An instance is a virtual machine. Security protection is generally implemented at the instance level to protect the virtual machine against attacks and intrusions. ECS instances also need security protection. You must implement effective security measures in conjunction with the inherent protection of Alibaba Cloud.
Prerequisites
You must have registered an Alibaba Cloud account before you follow the instructions provided in the tutorial. If not, create a new Alibaba Cloud account first.
Background information
- DDoS attacks interrupt your business.
- Trojans tamper with or attack your webpages.
- Data leaks caused by injection affect the normal operation of ECS.
Configure security groups
- Control access to one or more ECS instances. Security group rules can allow or deny inbound or outbound traffic for ECS instances associated with security groups.
- If security groups are not planned properly or do not contain strict enough rules, the associated ECS instances are at a much greater risk of attack.
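Rules that are not strict enough can be found mechanically. The following is an added example, not Alibaba Cloud's own code: it audits a constructed rule list, shaped like the Permissions.Permission entries of the ECS DescribeSecurityGroupAttribute response (field names are assumed from that API), for inbound allow rules that expose management or database ports to 0.0.0.0/0. The port list is an illustrative choice, and rule priority and Drop rules are not evaluated.

```python
import ipaddress

# Constructed sample rules; the field names are assumed to match the
# Permissions.Permission entries returned by DescribeSecurityGroupAttribute.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
]

# Illustrative choice of ports that should not be open to every address.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis"}

def port_span(rule):
    """Return (low, high) for a rule; -1/-1 or protocol ALL means every port."""
    low, high = (int(p) for p in rule["PortRange"].split("/"))
    if rule["IpProtocol"].upper() == "ALL" or low == -1:
        return 1, 65535
    return low, high

def is_public(cidr):
    """True when the source is a /0 network, that is, any address."""
    return bool(cidr) and ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit(rules):
    """List (service, port, source) for inbound allow rules exposing sensitive ports."""
    findings = []
    for rule in rules:
        if rule["Direction"] != "ingress" or rule["Policy"].lower() != "accept":
            continue
        source = rule.get("SourceCidrIp", "")
        if rule["IpProtocol"].upper() not in ("TCP", "ALL") or not is_public(source):
            continue
        low, high = port_span(rule)
        for port, name in sorted(SENSITIVE_PORTS.items()):
            if low <= port <= high:
                findings.append((name, port, source))
    return findings

if __name__ == "__main__":
    for name, port, source in audit(SAMPLE_RULES):
        print(f"{name} ({port}/tcp) reachable from {source}")
```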
To add a rule to the security group to which the ECS instance is bound, perform the following operations:
Enable Anti-DDoS Basic
Distributed denial of service (DDoS) attacks use client or server technologies to combine multiple computers into an attack platform and attack one or more targets simultaneously so that the impact of the denial-of-service (DoS) attack is multiplied.
Alibaba Cloud Security can defend against Layer 3 to Layer 7 DDoS attacks, including SYN Flood, UDP Flood, ACK Flood, ICMP Flood, DNS Flood, and HTTP Flood attacks. Anti-DDoS Basic provides up to 5 Gbit/s default DDoS protection free of charge. By default, Anti-DDoS Basic is enabled for ECS. Anti-DDoS eliminates the need to purchase expensive traffic scrubbing devices, while allowing you to maintain the access speed during DDoS attacks. With Anti-DDoS, your bandwidth is guaranteed regardless of other affected users, ensuring the availability and stability of your business. After an ECS instance is created, you can set the scrubbing thresholds. For more information, see Configure a cleaning threshold.
Alibaba Cloud has also launched the Security Credibility program, which provides improved DDoS protection based on a security credit score. Users that meet the criteria can obtain free protection against DDoS attacks up to 100 Gbit/s. In the Anti-DDoS Basic console, you can check your current security credibility score and details, as well as scoring criteria. For more information, see Security Credibility.
Access Security Center
Security Center is a unified security management system that recognizes, analyzes, and warns of security threats in real time. With security capabilities such as ransomware protection, anti-virus protection, web tamper protection, and compliance assessments, users can automate security operations, responses, and threat tracing to secure cloud and local servers and meet regulatory compliance requirements.
The Basic edition of Security Center is available by default. The Basic edition only scans for the following risks: unusual logons to servers, vulnerabilities, and configuration risks in cloud services. To use advanced features such as vulnerability fixing and virus detection and removal, you must log on to the Security Center console.
Access Web Application Firewall
Web Application Firewall (WAF) is implemented based on the big data capabilities of Apsara Stack Security. This module protects web applications against common attacks reported by OWASP, such as SQL injections, XSS, vulnerability exploits in web server plugins, trojan attacks, and unauthorized access. WAF blocks malicious visits to prevent data from being compromised and to ensure the security and availability of your websites.
- WAF can handle various web application attacks to ensure web security and availability of a website without installing any software or hardware or modifying website configuration and code. In addition to powerful web protection capabilities, WAF can customize protection for specific websites. WAF is used to protect web applications in fields such as finance, e-commerce, O2O, Internet Plus, gaming, governments, and insurance.
- Without WAF, you may be vulnerable to web intrusions such as data leaks, HTTP floods, and trojans.
For more information about how to access WAF, see Deploy WAF.
Alibaba Cloud provides multiple security services to safeguard ECS instances. You can choose appropriate methods as needed to enhance systems and data protection, prevent intrusion into ECS instances, and ensure stability and reliability.