
Elastic Compute Service:Basic security services

Last Updated: Jan 13, 2025

Alibaba Cloud ECS offers basic security services that include unusual logon detection and vulnerability scanning. You can monitor the security status of your ECS instances in real time via the ECS console or Security Center.

Background information

Alibaba Cloud Security Center provides complimentary basic security services for ECS instances, such as vulnerability scanning, basic alert notifications, unusual logon detection, AccessKey leakage detection, and compliance checks. You can access related security information on the Overview page of the ECS console or within the Security Center console. For more information, see What is Security Center.


Billing overview

The billing details for basic security services are as follows:

Use the Security Center agent

The Security Center agent is a lightweight security control installed on ECS instances. Without the agent, ECS instances are not protected by Security Center, and the ECS console will not display their security data, such as vulnerabilities, alerts, baseline vulnerabilities, and asset fingerprints. For the agent's installation path, see Supported operating systems for the client.

The following operations can be performed on the agent:

  • Automatically install the Security Center agent when creating an ECS instance

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Instances & Images > Instances.

    3. In the top navigation bar, select a region.

    4. Create an ECS instance. In the Image section, select Free Security Hardening. The system will automatically install the agent on the new ECS instance. For more information, see the referenced document.

    Note

    The agent can also be installed automatically on new ECS instances by setting the SecurityEnhancementStrategy parameter to Active when you call the RunInstances API operation.

  • Manually install the Security Center agent on an existing ECS instance

    For more information, see install the client.

  • Uninstall the agent

    For detailed instructions, see uninstall the client.

View security status and fix security issues

Follow these steps to view the security status of ECS instances and address security issues.

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the instance list page, locate the destination instance and click the icon in the Monitoring column to navigate to the Security Center console and view the cloud security report.

  5. Navigate to the Security Center console to remediate the identified vulnerabilities and security alert events. For specific methods, see Fix vulnerabilities and View and handle security alerts.

Common scenarios of security issues

For common vulnerability and security alert event scenarios, see vulnerability classification and scenarios and security alert event scenarios.

Vulnerability classification and scenarios

Vulnerability level | Description | Common scenarios | Countermeasures | Remediation methods

Critical vulnerabilities

These vulnerabilities pose a direct threat to system security, such as unpatched system vulnerabilities, SQL injection, or weak passwords. It is recommended that you pay close attention and fix them as soon as possible.

Unpatched system vulnerabilities:

  Common scenarios:

  • High-risk CVE vulnerabilities in operating systems such as Linux or Windows.

  • Remote code execution vulnerabilities (RCE) that have not been patched in time.

  Countermeasures:

  • Regularly check and install security patches for operating systems and software.

  • Use the vulnerability scanning feature of Security Center to promptly fix high-risk vulnerabilities.

  Remediation methods:

  • For Linux systems: Run yum update (or, on Debian-based systems, apt-get update followed by apt-get upgrade) to install updates.

  • For Windows systems: Install the latest patches through Windows Update.

Web application vulnerabilities:

  Common scenarios:

  • SQL injection vulnerabilities (can directly obtain database permissions).

  • Remote command execution vulnerabilities (such as Struts2 vulnerabilities).

  Countermeasures:

  • Strictly validate and filter user input.

  • Use Web Application Firewall (WAF) to protect against common attacks.

  Remediation methods:

  • Fix security vulnerabilities in the code (such as using parameterized queries to prevent SQL injection).

  • Update web frameworks and components to the latest version.

Service configuration vulnerabilities:

  Common scenarios:

  • Services like Redis or MySQL without passwords or exposed to the public network.

  • Unauthorized access vulnerabilities in Docker.

  Countermeasures:

  • Prohibit exposing high-risk services such as Redis or MySQL to the public network.

  • Set strong passwords and restrict access IPs.

  Remediation methods:

  • Modify configuration files to bind to internal network IPs or set access whitelists.

  • Enable authentication features (such as Redis's requirepass).

Malware:

  Common scenarios:

  • Malicious files such as mining trojans or backdoor programs.

  Countermeasures:

  • Regularly scan the system to detect and remove malicious files.

  • Use the malicious file detection feature of Security Center.

  Remediation methods:

  • Delete malicious files and fix related vulnerabilities.

  • Reset passwords for affected services.

Weak password risks:

  Common scenarios:

  • Services such as SSH, RDP, or FTP using weak or default passwords.

  Countermeasures:

  • Use strong password policies (including uppercase and lowercase letters, numbers, and special characters).

  • Enable multi-factor authentication (MFA).

  Remediation methods:

  • Change weak passwords to strong passwords.

  • Disable default accounts or change default passwords.

Medium vulnerabilities

These vulnerabilities may cause some harm to the system, such as XSS, file upload vulnerabilities, or unusual logons. It is recommended that you fix them promptly.

Unpatched software vulnerabilities:

  Common scenarios:

  • Medium-risk vulnerabilities in middleware such as Apache, Nginx, or Tomcat.

  • Privilege escalation vulnerabilities in databases such as MySQL or PostgreSQL.

  Countermeasures:

  • Regularly update middleware to the latest version.

  • Disable unnecessary functional modules.

  Remediation methods:

  • Download and install official patches.

  • Modify configuration files to disable high-risk features.

Web application vulnerabilities:

  Common scenarios:

  • Cross-site scripting attacks (XSS).

  • File upload vulnerabilities (may lead to malicious file uploads).

  Countermeasures:

  • Strictly filter and encode user input and output.

  • Restrict file upload types and sizes.

  Remediation methods:

  • Fix XSS vulnerabilities in the code (such as HTML encoding of output content).

  • Enhance file upload type checks and virus scans.

Configuration risks:

  Common scenarios:

  • Web services not using HTTPS.

  • High-risk ports (such as 22 or 3389) not restricted by IP access.

  Countermeasures:

  • Enable HTTPS for encrypted communication.

  • Close unnecessary ports.

  Remediation methods:

  • Configure SSL certificates and enable HTTPS.

  • Modify security group rules to restrict IP access to high-risk ports.

Unusual logons:

  Common scenarios:

  • Detected brute-force attacks (such as multiple failed logon attempts).

  Countermeasures:

  • Enable logon failure lockout mechanisms.

  • Restrict logon IP ranges.

  Remediation methods:

  • Configure the Fail2Ban tool for SSH to prevent brute-force attacks.

  • Modify security group rules to restrict IP access for services such as SSH or RDP.

Data breach risks:

  Common scenarios:

  • Configuration files (such as .env) containing sensitive information.

  Countermeasures:

  • Avoid storing sensitive information in plaintext in configuration files.

  • Use encryption to store sensitive data.

  Remediation methods:

  • Remove sensitive information from configuration files.

  • Use environment variables or Key Management Service (KMS) to store sensitive data.

Low vulnerabilities

These vulnerabilities have a minor impact on the system, but if left unaddressed, they may increase risks, such as configuration or compliance risks. You can delay fixing them.

Unpatched low-risk vulnerabilities:

  Common scenarios:

  • Low-risk vulnerabilities in operating systems or software (such as information disclosure vulnerabilities).

  Countermeasures:

  • Regularly scan the system to fix low-risk vulnerabilities.

  Remediation methods:

  • Install official patches or updates.

Configuration risks:

  Common scenarios:

  • Log audit function not enabled.

  • SSL certificates not updated in time.

  Countermeasures:

  • Enable log audit functions and regularly check logs.

  • Update SSL certificates in a timely manner.

  Remediation methods:

  • Configure log audit tools (such as Logrotate).

  • Update SSL certificates and configure automatic renewal.

Compliance risks:

  Common scenarios:

  • Multi-factor authentication (MFA) not enabled.

  • Non-compliance with requirements such as Level Protection 2.0 or GDPR.

  Countermeasures:

  • Enable multi-factor authentication (MFA).

  • Adjust system configurations according to compliance requirements.

  Remediation methods:

  • Enable MFA in the cloud console.

  • Refer to Level Protection 2.0 or GDPR requirements to improve security configurations.

Other risks:

  Common scenarios:

  • Unused services or ports not closed.

  Countermeasures:

  • Close unused services and ports.

  Remediation methods:

  • Use systemctl disable to close unused services.

  • Modify security group rules to close unused ports.
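Several rows above come down to the same check: no high-risk service (SSH, RDP, MySQL, Redis) should accept connections from the whole Internet. The following Python audit is an added example, not Alibaba Cloud's code; it reads rule dictionaries shaped like the Permissions list returned by ECS DescribeSecurityGroupAttribute (the field names are assumed from that response format) and the sample rules are constructed.

```python
"""Audit ECS security group rules for high-risk ports open to the public network.
Added example, not Alibaba Cloud's code. Input dictionaries are shaped like the Permissions
list of the ECS DescribeSecurityGroupAttribute response; the field names used here
(Direction, Policy, IpProtocol, PortRange, SourceCidrIp) are assumed from that format."""
import ipaddress

# Services the table says must not be reachable from the Internet without IP restrictions.
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis"}


def parse_port_range(port_range):
    """Turn an ECS PortRange such as '22/22' or '3000/4000' into (low, high); '-1/-1' means all ports."""
    low, high = (int(p) for p in port_range.split("/"))
    return (0, 65535) if (low, high) == (-1, -1) else (low, high)


def find_exposed_ports(permissions):
    """Return sorted (port, service, source) for accepting ingress rules that open a high-risk port to anyone."""
    findings = set()
    for rule in permissions:
        if rule.get("Direction", "ingress") != "ingress" or rule.get("Policy", "Accept") != "Accept":
            continue  # egress rules and explicit Drop rules expose nothing
        if rule.get("IpProtocol", "").upper() not in ("TCP", "ALL"):
            continue  # the listed services are TCP
        source = rule.get("SourceCidrIp")
        if not source or ipaddress.ip_network(source, strict=False).prefixlen != 0:
            continue  # a source allowlist is in place; the concern here is 0.0.0.0/0-style exposure
        low, high = parse_port_range(rule.get("PortRange", "-1/-1"))
        for port, service in HIGH_RISK_PORTS.items():
            if low <= port <= high:
                findings.add((port, service, source))
    return sorted(findings)


# Constructed sample: only the first and last rules expose a high-risk port to anyone.
SAMPLE_PERMISSIONS = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "203.0.113.0/24"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "6379/6379", "SourceCidrIp": "10.0.0.0/8"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3000/4000", "SourceCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for port, service, source in find_exposed_ports(SAMPLE_PERMISSIONS):
        print(f"{service} (port {port}) accepts connections from {source}; restrict the source to an allowlist")
```

Note that the wide range 3000/4000 is caught because it covers both 3306 and 3389, which a check on exact port numbers alone would miss.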

Security alert event scenarios

For more security alert types, see the list of security alert types and security alert check items.

Alert type | Description | Common scenarios

Unusual logons

Detected unusual logon behavior.

  • Unusual logon: Logon from an unfamiliar IP address.

  • Brute-force attack: Multiple failed logon attempts.

  • Logon during unusual time periods: Logon outside of normal working hours.

Malicious files

Malicious programs or files detected.

  • Mining trojans: For example, XMRig.

  • Backdoor programs: Such as WebShell.

  • Viruses or worms: Signs of malware propagation.

Network attacks

Network attacks targeting ECS instances detected.

  • DDoS attacks: Such as SYN Flood or UDP Flood.

  • Port scanning: Scanning of ECS instance ports.

  • Brute-force attack: Attacks on services like FTP or MySQL.

Data breaches

Sensitive information leaks or unauthorized access detected.

  • Sensitive information leaks: Leaks of databases or configuration files.

  • Unauthorized Access: Occurs when unauthorized users gain access to sensitive resources.

Configuration risks

Security risks due to improper system or service configurations detected.

  • High-risk port exposure: Ports such as 22 or 3389 exposed to the public network.

  • HTTPS not enabled: Web services not using HTTPS encryption.

Compliance risks

Behavior not adhering to security compliance requirements detected.

  • MFA not enabled: Multi-factor authentication not enabled.

  • Log audit not enabled: Log audit function not enabled.

Other alerts

Other potential security threats or abnormal behavior detected.

  • Unusual processes: Unknown or malicious programs running.

  • File tampering: Tampering with system critical files detected.
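The three unusual-logon scenarios in the table (unfamiliar IP, repeated failures, logon outside working hours) can be checked against sshd logs. The Python detector below is an added example, not Security Center's own logic; its failure threshold, working-hours window and known-IP allowlist are assumptions made for the constructed sample lines.

```python
"""Flag the "Unusual logons" scenarios in OpenSSH log lines: brute force, logon from an
unfamiliar IP, and logon outside working hours. Added example, not Security Center's logic;
threshold, working-hours window and known-IP allowlist are assumptions for the sample data."""
import re
from collections import Counter

# Matches sshd authentication results such as
# "Jan 13 02:14:07 web01 sshd[1201]: Failed password for root from 198.51.100.7 port 50122 ssh2"
LOG_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<hour>\d\d):\d\d:\d\d \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
FAILURE_THRESHOLD = 5      # failed logons from one IP that count as a brute-force attack (assumption)
WORK_HOURS = range(8, 19)  # 08:00-18:59 treated as normal working hours (assumption)


def detect_unusual_logons(lines, known_ips):
    """Return sorted (alert_type, ip, detail) tuples for the given sshd log lines."""
    failures = Counter()
    alerts = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an authentication result (disconnects, session opens, ...)
        if m["result"] == "Failed":
            failures[m["ip"]] += 1
            continue
        # A successful logon: check where it came from and when.
        if m["ip"] not in known_ips:
            alerts.add(("unusual_logon", m["ip"], f"logon by {m['user']} from unfamiliar IP"))
        hour = int(m["hour"])
        if hour not in WORK_HOURS:
            alerts.add(("unusual_time", m["ip"], f"logon by {m['user']} at {hour:02d}:00 hours"))
    for ip, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.add(("brute_force", ip, f"{count} failed logon attempts"))
    return sorted(alerts)


KNOWN_IPS = {"10.0.3.15"}  # constructed allowlist of bastion/office addresses
SAMPLE_LOG = [  # constructed: a password-guessing run that succeeds at 02:15, then routine activity
    f"Jan 13 02:14:{s:02d} web01 sshd[1201]: Failed password for root from 198.51.100.7 port 50122 ssh2"
    for s in range(5)
] + [
    "Jan 13 02:15:03 web01 sshd[1201]: Accepted password for root from 198.51.100.7 port 50122 ssh2",
    "Jan 13 09:30:11 web01 sshd[1290]: Accepted publickey for deploy from 10.0.3.15 port 41022 ssh2",
    "Jan 13 09:31:00 web01 sshd[1290]: Disconnected from user deploy 10.0.3.15 port 41022",
    "Jan 13 11:02:40 web01 sshd[1333]: Failed password for invalid user admin from 203.0.113.9 port 6001 ssh2",
]
```

Calling detect_unusual_logons(SAMPLE_LOG, KNOWN_IPS) raises all three alert types for 198.51.100.7 and nothing for the routine deploy logon or the single failed attempt from 203.0.113.9.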

Set alert notifications

Basic security services enable you to configure alert notifications for security alert items. Notifications can be sent via internal message. To set alert notifications, follow these steps:

  1. Log on to the ECS console.

  2. On the Overview page, click Security Score in the area of pending tasks, and then click Handle Now to proceed to the Security Center console.

  3. In the left-side navigation pane, select System Configuration > Notification Settings.

  4. In the Security Alerts section, select the alert level and configure the notification method and timing. For more information about alert levels, see the classification of security alert risk levels.

    Note

    If you have upgraded to the Pro or Enterprise edition of Security Center, refer to Security alert overview for additional notification methods.

Classification of security alert risk levels

Security Center classifies alerts into the following risk levels:

Risk level | Description

Urgent

Urgent alerts are triggered by behavior that causes damage or has a persistent impact on your assets. This type of behavior resembles common attacks such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle them at the earliest opportunity.

Suspicious

Suspicious alerts are triggered by behavior that causes damage or has a persistent impact on your assets. This type of behavior resembles some O&M behavior, such as the suspicious addition of users. It may also appear in an attack path, but it is not a required step: your assets can be attacked even if this behavior is absent. For example, deleting the traces left by an attack is not a required step in an attack path. Suspicious alerts indicate a certain probability that your assets are being attacked. We recommend that you view the alert details and check whether risks exist. If they do, handle them.

Reminder

Reminder alerts are triggered by behavior that is not a required step in an attack path: your assets can be attacked even if this behavior is absent. This type of behavior resembles some O&M behavior, such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts.