Which intrusions can Security Center detect? How does Security Center detect these intrusions?

Security Center detects half of the intrusions by scanning your servers. The other half of the intrusions are detected by Alibaba Cloud security engineers through user traffic analysis and verification.

Common intrusions include webshells and bot activities, such as DDoS and brute-force attacks.

Does Security Center detect weak passwords of RDP and SSH services only?

Security Center detects weak passwords of RDP and SSH services and the weak passwords that are used to log on to the administrator back-end of content management systems (CMS).

How do I handle a remote logon failure based on SSH or RDP?

If you cannot remotely log on to a cloud server through SSH or RDP from your current IP address, go to the Alibaba Cloud Security Control console and whitelist this IP address.

To whitelist a logon IP address, take the following steps:
  1. Log on to the Alibaba Cloud Security Control console.
    Note: In the Alibaba Cloud console, move the pointer to the account icon in the upper-right corner, and choose Security Console to go to the Alibaba Cloud Security Control console.
  2. Choose Whitelist > Access Whitelist. On the page that is displayed, click Add.
  3. In the Source IP area, enter the IP address to be whitelisted. Then select the servers that allow logons from this IP address: select one or more servers in the box on the left, and click the right arrow between the boxes to move them to the Selected box on the right.
  4. Click OK.

Why do I still receive brute-force attack alerts after I change the default port of the SSH service?

After you change the default port of the SSH service on a Linux server from 22 to another port, you may still receive brute-force attack alerts from Security Center.

Security Center detects brute-force attacks based on the frequency of SSH logon attempts rather than the SSH port. Therefore, even if you have changed the default port of the SSH service, Security Center still sends you alerts on brute-force attacks on the SSH service.

We recommend that you enhance server security in case a brute-force attack has succeeded. For more information, see "How do I handle a successful brute-force attack?" below.

Why are RDP brute-force attacks detected after the RDP requests on port 3389 have already been blocked by security group rules or firewall rules?

Because of the way Windows audits logons, logon audit records for IPC, RDP, and Samba (SMB) are written to the same security log without specifying which logon service was used. If RDP brute-force attack records are still found after requests to the RDP service port have been blocked, check whether IPC or Samba is enabled.

Check whether the server is listening on port 135, port 139, or port 445 and whether these ports can be reached from public IP addresses. Then check whether the Windows security logs contain logon records within the attack time period.
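The following PowerShell snippet is an added example, not part of the Security Center documentation, that performs these two checks on the server itself: it lists listeners on ports 135, 139 and 445, and summarizes failed logons (Security event ID 4625) in an assumed 24-hour attack window by source IP address and logon type. Whether those ports are reachable from the Internet still has to be confirmed in the security group or firewall rules.

```powershell
# Added example; assumes the attack window is the last 24 hours.
# Adjust $start/$end to the time range given in the Security Center alert.
$start = (Get-Date).AddHours(-24)
$end   = Get-Date

# 1. Is the server listening on the RPC / NetBIOS / SMB ports used by IPC and Samba?
Write-Host "Listeners on 135/139/445:"
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 135, 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 2. Failed logons in the window. Event 4625 does not name the service, but its
#    LogonType field helps: 3 = network logon (SMB/IPC), 10 = RemoteInteractive (RDP).
Write-Host "Failed logons (4625) between $start and $end, grouped by source IP and logon type:"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data.TargetUserName
            LogonType = $data.LogonType
            SourceIP  = $data.IpAddress
            Process   = $data.LogonProcessName
        }
    } |
    Group-Object SourceIP, LogonType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session; reading the Security log requires administrator rights.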

How do I handle a successful brute-force attack?

If the password of your server has been cracked by a brute-force attack, the attacker may have logged on to your server and planted malicious programs. We recommend that you perform the following operations to enhance server security:
  • Change the server password.

    Change the cracked password as soon as possible. We recommend that you use a complex password.

  • Use the baseline check feature of Security Center to detect risks.

    Use the baseline check feature of Security Center to detect risks on your servers, and handle the risks based on the suggestions.

    Note: Baseline check is available only in Security Center Enterprise Edition.
  • Reset your server, and enhance the server security.

    For more information about how to enhance the server security, see Secure ECS deployment.