The Security Center agent is a local plug-in provided by Security Center. Before you use Security Center to protect your server, you must install the Security Center agent on your server. This topic describes how to install the Security Center agent.

Background information

Your server is protected by Security Center and the information about the server is displayed in the Security Center console only after your server has the Security Center agent installed. The information includes vulnerabilities, alerts, baseline risks, and asset fingerprints.

After you install the Security Center agent, the installation path of the agent varies based on the operating system:

  • Windows: C:\Program Files (x86)\Alibaba\Aegis
  • Linux: /usr/local/aegis

View the servers where the Security Center agent is not installed

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Overview.
  3. In the Unprotected assets (ECS) section on the Overview tab, you can view the number of unprotected servers that do not have the Security Center agent installed.
    Note You must install the Security Center agent on each server that requires protection from Security Center.
    Install the Security Center agent
  4. Click Install now to go to the Settings page. Click the Agent tab and then the Client to be installed tab. On the tab that appears, you can view the total number and list of servers that do not have the Security Center agent installed.
    Client to be installed
    Note You can also check whether your server has the Security Center agent installed on the Server(s) tab of the Assets page. The following list describes the status of the Security Center agent:
    • If the status of the Agent is Enable, the Security Center agent is installed and running as expected.
    • If the status of the Agent is Close, the Security Center agent is disconnected from Alibaba Cloud or not installed.
  5. Click the Client Installation Guide tab to choose automatic installation, or download the installation package and run commands to install the Security Center agent.
    Client Installation Guide

    You can use the following installation methods:

    • Automatic installation

      In the Automatically Install section, click Go to install the client now to go to the Client to be installed tab where you can install the Security Center agent.

      Automatic installation does not require you to download the installation package of the Security Center agent. For more information, see Initiate automatic installation on ECS instances.

    • Manual installation

      The Client Installation Guide tab displays the servers that do not support automatic installation. You must manually install the Security Center agent on these servers. For more information, see Manually install the Security Center agent.

      Manual installation

      Manual installation is suitable for Elastic Compute Service (ECS) instances and servers that are not deployed on Alibaba Cloud.

Initiate automatic installation on ECS instances

Before you initiate automatic installation, make sure that your server meets the following requirements:
  • Your server must be an ECS instance. You must manually install the Security Center agent on servers that are not deployed on Alibaba Cloud.
  • The ECS instance must be deployed in a region that supports automatic installation. For more information, see Regions that support automatic installation.
  • Your server is running.
  • The network of your server is working as expected.
  • Cloud Assistant is installed on your server. For more information, see Cloud Assistant.
  • If third-party security software such as SafeDog or Yunsuo is installed on your server, you may fail to install the Security Center agent. Before you install the Security Center agent, we recommend that you check whether such software is installed on your server. If third-party security software is installed on your server, we recommend that you disable or uninstall the software before you install the agent.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click the Agent tab.
  4. On the Agent > Client to be installed tab, find the required server and click Install the client in the Actions column. You can also select multiple servers and click One-click installation in the lower-left corner.
    Install the agent
    Approximately 5 minutes after the agent is installed, you can view the status of the Security Center agent on the Assets page. The status in the Agent column changes from Close to Enable.
    Note If the status in the Agent column is Failed and a message appears indicating that Cloud Assistant is not installed, install Cloud Assistant before you install the Security Center agent. For more information about how to install Cloud Assistant, see Cloud Assistant.

Manually install the Security Center agent

In the following scenarios, you must manually install the Security Center agent:
  • Your server is not deployed on Alibaba Cloud.
  • Your server is deployed in the classic network.
  • Your ECS instance is deployed in a region that does not support automatic installation. For more information, see Regions that support automatic installation.
  • Your server runs one of the following operating systems: Windows Server 2019, Windows Server 2016, Windows Server 2012, Windows Server 2008, or Windows Server 2003.
  • Cloud Assistant is not installed on your server. For more information, see Cloud Assistant.
  • If your server is not deployed on Alibaba Cloud and is deployed in an on-premises network by using Express Connect circuits, you must add the Domain Name System (DNS) records of Security Center to the host file on your server. You must add the DNS records to allow automatic installation.

    Perform the following steps to add the DNS records of Security Center:

    1. Find the host file in your server based on the operating system that your server runs:
      • Linux: /etc/hosts
      • Windows: C:\windows\system32\drivers\etc\hosts
    2. Add the following DNS records to the host file.
      • 106.11.248.209 jsrv.aegis.aliyun.com
      • 106.11.248.90 update.aegis.aliyun.com
Note
  • Do not install the Security Center agent on the servers that do not require protection from Security Center. The servers include on-premises debugging servers and your PC.
  • Before you manually install the Security Center agent, make sure that the server is running and the network is working as expected.
  • We recommend that you do not run the installation command in a subdirectory of the /usr/local/aegis/ directory. If you run the installation command in a subdirectory of the /usr/local/aegis/ directory, the directory is cleared. We recommend that you run the installation command in the root directory of the server.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings.
  3. On the Settings page, click the Agent tab.
  4. Click the Client Installation Guide tab.
  5. Scroll down on the Client Installation Guide tab and download the latest Security Center agent based on the operating system that your server runs.
    Manual installation
    • Windows

      1. In the Windows OS section, select Alibaba Cloud Server or Non-Alibaba Server based on your server type.
      2. Set the Key Validity Period parameter.
        Note You can customize this parameter to specify the validity period of the command that is used to install the agent. By default, the validity period of the command is 1 hour. You must install the Security Center agent within the validity period.
      3. Select an installation method based on your business requirements. You can use one of the following installation methods:
        • Run a command
          1. Click Copy next to Applicable to Windows 2008 and later.
          2. Log on to your Windows server as an administrator.
          3. Open Command Prompt in Windows and run the command that you copied. This allows you to download and install the Security Center agent.
        • Download the Security Center agent when you select Alibaba Cloud Server
          1. Click Download Agent.
          2. Upload the installation package to your Windows server. You can use an FTP tool to upload the package.
          3. Run the installer of the Security Center agent on your Windows server as an administrator.
        • Download the Security Center agent when you select Non-Alibaba Server
          1. Click Download Agent.
          2. Click Copy next to Step 2: run the following command in the directory where the client is located.
          3. Upload the installation package to your Windows server. You can use an FTP tool to upload the package.
          4. Run the installer of the Security Center agent on your Windows server as an administrator.
          5. Run the command that you copied in the directory where the Security Center agent resides.

            This command is used to associate the servers that are not deployed on Alibaba Cloud with your Alibaba Cloud account.

        Notice If you install the Security Center agent on servers that run Windows Server 2008 or later, we recommend that you run a command. If you install the Security Center agent on servers that run Windows Server 2003, we recommend that you download the Security Center agent.
    • Linux

      1. On the Agent tab, select Alibaba Cloud Server or Non-Alibaba Server based on your server type.
      2. Set the Key Validity Period parameter.
        Note You can customize this parameter to specify the validity period of the command that is used to install the agent. By default, the validity period of the command is 1 hour. You must install the Security Center agent within the validity period.
      3. Log on to your Linux server as an administrator.
      4. Copy the installation command for 32-bit Linux or 64-bit Linux to your server based on the operating system that your server runs.
      5. Run the installation command on your server to download and install the Security Center agent.
      Notice After you run the installation command, the latest Security Center agent is downloaded from Alibaba Cloud. If you use a server that is not deployed on Alibaba Cloud, make sure that the server is connected to the Internet before you run the installation command.
    Approximately 5 minutes after the installation is complete, you can view the status of the agent on the Assets page.
    • The status in the Agent column changes from Close to Enable.
    • Servers that are not deployed on Alibaba Cloud are added to the server list on the Assets page.
      Notice Due to network latency, servers that are not deployed on Alibaba Cloud and have the Security Center agent installed may not be immediately displayed on the Assets page. In this case, you must click Synchronize Asset on the Server(s) tab of the Assets page to update the relevant information.

Install the Security Center agent on the servers that are not deployed on Alibaba Cloud

For a Windows server that is not deployed on Alibaba Cloud, you can download the installer to install the Security Center agent. For a Linux server that is not deployed on Alibaba Cloud, you can run the installation command to install the Security Center agent. For more information, see Manually install the Security Center agent.

If you have installed the Security Center agent on a server that is not deployed on Alibaba Cloud in the following ways, delete the directory of the Security Center agent. Then, follow the manual installation instructions to reinstall the Security Center agent.
  • Use an image to install the Security Center agent on multiple servers at a time.
  • If the Security Center agent has been installed on a server, you can copy the installation package from this server.

What to do next

We recommend that you perform the following steps to check whether the Security Center agent is installed.

  1. Check whether the AliYunDun and AliYunDunUpdate processes of the Security Center agent are running as expected on your server. For more information about the processes of the Security Center agent, see Security Center agent.
  2. Run the following telnet commands to check whether your server can connect to the Security Center server.
    Note Make sure that your server can connect to at least one of the following JSRV domain names and one of the following update domain names. JSRV domain names are used to issue instructions such as vulnerability detection and virus detection. Update domain names are used to download and update the Security Center agent.
    • telnet jsrv.aegis.aliyun.com 443/80
    • telnet jsrv2.aegis.aliyun.com 443/80
    • telnet jsrv3.aegis.aliyun.com 443/80
    • telnet update.aegis.aliyun.com 443/80
    • telnet update2.aegis.aliyun.com 443/80
    • telnet update3.aegis.aliyun.com 443/80

For more information about installation failures, see Identify why the agent is offline.

Regions that support automatic installation

District Region
Asia Pacific China (Hangzhou)
China (Shanghai)
China East 2 Finance
China (Qingdao)
China (Beijing)
China (Zhangjiakou)
China (Hohhot)
China (Shenzhen)
China (Hong Kong)
Singapore (Singapore)
Australia (Sydney)
Malaysia (Kuala Lumpur)
Indonesia (Jakarta)
Japan (Tokyo)
Europe & Americas Germany (Frankfurt)
UK (London)
US (Silicon Valley)
US (Virginia)
Middle East & India India (Mumbai)
UAE (Dubai)

References

Install the Security Center agent on multiple ECS instances at a time

Install the Security Center agent on servers not deployed on Alibaba Cloud