In the Proactive Defense section, click Manage to the right of Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), Webshell Prevention, or Malicious Network Behavior Prevention.
3. Select the servers for which you want to enable the features and turn on the switches.
After you turn on the switches in the Proactive Defense section, Security Center automatically quarantines the detected common viruses or suspicious connections. If you want to view the quarantined viruses and connections, you can go to the Alerts page and filter security events by using the Precision defense search condition.
Enable the webshell detection feature.
1. Go to the Settings > Host Protection Settings tab.
2. In the Webshell Detection section, click Manage to select the servers for which you want to enable the webshell detection feature.
Enable the client protection feature.
1. Go to the Settings > Agent Settings tab.
2. In the Client Protection section, turn on Defense mode and click Manage to select the servers for which you want to enable the client protection feature.
For more information, see Feature Settings.

Container image scan

The container image scan feature is a value-added feature provided by Security Center. To use this feature, you must purchase a sufficient quota for container image scan. For more information, see Enable container image scan.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
Note
The first time you use container image scan, complete the authorization as prompted.
On the Image Security page, click Immediate Scan.
Security Center requires approximately 1 minute to perform the scan. After the scan is complete, you can refresh the page to view the scan results.
Click the Image Vulnerability, Image Baseline Check, Image Malicious Sample, or Sensitive Image File tab to view the detected vulnerabilities or malicious samples.
For more information, see View image scan results.

Configuration assessment

The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual checks and periodic automatic checks.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.
In the left-side navigation pane, choose Risk Governance > Configuration Assessment.
Click the Configuration Check tab and run a configuration check.
- Full Scanning
  If you want to immediately check whether risks exist in the configurations of your cloud services, you can choose Immediate Scan > Full Scanning on the Configuration Assessment page. The system checks all your cloud services.
- Scan By Policy
  After you configure a policy for the configuration assessment feature, Security Center runs configuration checks based on the time range that you specify in the policy. You can also select Scan By Policy to immediately check your cloud services.
  1. In the upper-right corner of the Configuration Assessment page, click Check Policy Settings.
  2. In the Check Policy Settings panel, turn on Automatic Configuration Assessment.
  3. Configure the Detection Cycle: and Detection Time: parameters, select the required check items, and then click OK.
  4. Optional. On the Configuration Assessment page, choose Immediate Scan > Scan by Policy.
    Security Center immediately scans the configurations of cloud services based on the policy that you configure.
Note
A full scan requires a long period of time to complete.

We recommend that you handle the detected security risks at the earliest opportunity. For more information, see Use the configuration assessment feature.

Defense rules against brute-force attacks

Security Center provides the feature of protection against brute-force attacks. The feature allows you to configure defense rules to prevent brute-force attacks. You can configure a defense rule to block logon attempts to your server for a period of time if the number of logon failures exceeds the specified threshold within the specified period of time. The feature of protection against brute-force attacks can protect the password of your server account from being cracked.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.
On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.
If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.
For more information, see Service-linked roles for Security Center.

On the Defense policy tab, click Create Policy. In the Create Policy panel, configure the parameters.

Security Center provides the following default settings in the Create Rule panel: If the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you want to retain the default settings, you can directly select servers. If you want to create a custom rule, you can configure the following parameters.

Parameter	Description
Policy Name	Enter a name for the defense rule.
Defense Rule:	Specify a trigger condition for the defense rule. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the limit during the statistical period, the defense rule blocks the IP address for the disablement period. For example, if the number of logon failures from an IP address exceeds 3 within 1 minute, the IP address is blocked for 30 minutes.
Set as Default Policy	Determine whether to specify the defense rule as a default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use the defense rule. Note If you select Set as Default Policy, the defense rule takes effect on all servers that are not protected by defense rules, regardless of whether you select the servers in the Select Server(s): section.
Select Server(s):	Select the servers that you want the defense rule to protect. You can select servers from the server list or search for servers by server name or server IP address.

Click OK.
Important
You can create only one defense rule against brute-force attacks for each server.
- If a selected server is not protected by a defense rule, the defense rule that you create takes effect.
- If a selected server is protected by a defense rule and you want to apply the defense rule that you create to the server, read and confirm the information in the Confirm Changes message, and click OK.
- If you create a rule for a server to which an existing defense rule is applied, the number of servers to which the existing defense rule is applied decreases.

Web tamper proofing

The feature of web tamper proofing monitors web directories in real time and can restore tampered files or directories based on the backup files. This prevents important website information from being tampered with. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable web tamper proofing for specific servers. For more information, see Step 1: Purchase the quota for web tamper proofing.

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.
If this is the first time that you use web tamper proofing, click Add Servers for Protection.
If this is not the first time that you use web tamper proofing, click the Management tab on the Tamper Protection page and click Add Server.
In the Add Servers for Protection panel, select the server for which you want to enable web tamper proofing from the server list and click Next.

In the Add Directory step, configure the parameters and click Enable Protection.

By default, the whitelist mode is used. In whitelist mode, you must specify the formats of files that require protection. In blacklist mode, you must specify the formats of files that do not require protection. To switch to the blacklist mode, click Blacklist Mode.

Whitelist Mode

In whitelist mode, Security Center intercepts the modifications to the files of the specified formats in the protected directory or generates an alert for the modifications.

Parameter	Description
Protected Directory	The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the modifications to the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /The name of the directory/ format. Example: `/tmp/`.
Protected File Formats	The formats of the files that you want to protect. You can select formats from the drop-down list. You can also enter formats that are not displayed in the drop-down list.
Prevention Mode	Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server. Alert Mode: Security Center identifies suspicious processes and file modifications and generates alerts for the suspicious processes and file modifications. Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating system and kernel versions, see Supported versions of operating systems and kernels.
Local Backup Directory	The default directory in which the backup files of the protected directories are stored. By default, Security Center assigns `/usr/local/aegis/bak` as the backup directory for Linux servers and `C:\Program Files (x86)\Alibaba\Aegis\bak` as the backup directory for Windows servers. You can change the default backup directories.

Example

If you specify /tmp/ for Protected Directory, xml for Protected File Formats, and Interception Mode for Prevention Mode, Security Center intercepts the modifications to the XML files in the tmp directory.

Blacklist Mode

In blacklist mode, Security Center does not intercept the modifications to the specified subdirectories, files of the specified formats, or specified files in the protected directory or generate alerts for the modifications. Security Center intercepts the modifications to other subdirectories and files in the protected directory and generates an alert for the modifications.

Parameter	Description
Protected Directory	The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the modifications to the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /Directory name/ format. Example: `/tmp/`.
Excluded Sub-Directories	The path to the subdirectories that do not require protection. Enter a value in the Subdirectory name/ format. Example: `dir1/dir0/`.
Excluded File Formats	The formats of the files that do not require protection.
Excluded Files	The files that do not require protection. Enter a value in the Subdirectory name/File name format. Example: `dir2/file3`.
Prevention Mode	Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server. Alert Mode: Security Center identifies suspicious processes and file modifications and generates alerts for the suspicious processes and file modifications. Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating system and kernel versions, see Supported versions of operating systems and kernels.
Local Backup Directory	The default directory in which the backup files of the protected directories are stored. By default, Security Center assigns `/usr/local/aegis/bak` as the backup directory for Linux servers and `C:\Program Files (x86)\Alibaba\Aegis\bak` as the backup directory for Windows servers. You can change the default backup directories.

Important

Excluded Sub-Directories, Excluded File Formats, and Excluded Files are evaluated by using a logical OR.

Example

If you specify /tmp/ for Protected Directory, dir1/dir0/ for Excluded Sub-Directories, txt for Excluded File Formats, dir2/file3 for Excluded Files, and Interception Mode for Prevention Mode, only the files in the dir1 subdirectory below dir0 in the tmp directory, TXT files in the tmp directory, or the file3 file in the dir2 subdirectory in the tmp directory can be modified. The modifications to other subdirectories and files in the tmp directory are intercepted by Security Center.

On the Management tab of the Tamper Protection page, find the server that you specify in the Add Servers for Protection panel and click the icon in the Protection column to enable web tamper proofing for the server.

If this is the first time that you enable this feature for a server, the status in the Status column of the server changes to Initializing, and a progress bar appears. Web tamper proofing is enabled in a few seconds. After the feature is enabled, the status changes to Running.

The following table describes the statuses that are available in the Status column.

Status	Description	Suggestion
Initializing	Web tamper proofing is being initialized.	The first time you enable web tamper proofing for a server, the status is Initializing. Wait until web tamper proofing is enabled.
Running	Web tamper proofing is enabled and runs as expected.	None.
Exception	An error occurred during the initialization of web tamper proofing.	Move the pointer over Exception, view the causes, and then click Retry.
Not Initialized	The switch in the Protection column is turned off.	Turn on the switch in the Protection column.

Anti-ransomware

Security Center provides protection, alerting, and data backup capabilities that prevent ransomware from compromising your core servers. Before you can use the anti-ransomware feature, you must purchase a specific quota. This quota allows you to enable the anti-ransomware feature for specific servers. For more information, see Enable anti-ransomware.

Configure anti-ransomware policies for servers

Purchase the anti-ransomware capacity and authorize your account to use the anti-ransomware feature. For more information, see Enable anti-ransomware.
Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
On the Server extortion virus protection tab of the Anti-ransomware page, click Create Policies.

In the Create Policies panel, configure the following parameters and click OK.

Parameter	Description
Policy Name:	The name of the anti-ransomware policy.
Server Type	The type of the server to which you want to apply the anti-ransomware policy.
Backup Route	If you set Server Type to Server Not Deployed on Alibaba Cloud, you must specify the communication method to back up data. Valid values: Internet: If you select this option, you may be charged for Internet bandwidth resources. Internal Network: If you select this option, you must use Alibaba Cloud virtual private clouds (VPCs), Express Connect circuits, or Cloud Enterprise Network (CEN) instances to establish connections between the servers that are not deployed on Alibaba Cloud and the anti-ransomware endpoint in the selected region.
Region:	If you set Server Type to Server Not Deployed on Alibaba Cloud, you must select the region in which the server resides or a region in which an anti-ransomware endpoint is available. The selected region specifies the endpoint that is used to access anti-ransomware. To successfully back up data, make sure that the server can access the anti-ransomware endpoint in the selected region. For more information, see Anti-ransomware endpoints.
Select Assets:	The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations: In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section. In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported. Note If you want to apply the anti-ransomware policy to Elastic Compute Service (ECS) instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to the servers that are not deployed on Alibaba Cloud, you must select the servers that reside in the same region. To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy.
Protection Policies:	The anti-ransomware policy that you want to configure. Valid values: Recommendation Policy If you select Recommendation Policy, the default values of the following parameters are used: Protected Directories: All directories Exclude specified directories: directories that are excluded from the policy Protected File Types: All File Types Start Time: a point in time within the range of 00:00 to 03:00 Backup policy execution interval: One Day Backup data retention period: 7 Days The bandwidth limit of the backup network: 0 MByte/s Note The value 0 indicates that no limits are imposed on the bandwidth. Custom policy If you select Custom policy, you must configure parameters based on your business requirements. The parameters include Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network.
Protected Directories:	The directories that you want to back up. Valid values: Specified directory: Security Center backs up only specified directories of the specified servers. You must enter the addresses of the specified directories for Protect directory address:. Examples: Windows server: `C:\Program Files (x86)\` Linux server: `/usr/bin/` You can enter up to 20 addresses. Security Center runs backup tasks in sequence based on protected directory addresses. If a large number of files are stored at a protected directory address, a large amount of server resources such as CPU and memory resources may be consumed to back up data at the address. In this case, you can split the directory into multiple addresses. Then, backup tasks run in sequence based on the addresses. This helps reduce the server resources that are consumed by each backup task. All directories: Security Center backs up all directories of the specified servers.
Exclude specified directories:	The directories that you do not want to back up. Security Center displays default directories that do not need to be backed up. You can add or delete these directories.
Protected File Types:	The type of the files that you want to protect. Valid values: All File Types: Security Center protects all files. Specify file type: Security Center protects files only of the selected file type. You can select file types such as document and image. Important You can select multiple file types. Security Center protects only the files of the selected file types.
Start Time:	The time at which you want to start a data backup task. Important If this is the first time that you back up all data in protected directories based on an anti-ransomware policy, a large number of CPU cores and memory resources are consumed. To avoid negative impacts on your services, we recommend that you back up data during off-peak hours.
Backup policy execution interval:	The time interval between two data backup tasks. Default value: One Day. Valid values: Half a day One Day 3 days Seven Days
Backup data retention period:	The retention period of backup data. Default value: 7 Days. Important The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements. Valid values: Permanent: The backup data is retained until Security Center expires, you delete the anti-ransomware policy, or you remove the server from the anti-ransomware policy. Custom: You can specify a retention period. Valid values: 1 to 65535. Unit: days.
The bandwidth limit of the backup network:	The maximum bandwidth that can be consumed by a data backup task. Valid values: 1 to unlimited. Unit: MB/s. If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. Servers that are not deployed on Alibaba Cloud consume public or internal network bandwidth during data backup. You can configure this parameter to prevent backup tasks from consuming an excessive amount of bandwidth and ensure service stability.

After the anti-ransomware policy is created, the policy is enabled by default, and Security Center installs the anti-ransomware agent on your server. Then, Security Center backs up data in the protected directories of your server based on the backup settings that you configure in the anti-ransomware policy.

Configure anti-ransomware policies for databases

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
On the Anti-ransomware page, click the Database extortion virus protection tab and click Create Policies.

In the Database protection strategy panel, create an anti-ransomware policy for a database.

In the Change database step, configure the following parameters and click Next.

Parameter	Description
Policy Name	The name of the anti-ransomware policy.
Type	The method that you want to use to select the database. Valid values: Automatic identification database The system automatically identifies the databases that are deployed on your server. We recommend that you select this option. Manually enter the database If the database that you want to protect is not displayed in the list of databases after you select Automatic identification database, you can select this option and manually specify the database.
Database	The database that you want to protect or the server in which the database resides.
Database type	The type of the database that you want to protect. This parameter is required only if you set the Type parameter to Manually enter the database. Valid values: MYSQL ORACLE MSSQL
Account	The username of the account that you can use to log on to the required database. The account must have the permissions to back up data in the database. If you set the Database type parameter to ORACLE, you do not need to enter the username or the password of the database. Important You must enter the username and password of the database instead of the server.
Password	The password of the account that you can use to log on to the database.

In the Protection Policies step, configure the following parameters and click Finished.

Parameter	Description
Protection Policies	The anti-ransomware policy that you want to use. You can click Use recommendation strategy to use the recommended anti-ransomware policy that is provided by Security Center. If the recommended anti-ransomware policy cannot meet your business requirements, you can modify the policy.
Full backup strategy	The interval at which full backup is performed, the days of a week on which the full backup is performed, and the point in time at which the full backup starts. Full backup indicates that you back up all data that exists at a specific point in time. Full backup is time-consuming and requires a large amount of anti-ransomware capacity. We recommend that you set the Interval period parameter to 1 Week. Note The full backup policy and incremental backup policy take effect at the same time and do not affect each other.
Incremental backup strategy	The interval at which incremental backup is performed and the point in time at which the incremental backup starts. Incremental backup indicates that you back up only the data that is newly generated or modified after the last full or incremental backup. Therefore, incremental backup is time-saving and requires less anti-ransomware capacity. We recommend that you set the Interval period parameter to 1 Day.
Backup data retention time	The retention period of the backup.
Backup network bandwidth limit	The maximum network bandwidth that is allowed during data backup. If you set this parameter to 0, network bandwidth is unlimited.

After the anti-ransomware policy for your database is created, Security Center automatically installs the anti-ransomware agent on your server, and the policy enters the Initializing state. After the anti-ransomware agent is installed on your server, Security Center backs up data in your database based on the backup policy that is configured in the anti-ransomware policy.

Virus detection and removal

Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.
In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Detection and Removal.
If the AliyunServiceRoleForSas service-linked role is not created, click Authorize Now and complete authorization as prompted.
After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about the AliyunServiceRoleForSas service-linked role, see Service-linked roles for Security Center.

On the Virus Detection and Removal page, perform an immediate scan task or configure a periodic scan task.

Perform an immediate scan task

On the Virus Detection and Removal page, click Immediate Scan or Scan Again.

In the Scan Settings panel, configure the Scan Mode and Scope parameters.

Parameter

Description

Scan Mode

Select a scan mode. Valid values:

Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.
Custom Directory Scan: In this mode, you can specify the file directories that you want to scan.
Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.

Scope

Select the assets that you want to scan. You can select assets based on the following types:

All Assets: If you select this option, all assets are scanned.
By Asset: If you select this option, you can select the servers that you want to scan.
By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.
By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

Click OK.
Security Center performs an immediate scan task based on the specified scan mode and scope. The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.

Configure a periodic scan task

On the Virus Detection and Removal page, click Scan Settings in the upper-right corner.

In the Scan Settings panel, configure the Scan Cycle, Scan Mode, and Scope parameters.

Parameter	Description
Scan Cycle	Specify the interval and period for automatic scan.
Scan Mode	Select a scan mode. Valid values: Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks. Custom Directory Scan: In this mode, you can specify the file directories that you want to scan. Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.
Scope	Select the assets that you want to scan. You can select assets based on the following types: All Assets: If you select this option, all assets are scanned. By Asset: If you select this option, you can select the servers that you want to scan. By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center. By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

Click OK.
Security Center automatically scans the specified assets based on the configurations.

Optional. On the Virus Detection and Removal page, click Task Management in the upper-right corner to view the status and progress of the scan task.