When you create an ECS instance, use new, unique logon credentials, such as an SSH key pair. Avoid using any preset logon credentials in a custom image.
Security risks
When you create a new ECS instance from a custom image, the new instance inherits any preset logon passwords or SSH keys from that image. Public images do not contain default passwords. These credentials, often set by image creators for convenience during development or testing, pose significant security risks:
Uncontrolled credential exposure: Custom images come from various sources, and their built-in default passwords or keys may have been distributed to multiple users or even accidentally published in public code repositories or technical forums. Attackers continuously scan cloud platforms for these known, public credentials. A successful login gives them full control of your server.
Bypassed security measures: If an attacker obtains the preset credentials, they can bypass all other security protections and log on directly to the system.
Best practices
When you create a custom image, do not include preset passwords or SSH keys.
Delete the passwords for all users (
passwd -d <username>).Ensure that the
/root/.ssh/authorized_keysfile and the corresponding files for other users are empty.Clear the bash history (
history -c && history -w).
When you create an instance from a custom image, avoid using the image's preset password.
This action reconfigures the logon credentials (password or key pair) only for the root or ecs-user. It does not clear the logon credentials of other users. To clear them, follow the steps in Remediation.
Linux instances
When you create an instance from a custom image, use a key pair instead of the image's preset password.
Console
When you create an instance from a custom image or shared image, avoid selecting Use Predefined Password. Instead, use a Key Pair.
In the Management Settings section, for Logon Credentials, select Key Pair. The Login Name defaults to root. Select an existing key pair from the Key Pair drop-down list, or click Create Key Pair to create a new one.
API
When you call the RunInstances or CreateInstance operation, set the
PasswordInheritparameter tofalse.Windows instances
When you create an instance from a custom image or shared image, avoid selecting Use Predefined Password. Set a strong custom password. Key pairs are not supported.
In the Logon Credentials section, select the Custom Password tab. The logon name is
administrator. The password must be 8 to 30 characters long and contain uppercase letters, lowercase letters, and numbers. It can also contain the following special characters:()~!@#$%^&*-_+=|{}[];'<>,.?/. Do not use common, publicly known passwords such asP@ssw0rd.
Compliance
Check for non-compliant instances
Log on to a Linux instance using Workbench to perform the following checks.
Check for suspicious user accounts: View the
/etc/passwdfile to identify any unknown users that you did not create or that are not default system users.cat /etc/passwdCheck SSH authorized public keys: Check the
authorized_keysfiles in critical system locations to see which public keys are configured for password-free logon.# Check the authorized public keys for the root user. cat /root/.ssh/authorized_keys # Check the authorized public keys for another user, such as 'admin'. cat /home/admin/.ssh/authorized_keysCarefully review the public keys in the files to ensure they correspond to the private keys that you use. Immediately remove any suspicious or unrecognized public keys.
Block: Prevent using preset passwords
At the organization or account level, use a RAM policy to proactively block the creation of instances that use an image's preset password.
For enterprise users:
Log on to the Resource Directory console using your Alibaba Cloud account. In the left-side navigation pane, click Control Policies. Then, create a custom permission policy with the following JSON content.
This policy denies the permission to inherit the default password from an image when you create an instance or replace a system disk.
{ "Version": "1", "Statement": [ { "Action": [ "ecs:RunInstances", "ecs:CreateInstance", "ecs:ReplaceSystemDisk" ], "Resource": "*", "Condition": { "Bool": { "ecs:PasswordInherit": [ "true" ] } }, "Effect": "Deny" } ] }In Resource Directory, attach the policy to the appropriate node. The policy is then enforced on all accounts under that node.
For non-enterprise users:
Log on to the RAM console using your Alibaba Cloud account. In the left-side navigation pane, click Permission Policy, and create a custom policy with the same content as in the preceding section.
Grant permissions by attaching policies to RAM users, RAM user groups, or RAM roles.
Remediation: Fix instances with preset passwords
Set new logon credentials
Linux instances: Bind a new key pair
Go to the ECS console - Instances page, select a region and resource group, and then click the target instance ID to open its details page.
Click , select an existing key pair, and then click OK. The new key pair takes effect after you restart the instance.
Windows instances: Reset the password
Go to the ECS console - Instances page, select a region and resource group, and then click the target instance ID to go to its details page.
Click , set a strong password as prompted, and then click OK.
Remove original preset credentials (Linux)
Log on to the ECS instance with your new credentials. Use the new key pair or password that you just configured.
Delete old public keys: Carefully inspect all
authorized_keysfiles and clear any old public keys.# Edit the authorized_keys file for the root user and delete all unwanted public keys. vi /root/.ssh/authorized_keys # Perform the same operation for all other users. vi /home/<username>/.ssh/authorized_keysDisable password authentication: After confirming that you can successfully log on using the key pair, modify the SSH configuration to disable password authentication. This ensures that only key pair authentication is allowed.
# 1. Edit the SSH configuration file. sudo vi /etc/ssh/sshd_config # 2. Find and modify the following lines. PasswordAuthentication no PubkeyAuthentication yes # 3. Restart the SSH service for the changes to take effect. sudo systemctl restart sshd
Clean up unnecessary system users and files
Check the
/etc/passwdand/etc/shadowfiles to remove any unnecessary user accounts left over from the image creation process. Also, delete any temporary files or scripts that might contain sensitive information, such as old passwords or keys.