If you have followed instructions in Install the Security Center agent and successfully installed the Security Center agent on your server, but the security status of the server is still Unprotected, then the agent goes doffline. This article describes how to resolve this issue.
Background information
Procedure
- Log on to your server and check whether the Security Center agent processes (AliYunDun and AliYunDunUpdate) are running.
If the Security Center agent processes are not running, we recommend that you restart your server or reinstall the Security Center agent. For more information, see Install the Security Center agent.
- Windows
Open the Task Manager and check whether the following processes are running.
- Linux
Run the
top
command to check whether the following processes are running.
- Windows
- If you have installed the Security Center agent on a server for the first time and
the security status of the server is Unprotected after installation, you can restart the Security Center agent using the following
methods:
- Linux: Run the following command:
killall AliYunDun && killall AliYunDunUpdate && /usr/local/aegis/aegis_client/aegis_10_xx/AliYunDun
.Note You must replacexx
with the largest number in the directory. - Windows: Restart the two services displayed in the following screenshot by right-clicking
and selecting Restart.
- Linux: Run the following command:
- Check whether the network connection on your server is normal.
- Servers with public IP addresses (for example, servers connected to classic networks,
EIPs, or external hosts)
- Windows: Run the following command:
ping jsrv.aegis.aliyun.com -l 1000
- Linux: Run the following command:
ping jsrv.aegis.aliyun.com -s 1000
- Windows: Run the following command:
- Servers without public IP addresses (for example, servers connected to the Financial
Cloud, or VPCs)
- Windows: Run the following command:
ping jsrv3.aegis.aliyun.com -l 1000
- Linux: Run the following command:
ping jsrv3.aegis.aliyun.com -s 1000
- Windows: Run the following command:
- Servers with public IP addresses (for example, servers connected to classic networks,
EIPs, or external hosts)
- If the ping command does not work, try the following methods:
- Make sure that the DNS service is running on your server. If the DNS service is not running, restart your server or check whether a DNS error has occurred.
- Check whether firewall ACL rules or Alibaba Cloud security group rules have been configured
on your server. If firewall rules or security group rules have been configured, make
sure that the IP address of the Security Center server is added to the whitelist (both
in the inbound and outbound directions).
Note Allow the following network segments to access your server on port 80. For the last network segment, both port 80 and 443 must be enabled.
- 140.205.140.0/24 80
- 106.11.68.0/24 80
- 110.173.196.0/24 80
- 106.11.68.0/24 80
- 100.100.25.0/24 80 443
- Check whether the public network bandwidth on your server is zero. If the public network
bandwidth on your server is zero, try the following methods:
- Add the following name resolution rules to the hosts file on your server:
- Domestic classic websites:
100.100.110.61 jsrv.aegis.aliyun.com
,100.100.45.131 jsrv.aegis.aliyun.com
,100.100.110.62 update.aegis.aliyun.com
and100.100.45.29 update.aegis.aliyun.com
- International classic websites:
100.100.103.52 jsrv.aegis.aliyun.com
,100.100.30.54 jsrv.aegis.aliyun.com
,100.100.30.55 update.aegis.aliyun.com
and100.100.103.54 update.aegis.aliyun.com
- Domestic classic websites:
- After changing the hosts file, run the following command:
ping jsrv.aegis.aliyun.com
.Note If100.100.25.3
is not returned, restart your server or check whether a DNS error has occurred. - If the ping command does not return expected results, change the values of
t_srv_domain
andh_srv_domain
in thenetwork_config
file under the Security Center agent installation directory (conf) to100.100.25.3
and100.100.25.4
respectively. After making the changes, restart the Security Center agent.Note You must create a copy of thenetwork_config
file before making the changes.This method only applies when the public network bandwidth on the server is zero and the Security Center agent is offline.
- Add the following name resolution rules to the hosts file on your server:
- If the ping command returns the correct IP address, run the following telnet command
to verify connectivity:
telnet 140.205.140.205 80
. If no connectivity is found, check firewall restrictions.
- Check whether high CPU or memory usage (maintained at 95% or higher for a long period) has occurred. High CPU or memory usage may prevent the Security Center agent from running properly.
- Check whether third-party security products (such as Fortinet FortiGate) have been
installed on your server. Some third-party security software may prevent the Security
Center agent from accessing the network.
If security software is installed on your servers, we recommend that you temporarily disable or uninstall the software before reinstalling the Security Center agent.