Security Center provides various features to protect your cloud assets and servers in data centers. These features include alert notification, antivirus, webshell detection, client protection, and container image scan. This topic describes how to configure these features.
Alert notification
If Security Center detects exceptions in your assets, Security Center sends alert notifications based on the severity levels, notification periods, and notification methods that you specify. This way, you can monitor the security of your assets in real time. The notification methods include text messages, emails, internal messages, and DingTalk chatbots. For more information, see Use the notification feature.
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Notification Settings page, click the Text Message/Email/Internal Message tab. Then, specify the notification periods, notification methods, and severity levels for the notification items on which Security Center sends alerts.
Notification items refer to the threat events and security risks that Security Center detects in your assets. Security Center supports the following notification items: Weekly Security Report, Baseline Risks, Notification of Insufficient Threat Analysis Log Capacity, Alerts, Precision Defense, AccessKey leakage info, Config Assessment, Emergency Vul Intelligence, Anti-Tampering of web pages, Container firewall exception alert notification, Container firewall proactive defense notification, Malicious IP interception alert, Virus scan notification, Log excess, Honeypot Alert, and Alert Generated by Application Protection.
Proactive defense, webshell detection, and client protection
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Feature Settings page, click the Settings tab. On the General tab, turn on or turn off the switches in the Proactive Defense section. Click Manage for Malicious Behavior Defense, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention to select the servers for which you want to enable proactive defense, and then turn on the switches. After you turn on the switches in the Proactive Defense section, Security Center automatically quarantines the detected common viruses and suspicious connections. To view the quarantined viruses and connections, go to the Alerts page and filter security events by using the Precision defense search condition.
- Enable the webshell detection feature. In the Webshell Detection section, click Manage to select the servers for which you want to enable the webshell detection feature.
- Enable the client protection feature. In the Client Protection section, turn on Defense mode: and click Manage to select the servers for which you want to enable the client protection feature.
Container image scan
The container image scan feature is a value-added feature provided by Security Center. To use this feature, you must purchase a sufficient quota for container image scan. For more information, see Enable container image scan.
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- Optional: Click Authorize Immediately. The first time you use container image scan, you must obtain the required permissions.
- On the Image Security page, click Scan Now. Security Center requires approximately 1 minute to perform the scan. After the scan is complete, you can refresh the page to view the scan results.
- Click the Image Vulnerability, Image Baseline Check, Image Malicious Sample, or Sensitive Image File tab to view the detected vulnerabilities or malicious samples. You can perform the following operations:
- Search for vulnerabilities, malicious samples, or sensitive files
Select a vulnerability severity (High, Medium, or Low), a malicious sample severity (Urgent, Suspicious, or Reminder), or a sensitive file risk level (Important, Medium risk, or Low). Alternatively, enter an instance ID, repository name, namespace, or digest to search for a vulnerability, malicious sample, or sensitive file.
- View the details of a vulnerability, malicious sample, or sensitive file
Click the name of a vulnerability or a malicious sample to view its details. On the vulnerability details page, you can view the vulnerability ID, impact score, and vulnerability announcement. On the malicious sample details page, you can view the priority, MD5 hash value, last scan time, and first scan time. You can also view the list of affected images on these pages.
Find a sensitive file and click Details in the Actions column to view the list of images that contain sensitive files.
- View the details of affected images
Go to the details panel of the vulnerability, malicious sample, or sensitive file, find the image whose details you want to view and click Details in the Actions column. Then, you can view the details of the detected vulnerability, malicious sample, or sensitive file.
Configuration assessment
The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual checks and periodic automatic checks.
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Config Assessment page, run a configuration check.
- Manual check
If you want to immediately check whether risks exist in the configurations of your cloud services, you can click Scan now on the Config Assessment page. The system checks all your cloud services.
- Automatic check
You can configure automatic checks. Then, Security Center runs configuration checks based on the detection cycle and time that you specify.
- In the upper-right corner of the Config Assessment page, click Check Policy Settings.
- In the Check Policy Settings panel, configure the Detection Cycle, Detection Time, and Risk Check Item parameters. Then, click OK.
Note: The default value of the Detection Cycle parameter is a random day from Monday to Sunday. You can configure this parameter based on your business requirements.
- Wait until the configuration check on all cloud services is complete.
We recommend that you handle the detected security risks at the earliest opportunity. For more information, see Configuration assessment.
Defense rules against brute-force attacks
Security Center provides protection against brute-force attacks. You configure defense rules that block logon attempts from an IP address to your server for a period of time after the number of logon failures from that IP address exceeds the specified threshold within the specified period of time. This protects the password of your server from being cracked.
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.
- If you have not authorized Security Center to access your cloud resources, click Authorize Immediately. For more information, see Service-linked roles for Security Center.
- Click Create Rule. In the Create Rule panel, configure the parameters. Security Center provides the following default settings in the Create Rule panel: if the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you want to retain the default settings, you can directly select servers. If you want to create a custom rule, configure the following parameters.
  - Policy Name: Enter a name for the defense rule.
  - Defense Rule: Specify the trigger condition for the defense rule. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the limit during the statistical period, the defense rule blocks the IP address for the disablement period. For example, if the number of logon failures from an IP address exceeds 3 within 1 minute, the IP address is blocked for 30 minutes.
  - Set As Default Policy: Determine whether to specify the defense rule as the default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use this defense rule. Note: In this case, the defense rule takes effect on all servers that are not protected by defense rules, regardless of whether you select the servers in the Select Server(s): section.
  - Select Server(s): Select the servers that you want the defense rule to protect. You can select servers from the server list or search for servers by server name or server IP address.
- Click Determine. Important: You can create only one defense rule against brute-force attacks for each server.
- If a selected server is not protected by a defense rule, the defense rule that you create takes effect.
- If a selected server is protected by a defense rule and you want to apply the defense rule that you create to the server, read and confirm the information in the Confirm Changes message, and click OK.
- If you create a rule for a server to which an existing defense rule is applied, the number of servers to which the existing defense rule is applied decreases.
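The following added example (not Security Center's own code) models how a defense rule of the kind described above is evaluated: failures are counted per source IP and server inside a sliding statistical period, and the IP is blocked for the disablement period once the count reaches the threshold. The log line format, the `logon_failed` marker and the rule names are constructed assumptions; the two rules use the default (80 in 10 minutes, 6 hours) and custom (3 in 1 minute, 30 minutes) values from the docs.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BruteForceRule:
    """One defense rule with the same three knobs as the Create Rule panel."""
    name: str
    max_failures: int     # logon failures that trigger the rule
    window: timedelta     # statistical period
    block_for: timedelta  # disablement period


# Console defaults from the docs: 80 failures within 10 minutes block the IP for 6 hours.
DEFAULT_RULE = BruteForceRule("default", 80, timedelta(minutes=10), timedelta(hours=6))
# Custom example from the docs: 3 failures within 1 minute block the IP for 30 minutes.
STRICT_RULE = BruteForceRule("strict", 3, timedelta(minutes=1), timedelta(minutes=30))

# Constructed log format (hypothetical, not Security Center's own): one failed logon per line.
_LINE = re.compile(r"^(?P<ts>\S+) logon_failed ip=(?P<ip>\S+) server=(?P<server>\S+)$")


class BruteForceDefender:
    """Counts logon failures per (source IP, server) and blocks when the rule fires."""

    def __init__(self, rule: BruteForceRule) -> None:
        self.rule = rule
        self._failures: dict[tuple[str, str], deque] = defaultdict(deque)
        self._blocked_until: dict[tuple[str, str], datetime] = {}

    def is_blocked(self, ip: str, server: str, now: datetime) -> bool:
        until = self._blocked_until.get((ip, server))
        return until is not None and now < until

    def record_failure(self, ip: str, server: str, when: datetime) -> bool:
        """Record one failed logon. Returns True if this failure triggers a block."""
        key = (ip, server)
        if self.is_blocked(ip, server, when):
            return False  # already blocked; the attempt does not reach the server
        window = self._failures[key]
        window.append(when)
        # Drop failures that are older than the statistical period.
        while window and when - window[0] > self.rule.window:
            window.popleft()
        # Assumption: the rule fires as soon as the count reaches the threshold.
        if len(window) >= self.rule.max_failures:
            self._blocked_until[key] = when + self.rule.block_for
            window.clear()
            return True
        return False

    def snapshot(self) -> dict[tuple[str, str], datetime]:
        """Copy of every (ip, server) that was blocked, with its unblock time."""
        return dict(self._blocked_until)


def replay(lines: list[str], rule: BruteForceRule) -> dict[tuple[str, str], datetime]:
    """Replay failure log lines in chronological order under one rule."""
    defender = BruteForceDefender(rule)
    for line in lines:
        m = _LINE.match(line.strip())
        if not m:
            continue  # not a logon failure; ignore
        defender.record_failure(m["ip"], m["server"], datetime.fromisoformat(m["ts"]))
    return defender.snapshot()


# Constructed sample: one noisy source and one source that never hits 3 failures in a minute.
SAMPLE_LOG = [
    "2024-05-01T10:00:00 logon_failed ip=203.0.113.5 server=web-1",
    "2024-05-01T10:00:00 logon_failed ip=198.51.100.7 server=web-1",
    "2024-05-01T10:00:20 logon_failed ip=203.0.113.5 server=web-1",
    "2024-05-01T10:00:40 logon_failed ip=203.0.113.5 server=web-1",  # third in 1 min: block
    "2024-05-01T10:02:00 logon_failed ip=198.51.100.7 server=web-1",
    "2024-05-01T10:03:00 logon_failed ip=198.51.100.7 server=web-1",  # only 2 in the window
    "2024-05-01T10:05:00 logon_failed ip=203.0.113.5 server=web-1",  # already blocked
]

if __name__ == "__main__":
    for (ip, server), until in replay(SAMPLE_LOG, STRICT_RULE).items():
        print(f"{ip} -> {server} blocked until {until.isoformat()}")
```

Replaying the same sample under DEFAULT_RULE blocks nothing, which shows why the threshold and period must be tuned to the server's real logon traffic.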
Web tamper proofing
The feature of web tamper proofing monitors web directories in real time and can restore tampered files or directories based on the backup files. This prevents important website information from being tampered with. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable web tamper proofing for specific servers. For more information, see Step 1: Purchase the quota for web tamper proofing.
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- If this is the first time that you use web tamper proofing, click Add Servers for Protection. If this is not the first time that you use web tamper proofing, click the Management tab on the Tamper Protection page and click Add Server.
- In the Add Servers for Protection panel, select the server for which you want to enable web tamper proofing from the server list and click Next.
- In the Add Directory step, configure the parameters and click Enable Protection.
  - Whitelist Mode
    In whitelist mode, Security Center intercepts the modifications to the files of the specified formats in the protected directory or generates an alert for the modifications.
    - Protected Directory: The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the modifications to the name, content, or attributes of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /The name of the directory/ format. Example: /tmp/.
    - Protected File Formats: The formats of the files that you want to protect. You can select formats from the drop-down list. You can also enter formats that are not displayed in the drop-down list.
    - Prevention Mode:
      - Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.
      - Alert Mode: Security Center identifies suspicious processes and suspicious modifications to files, and generates alerts for them. Important: If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits.
    - Local Backup Directory: The directory in which the backup files of the protected directory are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup directory for a Linux server and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for a Windows server. You can change the default backup directories.
    Example: If you specify /tmp/ for Protected Directory, xml for Protected File Formats, and Interception Mode for Prevention Mode, Security Center intercepts the modifications to the XML files in the tmp directory.
  - Blacklist Mode
    In blacklist mode, Security Center does not intercept the modifications to the specified subdirectories, files of the specified formats, or specified files in the protected directory, and does not generate alerts for those modifications. Security Center intercepts the modifications to all other subdirectories and files in the protected directory and generates alerts for them.
    - Protected Directory: The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the changes to the name, content, or attributes of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /The name of the directory/ format. Example: /tmp/.
    - Excluded Sub-Directories: The paths of the subdirectories that do not require protection. Enter a value in the Subdirectory name/ format. Example: dir1/dir0/.
    - Excluded File Formats: The formats of the files that do not require protection.
    - Excluded Files: The files that do not require protection. Enter a value in the Subdirectory name/File name format. Example: dir2/file3.
    - Prevention Mode:
      - Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.
      - Alert Mode: Security Center identifies suspicious processes and suspicious modifications to files, and generates alerts for them. Important: If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits.
    - Local Backup Directory: The directory in which the backup files of the protected directories are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup path for servers that run Linux operating systems and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows operating systems. You can modify the default path as needed.
    Important: Excluded Sub-Directories, Excluded File Formats, and Excluded Files are evaluated by using a logical OR.
    Example: If you specify /tmp/ for Protected Directory, dir1/dir0/ for Excluded Sub-Directories, txt for Excluded File Formats, dir2/file3 for Excluded Files, and Interception Mode for Prevention Mode, only the files in the dir1/dir0/ subdirectory of the tmp directory, the TXT files in the tmp directory, and the file3 file in the dir2 subdirectory of the tmp directory can be modified. Security Center intercepts the modifications to all other subdirectories and files in the tmp directory.
- On the Management tab of the Tamper Protection page, find the server that you specified in the Add Servers for Protection panel and click the icon in the Protection column to enable web tamper proofing for the server.
  If this is the first time that you enable this feature for a server, the status in the Status column of the server changes to Initializing, and a progress bar appears. Web tamper proofing is enabled in a few seconds. After the feature is enabled, the status changes to Running. The following list describes the statuses that are available in the Status column.
  - Initializing: Web tamper proofing is being initialized. The first time you enable web tamper proofing for a server, the status is Initializing. Suggestion: Wait until web tamper proofing is enabled.
  - Running: Web tamper proofing is enabled and runs as expected. Suggestion: None.
  - Exception: An error occurred during the initialization of web tamper proofing. Suggestion: Move the pointer over Exception, view the causes, and then click Retry.
  - Not Initialized: The switch in the Protection column is turned off. Suggestion: Turn on the switch in the Protection column.
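The following added example (not Security Center's own code) models the whitelist and blacklist decisions described in the Add Directory step, including the logical OR across Excluded Sub-Directories, Excluded File Formats, and Excluded Files, and replays the two examples from the docs. The rule classes, function names, and the "out of scope" result for paths outside the protected directory are assumptions made for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import PurePosixPath
from typing import Optional


@dataclass(frozen=True)
class WhitelistRule:
    protected_dir: str                 # e.g. "/tmp/"
    protected_formats: frozenset       # e.g. {"xml"}; only these formats are protected
    prevention_mode: str               # "interception" or "alert"


@dataclass(frozen=True)
class BlacklistRule:
    protected_dir: str
    excluded_subdirs: frozenset        # e.g. {"dir1/dir0/"}
    excluded_formats: frozenset        # e.g. {"txt"}
    excluded_files: frozenset          # e.g. {"dir2/file3"}
    prevention_mode: str


def _relative(protected_dir: str, path: str) -> Optional[str]:
    """Path relative to the protected directory, or None if the path lies outside it."""
    try:
        return PurePosixPath(path).relative_to(PurePosixPath(protected_dir)).as_posix()
    except ValueError:
        return None


def _fmt(rel: str) -> str:
    """File format as the console expects it: the extension without the dot, lower-cased."""
    return PurePosixPath(rel).suffix.lstrip(".").lower()


def _action(mode: str) -> str:
    # Interception Mode blocks the change; Alert Mode only raises an alert.
    return "intercept" if mode == "interception" else "alert"


def decide_whitelist(rule: WhitelistRule, path: str) -> str:
    """Whitelist mode: only files of the protected formats are intercepted or alerted on."""
    rel = _relative(rule.protected_dir, path)
    if rel is None:
        return "out of scope"
    if _fmt(rel) in {f.lower() for f in rule.protected_formats}:
        return _action(rule.prevention_mode)
    return "allow"


def decide_blacklist(rule: BlacklistRule, path: str) -> str:
    """Blacklist mode: everything in the directory is protected unless an exclusion matches."""
    rel = _relative(rule.protected_dir, path)
    if rel is None:
        return "out of scope"
    # The three exclusions are combined with a logical OR: any single match is enough.
    in_excluded_subdir = any(rel.startswith(d.rstrip("/") + "/") for d in rule.excluded_subdirs)
    excluded_format = _fmt(rel) in {f.lower() for f in rule.excluded_formats}
    excluded_file = rel in rule.excluded_files
    if in_excluded_subdir or excluded_format or excluded_file:
        return "allow"
    return _action(rule.prevention_mode)


# The two configurations from the docs' examples.
WHITELIST_EXAMPLE = WhitelistRule("/tmp/", frozenset({"xml"}), "interception")
BLACKLIST_EXAMPLE = BlacklistRule(
    "/tmp/", frozenset({"dir1/dir0/"}), frozenset({"txt"}), frozenset({"dir2/file3"}), "interception"
)

if __name__ == "__main__":
    for p in ("/tmp/site.xml", "/tmp/notes.txt", "/var/www/site.xml"):
        print("whitelist", p, decide_whitelist(WHITELIST_EXAMPLE, p))
    for p in ("/tmp/dir1/dir0/a.xml", "/tmp/notes.txt", "/tmp/dir2/file3", "/tmp/dir2/file4"):
        print("blacklist", p, decide_blacklist(BLACKLIST_EXAMPLE, p))
```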
Anti-ransomware
Security Center provides protection, alerting, and data backup capabilities that prevent ransomware from compromising your core servers. Before you can use the anti-ransomware feature, you must purchase a specific quota. This quota allows you to enable the anti-ransomware feature for specific servers. For more information, see Enable anti-ransomware.
Configure anti-ransomware policies for servers
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Server extortion virus protection tab of the Anti-blackmail page, click Create Policies.
- In the Create Policies panel, configure the following parameters and click OK.
  After the anti-ransomware policy is created, the policy is enabled by default, and Security Center installs the anti-ransomware agent on your server. Then, Security Center backs up data in the protected directories of your server based on the backup settings that you configure in the anti-ransomware policy.
  - Policy Name: The name of the anti-ransomware policy.
  - Server Type: The type of the server to which you want to apply the anti-ransomware policy.
  - Select Assets: The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations:
    - In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section.
    - In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported.
    Note:
    - If you want to apply the anti-ransomware policy to ECS instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to servers that are not deployed on Alibaba Cloud, you must select servers that reside in the same region.
    - To make sure that the anti-ransomware capacity is used effectively, you can add a server to only one policy.
  - Protection Policies: The anti-ransomware policy that you want to configure. Valid values:
    - Recommendation Policy: If you select Recommendation Policy, the default values of the following parameters are used:
      - Protected Directories: All directories
      - Directory to Exclude: Excluded
      - Exclude specified directories: directories that are excluded from the policy
      - Protected File Types: All File Types
      - Start Time: a point in time within the range of 00:00 to 03:00
      - Backup policy execution interval: One Day
      - Backup data retention period: 7 Days
      - The bandwidth limit of the backup network: 0 MByte/s. Note: The value 0 indicates that no limits are imposed on the bandwidth.
      - VSS (Windows): Yes. Note: The VSS feature is available only if you create the anti-ransomware policy for Windows servers. After you enable the feature, the number of backup failures due to running processes is significantly reduced. We recommend that you enable the VSS feature. After you enable the feature, the data of disks that are in the exFAT and FAT32 formats cannot be backed up.
    - Custom policy: If you select Custom policy, you must configure the parameters based on your business requirements. The parameters include Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network.
  - Protected Directories: The directories that you want to back up. Valid values:
    - Specified directory: Security Center backs up only the specified directories of the specified servers. Enter the addresses of the directories for Protect directory address. Examples:
      - Windows server: C:\Program Files (x86)\
      - Linux server: /usr/bin/
    - All directories: Security Center backs up all directories of the specified servers. You must set Directory to Exclude to Not Excluded. Note: If you set Protected Directories to All directories, we recommend that you set Directory to Exclude to Not Excluded. This prevents system conflicts.
  - Directory to Exclude: Specifies whether to exclude system directories. If you set this parameter to Excluded, the system directories that are automatically specified for Exclude specified directories are excluded. You can also add or remove system directories based on your business requirements. Note: The system directories that are automatically excluded from the anti-ransomware policy for Windows and Linux servers are being updated. You can view the system directories that are automatically excluded to the right of the Exclude specified directories parameter.
  - Protected File Types: The types of the files that you want to protect. Valid values:
    - All File Types: Security Center protects all files.
    - Specify file type: Security Center protects only the files of the selected file types. Valid values:
      - Document
      - Picture
      - Compressed
      - Database
      - Audio and video
      - Script code
    Important:
    - If you set Protected File Types to Specify file type, you must select a file type from the drop-down list that appears.
    - You can select multiple file types. Security Center protects only the files of the selected file types.
  - Start Time: The time at which you want to start a data backup task. Important: If this is the first time that you back up all data in the protected directories based on an anti-ransomware policy, a large amount of CPU and memory resources is consumed. To avoid negative impacts on your services, we recommend that you back up data during off-peak hours.
  - Backup policy execution interval: The time interval between two data backup tasks. Default value: One Day. Valid values:
    - Half a day
    - One Day
    - 3 Days
    - Seven Days
  - Backup data retention period: The retention period of backup data. Default value: 7 Days. Important: The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements. Valid values:
    - Permanent
    - Custom. Note: You can specify a retention period. Valid values: 1 to 65535. Unit: days.
  - The bandwidth limit of the backup network: The maximum bandwidth that a data backup task can consume. Valid values: 1 to unlimited. Unit: MB/s. Important: If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. We recommend that you specify an appropriate bandwidth threshold based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures service stability.
  - VSS (Windows): Specifies whether to enable the VSS feature. The feature can maintain the change history of files and audit trace logs. The feature is also used for disaster recovery for files that contain source code. The VSS feature is available only for Windows servers. After you enable the feature, the number of backup failures due to running processes is significantly reduced. Valid values:
    - Yes: enables the feature.
    - No: disables the feature.
Configure anti-ransomware policies for databases
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- On the Anti-ransomware page, click the Database extortion virus protection tab and click Create Policies.
- In the Database protection strategy panel, create an anti-ransomware policy for a database.
Virus detection and removal
- Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. The following regions are supported: China and Outside China.
- In the left-side navigation pane, choose .
- On the Virus Detection and Removal page, perform an immediate scan task or configure a periodic scan task.
- Perform an immediate scan task
- On the Virus Detection and Removal page, click Scan now.
- In the Scan Settings panel, configure the Scan Mode and Scope parameters.
    - Scan Mode: Select a scan mode. Valid values:
      - Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.
      - Custom Directory Scan: In this mode, you can specify the file directories that you want to scan. Enter the file directories that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.
    - Scope: Select the assets that you want to scan. You can select assets based on the following types:
      - By Asset: If you select this option, you can select the servers that you want to scan.
      - By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.
      - By VPC: If you select this option, you can select virtual private clouds (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.
- Click OK.
Security Center performs an immediate scan task based on the specified scan mode and scope. The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.
- Configure a periodic scan task
- On the Virus Detection and Removal page, click Scan Settings in the upper-right corner.
- In the Defense Configuration panel, configure the Scan Cycle, Scan Mode, and Scope parameters.
    - Scan Cycle: Specify the interval and period for automatic scans.
    - Scan Mode: Select a scan mode. Valid values:
      - Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.
      - Custom Directory Scan: In this mode, you can specify the file directories that you want to scan. Enter the file directories that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.
    - Scope: Select the assets that you want to scan. You can select assets based on the following types:
      - By Asset: If you select this option, you can select the servers that you want to scan.
      - By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.
      - By VPC: If you select this option, you can select virtual private clouds (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.
- Click Determine.
Security Center automatically scans the specified assets based on the configurations.