How do I enable protection against brute-force attacks?

The following procedure shows how to enable protection against brute-force attacks. For more information, see Add a defense rule against brute-force attacks.
  1. On the Security Risk page, click Process Now on the right side to go to the Settings > Anti-brute Force Cracking tab.
  2. On the Anti-brute Force Cracking tab, place the pointer over the dimmed Add button. A message appears indicating that authorization is required. Follow the instructions to complete the authorization.
  3. After the authorization is complete, click Add to add a defense rule.
  4. Set the parameters as described below.
     Defense Rule Name: Specify a name for the defense rule.
     Defense Rule: Set the defense rule parameters. If the number of times that an IP address fails to log on to the specified servers exceeds the upper limit (2, 3, 4, 5, or 10 times) within the specified time period (1, 2, 5, 10, or 15 minutes), the IP address is blocked for a specified time period (5, 15, or 30 minutes, or 1, 2, 6, or 12 hours).

     For example, if the number of logon failures exceeds 3 times within 1 minute, the IP address is blocked for 30 minutes.

     Select Server: Select the servers where you want to apply the defense rule. You can directly select servers that are added to Security Center, or search for servers by name or IP address.
     Set As Default Policy: Specify the defense rule as the default rule.
  5. Click OK.
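The following is an added example written for this FAQ, not Security Center's own implementation, that replays the rule semantics described above: a sliding-window count of failed logons per source IP that, once the count exceeds the limit within the window, blocks that IP for the block duration (including attempts with a correct password). It uses the FAQ's own example values (more than 3 failures within 1 minute, 30-minute block), assumes the counter is kept per source IP across the servers the rule covers, and runs over constructed log lines; one of those lines uses a non-default SSH port to show that the count depends on attempt frequency, not on the port.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule values taken from the FAQ's example: more than 3 failures within
# 1 minute blocks the source IP for 30 minutes.
MAX_FAILURES = 3
WINDOW = timedelta(minutes=1)
BLOCK_DURATION = timedelta(minutes=30)

# Constructed sample records (not real logs): time, source IP, server, port, result.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 srv-a 22 FAIL
2024-05-01T10:00:05 198.51.100.9 srv-a 22 FAIL
2024-05-01T10:00:10 203.0.113.7 srv-a 22 FAIL
2024-05-01T10:00:20 203.0.113.7 srv-b 2222 FAIL
2024-05-01T10:00:30 203.0.113.7 srv-a 22 FAIL
2024-05-01T10:00:50 198.51.100.9 srv-a 22 FAIL
2024-05-01T10:02:00 198.51.100.9 srv-a 22 FAIL
2024-05-01T10:05:00 203.0.113.7 srv-a 22 OK
2024-05-01T10:31:00 203.0.113.7 srv-a 22 FAIL
"""


class BruteForceRule:
    """Sliding-window failure counter with a temporary per-IP block (assumed model)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, block_for=BLOCK_DURATION):
        self.max_failures = max_failures
        self.window = window
        self.block_for = block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime when the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def observe(self, ts, ip, success):
        """Apply the rule to one logon record and return the verdict for it."""
        if self.is_blocked(ip, ts):
            return "blocked"  # a correct password is still rejected while blocked
        if success:
            return "allowed"
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # drop failures that fell out of the window
        if len(recent) > self.max_failures:
            self.blocked_until[ip] = ts + self.block_for
            recent.clear()
            return "newly_blocked"
        return "allowed"


def parse_line(line):
    """Parse one constructed record into (timestamp, ip, server, port, success)."""
    ts, ip, server, port, result = line.split()
    return datetime.fromisoformat(ts), ip, server, int(port), result == "OK"


def run_rule(log_text, rule=None):
    """Replay the records in timestamp order; return (verdicts, rule)."""
    rule = rule or BruteForceRule()
    records = sorted(parse_line(line) for line in log_text.splitlines() if line.strip())
    verdicts = [(ip, server, rule.observe(ts, ip, success))
                for ts, ip, server, _port, success in records]
    return verdicts, rule


if __name__ == "__main__":
    for ip, server, verdict in run_rule(SAMPLE_LOG)[0]:
        print(f"{ip:14} {server:6} {verdict}")
```

In the replay, 203.0.113.7 is blocked on its fourth failure within the minute (the failure against srv-b on port 2222 counts like any other), its later successful logon at 10:05 is rejected because the 30-minute block is still active, and its attempt at 10:31 is evaluated afresh once the block has expired. 198.51.100.9 is never blocked because its failures are spread beyond the 1-minute window.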

How do I handle a successful brute-force attack?

If the password of your server is cracked by a brute-force attack, the attacker may have already logged on to your server and uploaded malicious processes. We recommend that you perform the following operations to enhance server security:
  • Change the server password

    Change the cracked password as soon as possible. We recommend that you use a complex password.

  • Run baseline checks to detect risks
    Use the baseline check feature of Security Center to detect risks on your servers, and handle the detected risks based on the suggestions.
    Note Baseline check is only supported by the Enterprise Edition.
  • Reset your server, and enhance server security

    For more information about how to enhance server security, see Secure ECS deployment.

Why do I still receive brute-force attack alerts after I change the default port of the SSH service?

After you change the default port of the SSH service on a Linux server from 22 to another port, you may still receive brute-force attack alerts from Security Center.

Security Center identifies brute-force attacks based on the frequency of SSH logon attempts rather than the SSH port. Therefore, even if you have changed the default port of the SSH service, Security Center still sends you alerts triggered by brute-force attacks on the SSH service.

If your server has been cracked by brute-force attacks, we recommend that you reinforce protection for your server. For more information, see How do I handle a successful brute-force attack?

Why are RDP brute-force attacks detected after RDP requests on port 3389 have already been blocked by security group rules or firewall rules?

Due to the logon audit mechanism in Windows operating systems, logons based on IPC, RDP, and Samba are recorded in the same log without the logon method being specified. If records of RDP brute-force attacks are found after requests to the RDP service port have been blocked, check whether IPC or Samba is enabled.

Check whether port 135, port 139, or port 445 is open on the ECS instance and whether these ports can be reached from public IP addresses. Check whether the Windows security logs contain logon records within the attack time period.

Does Security Center detect weak passwords of RDP and SSH services only?

Security Center detects weak passwords of RDP and SSH services and weak passwords that are used by administrators to log on to content management systems (CMS).

How do I handle an SSH or RDP remote logon failure?

If the current IP address cannot remotely log on to a cloud server through SSH or RDP, log on to the Alibaba Cloud Security Control console to add this IP address to the whitelist.

To add a logon IP address to the whitelist, take the following steps:
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Settings. On the General tab, find the Security Control section, and then click Configuration to go to the Security Control console.
    Note Alternatively, place the pointer over the avatar in the upper-right corner of the Alibaba Cloud console, and select Security Console to go to the Alibaba Cloud Security Control console.
  3. In the Alibaba Cloud Security Control console, choose Whitelist > Access Whitelist in the left-side navigation pane, and then click Add.
  4. Enter the IP address in the Source IP field, and select the servers to which logons from the IP address are allowed. Select one or more servers from the box on the left, and click the right arrow to add the selected servers to the Selected box on the right.
  5. Click OK after you complete the configurations.