Security Center:Configure common features (simplified)

Alert notification

If Security Center detects exceptions in your assets, Security Center sends alert notifications based on the severity levels, notification periods, and notification methods that you specify. This way, you can monitor the security of your assets in real time. The notification methods include text messages, emails, internal messages, and DingTalk chatbots. For more information, see Use the notification feature.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose System Configuration > Notification Settings.
3. On the Notification Settings page, click the Text Message/Email/Internal Message tab. Then, specify the notification periods, notification methods, and severity levels for the notification items on which Security Center sends alerts.

   Notification items refer to the threat events and security risks that Security Center detects in your assets. Security Center supports the following notification items: Weekly Security Report, Baseline Risks, Notification of Insufficient Threat Analysis Log Capacity, Alerts, Precision Defense, AccessKey leakage info, Config Assessment, Emergency Vul Intelligence, Anti-Tampering of web pages, Container firewall exception alert notification, Container firewall proactive defense notification, Malicious IP interception alert, Virus scan notification, Log excess, Honeypot Alert, and Alert Generated by Application Protection.

Proactive defense, webshell detection, and client protection

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose System Configuration > Feature Settings.
3. On the Feature Settings page, click the Settings tab. On the General tab, turn on or turn off the switches in the Proactive Defense section.
   Click Manage for Malicious Behavior Defense, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention to select the servers for which you want to enable proactive defense and turn on the switches.

   After you turn on the switches in the Proactive Defense section, Security Center automatically quarantines the detected common viruses or suspicious connections. If you want to view the quarantined viruses and connections, you can go to the Alerts page and filter security events by using the Precision defense search condition.
4. Enable the webshell detection feature.
   In the Webshell Detection section, click Manage to select the servers for which you want to enable the webshell detection feature.
5. Enable the client protection feature.
   In the Client Protection section, turn on Defense mode: and click Manage to select the servers for which you want to enable the client protection feature.

Container image scan

The container image scan feature is a value-added feature provided by Security Center. To use this feature, you must purchase a sufficient quota for container image scan. For more information, see Enable container image scan.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
3. Optional:Click Authorize Immediately.
   The first time you use container image scan, you must obtain the required permissions.
4. On the Image Security page, click Scan Now.
   Security Center requires approximately 1 minute to perform the scan. After the scan is complete, you can refresh the page to view the scan results.
5. Click the Image Vulnerability, Image Baseline Check, Image Malicious Sample, or Sensitive Image File tab to view the detected vulnerabilities or malicious samples.
   You can perform the following operations:

   • Search for vulnerabilities, malicious samples, or sensitive files

     Select a vulnerability severity (High, Medium, or Low), a malicious sample severity (Urgent, Suspicious, or Reminder), or a sensitive file risk level (Important, Medium risk, or Low). Alternatively, enter an instance ID, repository name, namespace, or digest to search for a vulnerability, malicious sample, or sensitive file.

   • View the details of a vulnerability, malicious sample, or sensitive file

     Click the name of a vulnerability or a malicious sample to view its details. On the vulnerability details page, you can view the vulnerability ID, impact score, and vulnerability announcement. On the malicious sample details page, you can view the priority, MD5 hash value, last scan time, and first scan time. You can also view the list of affected images on these pages.

     Find a sensitive file and click Details in the Actions column to view the list of images that contain sensitive files.

   • View the details of affected images

     Go to the details panel of the vulnerability, malicious sample, or sensitive file, find the image whose details you want to view and click Details in the Actions column. Then, you can view the details of the detected vulnerability, malicious sample, or sensitive file.

Configuration assessment

The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual checks and periodic automatic checks.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose Risk Management > Config Assessment.
3. On the Config Assessment page, run a configuration check.
   • Manual check

     If you want to immediately check whether risks exist in the configurations of your cloud services, you can click Scan now on the Config Assessment page. The system checks all your cloud services.

   • Automatic check

     You can configure automatic checks. Then, Security Center runs configuration checks based on the detection cycle and time that you specify.

     1. In the upper-right corner of the Config Assessment page, click Check Policy Settings.
     2. In the Check Policy Settings panel, configure the Detection Cycle, Detection Time, and Risk Check Item parameters. Then, click OK.
   Note

   • The default value of the Detection Cycle parameter is a random day from Monday to Sunday. You can configure this parameter based on your business requirements.
   • Wait until the configuration check on all cloud services is complete.

We recommend that you handle the detected security risks at the earliest opportunity. For more information, see Configuration assessment.

Defense rules against brute-force attacks

Security Center provides the feature of protection against brute-force attacks. The feature allows you to configure defense rules to prevent brute-force attacks. You can configure a defense rule to block logon attempts to your server for a period of time if the number of logon failures exceeds the specified threshold within the specified period of time. The feature of protection against brute-force attacks can protect the password of your server from being cracked.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.
3. On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.
4. If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.
   For more information, see Service-linked roles for Security Center.
5. Click Create Rule. In the Create Rule panel, configure the parameters.
   Security Center provides the following default settings in the Create Rule panel: If the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you want to retain the default settings, you can directly select servers. If you want to create a custom rule, you can configure the following parameters.

   Parameter	Description
   Policy Name	Enter a name for the defense rule.
   Defense Rule:	Specify a trigger condition for the defense rule. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the limit during the statistical period, the defense rule blocks the IP address for the disablement period. For example, if the number of logon failures from an IP address exceeds 3 within 1 minute, the IP address is blocked for 30 minutes.
   Set As Default Policy	Determine whether to specify the defense rule as a default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use the defense rule. Note If you select Set As Default Policy, the defense rule takes effect on all servers that are not protected by defense rules, regardless of whether you select the servers in the Select Server(s): section.
   Select Server(s):	Select the servers that you want the defense rule to protect. You can select servers from the server list or search for servers by server name or server IP address.

6. Click Determine.
   Important You can create only one defense rule against brute-force attacks for each server.

   • If a selected server is not protected by a defense rule, the defense rule that you create takes effect.
   • If a selected server is protected by a defense rule and you want to apply the defense rule that you create to the server, read and confirm the information in the Confirm Changes message, and click OK.
   • If you create a rule for a server to which an existing defense rule is applied, the number of servers to which the existing defense rule is applied decreases.

Web tamper proofing

The feature of web tamper proofing monitors web directories in real time and can restore tampered files or directories based on the backup files. This prevents important website information from being tampered with. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable web tamper proofing for specific servers. For more information, see Step 1: Purchase the quota for web tamper proofing.

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.
3. If this is the first time that you use web tamper proofing, click Add Servers for Protection.
   If this is not the first time that you use web tamper proofing, click the Management tab on the Tamper Protection page and click Add Server.
4. In the Add Servers for Protection panel, select the server for which you want to enable web tamper proofing from the server list and click Next.
5. In the Add Directory step, configure the parameters and click Enable Protection.
   • Whitelist Mode

     In whitelist mode, Security Center intercepts the modifications to the files of the specified formats in the protected directory or generates an alert for the modifications.

     Parameter	Description
     Protected Directory	The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the modifications to the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /The name of the directory/ format. Example: /tmp/.
     Protected File Formats	The formats of the files that you want to protect. You can select formats from the drop-down list. You can also enter formats that are not displayed in the drop-down list.
     Prevention Mode	Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server. Alert Mode: Security Center identifies suspicious processes and suspicious modifications to files, and generates alerts for the identified suspicious processes and suspicious modifications to files. Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits.
     Local Backup Directory	The default directory in which the backup files of the protected directory are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup directory for a Linux server and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for a Windows server. You can change the default backup directories.

     Example

     If you specify /tmp/ for Protected Directory, xml for Protected File Formats, and Interception Mode for Prevention Mode, Security Center intercepts the modifications to the XML files in the tmp directory.

   • Blacklist Mode

     In blacklist mode, Security Center does not intercept the modifications to the specified subdirectories, files of the specified formats, or specified files in the protected directory or generate alerts for the modifications. Security Center intercepts the modifications to other subdirectories and files in the protected directory and generates an alert for the modifications.

     Parameter	Description
     Protected Directory	The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the changes on the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /The name of the directory/ format. Example: /tmp/.
     Excluded Sub-Directories	The path to the subdirectories that do not require protection. Enter a value in the Subdirectory name/ format. Example: dir1/dir0/.
     Excluded File Formats	The formats of the files that do not require protection.
     Excluded Files	The files that do not require protection. Enter a value in the Subdirectory name/File name format. Example: dir2/file3.
     Prevention Mode	Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server. Alert Mode: Security Center identifies suspicious processes and suspicious modifications to files, and generates alerts for the identified suspicious processes and suspicious modifications to files. Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits.
     Local Backup Directory	The default directory in which the backup files of the protected directories are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup path for servers that run Linux operating systems and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows operating systems. You can modify the default path as needed.

     Important Excluded Sub-Directories, Excluded File Formats, and Excluded Files are evaluated by using a logical OR.

     Example

     If you specify /tmp/ for Protected Directory, dir1/dir0/ for Excluded Sub-Directories, txt for Excluded File Formats, dir2/file3 for Excluded Files, and Interception Mode for Prevention Mode, only the files in the dir1 subdirectory below dir0 in the tmp directory, TXT files in the tmp directory, or the file3 file in the dir2 subdirectory in the tmp directory can be modified. The modifications to other subdirectories and files in the tmp directory are intercepted by Security Center.

6. On the Management tab of the Tamper Protection page, find the server that you specify in the Add Servers for Protection panel and click the icon in the Protection column to enable web tamper proofing for the server.
   If this is the first time that you enable this feature for a server, the status in the Status column of the server changes to Initializing, and a progress bar appears. Web tamper proofing is enabled in a few seconds. After the feature is enabled, the status changes to Running.

   The following table describes the statuses that are available in the Status column.

   Status	Description	Suggestion
   Initializing	Web tamper proofing is being initialized.	The first time you enable web tamper proofing for a server, the status is Initializing. Wait until web tamper proofing is enabled.
   Running	Web tamper proofing is enabled and runs as expected.	None.
   Exception	An error occurred during the initialization of web tamper proofing.	Move the pointer over Exception, view the causes, and then click Retry.
   Not Initialized	The switch in the Protection column is turned off.	Turn on the switch in the Protection column.

Anti-ransomware

Security Center provides protection, alerting, and data backup capabilities that prevent ransomware from compromising your core servers. Before you can use the anti-ransomware feature, you must purchase a specific quota. This quota allows you to enable the anti-ransomware feature for specific servers. For more information, see Enable anti-ransomware.

Configure anti-ransomware policies for servers

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
2. On the Server extortion virus protection tab of the Anti-blackmail page, click Create Policies.
3. In the Create Policies panel, configure the following parameters and click OK.

   Parameter	Description
   Policy Name	The name of the anti-ransomware policy.
   Server Type	The type of the server to which you want to apply the anti-ransomware policy.
   Select Assets	The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations: In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section. In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported. Note If you want to apply the anti-ransomware policy to ECS instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to the servers that are not deployed on Alibaba Cloud, you must select the servers that reside in the same region. To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy.
   Protection Policies	The anti-ransomware policy that you want to configure. Valid values: Recommendation Policy If you select Recommendation Policy, the default values of the following parameters are used: Protected Directories: All directories Directory to Exclude: Excluded Exclude specified directories: directories that are excluded from the policy Protected File Types: All File Types Start Time: a point in time within the range of 00:00 to 03:00 Backup policy execution interval: One Day Backup data retention period: 7 Days The bandwidth limit of the backup network: 0 MByte/s Note The value 0 indicates that no limits are imposed on the bandwidth. VSS (Windows): Yes Note The VSS feature is available only if you create the anti-ransomware policy for Windows servers. After you enable the feature, the number of backup failures due to running processes is significantly reduced. We recommend that you enable the VSS feature. After you enable the feature, the data of disks that are in the exFAT and FAT32 formats cannot be backed up. Custom policy If you select Custom policy, you must configure parameters based on your business requirements. The parameters include Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network.
   Protected Directories	The directories that you want to back up. Valid values: Specified directory: Security Center backs up only specified directories of the specified servers. Enter the addresses of the specified directories for Protect directory address. Examples: Windows server: C:\Program Files (x86)\. Linux server: /usr/bin/. You can enter up to 20 addresses. All directories: Security Center backs up all directories of the specified servers. You must set Directory to Exclude to Not Excluded. Note If you set Protected Directories to All directories, we recommend that you set Directory to Exclude to Not Excluded. This prevents system conflicts.
   Directory to Exclude	Specifies whether to exclude system directories. If you set this parameter to Excluded, the system directories that are automatically specified for Exclude specified directories are excluded. You can also add or remove system directories based on your business requirements. Note System directories that are automatically excluded from the anti-ransomware policy for Windows and Linux servers are in update. You can view the system directories that are automatically excluded to the right of the Exclude specified directories parameter.
   Protected File Types	The type of the files that you want to protect. Valid values: All File Types: Security Center protects all files. Specify file type: Security Center protects files only of the selected file type. Valid values: Document Picture Compressed Database Audio and video Script code Important If you set Protected File Types to Specify file type, you must select a file type from the drop-down list that appears. You can select multiple file types. Security Center protects only the files of the selected file types.
   Start Time	The time at which you want to start a data backup task. Important If this is the first time that you back up all data in protected directories based on an anti-ransomware policy, a large number of CPU and memory resources are consumed. To avoid negative impacts on your services, we recommend that you back up data during off-peak hours.
   Backup policy execution interval	The time interval between two data backup tasks. Default value: One Day. Valid values: Half a day One Day 3 Days Seven Days
   Backup data retention period	The retention period of backup data. Default value: 7 Days. Important The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements. Valid values: Permanent Custom Note You can specify a retention period. Valid values: 1 to 65535. Unit: days.
   The bandwidth limit of the backup network	The maximum bandwidth that can be consumed by a data backup task. Valid values: 1 to unlimited. Unit: MB/s. Important If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. We recommend that you specify an appropriate bandwidth threshold based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures service stability.
   VSS (Windows)	Specifies whether to enable the VSS feature. The feature can maintain the change history of files and audit trace logs. The feature is also used for disaster recovery for files that contain source code. The VSS feature is available only for Windows servers. After you enable the feature, the number of backup failures due to running processes is significantly reduced. Valid values: Yes: enables the feature. No: disables the feature.

   After the anti-ransomware policy is created, the policy is enabled by default, and Security Center installs the anti-ransomware agent on your server. Then, Security Center backs up data in the protected directories of your server based on the backup settings that you configure in the anti-ransomware policy.

Configure anti-ransomware policies for databases

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. On the Anti-ransomware page, click the Database extortion virus protection tab and click Create Policies.
3. In the Database protection strategy panel, create an anti-ransomware policy for a database.
   1. In the Change database step, configure the following parameters and click Next.

      Parameter	Description
      Policy Name	The name of the anti-ransomware policy.
      Type	The method that you want to use to select the database. Valid values: Automatic identification database The system automatically identifies the databases that are deployed on your server. We recommend that you select this option. Manually enter the database If the database that you want to protect is not displayed in the list of databases after you select Automatic identification database, you can select this option and manually specify the database.
      Databases	The database that you want to protect or the server in which the database resides.
      Database type	The type of the database that you want to protect. This parameter is required only if you set the Type parameter to Manually enter the database. Valid values: MYSQL ORACLE MSSQL
      Account	The username of the account that you can use to log on to the required database. The account must have the permissions to back up data in the database. If you set the Database type parameter to ORACLE, you do not need to enter the username or the password of the database. Important You must enter the username and password of the database instead of the server.
      Password	The password of the account that you can use to log on to the database.

   2. In the Protection Policies step, configure the following parameters and click Finished.

      Parameter	Description
      Protection Policies	The anti-ransomware policy that you want to use. You can click Use recommendation strategy to use the recommended anti-ransomware policy that is provided by Security Center. If the recommended anti-ransomware policy cannot meet your business requirements, you can modify the policy.
      Full backup strategy	The interval at which full backup is performed, the days of a week on which full backup is performed, and the point in time at which the full backup starts. Full backup indicates that you back up all data that exists at a specific point in time. Full backup is time-consuming and requires a large amount of anti-ransomware capacity. We recommend that you set the Interval period parameter to 1 Week. Note The full backup policy and incremental backup policy take effect at the same time and do not affect each other.
      Incremental backup strategy	The interval at which incremental backup is performed and the point in time at which the incremental backup starts. Incremental backup indicates that you back up only the data that is newly generated or modified after the last full or incremental backup. Therefore, incremental backup is time-saving and requires less anti-ransomware capacity. We recommend that you set the Interval period parameter to 1 Day.
      Backup data retention time	The retention period of the backup.
      Backup network bandwidth limit	The maximum network bandwidth that is allowed during data backup. If you set this parameter to 0, network bandwidth is unlimited.

      After the anti-ransomware policy for your database is created, Security Center automatically installs the anti-ransomware agent on your server, and the policy enters the Initializing state. After the anti-ransomware agent is installed on your server, Security Center backs up data in your database based on the backup policy that is configured in the anti-ransomware policy.

Virus detection and removal

1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Detection and Removal.
3. On the Virus Detection and Removal page, perform an immediate scan task or configure a periodic scan task.
   • Perform an immediate scan task
     1. On the Virus Detection and Removal page, click Scan now.
     2. In the Scan Settings panel, configure the Scan Mode and Scope parameters.

        Parameter	Description
        Scan Mode	Select a scan mode. Valid values: Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks. Custom Directory Scan: In this mode, you can specify the file directories that you want to scan. Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.
        Scope	Select the assets that you want to scan. You can select assets based on the following types: By Asset: If you select this option, you can select the servers that you want to scan. By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center. By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

     3. Click OK.

        Security Center performs an immediate scan task based on the specified scan mode and scope. The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.

   • Configure a periodic scan task
     1. On the Virus Detection and Removal page, click Scan Settings in the upper-right corner.
     2. In the Defense Configuration panel, configure the Scan Cycle, Scan Mode, and Scope parameters.

        Parameter	Description
        Scan Cycle	Specify the interval and period for automatic scan.
        Scan Mode	Select a scan mode. Valid values: Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks. Custom Directory Scan: In this mode, you can specify the file directories that you want to scan. Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.
        Scope	Select the assets that you want to scan. You can select assets based on the following types: By Asset: If you select this option, you can select the servers that you want to scan. By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center. By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

     3. Click Determine.

        Security Center automatically scans the specified assets based on the configurations.