This topic describes how to configure security alerts in the Security Center console to set approved logon locations, customize scan targets, manage advanced logon settings, and add defense rules to protect your assets against brute-force attacks.

Background information

  • Security Center Advanced and Enterprise support advanced logon settings and security alerts. You can configure more fine-grained logon detection rules. For example, you can specify valid logon IP addresses, logon time, and logon accounts to block unauthorized requests sent to your assets.
  • Security Center allows you to create defense rules to protect your assets against brute-force attacks. You can configure more fine-grained defense rules to protect your assets.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Detection > Alerts.
  3. Click Settings in the upper-right corner.
    Select the target tab and set the following parameters:
    • Add an approved logon location
      1. On the right side of Login Location, click Add.
      2. Select the logon location that you want to approve, and select the servers that are allowed to be logged on to from the approved location.
      3. Click OK.

      Security Center allows you to edit and delete approved logon locations.

      • Find the target logon location, and click Edit on the right side to change the servers that are allowed to be logged on to from this location.
      • Find the target logon location, and click Delete on the right side to delete the logon location.
    • Configure advanced logon settings
      Note: After you configure advanced logon settings, alerts are triggered if your assets receive requests from unapproved locations. You can specify the IP addresses, accounts, and time periods that are allowed to log on to your assets. After the advanced logon settings are configured, Security Center sends you alerts if your assets receive unauthorized logon requests. The procedure for configuring advanced logon settings is similar to that for configuring approved logon locations. You can follow the preceding procedure to add, edit, and delete advanced logon settings.
      • On the right side of Valid Login IPs, turn on or turn off logon IP address detection. Alerts are triggered if your assets receive requests from unauthorized IP addresses.
      • On the right side of Valid Login Time, turn on or turn off logon time detection. Alerts are triggered if your assets receive requests at unauthorized times.
      • On the right side of Valid Login Accounts, turn on or turn off logon account detection. Alerts are triggered if your assets receive requests from unauthorized accounts.
    • Add a defense rule against brute-force attacks

      Security Center allows you to create defense rules to protect your assets against brute-force attacks.

      1. Place the pointer over Add on the right side of Anti-brute Force Cracking, and click Authorize now.
        Note: If this is the first time that you create a defense rule against brute-force attacks, you must log on to Resource Access Management (RAM) and authorize Security Center to access your cloud resources. If you have already created defense rules, skip steps 1 and 2 and proceed to step 3 to add a defense rule.
      2. Click Confirm Authorization Policy.

        After Security Center is authorized, you can add defense rules.

      3. Navigate to the Settings > Anti-brute Force Cracking tab, and click Add on the right side of Anti-brute Force Cracking.
      4. On the Add page that appears, set the following parameters:
        | Parameter | Description |
        | --- | --- |
        | Defense Rule Name | Specify a name for the defense rule. |
        | Defense Rule | Set the defense rule parameters. If the number of times that an IP address fails to log on to the specified servers exceeds the upper limit (2, 3, 4, 5, or 10 times) within the specified time period (1, 2, 5, 10, or 15 minutes), the IP address is blocked for a specified time period (5, 15, or 30 minutes, or 1, 2, 6, or 12 hours). For example, if the number of logon failures exceeds 3 times within 1 minute, the IP address is blocked for 30 minutes. |
        | Select Server | Select the servers where you want to apply the defense rule. You can directly select servers that are added to Security Center, or search servers by name or IP address. |
        | Set As Default Policy | Specify the defense rule as the default rule. |
      5. Click OK.
        Note: You can apply only one defense rule to each server.
        • If the server already has a defense rule applied, read and confirm the information in the Confirm Changes message that appears, and click OK.
        • If the server does not have any defense rule applied, the current defense rule is applied.
        You can view defense rules that you have created and the servers where the rules are applied on the Settings page.
        Note:
        • If a server already has a defense rule applied, the newly applied defense rule overrides the previous defense rule. The number of servers that have the previous defense rule applied changes accordingly.
        • Security Center allows you to edit and delete defense rules that you have created.
        • You can change the defense rule applied to a specific asset on the Assets page. For more information, see Manage individual assets.
    • Add a scan target

      Security Center automatically scans directories of your servers and runs dynamic and static scan tasks. You can also manually add directories to servers.

      1. On the right side of Add Scan Targets, click Add.
      2. Specify a valid directory, and select the servers on which the specified directory is scanned.
        Note: To ensure performance and efficiency, do not specify a root directory.
      3. Click OK.

Related topics

How can I detect unusual logons and receive alerts in the Security Center console?