This topic describes how to configure security alerts in the Security Center console. Security Center supports advanced logon settings and alerting. You can set common logon locations, add web directories, and create defense rules against brute-force attacks.

Background information

  • Security Center Basic Anti-virus, Advanced, and Enterprise editions support advanced logon settings and alerting. For example, you can set common logon IP addresses, common logon time, and common logon accounts. This enables fine-grained logon detection.
  • Security Center allows you to create defense rules to protect your assets against brute-force attacks. This prevents unauthorized access requests and enables fine-grained asset protection.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. Click Settings in the upper-right corner.
  4. On the Settings page, perform the following steps based on your needs:
    • Manage common logon locations

      Perform the following steps to add a common logon location:

      1. In the Login Location section, click Management on the right.
      2. Select the logon location that you want to add, and select the servers that are allowed to be logged on to from the location.

        All regions around the globe are available. Select a region based on your needs.

      3. Click Ok.

      Security Center allows you to edit or delete common logon locations.

      • To edit a common logon location, find the specific logon location, and click Edit on the right. You can change the servers that are allowed to be logged on to from this location.
      • To delete a common logon location, find the specific logon location, and click Delete on the right.
    • Configure common logon IP addresses, common logon time, and common logon accounts
      Note Security Center allows you to configure common logon IP addresses, common logon time, and common logon accounts. After you configure the logon settings, Security Center generates alerts on unauthorized access requests. The procedures for configuring common logon IP addresses, common logon time, and common logon accounts are similar to those for configuring common logon locations. To add, edit, or delete common logon settings, refer to the steps described in Manage common logon locations.
      • In the Common Login IPs section, turn on or turn off the Uncommon IP Alert switch. If you turn on the Uncommon IP Alert switch, Security Center generates alerts on access requests from unauthorized IP addresses. You can view alerts on the Alerts page.
      • In the Common Login Time section, turn on or turn off the Uncommon Time Alert switch. If you turn on the Uncommon Time Alert switch, Security Center generates alerts on access requests during unusual hours. You can view alerts on the Alerts page.
      • In the Common Login Accounts section, turn on or turn off the Uncommon Account Alert switch. If you turn on the Uncommon Account Alert switch, Security Center generates alerts on access requests from unauthorized accounts. You can view alerts on the Alerts page.
    • Configure defense rules against brute-force attacks

      Security Center allows you to configure defense rules to protect your assets against brute-force attacks.

      1. Optional. Perform the following steps to authorize Security Center.
        Note If you configure a defense rule against brute-force attacks for the first time, you must authorize Security Center. If you have added a defense rule before, skip this step.
        1. In the Anti-brute Force Cracking section, move the pointer over Management, and click Authorize now.
        2. Click Confirm Authorization Policy.

        After you authorize Security Center, choose Settings > Anti-brute Force Cracking. Then, you can add a defense rule against brute-force attacks.

      2. In the Anti-brute Force Cracking section, click Management on the right.
      3. On the Add page, configure a defense rule.

        Security Center provides the default defense rule Alibaba Cloud best practices against brute-force attacks. The default rule defines that if the number of failed logon attempts exceeds 80 within 10 minutes, the IP address is blocked for six hours. You can use the default rule and select servers to which the default rule applies. You can also configure a custom defense rule. The following table describes the parameters.

        Parameter: Defense Rule Name
        Description: The name of the defense rule.

        Parameter: Defense Rule
        Description: Specifies the defense rule conditions, including the maximum number of failed logon attempts from a specific IP address and the time period during which requests from the IP address are blocked.
          • Maximum number of failed logon attempts: 2, 3, 4, 5, 10, 50, 80, or 100.
          • Time period during which failed logon attempts are counted: 1, 2, 5, 10, or 15 minutes.
          • Time period for blocking the IP address: 5 minutes, 15 minutes, 30 minutes, 1 hour, 2 hours, 6 hours, 12 hours, 24 hours, or 7 days. If you select Permanent, Security Center does not block the IP address.

        For example, you can configure a custom rule that has the following conditions: If the number of failed logon attempts exceeds three within one minute, the specific IP address is blocked for 30 minutes.

        Parameter: Select Server(s)
        Description: The servers to which the defense rule applies. You can select servers from the server list, or filter servers by server name or server IP address.

        Parameter: Set As Default Policy
        Description: Specifies whether to set the defense rule as the default rule. By default, servers that have no defense rule attached use the default defense rule.
        Note If you select Set As Default Policy, the defense rule takes effect on all the servers that have no defense rule attached, regardless of whether you select the servers in the Select Server(s) section.
      4. Click Ok.
        Note You can configure only one defense rule for each server.
        • If a server has an existing defense rule, the Confirm Changes dialog box appears. Click OK.
        • If a server has no defense rule, the configuration of the current defense rule succeeds.
        On the Settings page, you can view defense rules that you have created and the number of servers to which each rule applies.
        Note
        • If a server has an existing defense rule, the new defense rule overwrites the existing one. In this case, the number of servers to which the original rule applies decreases.
        • You can edit or delete defense rules that you have created.
        • On the Assets page, you can modify the defense rule for each server. For more information, see View the details of an asset.
      5. On the IP Policy Library page, view the IP blocking rules that Security Center automatically generates.

        After you configure a defense rule by choosing Settings > Anti-brute Force Cracking, Security Center automatically generates an IP blocking rule. The following steps describe how to view IP blocking rules.

        1. On the Alerts page, click a number under IP blocking / All.

          If you click the number under IP blocking, the IP Policy Library page appears. You can view the enabled system rules. If you click the number under All, the IP Policy Library page appears. You can view all system rules, including the enabled and disabled system rules.

        2. On the System Rules tab of the IP Policy Library page, view the IP blocking rules that Security Center automatically generates.

          For more information, see Configure IP blocking policy.

    • Add Scan Targets

      Security Center automatically scans directories of your servers and runs dynamic and static scan tasks. You can also manually add directories of servers for security scan.

      1. In the Add Scan Targets section, click Management on the right.
      2. Enter a common web directory and select the servers. The directory is added as a scan target on the selected servers.
        Note To ensure performance and efficiency, you cannot specify a root directory.
      3. Click Ok.
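The following script is an added illustration, not Alibaba Cloud or Security Center code, of how the two alerting mechanisms described above behave: the common logon IP, time and account baselines with their three alert switches, and a defense rule that blocks an IP address once failed logons exceed a threshold within a counting window (the custom example from the table: more than three failures within one minute blocks the address for 30 minutes). The event line format, the class and function names (LogonBaseline, DefenseRule, BruteForceGuard, analyze), the sample events and the choice to evaluate the uncommon-logon alerts only on successful logons are all assumptions made for the example.

```python
"""Added illustration of Security Center's common-logon alerts and
anti-brute-force defense rules; not Alibaba Cloud code. Event format,
names and the sample data are assumptions."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LogonBaseline:
    """Common logon IPs / time / accounts plus the three alert switches."""
    common_ips: set
    common_hours: tuple          # (start_hour, end_hour), end exclusive
    common_accounts: set
    uncommon_ip_alert: bool = True
    uncommon_time_alert: bool = True
    uncommon_account_alert: bool = True

    def alerts(self, ip, ts, account):
        """Return the names of the alerts a successful logon would raise."""
        found = []
        if self.uncommon_ip_alert and ip not in self.common_ips:
            found.append("uncommon_ip")
        start, end = self.common_hours
        if self.uncommon_time_alert and not (start <= ts.hour < end):
            found.append("uncommon_time")
        if self.uncommon_account_alert and account not in self.common_accounts:
            found.append("uncommon_account")
        return found


@dataclass
class DefenseRule:
    """Console parameters: failures exceeding max_failures within window => block."""
    name: str
    max_failures: int        # console offers 2, 3, 4, 5, 10, 50, 80 or 100
    window: timedelta        # console offers 1, 2, 5, 10 or 15 minutes
    block_for: timedelta     # 5 minutes up to 7 days in the console


class BruteForceGuard:
    """Sliding-window failure counter with per-IP block expiry."""

    def __init__(self, rule):
        self.rule = rule
        self.failures = {}       # ip -> deque of failure timestamps inside the window
        self.blocked_until = {}  # ip -> datetime at which the block lapses

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, now):
        """Count a failed logon; return True when it pushes ip over the threshold."""
        q = self.failures.setdefault(ip, deque())
        q.append(now)
        while q and now - q[0] > self.rule.window:   # drop failures outside the window
            q.popleft()
        if len(q) > self.rule.max_failures:           # "exceeds" => strictly more than
            self.blocked_until[ip] = now + self.rule.block_for
            q.clear()
            return True
        return False


def parse_event(line):
    """Assumed line format: '<ISO timestamp> ip=<addr> user=<name> result=<success|fail>'."""
    ts_text, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts_text), fields["ip"], fields["user"], fields["result"]


def analyze(lines, baseline, guard):
    """Return (timestamp, ip, tags) per event: alert names for successful logons,
    'block_triggered' when the rule fires, 'blocked' while a block is active."""
    out = []
    for line in lines:
        ts, ip, user, result = parse_event(line)
        tags = []
        if guard.is_blocked(ip, ts):
            tags.append("blocked")
        else:
            if result == "fail" and guard.record_failure(ip, ts):
                tags.append("block_triggered")
            if result == "success":
                tags.extend(baseline.alerts(ip, ts, user))
        out.append((ts.isoformat(), ip, tags))
    return out


SAMPLE_LOG = [  # constructed sample events, not real data
    "2024-05-01T02:13:05 ip=203.0.113.9 user=root result=success",
    "2024-05-01T02:14:00 ip=203.0.113.9 user=root result=fail",
    "2024-05-01T02:14:10 ip=203.0.113.9 user=root result=fail",
    "2024-05-01T02:14:20 ip=203.0.113.9 user=root result=fail",
    "2024-05-01T02:14:30 ip=203.0.113.9 user=root result=fail",   # 4th failure in 1 minute
    "2024-05-01T02:15:00 ip=203.0.113.9 user=root result=fail",   # inside the 30-minute block
    "2024-05-01T02:50:00 ip=203.0.113.9 user=root result=fail",   # block has lapsed
    "2024-05-01T09:05:00 ip=198.51.100.10 user=admin result=success",
]


def run_demo():
    baseline = LogonBaseline({"198.51.100.10"}, (8, 18), {"admin"})
    rule = DefenseRule("custom", 3, timedelta(minutes=1), timedelta(minutes=30))
    return analyze(SAMPLE_LOG, baseline, BruteForceGuard(rule))


if __name__ == "__main__":
    for ts, ip, tags in run_demo():
        print(ts, ip, tags or "-")
```

The first sample event raises all three uncommon-logon alerts (unknown IP, outside 08:00 to 18:00, account not in the common list), the fourth failure within one minute triggers the block, the attempt at 02:15 is rejected while the block is active, and by 02:50 the 30-minute block has expired, so counting starts again from one. A default rule of 80 failures in 10 minutes with a six-hour block is just a different DefenseRule instance.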

References

Principles used by Security Center to detect unusual logons and generate alerts