Security Center provides various features to protect your cloud assets and servers in data centers. These features include alert notification, antivirus, webshell detection, client protection, and container image scan. This topic describes how to configure these features.

Alert notification

If Security Center detects exceptions in your assets, Security Center sends alert notifications based on the severity levels, notification periods, and notification methods that you specify. This way, you can monitor the security of your assets in real time. The notification methods include text messages, emails, internal messages, and DingTalk chatbots. For more information, see Use the notification feature.

  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Notification Settings.
  2. On the Notification Settings page, click the Text Message/Email/Internal Message tab. Then, specify the notification periods, notification methods, and severity levels for the notification items on which Security Center sends alerts.

    Notification items refer to the threat events and security risks that Security Center detects in your assets. Security Center supports the following notification items: Vulnerabilities, Notification of Task Execution Result in Anti-ransomware, Baseline Risks, Alerts, Precision Defense, AccessKey leakage info, Config Assessment, Emergency Vul Intelligence, Anti-Tampering of web pages, Container firewall exception alert notification, Container firewall proactive defense notification, Malicious IP interception alert, Virus scan notification, Log excess, Honeypot Alert, and Alert Generated by Application Protection.

Proactive defense, webshell detection, and client protection

If you want to enable the proactive defense, webshell detection, or client protection feature, go to the Feature Settings page and select the servers for which you want to enable the features.
Note If you do not turn on the switches in the Proactive Defense section, Security Center only detects related threats and does not automatically process detected common viruses or malicious network behavior.
  1. Log on to the Security Center console. In the left-side navigation pane, choose System Configuration > Feature Settings.
  2. On the Feature Settings page, click the Settings tab. On the General tab, turn on or turn off the switches in the Proactive Defense section.
    Click Manage for Anti-Virus, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention to select the servers for which you want to enable proactive defense and turn on the switches.
    After you turn on the switches in the Proactive Defense section, Security Center automatically quarantines the detected common viruses or suspicious connections. If you want to view the quarantined viruses and connections, you can go to the Alerts page and filter security events by using the Precision defense search condition.
  3. Enable the webshell detection feature.
    In the Webshell Detection section, click Manage to select the servers for which you want to enable the webshell detection feature.
  4. Enable the client protection feature.
    In the Client Protection section, turn on Defense mode and click Manage to select the servers for which you want to enable the client protection feature.

Container image scan

The feature of container image scan is in public preview. Only the Enterprise and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.
  2. Optional: Click Authorize Immediately.
    The first time you use container image scan, you must obtain the required permissions.
  3. On the Image Security page, click Scan Now.
    Security Center requires approximately 1 minute to perform the scan. After the scan is complete, you can refresh the page to view the scan results.
  4. Click the Image Vulnerability, Image Baseline Check, or Image Malicious Sample tab to view the detected vulnerabilities or malicious samples.
    You can perform the following operations:
    • Search for vulnerabilities or malicious samples

      Select a vulnerability severity (high, medium, or low) or a malicious sample severity (urgent, warning, or notice). Alternatively, enter an instance ID, repository name, namespace, or digest to search for a vulnerability or malicious sample.

    • View the details of a vulnerability or a malicious sample

      Click the name of a vulnerability or a malicious sample to view its details. On the vulnerability details page, you can view the vulnerability ID, impact score, and vulnerability announcement. On the malicious sample details page, you can view the priority, MD5 hash value, last scan time, and first scan time. You can also view the list of affected images on these pages.

    • View the details of affected images

      Click the name of a vulnerability or a malicious sample. On the details page of the vulnerability or malicious sample, find the image whose details you want to view and click Details in the Operation column. Then, you can view the details of the detected vulnerability or malicious sample.

Configuration assessment

The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual checks and periodic automatic checks.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Risk Management > Config Assessment.
  2. On the Cloud Platform Configuration Assessment page, run a configuration check.
    • Manual check

      If you want to immediately check whether risks exist in the configurations of your cloud services, you can click Scan now on the Cloud Platform Configuration Assessment page. The system checks all your cloud services.

    • Automatic check

      You can configure automatic checks. Then, Security Center runs configuration checks based on the detection cycle and time that you specify.

      1. In the upper-right corner of the Cloud Platform Configuration Assessment page, click Settings.
      2. In the Settings panel, configure the Detection Cycle, Detection Time, and Risk Check Item parameters. Then, click OK.
    Note
    • The default value of the Detection Cycle parameter is a random day from Monday to Sunday. You can configure this parameter based on your business requirements.
    • Wait until the configuration check on all cloud services is complete.

We recommend that you handle the detected security risks at the earliest opportunity. For more information, see Configuration assessment.

Defense rules against brute-force attacks

Security Center provides the feature of protection against brute-force attacks. The feature allows you to configure defense rules to prevent brute-force attacks. You can configure a defense rule to block logon attempts to your server for a period of time if the number of logon failures exceeds the specified threshold within the specified period of time. The feature of protection against brute-force attacks can protect the password of your server from being cracked.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Detection and Response > Alerts.
  2. On the Alerts page, click Settings in the upper-right corner. In the panel that appears, click the brute-force attacks protection tab.
  3. If this is the first time that you configure defense rules against brute-force attacks, you must obtain the required permissions.
    1. On the right of the Anti-brute Force Cracking section, move the pointer over the dimmed Management button. In the message that appears, click Authorize Now.
    2. Click Confirm Authorization Policy.
  4. On the right of the Anti-brute Force Cracking section, click Management.
    If you use the Basic or Anti-virus edition of Security Center, you must upgrade Security Center to the Advanced edition or higher before you can configure a defense rule.
  5. In the brute-force attacks protection panel, configure the parameters.
    Security Center provides default settings in the Defense Rule section. If the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you retain the default settings, you can directly select servers. You can also create a custom defense rule. The following table describes the parameters.
    Defense Rule Name: Enter the name of the defense rule.
    Defense Rule: Specify the content of the rule. The content includes the measurement duration, number of logon failures, and disablement duration. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the specified number during the specified measurement duration, the defense rule blocks the IP address for the disablement duration. For example, if the number of logon failures exceeds 3 within 1 minute from an IP address, the IP address is blocked for 30 minutes.
    Set As Default Policy: Determine whether to specify the defense rule as a default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use the default defense rule.
    Note If you select Set As Default Policy, the defense rule takes effect on all servers that are not protected by defense rules, regardless of whether you select the servers in the Select Server(s) section.
    Select Server(s): Select the servers to which you want to apply the defense rule. You can select servers from the server list or search for servers by using the server names or server IP addresses.
  6. Click OK.
    Important You can apply only one defense rule to a server.
    • If a server selected for the defense rule that you create is not protected by a different defense rule, the created defense rule takes effect on the server.
    • If a server is protected by a different defense rule from the rule that you create but you want to replace the former rule with the latter rule, read and confirm the information in the Confirm Changes message, and click OK.
    • If you replace the defense rule for a server with a new rule, the number of servers protected by the original rule decreases.

    After you configure a defense rule on the brute-force attacks protection tab of the Settings panel, IP blocking can be triggered based on the rule. In this case, Security Center generates an IP blocking policy. For more information about IP blocking policies, see Configure IP address blocking policies.
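The following Python script is an added example, not Security Center code: it models the rule semantics of this section (measurement duration, number of logon failures, disablement duration) as a sliding-window counter per server and IP address, and replays constructed logon records through it so you can check what a rule would block before you apply it. The record format and the class and function names are assumptions of the example.

```python
"""Sliding-window evaluator for a brute-force defense rule.

Added example, not Security Center code: it models the rule semantics the
page describes ("N logon failures from one IP address to one server within
the measurement duration => block that IP for the disablement duration")
and replays constructed logon records through it. The record format and the
class and function names are assumptions made for this example.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class DefenseRule:
    name: str
    measurement: timedelta   # window in which logon failures are counted
    max_failures: int        # failure count that triggers the block
    disablement: timedelta   # how long the IP address stays blocked


# Default rule from the page: 80 failures within 10 minutes -> blocked for 6 hours.
DEFAULT_RULE = DefenseRule("default", timedelta(minutes=10), 80, timedelta(hours=6))
# Custom rule from the page's table: 3 failures within 1 minute -> blocked for 30 minutes.
# Assumption: the threshold is reached at the N-th failure (>=), as in the default-rule text.
CUSTOM_RULE = DefenseRule("strict", timedelta(minutes=1), 3, timedelta(minutes=30))


@dataclass
class BruteForceDetector:
    rule: DefenseRule
    # (server, ip) -> timestamps of failures still inside the measurement window
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    # (server, ip) -> time at which the block expires
    blocked_until: dict = field(default_factory=dict)

    def is_blocked(self, server, ip, now):
        expiry = self.blocked_until.get((server, ip))
        return expiry is not None and now < expiry

    def record_failure(self, server, ip, now):
        """Register one failed logon; return True if it triggers a new block."""
        key = (server, ip)
        if self.is_blocked(server, ip, now):
            return False          # already blocked; no new event
        window = self.failures[key]
        window.append(now)
        # Sliding window: forget failures older than the measurement duration.
        while window and now - window[0] > self.rule.measurement:
            window.popleft()
        if len(window) >= self.rule.max_failures:
            self.blocked_until[key] = now + self.rule.disablement
            window.clear()
            return True
        return False


def replay(lines, rule):
    """Replay logon records; return (server, ip, blocked_at, blocked_until) events.

    Assumed record format: '<ISO timestamp> <server> <ip> <ok|fail>'.
    """
    det = BruteForceDetector(rule)
    events = []
    for line in lines:
        ts, server, ip, outcome = line.split()
        now = datetime.fromisoformat(ts)
        if outcome == "fail" and det.record_failure(server, ip, now):
            events.append((server, ip, now, det.blocked_until[(server, ip)]))
    return events


# Constructed sample records (not real data), in time order.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 web-01 203.0.113.5 fail",
    "2024-01-01T10:00:05 web-01 198.51.100.7 fail",
    "2024-01-01T10:00:20 web-01 203.0.113.5 fail",
    "2024-01-01T10:00:40 web-01 203.0.113.5 fail",   # 3rd failure within 1 minute -> block
    "2024-01-01T10:02:00 web-01 198.51.100.7 fail",  # the 10:00:05 failure has aged out
    "2024-01-01T10:02:30 web-01 198.51.100.7 fail",  # only 2 failures in the window
    "2024-01-01T10:05:00 web-01 203.0.113.5 fail",   # ignored: IP is still blocked
    "2024-01-01T10:06:00 web-01 203.0.113.9 ok",
]

if __name__ == "__main__":
    for server, ip, at, until in replay(SAMPLE_LOG, CUSTOM_RULE):
        print(f"{ip} blocked on {server} from {at} until {until}")
```

Run with the page's default rule, the same records produce no block at all, which shows why the threshold and window must be sized against the logon rate of the server.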

Web tamper proofing

The feature of web tamper proofing monitors web directories in real time and can restore tampered files or directories based on the backup files. This prevents important website information from being tampered with. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable web tamper proofing for specific servers. For more information, see Purchase web tamper proofing.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.
  2. On the Management tab of the Tamper Protection page, click Add Server.
  3. In the Add Servers for Protection panel, select the server for which you want to enable web tamper proofing from the server list and click Next.
  4. In the Add Directory step, configure the parameters and click Enable Protection.
    • Whitelist Mode

      In whitelist mode, Security Center intercepts the modifications to the files of the specified formats in the protected directory or generates an alert for the modifications.

      Protected Directory: The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the changes on the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /The name of the directory/ format. Example: /tmp/.
      Protected File Formats: The formats of the files that you want to protect. You can select formats from the drop-down list. You can also enter formats that are not displayed in the drop-down list.
      Prevention Mode:
      • Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.
      • Alert Mode: Security Center identifies suspicious processes and suspicious modifications to files, and generates alerts for the identified suspicious processes and suspicious modifications to files.
        Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits on versions of operating systems and kernels.
      Local Backup Directory: The default directory in which the backup files of the protected directories are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup directory for a Linux server and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for a Windows server. You can change the default backup directories.

      Example

      If you specify /tmp/ for Protected Directory, xml for Protected File Formats, and Interception Mode for Prevention Mode, Security Center intercepts the modifications to the XML files in the tmp directory.

    • Blacklist Mode

      In blacklist mode, Security Center does not intercept the modifications to the specified subdirectories, files of the specified formats, or specified files in the protected directory or generate alerts for the modifications. Security Center intercepts the modifications to other subdirectories and files in the protected directory and generates an alert for the modifications.

      Protected Directory: The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept the changes on the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify. Enter a value in the /The name of the directory/ format. Example: /tmp/.
      Excluded Sub-Directories: The paths of the subdirectories that do not require protection. Enter a value in the Subdirectory name/ format. Example: dir1/dir0/.
      Excluded File Formats: The formats of the files that do not require protection.
      Excluded Files: The files that do not require protection. Enter a value in the Subdirectory name/File name format. Example: dir2/file3.
      Prevention Mode:
      • Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.
      • Alert Mode: Security Center identifies suspicious processes and suspicious modifications to files, and generates alerts for the identified suspicious processes and suspicious modifications to files.
        Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits on versions of operating systems and kernels.
      Local Backup Directory: The default directory in which the backup files of the protected directories are stored. By default, Security Center assigns /usr/local/aegis/bak as the backup path for servers that run Linux operating systems and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows operating systems. You can modify the default path as needed.

      Important Excluded Sub-Directories, Excluded File Formats, and Excluded Files are evaluated by using a logical OR. A file is excluded from protection if any one of the three settings matches it.

      Example

      If you specify /tmp/ for Protected Directory, dir1/dir0/ for Excluded Sub-Directories, txt for Excluded File Formats, dir2/file3 for Excluded Files, and Interception Mode for Prevention Mode, only the files in the /tmp/dir1/dir0/ subdirectory, the TXT files in the tmp directory, and the /tmp/dir2/file3 file can be modified. Security Center intercepts the modifications to all other subdirectories and files in the tmp directory.

  5. On the Management tab of the Tamper Protection page, find the server that you specify in the Add Servers for Protection panel and click the switch icon in the Protection column to enable web tamper proofing for the server.
    If this is the first time that you enable this feature for a server, the status in the Status column of the server changes to Initializing, and a progress bar appears. Web tamper proofing is enabled in a few seconds. After the feature is enabled, the status changes to Running.
    The following table describes the statuses that are available in the Status column, together with the suggested action for each status.
    Initializing: Web tamper proofing is being initialized. The first time you enable web tamper proofing for a server, the status is Initializing. Suggestion: wait until web tamper proofing is enabled.
    Running: Web tamper proofing is enabled and runs as expected. Suggestion: none.
    Exception: An error occurred during the initialization of web tamper proofing. Suggestion: move the pointer over Exception, view the causes, and then click Retry.
    Not Initiated: The switch in the Protection column is turned off. Suggestion: turn on the switch in the Protection column.
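The following Python script is an added example, not Security Center code: it models how the whitelist-mode and blacklist-mode parameters in step 4 decide whether a file change is intercepted, including the logical OR across Excluded Sub-Directories, Excluded File Formats, and Excluded Files, using the /tmp/ examples from the tables above. It assumes POSIX paths, that protection applies recursively below the protected directory, and that a file format is matched case-insensitively on the extension; the class and function names are assumptions of the example.

```python
"""Decision logic for web tamper proofing whitelist and blacklist modes.

Added example, not Security Center code: it models the parameters described
in the tables above, including the logical OR across Excluded Sub-Directories,
Excluded File Formats and Excluded Files in blacklist mode. Assumptions: paths
are POSIX paths, protection applies recursively below the protected directory,
and format matching is case-insensitive on the file extension.
"""
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class WhitelistRule:
    protected_dir: str                                   # e.g. "/tmp/"
    protected_formats: set = field(default_factory=set)  # e.g. {"xml"}


@dataclass
class BlacklistRule:
    protected_dir: str
    excluded_subdirs: set = field(default_factory=set)   # e.g. {"dir1/dir0/"}
    excluded_formats: set = field(default_factory=set)   # e.g. {"txt"}
    excluded_files: set = field(default_factory=set)     # e.g. {"dir2/file3"}


def _relative(protected_dir, path):
    """Path relative to the protected directory, or None if the file is outside it."""
    try:
        return PurePosixPath(path).relative_to(PurePosixPath(protected_dir))
    except ValueError:
        return None


def _format_of(rel):
    """File format = extension without the dot, lower-cased ('' if none)."""
    return rel.suffix.lstrip(".").lower()


def whitelist_intercepts(rule, path):
    """Whitelist mode: only files of the protected formats inside the directory are covered."""
    rel = _relative(rule.protected_dir, path)
    if rel is None:
        return False
    return _format_of(rel) in {f.lower() for f in rule.protected_formats}


def blacklist_intercepts(rule, path):
    """Blacklist mode: everything in the directory is covered unless ANY exclusion matches."""
    rel = _relative(rule.protected_dir, path)
    if rel is None:
        return False
    rel_str = rel.as_posix()
    in_excluded_subdir = any(
        rel_str.startswith(sub.strip("/") + "/") for sub in rule.excluded_subdirs
    )
    excluded_format = _format_of(rel) in {f.lower() for f in rule.excluded_formats}
    excluded_file = rel_str in rule.excluded_files
    # Logical OR, as the page states: one matching exclusion is enough to skip the file.
    return not (in_excluded_subdir or excluded_format or excluded_file)


def decide(rule, prevention_mode, path):
    """Map a file change to the action for the configured Prevention Mode."""
    check = whitelist_intercepts if isinstance(rule, WhitelistRule) else blacklist_intercepts
    if not check(rule, path):
        return "allow"
    return "intercept" if prevention_mode == "Interception Mode" else "alert"


# The page's two examples, reproduced as rule objects.
WHITELIST_EXAMPLE = WhitelistRule("/tmp/", {"xml"})
BLACKLIST_EXAMPLE = BlacklistRule("/tmp/", {"dir1/dir0/"}, {"txt"}, {"dir2/file3"})

if __name__ == "__main__":
    # Constructed change events, not real data.
    for p in ["/tmp/site.xml", "/tmp/notes.txt", "/tmp/dir1/dir0/a.php",
              "/tmp/dir2/file3", "/tmp/dir2/file4", "/etc/hosts"]:
        print(p, decide(WHITELIST_EXAMPLE, "Interception Mode", p),
              decide(BLACKLIST_EXAMPLE, "Alert Mode", p))
```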

Anti-ransomware

Security Center provides protection, alerting, and data backup capabilities that prevent ransomware from compromising your core servers. Before you can use the anti-ransomware feature, you must purchase a specific quota. This quota allows you to enable the anti-ransomware feature for specific servers. For more information, see Enable anti-ransomware.

Configure anti-ransomware policies for servers

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
  2. On the Server extortion virus protection tab of the Anti-blackmail page, click Create Policies.
  3. In the Create Policies panel, configure the following parameters and click OK.
    Policy Name: The name of the anti-ransomware policy.
    Server Type: The type of the server to which you want to apply the anti-ransomware policy.
    Select Assets: The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations:
    • In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section.
    • In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported.
    Note
    • If you want to apply the anti-ransomware policy to ECS instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to the servers that are not deployed on Alibaba Cloud, you must select the servers that reside in the same region.
    • To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy.
    Protection Policies: The anti-ransomware policy that you want to configure. Valid values:
    • Recommendation Policy
      If you select Recommendation Policy, the default values of the following parameters are used:
      • Protected Directories: All directories
      • Directory to Exclude: Excluded
      • Exclude specified directories: directories that are excluded from the policy
      • Protected File Types: All File Types
      • Start Time: a point in time within the range of 00:00 to 03:00
      • Backup policy execution interval: One Day
      • Backup data retention period: 7 Days
      • The bandwidth limit of the backup network: 0 MByte/s
        Note The value 0 indicates that no limits are imposed on the bandwidth.
      • VSS (Windows): Yes
        Note The VSS feature is available only if you create the anti-ransomware policy for Windows servers. After you enable the feature, the number of backup failures due to running processes is significantly reduced. We recommend that you enable the VSS feature. After you enable the feature, the data of disks that are in the exFAT and FAT32 formats cannot be backed up.
    • Custom policy

      If you select Custom policy, you must configure parameters based on your business requirements. The parameters include Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network.

    Protected Directories: The directories that you want to back up. Valid values:
    • Specified directory: Security Center backs up only the specified directories of the specified servers. Enter the addresses of the specified directories for Protect directory address. You can enter up to 20 addresses.
    • All directories: Security Center backs up all directories of the specified servers. You must set Directory to Exclude to Not Excluded.
      Note If you set Protected Directories to All directories, we recommend that you set Directory to Exclude to Not Excluded. This prevents system conflicts.
    Directory to Exclude: Specifies whether to exclude system directories. If you set this parameter to Excluded, the system directories that are automatically specified for Exclude specified directories are excluded. You can also add or remove system directories based on your business requirements.
    Note The system directories that are automatically excluded from the anti-ransomware policy for Windows and Linux servers are being updated. You can view the system directories that are automatically excluded to the right of the Exclude specified directories parameter.
    Protected File Types: The types of the files that you want to protect. Valid values:
    • All File Types: Security Center protects all files.
    • Specify file type: Security Center protects only files of the selected file types. Valid values:
      • Document
      • Picture
      • Compressed
      • Database
      • Audio and video
      • Script code
      Important
      • If you set Protected File Types to Specify file type, you must select a file type from the drop-down list that appears.
      • You can select multiple file types. Security Center protects only the files of the selected file types.
    Start Time: The time at which you want to start a data backup task.
    Important If this is the first time that you back up all data in protected directories based on an anti-ransomware policy, a large number of CPU and memory resources are consumed. To avoid negative impacts on your services, we recommend that you back up data during off-peak hours.
    Backup policy execution interval: The time interval between two data backup tasks. Default value: One Day. Valid values:
    • Half a day
    • One Day
    • 3 days
    • Seven Days
    Backup data retention period: The retention period of backup data. Default value: 7 Days.
    Important The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements.
    Valid values:
    • Permanent
    • Custom
      Note You can specify a retention period. Valid values: 1 to 65535. Unit: days.
    The bandwidth limit of the backup network: The maximum bandwidth that can be consumed by a data backup task. Valid values: 1 to unlimited. Unit: MB/s.
    Important If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. We recommend that you specify an appropriate bandwidth threshold based on the bandwidth of your server. This prevents the backup tasks from using an excessive amount of bandwidth and ensures service stability.
    VSS (Windows): Specifies whether to enable the VSS feature. The feature can maintain the change history of files and audit trace logs. The feature is also used for disaster recovery for files that contain source code. The VSS feature is available only for Windows servers. After you enable the feature, the number of backup failures due to running processes is significantly reduced. Valid values:
    • Yes: enables the feature.
    • No: disables the feature.
    After the anti-ransomware policy is created, the policy is enabled by default, and Security Center installs the anti-ransomware agent on your server. Then, Security Center backs up data in the protected directories of your server based on the backup settings that you configure in the anti-ransomware policy.

Configure anti-ransomware policies for databases

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.
  2. On the Anti-blackmail page, click the Database extortion virus protection tab and click Create Policies.
  3. In the Database protection strategy panel, create an anti-ransomware policy for a database.
    1. In the Change database step, configure the following parameters and click Next.
      Policy Name: The name of the anti-ransomware policy.
      Type: The method that you want to use to select the database. Valid values:
      • Automatic identification database

        The system automatically identifies the databases that are deployed on your server. We recommend that you select this option.

      • Manually enter the database

        If the database that you want to protect is not displayed in the list of databases after you select Automatic identification database, you can select this option and manually specify the database.

      Database: The database that you want to protect or the server in which the database resides.
      Database type: The type of the database that you want to protect. This parameter is required only if you set the Type parameter to Manually enter the database. Valid values:
      • MYSQL
      • ORACLE
      • MSSQL
      Account: The username of the account that you can use to log on to the required database. The account must have the permissions to back up data in the database. If you set the Database type parameter to ORACLE, you do not need to enter the username or the password of the database.
      Important You must enter the username and password of the database instead of the server.
      Password: The password of the account that you can use to log on to the database.
    2. In the Protection Policies step, configure the following parameters and click Finished.
      Protection Policies: The anti-ransomware policy that you want to use. You can click Use recommendation strategy to use the recommended anti-ransomware policy that is provided by Security Center. If the recommended anti-ransomware policy cannot meet your business requirements, you can modify the policy.
      Full backup strategy: The interval at which full backup is performed, the days of a week on which full backup is performed, and the point in time at which the full backup starts. Full backup indicates that you back up all data that exists at a specific point in time. Full backup is time-consuming and requires a large amount of anti-ransomware capacity.
      Incremental backup strategy: The interval at which incremental backup is performed and the point in time at which the incremental backup starts. Incremental backup indicates that you back up only the data that is newly generated or modified after the last full or incremental backup. Therefore, incremental backup is time-saving and requires less anti-ransomware capacity.
      Backup data retention time: The retention period of the backup.
      Backup network bandwidth limit: The maximum network bandwidth that is allowed during data backup. If you set this parameter to 0, network bandwidth is unlimited.
      After the anti-ransomware policy for your database is created, Security Center automatically installs the anti-ransomware agent on your server, and the policy enters the Initializing state. After the anti-ransomware agent is installed on your server, Security Center backs up data in your database based on the backup policy that is configured in the anti-ransomware policy.

Virus defense

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Defense.
  2. On the Virus Defense page, perform a virus scan task.
    • Perform an immediate scan task
      1. On the Virus Defense page, click Scan or Scan Again.
      2. In the Select the assets to scan dialog box, select the assets that you want to scan and click Scan.
        Note The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.
    • Configure a periodic scan task
      1. In the upper-right corner of the Virus Defense page, click Scan Settings.
      2. In the Defense Configuration panel, configure the Scan Cycle, Scanning mode, and Scan Assets parameters, and click Determine.

        Security Center automatically scans the assets that you specify based on the specified scan cycle and scan mode.