Security Center allows you to configure alert settings. You can configure logon settings for your server. The settings include approved logon locations, approved logon IP addresses, approved logon time ranges, and approved logon accounts. You can also configure defense rules against brute-force attacks, specify custom web directories to scan, and manage alert handling rules. This way, you can create fine-grained protection rules and manage the rules in a centralized manner. The rules are used to detect threats to your assets and monitor the security status of your assets in real time.

Background information

After you configure alert settings for your server in the Settings panel of the Alerts page, the system displays the alerts that are triggered by unauthorized logon requests and configured rules in the alert list of the Alerts page. The settings include approved logon locations, approved logon IP addresses, approved logon time ranges, approved logon accounts, defense rules against brute-force attacks, custom web directories for scans, and alert handling rules. To ensure the security of your assets, we recommend that you handle alerts at the earliest opportunity. For more information, see View and handle alerts.

Limits

The following table describes the items in the Settings panel for different editions of Security Center.
Note The following symbols are used in the table:
  • ×: indicates that the item is not supported by the edition.
  • √: indicates that the item is supported by the edition.
Item                                       | Basic edition | Anti-virus edition | Advanced edition | Enterprise edition | Ultimate edition
Approved logon location                    | √             | √                  | √                | √                  | √
Approved logon IP address                  | ×             | ×                  | √                | √                  | √
Approved logon time range                  | ×             | ×                  | √                | √                  | √
Approved logon account                     | ×             | ×                  | √                | √                  | √
Defense rule against brute-force attacks   | ×             | ×                  | √                | √                  | √
Web directory for scans                    | √             | √                  | √                | √                  | √
Alert handling rule                        | √             | √                  | √                | √                  | √

Configure logon settings

You can configure approved logon locations, approved logon IP addresses, approved logon time ranges, and approved logon accounts in the Settings panel of the Alerts page. After you configure the logon settings, Security Center generates alerts for unauthorized logon requests on your server.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, click Settings in the upper-right corner.
  3. In the Settings panel, configure approved logon locations, approved logon IP addresses, approved logon time ranges, and approved logon accounts.
    The procedures for configuring each item of the logon settings are similar. This example shows how to configure approved logon locations.
    1. On the Usual logon location tab, click Management on the right of the Usual logon location section.
    2. In the Usual logon location panel, select a logon location based on your business requirements, select the servers that allow logons from the logon location, and then click OK.
    Security Center allows you to change the servers that allow logons from the selected logon location and delete the selected logon location.
    • To change the servers that allow logons from the logon location, find the location and click Edit on the right.
    • To delete the logon location, find the location and click Delete on the right.

Configure defense rules against brute-force attacks

Security Center allows you to configure defense rules to protect your server against brute-force attacks. You can configure a defense rule to block logon attempts to your server for a period of time if the number of logon failures exceeds the specified threshold within the specified period of time. Defense rules can protect the password of your server from being cracked.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, click Settings in the upper-right corner. In the panel that appears, click the brute-force attacks protection tab.
  3. If this is the first time that you configure defense rules against brute-force attacks, you must obtain the required permissions.
    1. On the right of the Anti-brute Force Cracking section, move the pointer over the dimmed Management button. In the message that appears, click Authorize Now.
    2. Click Confirm Authorization Policy.
  4. On the right of the Anti-brute Force Cracking section, click Management.
    If you use the Basic or Anti-virus edition of Security Center, you must upgrade Security Center to the Advanced edition or higher before you can configure a defense rule.
  5. In the brute-force attacks protection panel, configure the parameters.
    Security Center provides default settings in the Defense Rule section. If the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you retain the default settings, you only need to select the servers to protect. You can also create a custom defense rule. The following list describes the parameters.
    Defense Rule Name: Enter the name of the defense rule.
    Defense Rule: Specify the content of the rule. The content includes the measurement duration, the number of logon failures, and the disablement duration. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the specified number during the measurement duration, the defense rule blocks the IP address for the disablement duration. For example, if the number of logon failures from an IP address exceeds 3 within 1 minute, the IP address is blocked for 30 minutes.
    Set As Default Policy: Determine whether to specify the defense rule as the default defense rule. If you select Set As Default Policy, servers that are not protected by any other defense rule use this rule.
    Note If you select Set As Default Policy, the defense rule takes effect on all servers that are not protected by other defense rules, regardless of whether you select the servers in the Select Server(s) section.
    Select Server(s): Select the servers to which you want to apply the defense rule. You can select servers from the server list or search for servers by server name or server IP address.
  6. Click OK.
    Notice You can apply only one defense rule to a server.
    • If a server selected for the defense rule that you create is not protected by a different defense rule, the created defense rule takes effect on the server.
    • If a server is protected by a different defense rule from the rule that you create but you want to replace the former rule with the latter rule, read and confirm the information in the Confirm Changes message, and click OK.
    • If you replace the defense rule for a server with a new rule, the number of servers protected by the original rule decreases.

    After you configure a defense rule on the brute-force attacks protection tab of the Settings panel, IP blocking can be triggered based on the rule. In this case, Security Center generates an IP blocking policy. For more information about IP blocking policies, see Configure IP address blocking policies.
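The following script is an added illustration, not Security Center code, of how a defense rule like the ones above evaluates failed logons: a per-source-IP sliding window of the measurement duration, a block once the failure count exceeds the threshold, and a disablement period during which further failures generate no new policy. The class and function names and the sample events are constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of failed-logon events (timestamp, source IP); not real data.
SAMPLE_FAILURES = [
    ("2024-01-01 10:00:00", "203.0.113.7"),
    ("2024-01-01 10:00:20", "203.0.113.7"),
    ("2024-01-01 10:00:40", "203.0.113.7"),
    ("2024-01-01 10:00:50", "203.0.113.7"),   # 4th failure within 1 minute
    ("2024-01-01 10:05:00", "203.0.113.7"),   # arrives while the IP is blocked
    ("2024-01-01 10:40:00", "203.0.113.7"),   # block expired; window starts fresh
    ("2024-01-01 10:00:05", "198.51.100.9"),
    ("2024-01-01 10:00:30", "198.51.100.9"),  # only 2 failures: never blocked
]

class BruteForceRule:
    """Hypothetical model of a defense rule: measurement duration,
    failure threshold ("Failures Exceeds") and disablement duration."""
    def __init__(self, name, window, max_failures, block_for):
        self.name, self.window = name, window
        self.max_failures, self.block_for = max_failures, block_for
        self._failures = defaultdict(deque)  # ip -> failure times inside the window
        self.blocked_until = {}               # ip -> time the block expires

    def is_blocked(self, ip, now):
        until = self.blocked_until.get(ip)
        return until is not None and now < until

    def record_failure(self, ip, when):
        """Register one failed logon; True if it triggers a new block."""
        if self.is_blocked(ip, when):
            return False  # already blocked: no additional policy is generated
        q = self._failures[ip]
        q.append(when)
        while q and when - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) > self.max_failures:           # "exceeds" the configured count
            self.blocked_until[ip] = when + self.block_for
            q.clear()
            return True
        return False

def default_rule():   # the page's default: 80 failures / 10 minutes -> 6-hour block
    return BruteForceRule("default", timedelta(minutes=10), 80, timedelta(hours=6))

def custom_rule():    # the page's example: 3 failures / 1 minute -> 30-minute block
    return BruteForceRule("custom", timedelta(minutes=1), 3, timedelta(minutes=30))

def run_rule(rule, events):
    """Replay failures in time order; return the (ip, blocked_until) policies generated."""
    policies = []
    for ts, ip in sorted(events):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if rule.record_failure(ip, when):
            policies.append((ip, rule.blocked_until[ip]))
    return policies
```

Replaying the sample under the custom rule yields one generated policy for 203.0.113.7 expiring at 10:30:50; the same events under the default rule yield none, which is the difference a stricter threshold makes.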

Specify custom web directories to scan

Security Center automatically scans the web directories of your server and runs dynamic and static scan tasks. You can also specify the web directories to scan. If suspicious connections are established by using known webshells, Security Center intercepts the connections and generates alerts. The alerts are displayed in the alert list of the Alerts page.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, click Settings in the upper-right corner. In the panel that appears, click the Web Directory Definition tab.
  3. On the right of the Add Scan Targets section, click Management.
  4. Specify a commonly used web directory and select the servers on which the specified web directory is scanned.
    Note To ensure the scan performance and efficiency, we recommend that you do not specify a root directory.
  5. Click OK.

Manage alert handling rules

If you add an alert to the whitelist, an alert handling rule is created and displayed in the list of alert handling rules of the Settings panel. You can modify or delete the alert handling rule in the Settings panel.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, click Settings in the upper-right corner.
  3. In the Settings panel, click the Alert Handling Rule tab.
  4. In the Alert Handling Rule section, modify or delete an alert handling rule.
    • Modify an alert handling rule
      1. Find the rule that you want to modify and click Edit in the Actions column.
      2. In the Edit Rule panel, add or remove the servers on which the alert rule takes effect.
      3. Click OK. The rule is modified.
    • Delete an alert handling rule
      1. Find the rule that you want to delete and click Delete in the Actions column.
      2. In the message that appears, click OK. The rule is deleted.

Configure IP address blocking policies

You can configure IP address blocking policies to defend against brute-force attacks. Security Center offers two types of policies: system policies and custom policies.
  • System policies: If you configure a defense rule and the rule is triggered to block specific IP addresses, Security Center automatically generates a system policy. To configure a defense rule, perform the following operations: On the Alerts page of the Security Center console, click Settings in the upper-right corner. In the panel that appears, click the brute-force attacks protection tab. In the Anti-brute Force Cracking section, click Management. In the brute-force attacks protection panel, create a defense rule. System policies are enabled by default. If the number of logon failures exceeds the value of the Failures Exceeds parameter within the time period that is specified in the defense rule, Security Center generates a system policy that blocks the offending IP addresses. The value of the Disable logon parameter determines the validity period of the system policy. For more information, see Configure defense rules against brute-force attacks.
  • Custom policies: To create a custom policy, perform the following operations: On the Alerts page of the Security Center console, click the number below IP blocking/All. In the IP Policy Library panel, click the Custom Rules tab and then click Create Rule. In the New IP Blocking Policy panel, create a custom policy. You can use custom policies to block access from specific IP addresses and prevent those IP addresses from reaching specific servers in the cloud. Custom policies are disabled by default. You can manually enable a custom policy based on your business requirements.
  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, click the number below the IP blocking / All column to go to the IP Policy Library panel. In the IP Policy Library panel, you can manage system policies or custom IP blocking policies.
    • Create a custom IP blocking policy
      1. Click the Custom Rules tab. On the Custom Rules tab of the IP Policy Library panel, create a custom IP blocking policy.

        If you create a custom policy for the first time, you must authorize Security Center to access the required cloud resources. To authorize Security Center, move the pointer over Create Rule and click Authorize Now. On the Cloud Resource Access Authorization page, click Confirm Authorization Policy. Then, go back to the Custom Rules tab of the IP Policy Library panel.

      2. Click Create Policy. In the New IP Blocking Policy panel, configure the parameters and click OK.
        Intercepted object: The IP address that you want to block.
        All Assets: The servers to which the policy applies. You can select more than one server. You can also enter a server name or server IP address in the search box to search for a server.
        Note Only Alibaba Cloud Elastic Compute Service (ECS) instances are supported.
        Rule Direction: The direction of the traffic that you want to block. Valid values: Inbound and Outbound.
        Security Group: The security group that is associated with the IP address blocking policy. Default value: Cloud Security Center Block Group. When the policy is enabled, a blocking rule is automatically created in the security group. If the policy expires or is disabled, the rule in the security group is automatically deleted.
        Expire Date: The expiration time of the policy. After the policy expires, the status of the policy changes to Disabled.

        By default, the policy is disabled. You must manually enable the policy before the policy can take effect.

    • Modify a custom IP blocking policy

      Find the IP blocking policy that you want to modify and click Edit in the Operate column. In the Edit IP Blocking Policy panel, add or remove the assets on which the blocking policy takes effect and change the expiration time of the policy as needed. Then click OK. Security Center blocks access requests from the IP addresses based on the latest policy.

      You can edit a policy only when the policy is in the Disabled state. If you want to edit a policy that is in the Enabled state, you must first disable the policy.

    • Enable or disable a policy

      You can enable specific policies to block access requests from malicious IP addresses based on your business requirements. If normal traffic is blocked, you can disable the related policy. After you disable the policy, Security Center no longer blocks the access requests from the IP addresses that are specified in the policy.

      On the System Rules or Custom Rules tab of the IP Policy Library panel, find the policy and disable or enable the policy.
      • Enable: Turn on the switch in the Policy Status column. In the Enable IP Policies message, click OK. Then, the policy takes effect, and the status of the policy changes to Enabled. Security Center blocks access requests from the IP addresses specified in the policy.
        Note If you enable a custom policy whose expiration time has already passed, the policy is valid for only two hours after the point in time at which you enable it. We recommend that you modify the validity period of the policy before you enable the policy.
      • Disable: Turn off the switch in the Policy Status column. In the Disable IP Policies message, click OK. After a policy is disabled, the policy becomes invalid, and the status of the policy changes to Disabled. Security Center no longer blocks access requests from the IP addresses specified in the policy.