
Elastic Compute Service: basic security services

Last Updated: Jan 16, 2025

Alibaba Cloud ECS basic security services include features such as unusual logon detection and vulnerability scanning. You can monitor the security status of your Elastic Compute Service instances in real time in the ECS console or in Security Center.

Background information

Alibaba Cloud Security Center offers complimentary basic security services for Elastic Compute Service, encompassing vulnerability scanning, basic alert notifications, unusual logon detection, AccessKey leak detection, and compliance checks. You can access related security information on the Overview page of the ECS console or the Security Center console. For more information, see What is Security Center.


Billing overview

The billing overview for basic security services is as follows:

Use the Security Center client

The Security Center client is a lightweight agent installed on Elastic Compute Service instances. Instances without the Security Center client will not benefit from Security Center protection, and the ECS console will not display information such as vulnerabilities, alerts, baseline vulnerabilities, and Asset Fingerprints for those assets. For the installation path of the Security Center client, see Operating systems supported by the client.

You can manage the Security Center client as follows:

  • Automatically install the Security Center client when creating an ECS instance

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Instances & Images > Instances.

    3. In the top navigation bar, select a region.

    4. Create an ECS instance. In the Image section, choose Free Security Hardening. The system will automatically install the Security Center client on the new ECS instance. For more information, see Customize instance purchase.

    Note

    You can also automatically install the Security Center client on the new ECS instance by setting SecurityEnhancementStrategy=Active when calling RunInstances.

  • Manually install the Security Center client on existing ECS instances

    For specific steps, refer to Install the client.

  • Uninstall the Security Center client

    For specific steps, refer to Uninstall the client.

View security status and fix security issues

To view the security status of Elastic Compute Service and address security issues, follow these steps:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the instance list page, locate the target instance and click the Monitor icon under the image column to enter the Security Center console and view the security report.

  5. Navigate to the Security Center console to remediate the identified vulnerabilities and security alert events. For specific remediation methods, see Fix vulnerabilities and View and handle security alerts.

Common security issue scenarios

Familiarize yourself with common scenarios of vulnerabilities and security alert events in Vulnerability classification and scenarios and Security alert event scenarios.

Vulnerability classification and scenarios

For each vulnerability level, the entries below give a description and then, per category, the common scenarios, the countermeasures, and the repair methods.

High-risk vulnerabilities

These vulnerabilities pose a direct threat to system security, such as unpatched system vulnerabilities, SQL injection, and weak passwords. Immediate attention and remediation are advised.

Unpatched system vulnerabilities

  Common scenarios:

    • High-risk CVE vulnerabilities in operating systems such as Linux and Windows.

    • Remote code execution (RCE) vulnerabilities that have not been patched promptly.

  Countermeasures:

    • Regularly check for and apply security patches for operating systems and applications.

    • Use the vulnerability scanning feature of Security Center to find and fix high-risk vulnerabilities quickly.

  Repair methods:

    • Linux: run yum update or apt-get update to install updates.

    • Windows: use Windows Update to install the latest patches.

Web application vulnerabilities

  Common scenarios:

    • SQL injection vulnerabilities (can directly compromise database permissions).

    • Remote command execution vulnerabilities (such as those found in Struts2).

  Countermeasures:

    • Rigorously validate and sanitize user input.

    • Deploy a Web Application Firewall (WAF) to mitigate common web attacks.

  Repair methods:

    • Fix the vulnerable code (for example, use parameterized queries to prevent SQL injection).

    • Update web frameworks and components to their latest versions.

Service configuration vulnerabilities

  Common scenarios:

    • Services such as Redis and MySQL exposed to the public network without password protection.

    • Unauthorized access vulnerabilities in Docker.

  Countermeasures:

    • Do not expose high-risk services such as Redis and MySQL to the public network.

    • Use strong passwords and restrict access by IP address.

  Repair methods:

    • Adjust configuration files to bind services to internal network IP addresses, or set access whitelists.

    • Enable authentication (for example, requirepass for Redis).

Malware

  Common scenarios:

    • Malicious files such as mining trojans and backdoor programs.

  Countermeasures:

    • Regularly scan the system to detect and remove malicious files.

    • Use the malicious file detection feature of Security Center.

  Repair methods:

    • Remove the malicious files and fix the vulnerabilities that let them in.

    • Reset passwords for compromised services.

Weak password risks

  Common scenarios:

    • Services such as SSH, RDP, and FTP using weak or default passwords.

  Countermeasures:

    • Enforce a strong password policy: a mix of uppercase and lowercase letters, numbers, and special characters.

    • Enable multi-factor authentication (MFA).

  Repair methods:

    • Replace weak passwords with strong ones.

    • Disable default accounts or change default passwords.
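The Redis and MySQL exposure scenarios above can be caught before Security Center flags them by reading the service configuration itself. The following is an added example, not a tool from Alibaba Cloud or Security Center: a POSIX shell script that audits a redis.conf and a my.cnf for a public bind address, a missing requirepass, and disabled protected-mode, run against constructed weak and hardened sample files. The file names, sample addresses, and placeholder password are assumptions.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud or Security Center tooling): audit Redis and
# MySQL configuration files for the "exposed to the public network without
# password protection" findings. All files below are constructed samples.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed weak redis.conf: all interfaces, no password, protected mode off.
cat > "$WORK/redis-weak.conf" <<'EOF'
bind 0.0.0.0
port 6379
protected-mode no
# requirepass is commented out, so any client can issue commands
EOF

# Constructed hardened redis.conf: loopback plus the VPC address, auth enabled.
cat > "$WORK/redis-hardened.conf" <<'EOF'
bind 127.0.0.1 10.0.0.12
port 6379
protected-mode yes
requirepass REPLACE_WITH_A_LONG_RANDOM_PASSWORD
EOF

# Constructed weak my.cnf: MySQL listens on every interface.
cat > "$WORK/my-weak.cnf" <<'EOF'
[mysqld]
bind-address = 0.0.0.0
port = 3306
EOF

# effective_lines FILE: drop comments and blank lines so a commented-out
# directive is not mistaken for an active one.
effective_lines() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1"
}

# audit_redis_conf FILE: print one line per finding; return 1 if any were found.
audit_redis_conf() {
    findings=0
    conf="$(effective_lines "$1")"
    bind_val="$(printf '%s\n' "$conf" | awk '$1 == "bind" { $1 = ""; print substr($0, 2) }')"
    if [ -z "$bind_val" ]; then
        echo "$1: no bind directive (Redis then listens on all interfaces)"
        findings=$((findings + 1))
    else
        case " $bind_val " in
            *" 0.0.0.0 "*|*" * "*|*" :: "*)
                echo "$1: bind exposes Redis on all interfaces ($bind_val)"
                findings=$((findings + 1)) ;;
        esac
    fi
    if ! printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]'; then
        echo "$1: requirepass not set (unauthenticated access)"
        findings=$((findings + 1))
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*protected-mode[[:space:]]+no'; then
        echo "$1: protected-mode is disabled"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# audit_mysql_conf FILE: return 1 if bind-address is unset or a wildcard.
audit_mysql_conf() {
    addr="$(effective_lines "$1" | awk -F= '$1 ~ /^[[:space:]]*bind-address[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2 }')"
    case "$addr" in
        ""|0.0.0.0|::|"*")
            echo "$1: bind-address '${addr:-unset}' exposes MySQL beyond the internal network"
            return 1 ;;
    esac
    return 0
}

for f in "$WORK/redis-weak.conf" "$WORK/redis-hardened.conf"; do
    if audit_redis_conf "$f"; then echo "$f: OK"; fi
done
if audit_mysql_conf "$WORK/my-weak.cnf"; then echo "$WORK/my-weak.cnf: OK"; fi
```

Run the script as-is to see the three findings for the weak Redis file and the MySQL finding; point the two audit functions at /etc/redis/redis.conf and /etc/my.cnf on an instance to check real files. A missing bind directive is treated as a finding because Redis listens on all interfaces when none is given.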

Medium-risk vulnerabilities

These vulnerabilities may cause some harm to the system, such as XSS, file upload vulnerabilities, and unusual logons. Prompt remediation is recommended.

Unpatched software vulnerabilities

  Common scenarios:

    • Medium-risk vulnerabilities in middleware such as Apache, Nginx, and Tomcat.

    • Privilege escalation vulnerabilities in databases such as MySQL and PostgreSQL.

  Countermeasures:

    • Keep middleware up to date with the latest versions.

    • Disable functional modules that are not needed.

  Repair methods:

    • Download and apply official patches.

    • Modify configuration files to disable high-risk features.

Web application vulnerabilities

  Common scenarios:

    • Cross-site scripting (XSS).

    • File upload vulnerabilities (may allow malicious files to be uploaded).

  Countermeasures:

    • Thoroughly filter and encode user input and output.

    • Limit the file types and sizes that can be uploaded.

  Repair methods:

    • Fix XSS vulnerabilities in the code (for example, HTML-encode output).

    • Implement type checks and virus scans for uploaded files.

Configuration risks

  Common scenarios:

    • Web services not secured with HTTPS.

    • High-risk ports (such as 22 and 3389) without IP access restrictions.

  Countermeasures:

    • Enable HTTPS to secure communications.

    • Close ports that are not in use.

  Repair methods:

    • Set up SSL certificates and enable HTTPS.

    • Adjust security group rules to restrict which IP addresses can reach high-risk ports.

Unusual logon

  Common scenarios:

    • Brute-force attack behavior detected, such as multiple failed logon attempts.

  Countermeasures:

    • Implement logon failure lockout mechanisms.

    • Restrict the IP ranges from which logons are allowed.

  Repair methods:

    • Use Fail2Ban to block SSH brute-force attempts.

    • Modify security group rules to limit IP access for services such as SSH and RDP.

Data breach risks

  Common scenarios:

    • Configuration files (for example, .env files) containing sensitive data.

  Countermeasures:

    • Do not store sensitive data in plaintext in configuration files.

    • Encrypt sensitive data for storage.

  Repair methods:

    • Remove sensitive information from configuration files.

    • Use environment variables or Key Management Service (KMS) to manage sensitive data.
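The unusual logon entry above recommends a lockout mechanism and Fail2Ban. As an added example that is not Security Center's own detection logic, the script below counts failed SSH password attempts per source address in an auth log (constructed sample lines) and then writes the Fail2Ban sshd jail that enforces the same threshold automatically. The threshold, the sample addresses, and the ignoreip range are assumptions.

```shell
#!/bin/sh
# Added example (not Security Center's own detection): count failed SSH logons
# per source address in an auth log and write the Fail2Ban jail that enforces
# the same lockout automatically. The log lines are constructed samples.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of /var/log/auth.log (sshd syslog format). One address
# fails six times in ten seconds; another fails once and then succeeds with a key.
cat > "$WORK/auth.log" <<'EOF'
Jan 16 03:12:01 web-1 sshd[2101]: Failed password for root from 198.51.100.7 port 51022 ssh2
Jan 16 03:12:03 web-1 sshd[2101]: Failed password for root from 198.51.100.7 port 51023 ssh2
Jan 16 03:12:05 web-1 sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 51024 ssh2
Jan 16 03:12:07 web-1 sshd[2102]: Failed password for invalid user admin from 198.51.100.7 port 51025 ssh2
Jan 16 03:12:09 web-1 sshd[2103]: Failed password for root from 198.51.100.7 port 51026 ssh2
Jan 16 03:12:11 web-1 sshd[2103]: Failed password for root from 198.51.100.7 port 51027 ssh2
Jan 16 08:40:12 web-1 sshd[2310]: Failed password for ops from 203.0.113.9 port 40012 ssh2
Jan 16 08:40:20 web-1 sshd[2311]: Accepted publickey for ops from 203.0.113.9 port 40013 ssh2
EOF

# brute_force_ips LOG THRESHOLD: print "count ip" for each source address with
# at least THRESHOLD failed password attempts, most active first.
brute_force_ips() {
    awk -v limit="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the address always follows the word "from", whether or not the
            # line carries the "invalid user" prefix
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' "$1" | sort -rn
}

# write_sshd_jail FILE: Fail2Ban jail.local that bans a source for an hour after
# five failures within ten minutes. Copy it to /etc/fail2ban/jail.local and
# restart fail2ban. ignoreip holds the constructed admin range so the
# operator's own bastion is never locked out.
write_sshd_jail() {
    cat > "$1" <<'EOF'
[sshd]
enabled  = true
port     = ssh
logpath  = %(sshd_log)s
maxretry = 5
findtime = 10m
bantime  = 1h
ignoreip = 127.0.0.1/8 203.0.113.0/24
EOF
}

echo "Sources with at least 5 failed SSH logons:"
brute_force_ips "$WORK/auth.log" 5
write_sshd_jail "$WORK/jail.local"
echo "Generated Fail2Ban jail:"
cat "$WORK/jail.local"
```

On a real instance, point brute_force_ips at /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (CentOS/Alibaba Cloud Linux); the jail uses the %(sshd_log)s path macro so Fail2Ban picks the right file for the distribution. Pair the ban with a security group rule that only admits SSH from known ranges, so that the lockout is a second layer rather than the only one.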

Low-risk vulnerabilities

These vulnerabilities have a minor impact on the system, but if left unaddressed they may increase risk over time, for example configuration and compliance risks. Addressing them can be deferred.

Unpatched low-risk vulnerabilities

  Common scenarios:

    • Low-risk vulnerabilities in operating systems or software, such as information disclosure vulnerabilities.

  Countermeasures:

    • Scan the system systematically and address low-risk vulnerabilities.

  Repair methods:

    • Install official patches or updates.

Configuration risks

  Common scenarios:

    • Log audit function not enabled.

    • SSL certificates not renewed in time.

  Countermeasures:

    • Enable log auditing and review logs regularly.

    • Renew SSL certificates promptly.

  Repair methods:

    • Set up log audit tools (such as Logrotate).

    • Update SSL certificates and configure automatic renewal.

Compliance risks

  Common scenarios:

    • Multi-factor authentication (MFA) not enabled.

    • Non-compliance with security standards such as Level Protection 2.0 or GDPR.

  Countermeasures:

    • Enable multi-factor authentication (MFA).

    • Adjust system configurations to comply with security standards.

  Repair methods:

    • Enable MFA in the cloud console.

    • Refer to security standards such as Level Protection 2.0 or GDPR to improve security configurations.

Other risks

  Common scenarios:

    • Unused services or ports not closed.

  Countermeasures:

    • Shut down unused services and ports.

  Repair methods:

    • Use systemctl disable to deactivate unused services.

    • Adjust security group rules to close unused ports.
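Several repair methods in the tables above come down to security group rules: restricting IP access to ports such as 22 and 3389, and closing unused ports. The following added example (not Alibaba Cloud's own tooling) checks a constructed rule set for high-risk ports open to 0.0.0.0/0 or ::/0 and prints the Alibaba Cloud CLI calls that would revoke each open rule and authorize an administrative CIDR instead. The region, security group ID, CIDRs, and the rule set are placeholders, and the aliyun ecs <Action> --Param value invocation style is an assumption to verify against your CLI version; the script prints the commands for review rather than running them.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud tooling): find security group rules that open
# a high-risk port to the whole Internet and print the CLI calls that replace
# each with a rule limited to an administrative CIDR. Region, group ID, CIDRs
# and the rule set are constructed placeholders; nothing is executed remotely.
set -eu

REGION="${REGION:-cn-hangzhou}"                    # placeholder region
SG_ID="${SG_ID:-sg-REPLACE_WITH_YOUR_GROUP_ID}"    # placeholder security group
ADMIN_CIDR="${ADMIN_CIDR:-203.0.113.0/24}"         # constructed admin range
HIGH_RISK_PORTS="22 3389 3306 6379"                # SSH, RDP, MySQL, Redis

# Constructed rule set, one "port source-cidr" pair per line, as you would read
# it off DescribeSecurityGroupAttribute. 22 and 3389 are open to everyone;
# 443 is a public web port and 6379 is already limited to the VPC range.
RULES='22 0.0.0.0/0
3389 0.0.0.0/0
443 0.0.0.0/0
6379 10.0.0.0/8'

# risky_sg_rule PORT CIDR: true (0) when PORT is high-risk and CIDR is any-source.
risky_sg_rule() {
    case "$2" in 0.0.0.0/0|::/0) ;; *) return 1 ;; esac
    for p in $HIGH_RISK_PORTS; do
        if [ "$p" = "$1" ]; then return 0; fi
    done
    return 1
}

# risky_rules: print the "port cidr" lines of RULES that fail the check.
risky_rules() {
    printf '%s\n' "$RULES" | while read -r port cidr; do
        if risky_sg_rule "$port" "$cidr"; then printf '%s %s\n' "$port" "$cidr"; fi
    done
}

# sg_fix_commands PORT CIDR: print the two CLI calls that revoke the open rule
# and authorize ADMIN_CIDR for the same port. The "aliyun ecs <Action>
# --Param value" style is the Alibaba Cloud CLI convention assumed here.
sg_fix_commands() {
    printf 'aliyun ecs RevokeSecurityGroup --RegionId %s --SecurityGroupId %s --IpProtocol tcp --PortRange %s/%s --SourceCidrIp %s\n' \
        "$REGION" "$SG_ID" "$1" "$1" "$2"
    printf 'aliyun ecs AuthorizeSecurityGroup --RegionId %s --SecurityGroupId %s --IpProtocol tcp --PortRange %s/%s --SourceCidrIp %s --Policy accept --Priority 1\n' \
        "$REGION" "$SG_ID" "$1" "$1" "$ADMIN_CIDR"
}

risky_rules | while read -r port cidr; do
    echo "High-risk port $port is open to $cidr; review and run:"
    sg_fix_commands "$port" "$cidr" | sed 's/^/  /'
done
```

Replace the constructed RULES block with the rules of your own group (the port and source CIDR of each inbound permission) and set REGION, SG_ID, and ADMIN_CIDR in the environment before running. Authorizing the narrow rule before revoking the broad one avoids cutting off your own session if you are connected over the same port.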

Security alert event scenarios

For a comprehensive list of security alert types, see Security alert type list and Security alert check items.

Each alert type is listed below with its description and common scenarios.

Unusual logon

Unusual logon behavior detected.

  • Unusual logon: Logon from an unfamiliar IP address.

  • Brute-force attack: Multiple failed logon attempts detected.

  • Logon during unusual hours: Logon activity outside of normal working hours.

Malicious files

Malicious programs or files detected.

  • Mining trojans: For example, XMRig.

  • Backdoor programs: For instance, WebShell.

  • Viruses or worms: Indications of malware spreading.

Network attacks

Network attack behavior targeting ECS instances detected.

  • DDoS attacks: Such as SYN Flood and UDP Flood.

  • Port scanning: Port scans targeting ECS instances.

  • Brute-force attack: Brute-force attacks on services like FTP and MySQL.

Data breaches

Sensitive information leaks or unauthorized access detected.

  • Sensitive information leaks: Leaks of databases or configuration files.

  • Unauthorized access: Unauthorized users accessing sensitive resources.

Configuration risks

Security risks due to improper system or service configurations detected.

  • High-risk port exposure: Ports such as 22 and 3389 are exposed to the public network.

  • HTTPS not enabled: Web services without HTTPS encryption enabled.

Compliance risks

Behavior not meeting security compliance requirements detected.

  • MFA not enabled: Multi-factor authentication not enabled.

  • Log audit not enabled: Log audit function not enabled.

Other alerts

Other potential security threats or unusual behaviors detected.

  • Unusual processes: Unknown or suspicious processes running.

  • File tampering: Key system files have been altered.

Set alert notifications

Basic security services enable you to configure alert notifications for security events. Notifications can be delivered via internal message. Configure alert notifications by following these steps:

  1. Log on to the ECS console.

  2. On the Overview page, find the Security Score section (after the pending tasks) and click Handle Now to go to the Security Center console.

  3. In the left-side navigation pane, choose System Configuration > Notification Settings.

  4. In the Security Alerts section, select the alert level, and specify the notification method and timing. For details on security alert levels, see Classification of security alert risk levels.

    Note

    If you have upgraded to the Pro or Enterprise edition of Security Center, refer to Overview of security alerts for additional notification options.

Classification of security alert risk levels

Security Center categorizes alerts into the following risk levels:


Urgent

Urgent alerts are triggered by behavior that causes damages or imposes persistent impacts on your assets. This type of behavior is similar to common attacks such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle the alerts at the earliest opportunity.

Suspicious

Suspicious alerts are triggered by behavior that causes damages or imposes persistent impacts on your assets. This type of behavior is similar to some O&M behavior, such as the suspicious addition of users. It may also appear in an attack path, but it is not a necessary step: your assets can be attacked even without it. For example, deleting the traces left by an attack is not a necessary step in an attack path. Suspicious alerts indicate that your assets have a certain probability of being attacked. We recommend that you view the details of the alerts, check whether risks exist, and handle any risks that you find.

Reminder

Reminder alerts are triggered by behavior that is unnecessary in an attack path. Your assets can be attacked even if this type of behavior is missing. This type of behavior is similar to some O&M behavior such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts.