An Elastic Compute Service (ECS) instance serves as a virtual machine. Typically, on-premises virtual machines are protected against attacks and intrusions. ECS instances also need security protection. You must implement effective security measures in conjunction with the inherent protection of Alibaba Cloud.

Prerequisites

An Alibaba Cloud account is created. To create an Alibaba Cloud account, go to the Sign up to Alibaba Cloud page.

Background information

Lack of security protection for ECS instances may cause adverse effects. For example:
  • DDoS attacks interrupt your business.
  • Trojans tamper with or attack your web pages.
  • Data leaks caused by injection attacks disrupt the normal operation of ECS instances.
You can use the following methods to improve the security of your ECS instances:

Configure security groups

Security groups act as virtual firewalls that provide Stateful Packet Inspection (SPI), also known as dynamic packet filtering. Security groups can serve the following purposes:
  • Control access to one or more ECS instances. Security group rules can allow or deny access to or from the Internet or the internal network for ECS instances that are associated with the security groups.
  • Note that if security groups are not properly configured or do not contain strict rules, the instances associated with them are exposed to a great risk of attack.

To add rules to the security group to which the ECS instance belongs, perform the following operations:

  1. Log on to the ECS console.
  2. In the left-side navigation pane, choose Network & Security > Security Groups.
  3. In the top navigation bar, select a region.
  4. Find the security group to which you want to add rules and click Add Rules in the Actions column.
  5. Select the Inbound tab.
    In this example, a security group that resides in a virtual private cloud (VPC) is used. If the security group resides in the classic network, click the Internet Ingress tab.
  6. Click Add Rule.
  7. Configure the parameters for the security group rules.
    For example, to allow a specific IP address to access the ECS instance, configure an inbound rule for Internet traffic. Assume that the instance runs a Linux operating system and you want to allow only a specific IP address to access the instance over port 22.
    1. Add a public inbound security group rule.
      Configure the following parameters:
      • Set Action to Allow.
      • Use the default value 1 for Priority.
      • Set Protocol Type to Custom TCP.
      • Set Port Range to SSH (22).
      • Set Authorization Object to the CIDR block that you want to allow to access the ECS instance. The CIDR block is in the x.x.x.x/xx (IP address/subnet mask) format. In this example, the CIDR block is 10.x.x.x/32.
    2. Click Save.
    3. Repeat the preceding steps to add another public inbound security group rule.
      Configure the following parameters:
      • Set Action to Forbid.
      • Set Priority to 2.
      • Set Protocol Type to Custom TCP.
      • Set Port Range to SSH (22).
      • Set Authorization Object to 0.0.0.0/0.
After you create the rules, the rules provide the following effects:
  • The allow rule that has a priority of 1 takes precedence for traffic from 10.x.x.x to port 22.
  • The deny rule that has a priority of 2 takes precedence for traffic from other IP addresses to port 22.
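The two rules above only produce the described effect because of how priorities are evaluated. The following Python script is an added example, not part of the original document or an Alibaba Cloud tool: it models a security group as a list of rules, evaluates them in priority order, and checks the two SSH rules against sample packets. The trusted source 10.0.0.5/32 is a constructed placeholder for the page's 10.x.x.x/32, the default verdict of deny when no rule matches is assumed (the default for inbound traffic in a VPC security group), and the tie-break of deny over allow at equal priority is Alibaba Cloud's documented behaviour rather than something stated on this page.

```python
"""Priority-based evaluation of security group rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny" (the console shows Allow / Forbid)
    priority: int               # 1..100; a smaller number is evaluated first
    protocol: str               # "tcp", "udp", "icmp" or "all"
    port_range: tuple           # inclusive (low, high); ignored for icmp/all
    source_cidr: str            # Authorization Object, e.g. "0.0.0.0/0"

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        """True if this rule applies to the given inbound packet."""
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol in ("tcp", "udp"):
            low, high = self.port_range
            if not low <= port <= high:
                return False
        return ip_address(src_ip) in ip_network(self.source_cidr, strict=False)


def evaluate(rules, protocol: str, port: int, src_ip: str, default: str = "deny") -> str:
    """Return the verdict for one inbound packet.

    Rules are checked from the lowest priority number upwards; at equal
    priority a deny rule is checked before an allow rule (documented Alibaba
    Cloud behaviour). The first matching rule decides; otherwise the group's
    default applies (assumed here to be deny, as for inbound traffic in a VPC).
    """
    ordered = sorted(rules, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    for rule in ordered:
        if rule.matches(protocol, port, src_ip):
            return rule.action
    return default


# Constructed rule set mirroring the two inbound rules described above.
# 10.0.0.5/32 stands in for the page's placeholder 10.x.x.x/32.
SSH_RULES = [
    Rule("allow", 1, "tcp", (22, 22), "10.0.0.5/32"),   # priority 1: trusted host
    Rule("deny", 2, "tcp", (22, 22), "0.0.0.0/0"),      # priority 2: everyone else
]


if __name__ == "__main__":
    samples = [("10.0.0.5", 22), ("203.0.113.7", 22), ("10.0.0.5", 80)]
    for src, port in samples:
        print(f"tcp/{port} from {src}: {evaluate(SSH_RULES, 'tcp', port, src)}")
```

Swapping the two priorities (deny at 1, allow at 2) makes the deny rule match first for every source, including the trusted host, so the order of the priority values, not the order in which the rules were added, is what the check above verifies.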

Enable Anti-DDoS Basic

Distributed denial of service (DDoS) attacks use client and server technologies to combine multiple computers into an attack platform and attack one or more targets simultaneously so that the impact of the denial-of-service (DoS) attack is multiplied.

Alibaba Cloud Security Center can defend against Layer 3 to Layer 7 DDoS attacks, including SYN flood, UDP flood, ACK flood, ICMP flood, DNS flood, and HTTP flood attacks. Anti-DDoS Basic Origin provides up to 5 Gbit/s default DDoS protection free of charge. By default, Anti-DDoS Basic Origin is enabled on ECS instances. Anti-DDoS Basic Origin allows you to maintain normal access speeds in case of DDoS attacks without the need to purchase expensive traffic scrubbing devices. Anti-DDoS Basic Origin helps ensure the expected bandwidth, availability, and stability of your business regardless of the usage of other users. After an ECS instance is created, you can set the scrubbing thresholds. For more information, see Configure a traffic scrubbing threshold.

To further improve security, Alibaba Cloud has launched the Security Credibility program, which provides increased DDoS protection based on a security credit score. If you meet the scoring criteria set by the program, you can obtain a free DDoS mitigation capacity of up to 100 Gbit/s. You can go to the Anti-DDoS Origin console to check your security credibility score, security credibility details, and scoring criteria. For more information, see Security Credibility.

Access Security Center

Security Center is a unified security management system that recognizes, analyzes, and warns of security threats in real time. With security capabilities such as ransomware protection, anti-virus protection, web tamper protection, and compliance assessments, users can automate security operations, responses, and threat tracing to secure cloud and local servers and meet regulatory compliance requirements.

The Security Center agent is a security plug-in installed on your local servers. You must install this agent on your servers before you can enable Security Center features. For more information about how to install the Security Center agent, see Install the Security Center agent.
Note: When you purchase an ECS instance, you can select the Security Enhancement check box to automatically install the agent and activate Security Center Basic edition.

The Basic edition of Security Center is available by default. The Basic edition only scans for the following risks: unusual logons to servers, vulnerabilities, and configuration risks in cloud services. To use advanced features such as vulnerability fixing and virus detection and removal, you must log on to the Security Center console.

Access Web Application Firewall

Web Application Firewall (WAF) depends on the big data capabilities of Alibaba Cloud Security Center to protect web applications against common attacks reported by the Open Web Application Security Project (OWASP) and HTTP flood attacks. The attacks include SQL injections, cross-site scripting (XSS) attacks, webshells, trojans, and unauthorized access. WAF blocks malicious visits to prevent data leaks and ensure the security and availability of your websites.

WAF has the following benefits:
  • WAF can handle various web application attacks to ensure the security and availability of a website without requiring you to install software or hardware or to modify website configuration and code. In addition to its web protection capabilities, WAF can apply customized protection to specific websites. WAF is used to protect web applications in fields such as finance, e-commerce, O2O, Internet Plus, gaming, government, and insurance.
  • Without WAF, you may be vulnerable to web intrusions such as data leaks, HTTP floods, and trojans.

For more information about how to access WAF, see Deploy WAF.

Alibaba Cloud provides multiple security services to safeguard ECS instances. You can choose appropriate methods to enhance systems and data protection, prevent intrusion into ECS instances, and ensure stability and reliability.