
Elastic Compute Service: Basic security services

Last Updated: Nov 18, 2025

Basic security services for Alibaba Cloud ECS include features such as unusual logon detection and vulnerability scanning. You can view the real-time security status of your ECS instances in the ECS console or the Security Center console.

Background information

Alibaba Cloud Security Center provides basic security services for ECS instances free of charge. These services include vulnerability scanning, basic alert notifications, unusual logon detection, AccessKey pair leak detection, and compliance checks. You can view this security information on the Overview page of the ECS console or in the Security Center console. For more information, see What is Security Center?

Billing

Note the following about the billing of basic security services:

Use the Security Center agent

The Security Center agent is a lightweight component installed on ECS instances. ECS instances without the agent are not protected by Security Center. Security data for these instances, such as vulnerabilities, alerts, baseline vulnerabilities, and asset fingerprints, is not displayed in the ECS console. For information about the installation paths of the Security Center agent, see Supported operating systems.

You can manage the Security Center agent in the following ways.

  • Automatically install the Security Center agent when you create an ECS instance

    1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

    2. Create an ECS instance. In the Image section, select Free Security Hardening. The system automatically installs the Security Center agent on the new ECS instance. For more information, see Create an instance using the wizard.

    You can also set SecurityEnhancementStrategy=Active when you call the RunInstances

  • Manually install the Security Center agent on an existing ECS instance

    For more information, see Install the agent.

  • Uninstall the Security Center agent

    For more information, see Uninstall the agent.

View security status and fix security issues

To view the security status of an ECS instance and fix security issues, follow these steps.

  1. Go to ECS console - Instances. In the top navigation bar, select the target region and resource group.

  2. On the Instances page, find the target instance and click the icon in the Monitoring column to open the Security Center console and view security reports.

  3. Go to the Security Center console to fix vulnerabilities and security alerts. For more information, see Fix vulnerabilities and Analyze and process security alerts.

Common security scenarios

For common vulnerability and security alert scenarios, see Vulnerability categories and scenarios and Security alert scenarios.

Vulnerability categories and scenarios

For each vulnerability level, the following gives a description and, for each vulnerability category within that level, the common scenarios, the countermeasures, and the fixes.

High-risk vulnerabilities

Description: These vulnerabilities pose a direct threat to system security, such as unpatched system vulnerabilities, SQL injection, and weak passwords. Pay close attention to these vulnerabilities and fix them as soon as possible.

Unpatched system vulnerabilities:

  Common scenarios:

  • High-risk Common Vulnerabilities and Exposures (CVEs) in operating systems such as Linux and Windows.

  • Remote code execution (RCE) vulnerabilities that are not fixed promptly.

  Countermeasures:

  • Regularly check for and install security patches for operating systems and software.

  • Use the vulnerability scan feature of Security Center to promptly fix high-risk vulnerabilities.

  Fixes:

  • For Linux: Run yum update, or apt-get update followed by apt-get upgrade, to install updates.

  • For Windows: Use Windows Update to install the latest patches.

Web application vulnerabilities:

  Common scenarios:

  • SQL injection vulnerabilities that can grant direct database permissions.

  • Remote command execution vulnerabilities, such as Struts2 vulnerabilities.

  Countermeasures:

  • Strictly validate and filter user input.

  • Use Web Application Firewall (WAF) to defend against common attacks.

  Fixes:

  • Fix security vulnerabilities in the code. For example, use parameterized queries to prevent SQL injection.

  • Update web frameworks and components to their latest versions.

Service configuration vulnerabilities:

  Common scenarios:

  • Services such as Redis and MySQL do not have passwords or are exposed to the Internet.

  • Docker unauthorized access vulnerabilities.

  Countermeasures:

  • Do not expose high-risk services, such as Redis and MySQL, to the Internet.

  • Set strong passwords and restrict access by IP address.

  Fixes:

  • Modify configuration files to bind services to internal network IP addresses or configure whitelists.

  • Enable identity verification features, such as the requirepass setting for Redis.

Malware:

  Common scenarios:

  • Malicious files such as mining trojans and backdoors.

  Countermeasures:

  • Regularly scan the system to detect and remove malicious files.

  • Use the malicious file detection feature of Security Center.

  Fixes:

  • Delete malicious files and fix related vulnerabilities.

  • Reset the passwords of affected services.

Weak password risks:

  Common scenarios:

  • Services such as SSH, RDP, and FTP use weak or default passwords.

  Countermeasures:

  • Use a strong password policy. Passwords must contain uppercase letters, lowercase letters, digits, and special characters.

  • Enable multi-factor authentication (MFA).

  Fixes:

  • Change weak passwords to strong passwords.

  • Disable default accounts or change default passwords.

Medium-risk vulnerabilities

Description: These vulnerabilities can cause some harm to the system, such as cross-site scripting (XSS) attacks, file upload vulnerabilities, and unusual logons. Fix these vulnerabilities promptly.

Unpatched software vulnerabilities:

  Common scenarios:

  • Medium-risk vulnerabilities in middleware such as Apache, Nginx, and Tomcat.

  • Privilege escalation vulnerabilities in databases such as MySQL and PostgreSQL.

  Countermeasures:

  • Regularly update middleware to the latest versions.

  • Turn off unnecessary feature modules.

  Fixes:

  • Download and install official patches.

  • Modify configuration files to disable high-risk features.

Web application vulnerabilities:

  Common scenarios:

  • Cross-site scripting (XSS) attacks.

  • File upload vulnerabilities that may lead to malicious file uploads.

  Countermeasures:

  • Strictly filter and encode user input and output.

  • Restrict the types and sizes of files that can be uploaded.

  Fixes:

  • Fix XSS vulnerabilities in the code. For example, use HTML encoding for output content.

  • Add file type checks and virus scans for file uploads.

Configuration risks:

  Common scenarios:

  • Web services that do not have HTTPS enabled.

  • High-risk ports, such as 22 and 3389, that do not restrict access by IP address.

  Countermeasures:

  • Enable HTTPS-encrypted communication.

  • Close unnecessary ports.

  Fixes:

  • Configure an SSL Certificate and enable HTTPS.

  • Modify security group rules to restrict access to high-risk ports by IP address.

Unusual logons:

  Common scenarios:

  • Brute-force attacks are detected, such as multiple failed logon attempts.

  Countermeasures:

  • Enable a logon failure lockout mechanism.

  • Restrict the logon IP address range.

  Fixes:

  • Configure the Fail2Ban tool for SSH to prevent brute-force attacks.

  • Modify security group rules to restrict access to services such as SSH and RDP by IP address.

Data breach risks:

  Common scenarios:

  • Configuration files, such as .env files, contain sensitive data.

  Countermeasures:

  • Do not store sensitive data in plaintext in configuration files.

  • Encrypt sensitive data for storage.

  Fixes:

  • Remove sensitive data from configuration files.

  • Use environment variables or Key Management Service (KMS) to store sensitive data.

Low-risk vulnerabilities

Description: These vulnerabilities have a minor impact on the system. However, if left unaddressed, they can increase risks, such as configuration and compliance risks. You can schedule these fixes for a later time.

Unpatched low-risk vulnerabilities:

  Common scenarios:

  • Low-risk vulnerabilities in the operating system or software, such as information disclosure vulnerabilities.

  Countermeasures:

  • Regularly scan the system and fix low-risk vulnerabilities.

  Fixes:

  • Install official patches or updates.

Configuration risks:

  Common scenarios:

  • The log audit feature is not enabled.

  • SSL Certificates are not updated promptly.

  Countermeasures:

  • Enable the log audit feature and check logs regularly.

  • Update SSL Certificates promptly.

  Fixes:

  • Configure a log audit tool, such as Logrotate.

  • Update SSL Certificates and configure automatic renewal.

Compliance risks:

  Common scenarios:

  • Multi-factor authentication (MFA) is not enabled.

  • The system does not meet compliance requirements such as MLPS 2.0 or the General Data Protection Regulation (GDPR).

  Countermeasures:

  • Enable multi-factor authentication (MFA).

  • Adjust system configurations based on compliance requirements.

  Fixes:

  • Enable MFA in the Alibaba Cloud console.

  • Improve security configurations by referring to the requirements of MLPS 2.0 or GDPR.

Other risks:

  Common scenarios:

  • Unused services or ports are not closed.

  Countermeasures:

  • Close unused services and ports.

  Fixes:

  • Use systemctl disable to close unused services.

  • Modify security group rules to close unused ports.
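The service configuration and high-risk port rows above, turned into a checker. This is an added example, not Security Center's own logic: it parses a constructed redis.conf (the weak form beside a hardened one bound to an internal address with requirepass set) and constructed inbound security group rules, and reports what the table calls out. The VPC address, the placeholder password, and the rule tuple layout are assumptions.

```python
import ipaddress

# Constructed redis.conf excerpt with the weak settings the table describes.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
"""
# Constructed hardened counterpart: internal VPC address only, password required.
HARDENED_REDIS_CONF = """\
bind 172.16.0.10
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
"""
# Constructed inbound security-group rules: (protocol, port range, source CIDR).
SAMPLE_SG_RULES = [
    ("tcp", "22/22", "0.0.0.0/0"),
    ("tcp", "3389/3389", "0.0.0.0/0"),
    ("tcp", "443/443", "0.0.0.0/0"),
    ("tcp", "6379/6379", "172.16.0.0/16"),
]
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis"}

def parse_redis_conf(text):
    """Map each directive to its value, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def check_redis_conf(text):
    """Return findings for the Redis misconfigurations listed in the table."""
    conf, findings = parse_redis_conf(text), []
    # Without a bind directive Redis listens on every interface.
    if any(a in ("0.0.0.0", "::", "*") for a in conf.get("bind", "0.0.0.0").split()):
        findings.append("redis bound to all interfaces")
    if "requirepass" not in conf:
        findings.append("redis requirepass not set")
    return findings

def check_security_group(rules):
    """Flag high-risk ports whose inbound source is the whole Internet (/0)."""
    findings = []
    for _proto, port_range, cidr in rules:
        lo, hi = (int(p) for p in port_range.split("/"))
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings += [f"{n} port {p} open to {cidr}"
                         for p, n in HIGH_RISK_PORTS.items() if lo <= p <= hi]
    return findings
```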

Security alert scenarios

For more information about security alert types, see Overview of security alerts for Cloud Workload Protection Platform (CWPP).

Each alert type is listed with a description and its common scenarios.

Unusual logons

Unusual logon behavior is detected.

  • Unusual logon location: Logon from an IP address that has never been used before.

  • Brute-force attack: Multiple failed logon attempts.

  • Unusual logon time: Logon during non-working hours.

Malicious files

Malicious programs or files are detected.

  • Mining trojan: Such as XMRig.

  • Backdoor program: Such as a webshell.

  • Virus or worm: Malware propagation behavior.

Network attacks

Network attacks against ECS instances are detected.

  • DDoS attacks: Such as SYN floods and UDP floods.

  • Port scan: A scan of ports on an ECS instance.

  • Brute-force attacks: Such as brute-force attacks on FTP and MySQL services.

Data breaches

Sensitive data leaks or unauthorized access is detected.

  • Sensitive data leak: A database or configuration file is leaked.

  • Unauthorized access: An unauthorized user accesses sensitive resources.

Configuration risks

Security risks caused by improper system or service configurations are detected.

  • High-risk port exposure: Ports such as 22 and 3389 are exposed to the Internet.

  • HTTPS not enabled: HTTPS encryption is not enabled for web services.

Compliance risks

Behavior that does not meet security compliance requirements is detected.

  • MFA not enabled: Multi-factor authentication is not enabled.

  • Log audit not enabled: The log audit feature is not enabled.

Other alerts

Other potential security threats or abnormal behavior are detected.

  • Abnormal process: An unknown malicious program is running.

  • File tampering: Critical system files are tampered with.
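The three unusual logon scenarios above (brute force, unusual location, unusual time), written out as detection logic over constructed sshd log lines. This is an added example and not how Security Center implements its detection; the baseline of known addresses, the failure threshold, and the working hours are assumptions, and it goes one step further than the table by also flagging a successful logon from an address that has just been brute-forcing.

```python
import re
from collections import defaultdict
from datetime import time

# Constructed sshd log lines (not real data) covering a normal key logon, a
# burst of failures from one address, and a later password success from it.
SAMPLE_LOG = """\
Mar  3 09:12:01 web1 sshd[2101]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2
Mar  3 02:14:07 web1 sshd[2188]: Failed password for root from 203.0.113.7 port 40011 ssh2
Mar  3 02:14:09 web1 sshd[2188]: Failed password for root from 203.0.113.7 port 40012 ssh2
Mar  3 02:14:11 web1 sshd[2190]: Failed password for invalid user admin from 203.0.113.7 port 40013 ssh2
Mar  3 02:14:13 web1 sshd[2192]: Failed password for root from 203.0.113.7 port 40014 ssh2
Mar  3 02:14:15 web1 sshd[2194]: Failed password for root from 203.0.113.7 port 40015 ssh2
Mar  3 02:16:40 web1 sshd[2201]: Accepted password for root from 203.0.113.7 port 40020 ssh2
Mar  3 14:02:33 web1 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<hms>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Accepted|Failed)\s+\S+\s+for\s+(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>\S+)"
)

KNOWN_IPS = {"10.0.0.5"}                 # assumed baseline of addresses seen before
FAIL_THRESHOLD = 5                        # failures from one address that count as brute force
WORK_HOURS = (time(8, 0), time(18, 0))    # assumed working hours for the "unusual time" check

def detect_unusual_logons(log_text, known_ips=KNOWN_IPS, threshold=FAIL_THRESHOLD):
    """Return sorted (alert, ip, user) tuples for the unusual-logon scenarios."""
    failures = defaultdict(int)
    alerts = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failures[ip] += 1
            if failures[ip] == threshold:
                alerts.add(("brute_force", ip, user))
            continue
        # A success from an address that was just brute-forcing is the strongest signal.
        if failures[ip] >= threshold:
            alerts.add(("success_after_brute_force", ip, user))
        if ip not in known_ips:
            alerts.add(("unusual_location", ip, user))
        h, mi, s = (int(x) for x in m["hms"].split(":"))
        if not WORK_HOURS[0] <= time(h, mi, s) < WORK_HOURS[1]:
            alerts.add(("unusual_time", ip, user))
    return sorted(alerts)
```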

Set alert notifications

Basic security services support alert notifications for security alerts. Notifications are sent as internal messages. You can configure alert notifications as follows.

  1. Go to the ECS console.

  2. On the Overview page, in the Security Protection area on the right, hover over a pending task and click Handle Now to open the Security Center console.

  3. In the navigation pane on the left, choose System Settings > Notification Settings.

  4. In the Alert section, select the alert levels, and configure the notification methods and schedule. For more information about security alert levels, see Risk levels of security alerts.

    If you have upgraded to the Premium or Enterprise Edition of Security Center, see Overview of security alerts for Cloud Workload Protection Platform (CWPP) for more notification methods.

Risk levels of security alerts

Security Center classifies security alerts into the following risk levels:

Urgent

Urgent alerts are triggered by behavior that causes damage to or has a persistent impact on your assets. This type of behavior is similar to common attacks such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle the alerts at the earliest opportunity.

Suspicious

Suspicious alerts are triggered by behavior that causes damage to or has a persistent impact on your assets. This type of behavior is similar to some O&M behavior, such as the suspicious addition of users. This type of behavior may also be involved in an attack path but is not a necessary part of it: your assets can be attacked even if this type of behavior is missing. For example, the deletion of the traces left by an attack is not a necessary step in an attack path. Suspicious alerts indicate that your assets have a certain probability of being attacked. We recommend that you view the details of the alerts and check whether risks exist. If risks exist, handle the risks.

Reminder

Reminder alerts are triggered by behavior that is unnecessary in an attack path. Your assets can be attacked even if this type of behavior is missing. This type of behavior is similar to some O&M behavior such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts.