After you add your servers to Security Center, you can manage the servers on the Server
tab of the Host page. For example, you can synchronize the information about the most
recent servers that are added to Security Center, view the information about servers,
manage servers by server group, and change the protection status of servers. This
topic describes how to manage servers.
Synchronize the information about the most recent servers
Every minute, Security Center automatically synchronizes the information about the servers on which
the Security Center agent is installed to the console. After the Security
Center agent is installed on a server, you can view the information about the server
in the server list. Before you view the information, we recommend that you synchronize
the information about the most recent servers in the Security Center console. This
ensures that newly added servers are added to the server list.
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Server tab of the Host page, click Synchronize Asset.
Security Center obtains the information about the most recent servers and updates
the server list.
Note The system takes 1 minute to update the information. Wait until the information is
updated.
Add multi-cloud assets to Security Center
Security Center can protect and manage the servers that are not deployed on Alibaba
Cloud. The servers include third-party cloud servers and servers in data centers.
Before you can use Security Center to protect servers that are not deployed on Alibaba
Cloud, you must add the servers to Security Center. The following table describes
the types of servers that can be added to Security Center and the operations that
you must perform to add the servers to Security Center.
Server provider or server type |
Operation |
Server deployed on a third-party cloud such as Tencent Cloud or Amazon Web Services
(AWS) Cloud
|
- Log on to the Security Center console. In the left-side navigation pane, choose .
- In the Add Multi-cloud Asset section, move the pointer over the icon of the server provider and click Add.
- In the Access to assets outside the cloud panel, configure the parameters. For information, see Add multi-cloud assets to Security Center.
|
Server in a data center |
- Log on to the Security Center console. In the left-side navigation pane, choose .
- In the Add Multi-cloud Asset section, move the pointer over the icon and click Add.
- In the Access to assets outside the cloud panel, configure the parameters. For information, see Create an IDC probe.
|
Server outside the cloud |
- Log on to the Security Center console. In the left-side navigation pane, choose .
- In the Add Multi-cloud Asset section, move the pointer over the icon and click Install Agent.
- On the Feature Settings page, install the Security Center agent. For information, see Manually install the Security Center agent.
|
View the information about servers
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Server tab of the Host page, view the information about servers.
- View the information about a server
You can configure the search conditions above the server list to search for the server.
The search conditions include Instance name, Internet IP, and Private IP.
In the Risks Status column of the server, you can view the security status of the server.
You can click View in the Operation column of the server to go to the details page of the server. The following table
describes the details that you can view.
Tab |
Description |
Basic Info |
- Detail
This tab displays the basic information about the server. The information includes
ID, Region, Group, and OS. You can click Group to change the server group for the
server. You can click Client Troubleshooting to troubleshoot the issues that cause
the abnormal status of the Security Center agent installed on the server.
Note If some basic information such as MAC Address and Kernel version of the server is
missing, you can go to the server list, find and select the server, and then choose
below the server list to collect the basic information about the server.
- Defensive status
This tab displays Self-protection, Virus Blocking, and Network Threat Prevention.
- Vulnerability check
This tab displays the types of vulnerabilities that can be detected. You can adjust
the types of vulnerabilities that you want to detect.
- Anti-brute Force Cracking
This tab displays the rule that is used to defend against brute-force attacks and
is applied to the server. You can modify the defense rule.
- Login security setting
This tab displays the approved logon locations, approved logon IP addresses, approved
logon time ranges, and approved logon accounts of the server. You can configure alerts
based on the information.
|
Vulnerabilities |
This tab displays the vulnerabilities that are detected on the server. |
Alerts |
This tab displays the alerts that are generated for the server. |
Baseline Risks |
This tab displays the baseline check results of the server.
Note This tab is available only in the Advanced, Enterprise, and Ultimate editions of Security Center. This tab is unavailable in the Basic and Anti-virus editions of Security Center.
|
Asset Fingerprints |
This tab displays the details about the fingerprints of the server.
Note This tab is available only in the Enterprise and Ultimate editions of Security Center. This tab is unavailable in the Basic, Anti-virus, and Advanced editions of Security Center.
|
Configuration Assessment |
This tab displays the configuration check results of the server. |
O&M and Monitoring |
- Remote operation and maintenance
This tab displays the O&M commands that are remotely run on the server by Cloud Assistant,
the execution results of the commands, and the execution results of file sending tasks
that are run on the server.
- Performance monitoring
This tab displays the information such as the CPU utilization, memory usage, system
load, inbound traffic rate, outbound traffic rate, and number of TCP connections of
the server.
|
- View the information about servers in a category
On the Host page, servers are categorized to help you manage servers in an efficient manner.
The categories include At-risk, Unprotected, and Exposed.
Category |
Description |
All Servers |
The servers that are protected by Security Center. The servers include Elastic Compute
Service (ECS) instances and servers that are not deployed on Alibaba Cloud and have
the Security Center agent installed.
|
At-risk |
The servers on which vulnerabilities and baseline risks are detected, and the servers
for which alerts are generated.
|
Unprotected |
The servers on which the Security Center agent is in the Offline or Disable Protection state.
Important Security Center cannot protect the servers on which the Security Center agent is in
the Offline or Disable Protection state. You can configure Security Center to protect the servers. For more information,
see Change the protection status of a server.
|
Shutdown |
The servers that are shut down. |
Exposed |
The servers that are exposed on the Internet. These servers are accessible over the
Internet. For more information about the exposure details, see Asset exposure analysis.
Note
- Only the Enterprise and Ultimate editions support asset exposure analysis. If you do not use one of the editions,
you must upgrade Security Center to the Enterprise or Ultimate edition before you can view the number and list of the servers that are exposed on
the Internet.
- If Unknown is displayed on the right side of Exposed, the current edition of Security Center does not support asset exposure analysis.
In this case, the number of exposed servers is not displayed in the Security Center
console. To use asset exposure analysis, you must upgrade Security Center to the Enterprise or Ultimate edition. For more information, see Upgrade and downgrade Security Center.
|
Add |
The ECS instances that you purchased within the last 15 days. |
Server Group |
The servers that are categorized based on server groups. You can find a server group
and click the number in the All Servers, At-risk, or Unprotected column to view the security status of the servers that belong to the server group.
|
Server Region |
The servers that are categorized based on regions. You can find a region and click
the number in the All Servers, At-risk, or Unprotected column to view the security status of the servers that are deployed in the region.
|
VPC |
The servers that are categorized based on virtual private clouds (VPCs). You can find
a VPC and click the number in the All Servers, At-risk, or Unprotected column to view the security status of the servers that reside in the VPC.
|
Importance |
The servers that are categorized based on asset importance levels. In the Importance section, you can click Important, Normal, or Test to view the security status of the related servers.
Note Security Center allows you to classify your servers that belong to the current Alibaba
Cloud account into three levels based on asset importance. You can determine the asset
importance levels based on your business requirements. This way, you can manage multiple
servers by asset importance level.
|
Tag |
The servers that are categorized based on tags. You can click a tag in the Tag section to view the security status of the servers to which the tag is added.
|
- View the information about servers that match one or more search conditions
After you click the All Servers, At-risk, Unprotected, Shutdown, Exposed, or Add category, you can configure one or more search conditions to search for specific
servers.
The following procedure provides an example on how to configure multiple search conditions
to search for servers. The search conditions are the Linux operating system, alerts
generated, and the China (Hangzhou) region.
- On the Server tab of the Host page, click Unprotected.
- In the drop-down list next to the search box, configure the System Type, Alert problems, and Region search conditions.
- Select Linux for System Type.
- Select Yes for Alert problems.
- Select China (Hangzhou) for Region.
Note If you cannot select a value for a search condition in the drop-down list, you can
enter keywords for the search condition in the search box.
After you configure the search conditions, the search conditions are displayed above
the server list.
- Click the switch on the left side of the search conditions to switch between the AND
and OR Boolean operators.
- AND: specifies the AND logical relation among search conditions.
- OR: specifies the OR logical relation among search conditions.
After you specify the search conditions, servers that match all the specified search
conditions are displayed in the server list.
- Optional: If you want to save the preceding search conditions as frequently used search conditions,
click Save on the right side of the search conditions.
After you save frequently used search conditions, you can select the search conditions
from the Frequent search conditions drop-down list to search for servers, which is more efficient.
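The multi-condition search above, modeled offline as an added example (not Security Center's own code or API): the field names, the substring treatment of typed keywords, and all server records are assumptions constructed for illustration. It shows how the AND/OR switch changes the result set for the same three conditions within the Unprotected category.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    # Hypothetical field names; they mirror the console's search conditions.
    name: str
    system_type: str    # System Type
    region: str         # Region
    has_alerts: bool    # Alert problems: Yes / No
    agent_status: str   # "Online", "Offline" or "Disable Protection"


# Constructed sample inventory, not real assets.
INVENTORY = [
    Server("web-01", "Linux", "China (Hangzhou)", True, "Offline"),
    Server("web-02", "Linux", "China (Hangzhou)", False, "Disable Protection"),
    Server("db-01", "Linux", "China (Beijing)", True, "Offline"),
    Server("ad-01", "Windows", "China (Hangzhou)", True, "Disable Protection"),
    Server("app-01", "Linux", "China (Hangzhou)", True, "Online"),
]

# The three conditions from the procedure above.
CONDITIONS = {"system_type": "Linux", "has_alerts": True, "region": "China (Hangzhou)"}


def unprotected(servers):
    """Unprotected category: the agent is Offline or in Disable Protection."""
    return [s for s in servers if s.agent_status in ("Offline", "Disable Protection")]


def matches(server, field, wanted):
    """Evaluate one search condition against one server."""
    actual = getattr(server, field)
    if isinstance(wanted, bool):
        return actual == wanted
    # Assumption: a typed keyword matches as a case-insensitive substring.
    return wanted.lower() in str(actual).lower()


def search(servers, conditions, operator="AND"):
    """Apply all conditions, combined with the AND or OR Boolean operator."""
    if operator not in ("AND", "OR"):
        raise ValueError("operator must be 'AND' or 'OR'")
    if not conditions:
        return list(servers)
    combine = all if operator == "AND" else any
    return [s for s in servers
            if combine(matches(s, f, v) for f, v in conditions.items())]


def names(servers):
    return [s.name for s in servers]


if __name__ == "__main__":
    pool = unprotected(INVENTORY)
    print("AND:", names(search(pool, CONDITIONS, "AND")))
    print("OR: ", names(search(pool, CONDITIONS, "OR")))
```

Switching to OR returns every unprotected server that meets at least one condition, so it widens a triage list rather than narrowing it.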
Manage server groups, importance levels, and tags
Security Center allows you to manage server groups, the importance levels of servers,
and the tags that are added to servers on the Host page. This way, you can manage
servers in different dimensions and use the features provided by Security Center with
ease.
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Server tab of the Host page, manage server groups, importance levels, and tags.
- Manage server groups
You can add servers to server groups in advance. When you then use the features of Security Center, you can select by server group
the servers on which you want the features to take effect.
The features include anti-ransomware, web tamper proofing, baseline check, and vulnerability
scan.
Click the Server tab. On the left side of the server list, click Server Group in the Attribute section to manage server groups.
- Edit or delete a server group
Move the pointer over a server group and click the
icon. In the Group dialog box, modify the name of the server group, add servers to the server group,
or remove servers from the server group.
Move the pointer over a server group and click the icon. In the Prompt message, click OK.
Note You cannot delete the Default server group.
- Change the server group for a server
In the Server Group section, click the name of the server group to which a specified server belongs.
In the list of servers that are added to the server group, find and select the server
and click Group below the server list. In the Group dialog box, change the server group for the server based on your business requirements.
- Move to Existing Group
Select Move to Existing Group for Mode, select a new server group from the New group drop-down list, and then click OK.
- Create Group
Select Create Group for Mode, enter a name for the new server group in the New Group field, and then click OK.
Alternatively, you can find and select the server in the list of All Servers and click
Group below the server list.
- Manage the importance levels of servers
The importance level that you specify for a server determines the asset importance score of the server. The asset importance score is used in the formula that
calculates the urgency score for fixing a vulnerability. You can use the urgency score of a vulnerability
to decide whether to fix the vulnerability first.
We recommend that you set Importance of core servers to Important. Vulnerabilities on servers whose importance level is set to Important have higher
urgency scores.
The following table describes the relationships between importance levels and asset
importance scores. For more information about the priorities to fix vulnerabilities,
see Priorities to fix vulnerabilities.
| Importance level | Asset importance score | Description |
| --- | --- | --- |
| Important | 1.5 | Servers that are used in crucial business or used to store core business data. Virus intrusion into the servers adversely affects the system and causes major loss. |
| Normal | 1 | Servers that are used in non-crucial business and are highly replaceable. Virus intrusion into the servers causes less impact on the system. |
| Test | 0.5 | Servers that are used for functional or performance tests, or servers that can cause less impact on the system. |
Click the Server tab. On the left side of the server list, manage the importance levels of servers
in the Importance section.
- Specify the importance level for a server
In the Importance section, click Management. In the Asset Importance Management dialog box, select an importance level from the Importance drop-down list, select
the servers for which you want to apply the selected importance level, and then click
OK.
- Manage the importance levels of servers
In the Importance section, move the pointer over Important, Normal, or Test, and click the
icon. In the Asset Importance Management dialog box, add servers for which you want to apply the importance level, or remove
servers for which the importance level is applied. Then, click OK.
- Manage the importance level of a server
In the server list, find the server whose importance level you want to manage and
click the icon in the Server information column. In the dialog box that appears, configure the Asset Importance parameter
and click OK.
- Manage the tags that are added to servers
You can add custom tags to servers to identify their special attributes. This allows you to filter for servers
that have the same attributes.
Click the Server tab. On the left side of the server list, manage the tags that are added to servers
in the Tags section.
- View the servers to which a tag is added
In the Tags section, click the name of a tag to view the servers to which the tag is added.
- Create a tag
In the upper-right corner of the Tags section, click Management. In the Tag dialog box, enter a name for the tag, select the servers to which you want to add
the tag, and then click OK.
- Edit or delete a tag
Move the pointer over the tag that you want to edit and click the
icon. In the Tag dialog box, change the name of the tag, add the servers to which you want to add
the tag, or remove the servers to which the tag is added, and then click OK.
Move the pointer over the tag that you want to delete and click the
icon. In the Note message, click OK.
- Manage the tags that are added to a server
In the server list, find the server to which you want to add a tag and click the
icon in the Server information column. In the dialog box that appears, select the tag that you want to add to the
server and click OK.
Note You can add multiple tags to a server.
In the server list, find the server from which you want to remove a tag and click
the icon on the right side of the tag in the Server information column. In the Note message, click OK.
Change the protection status of a server
After you install the Security Center agent on a server, Security Center automatically
enables protection for the server. You can change the protection status of the server
based on your business requirements.
After you install the Security Center agent on a server, the
icon is displayed in the Agent column for the server on the Host page. The icon indicates that the server is protected by Security Center. If the
icon is displayed in the Agent column for a server, the server is not running or the Security Center agent installed
on the server is offline. If the Security Center agent is offline, Security Center
cannot protect the server on which the agent is installed. You must troubleshoot the
issue at the earliest opportunity. For more information, see Troubleshoot why the Security Center agent is offline.
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Server tab of the Host page, manage the protection status of the server.
- Disable protection
Important After you disable protection for a server, Security Center no longer protects the
server. For example, Security Center no longer detects vulnerabilities on the server
or generates alerts for risks that are detected on the server. Proceed with caution.
If you confirm that a server does not require protection from Security Center, you
can disable protection for the server. Select one or more servers for which the
icon is displayed in the Agent column, and choose More Operations > Suspend Protection below the server list.
After this operation is complete, the
icon in the Agent column of the server is replaced by the
icon, which indicates that the server is not protected by Security Center.
- Enable protection
Select one or more servers for which the
icon is displayed in the Agent column, and choose More Operations > Turn on protection below the server list.
Note After you click Turn on protection for a server, the icon may still be displayed in the
Agent column of the server. This may be caused by the following reasons:
- The Security Center agent is not installed on the server. You must install the Security
Center agent on the server. After the Security Center agent is installed, Security
Center automatically enables protection for the server. For more information about
how to install the Security Center agent, see Install the Security Center agent.
- The Security Center agent that is installed on the server is offline. You must troubleshoot
the issue at the earliest opportunity. For more information, see Troubleshoot why the Security Center agent is offline.
Unbind a server not deployed on Alibaba Cloud from Security Center
Security Center can protect servers that are not deployed on Alibaba Cloud and have
the Security Center agent installed. If you do not require protection for the servers,
you can unbind the servers from Security Center.
If a server that is not deployed on Alibaba Cloud shuts down, the server is disconnected
from Alibaba Cloud. If a server shuts down but still has unhandled vulnerabilities
or alerts, you can unbind the server from Security Center in the asset list. This
prevents the unhandled vulnerabilities and alerts from affecting the security score
of your assets in Security Center. If you no longer want Security Center to protect
the server, you can directly uninstall the Security Center agent. For more information,
see Uninstall the Security Center agent.
Note
- You can unbind only the servers that are not deployed on Alibaba Cloud from Security
Center. If you use an Alibaba Cloud ECS instance, you do not need to unbind the ECS
instance. If you uninstall the Security Center agent from an ECS instance, the ECS
instance still exists as a disconnected server in the asset list of the Security Center
console. The ECS instance is not removed from the asset list.
- After you unbind a server that is not deployed on Alibaba Cloud from Security Center,
the server no longer consumes the quota of protected servers or protected server vCPUs.
This way, you can install the Security Center agent on other servers to meet your
business requirements.
- Log on to the Security Center console. In the left-side navigation pane, choose .
- On the Server tab of the Host page, select a server that you want to unbind from Security Center in the asset list and
choose below the list.
- In the Note message, click OK.
After the server is unbound from Security Center, Security Center delivers a command
to uninstall the Security Center agent from the server, removes the server from the
asset list, and no longer protects the server.
If you directly uninstall the Security Center agent, all processes and files in the
directory of the Security Center agent are deleted from the server. To protect the
server by using Security Center later, you must reinstall the Security Center agent
on the server. For more information, see Install the Security Center agent.