To improve instance security, we recommend using key pair authentication, strong password authentication, or password-free Workbench connections, and implementing a regular credential rotation policy.
Security risks
Many users set simple passwords, such as 123456 or admin@123, because they are easy to remember. This exposes their systems to the following security risks:
-
Brute-force attacks: Attackers use automated tools, such as Hydra and John the Ripper, to rapidly try common password combinations and crack weak passwords quickly.
-
Data breaches: After cracking a password, an attacker can steal sensitive data, such as personal or financial information, or commit fraud by impersonating the user.
-
Lateral movement: Attackers can compromise a low-privilege account, such as a regular employee's email, by using a weak password. They can then move laterally within the internal network to gain administrator permissions or control of critical systems.
-
Credential stuffing: If a user reuses the same weak password across multiple platforms, a data breach on one platform allows attackers to use the leaked credentials to compromise their accounts on other services.
Best practices
Linux instances
We recommend key pair authentication, which is more secure than password authentication.
Console
When you create an instance on the instance buy page, set Logon Credential to Key Pair, and then select an existing Key Pair.
If you do not have a key pair, click Create Key Pair and then select the new key pair.
We recommend setting Logon Credential to Key Pair (Recommended) instead of Password. For Logon Name, select ecs-user.
API
When you call the RunInstances or CreateInstance API operation to create an instance, specify the KeyPairName parameter. If this parameter is specified, the Password parameter is ignored.
If you do not have a key pair, you can call the CreateKeyPair API operation to create one.
Windows instances
We recommend using strong password authentication. Key pair authentication is not supported for Windows instances.
When you create an instance on the instance buy page, set Logon Credential to Password. Then, follow the prompts to set a strong Logon Password:
-
Create a strong password that meets the following requirements:
-
Be at least 8 characters long.
-
Contain at least three of the following character types: uppercase letters (A–Z), lowercase letters (a–z), digits (0–9), and special characters (~, !, @, $, %, ^, &, *, -, _, =, +, #, /, ?).
-
Not be the username or the username written in reverse.
-
-
Do not use common or publicly known weak passwords. Examples of weak passwords include:
-
Commonly known weak passwords, such as
abcd1234,admin,root, oradmin@123. -
Sequential characters or keyboard patterns, such as
123456,abcdef,123abc,qwerty, or1qaz2wsx. -
Common phrases, such as
5201314orwoaini1314. -
Personal information, such as a company name, birthday, name, ID number, phone number, email address, user ID, or year.
-
-
We recommend changing your password every 90 days.
Compliance features
Check: Linux instances without key pair authentication
ECS Insight
-
Go to ECS Insight.
-
On the Security tab, click Use of Key Pairs (Linux Only) to view Linux instances that do not use key pair authentication.
Security Center
-
Go to the Security Center console.
-
In the left-side navigation pane, select . On the Cloud Asset Configuration Risks tab, find the Use SSH key pairs to log on check item and click Scan in the Operation column.
A status of Failed indicates that there are Linux instances that do not use key pair authentication. You can click Details to view them.
Block: Prohibit password authentication for Linux instances
Use a Resource Access Management (RAM) policy at the organization or account level to proactively block actions that set passwords for Linux instances.
-
For enterprise users:
-
Log on to the Resource Directory console with your Alibaba Cloud account. In the left-side navigation pane, click Control Policies, and then create a custom control policy. Paste the following JSON content.
This policy denies the use of password authentication when you create an instance, attach or replace a system disk, modify instance attributes, or reset a password.
{ "Version": "1", "Statement": [ { "Action": [ "ecs:RunInstances", "ecs:CreateInstance", "ecs:ReplaceSystemDisk" ], "Resource": "*", "Condition": { "Bool": { "ecs:PasswordCustomized": [ "true" ] }, "StringEquals": { "ecs:ImagePlatform": "linux" } }, "Effect": "Deny" }, { "Action": [ "ecs:ModifyInstanceAttribute", "ecs:InvokeCommand", "ecs:AttachDisk" ], "Resource": "*", "Condition": { "Bool": { "ecs:PasswordCustomized": [ "true" ] } }, "Effect": "Deny" } ] } -
In Resource Directory, attach the control policy to the appropriate node. The policy blocks these actions for accounts under that node.
-
-
For non-enterprise users:
-
Log on to the RAM console with your Alibaba Cloud account. In the left-side navigation pane, click Permission Policy. Create a custom permission policy with the same JSON content as provided above.
-
Grant permissions to a RAM user, RAM user group, or RAM role by attaching the custom permission policy.
-
Remediate: Switch instances to key pair logon
If you find existing Linux instances that use password authentication, switch them to key pair authentication.
-
Bind key pair: Bind an existing key pair, or create a new key pair and bind it.
After attaching the key pair, verify that you can log on to the instance with it.
-
Disable password logon: Log on to the instance and run the following script to modify the SSH service configuration file.
#!/bin/bash # Back up the original configuration file. cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak_$(date +%F) # Disable password authentication: Change the PasswordAuthentication parameter to no. sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config # Restart the SSH service for the changes to take effect. # The command can be sshd or ssh, depending on the operating system. systemctl restart sshd || service sshd restart -
Verify the result: Restart the instance. Verify that password-based logon fails and that key pair logon succeeds.