Security Center provides various features to protect your cloud assets and on-premises servers. These features include alert notifications, antivirus, webshell detection, client protection, and container image scan. This topic describes how to configure these features.

Background information

The following sections are arranged in the order in which users typically read them.

Alert notifications

If Security Center detects exceptions in your assets, it sends alerts based on the severity levels, notification periods, and notification methods that you specify. This allows you to monitor the security of your assets in real time. The notification methods include text messages, emails, internal messages, and DingTalk chatbots. For more information, see Use the notification feature.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings. On the page that appears, click the Notifications tab. Then, select the notification periods, notification methods, and severity levels for the notification items on which Security Center sends alerts.

    Notification items refer to the threat events and security risks that Security Center detects in your assets. By default, Security Center provides the following notification items: Vulnerabilities, Baseline Risks, Alerts, AccessKey leakage info, Config Assessment, Emergency Vul Intelligence, and Anti-Tampering of web pages.

Proactive defense, webshell detection, and client protection

If you want to enable the proactive defense, webshell detection, or client protection feature, go to the Settings page and select the servers for which you want to enable the features.
Note If you do not turn on the switches in the Proactive Defense section, Security Center only detects related threats but does not automatically process detected common viruses or malicious network behavior.
  1. Log on to the Security Center console.
  2. In the left-side navigation pane, click Settings. On the page that appears, turn on or turn off the switches in the Proactive Defense section.
    Click Manage for Anti-Virus, Anti-ransomware (Bait Capture), Webshell Protection, and Behavior prevention to select the servers for which you want to turn on the switches.
    After you enable the proactive defense feature, Security Center automatically quarantines the common viruses or abnormal connections that it detects. If you want to view the quarantined viruses and connections, you can go to the Alerts page and filter security events by using the Precise Defense type.
  3. Enable the webshell detection feature.
    In the Webshell Detection section, click Manage to select the servers for which you want to enable the webshell detection feature.
  4. Enable the client protection feature.
    In the Client Protection section, turn on Defense Mode and click Manage to select the servers for which you want to enable the client protection feature.
Note For more information, see Overview.

Container image scan

The container image scan feature is in public preview. Only the Enterprise and Ultimate editions of Security Center support this feature. If you do not use these editions, you must upgrade Security Center to the Enterprise or Ultimate edition before you can use this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Image Security.
  3. Optional: Click Authorize Immediately.
    If this is the first time that you use the container image scan feature, you must obtain the required permissions.
  4. On the Image Security page, click Scan Now.
    Security Center takes about one minute to perform the scan. After the scan is complete, you can refresh the page to view the scan results.
  5. Open the Image System Vul, Image Application Vul, or Mirror Malicious Sample tab to view the detected vulnerabilities or malicious samples.
    You can perform the following operations:
    • Search for specific vulnerabilities or malicious samples

      Select a vulnerability severity (high, medium, or low) or a malicious sample severity (urgent, warning, or notice). Alternatively, enter an instance ID, repository name, namespace, or digest to search for a specific vulnerability or malicious sample.

    • View the details of a vulnerability or a malicious sample

      Click the name of a vulnerability or a malicious sample to view its details. On the vulnerability details page, you can view the vulnerability ID, impact score, and vulnerability announcement. On the malicious sample details page, you can view the priority, MD5 value, last scan time, and first scan time. On these details pages, you can also view a list of affected images.

    • View the details of affected images

      Click the name of a vulnerability or a malicious sample. On the vulnerability or malicious sample details page, find the image whose details you want to view and click Details in the Operation column. Then, you can view the details of the detected vulnerability or malicious sample.

Configuration assessment

The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual and automated checks.
  • Manual checks: On the Cloud Platform Configuration Assessment page, click Check Now to detect security risks in the configurations of your cloud services.
  • Automatic checks: By default, Security Center automatically runs configuration checks during 00:00:00 - 06:00:00 every two days. You can also customize a detection cycle to periodically check for security risks in the configurations of your cloud services. This helps you detect and handle configuration risks at the earliest opportunity.

Manual check

  1. Log on to the Security Center console.
  2. On the Cloud Platform Configuration Assessment page, click Check Now to detect security risks in the configurations of your cloud services. After you run a check, the number of affected assets appears on this page.
    Note Do not perform other operations until the check is complete.
    After the check is complete, the results are listed in descending order based on the severity of risks detected.

Automated check

  1. Log on to the Security Center console.
  2. In the upper-right corner of the Cloud Platform Configuration Assessment page, click Settings.
  3. In the Settings dialog box, specify Detection Cycle and Detection Time.
    Parameters
    • Detection Cycle: Monday to Sunday. You can select multiple values.
    • Detection Time: 24:00 - 06:00, 06:00 - 12:00, 12:00 - 18:00, and 18:00 - 24:00. You can select one value.
  4. Click OK.
    During the selected period, Security Center automatically runs checks on all check items.

We recommend that you handle the detected security risks in a timely manner. For more information, see View the check results of configuration assessment for your cloud services and handle the detected risks.

Security group check

The security group check feature detects high-risk rules in Elastic Compute Service (ECS) security groups and provides suggestions on how to fix them. This helps protect your network.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Application market > Security group check.
  3. Optional: On the Security Check page, click Obtain Latest Check Results.
    The check requires 1 to 5 minutes.
    Note The latest check results are obtained based on the static analysis of security group rules and may not cover all port risks. You can view complete check results about port exposure on the Internet Access page. For more information, see Internet access.
  4. Find the required check item and click View Details in the Actions column. The Details page provides suggestions on how to fix the issue.
  5. Manage weak security group rules.
    1. Find the rule that you want to manage and click View Details in the Actions column.
      Alternatively, click the number in the Risky Security Groups/Servers column to go to the Details page.
    2. On the Details page, find the security group for which you want to fix an issue and click Fix Issue in the Actions column.
      Improper security group configurations may lead to security incidents. The Details page provides a Suggestion to manage the security group risk. You can manage the risk based on the Suggestion.
      If you are using Cloud Firewall Premium, Enterprise, or Ultimate edition, you are redirected to the Security Groups page. You must manage security group risks based on the Suggestion. For more information, see Modify security group rules. If you are using the Cloud Firewall Basic edition, you must perform substep 3.
    3. Optional: In the Cloud Firewall Premium Edition dialog box, click Upgrade Now or Fix Issue.
      You can use one of the following methods to manage security group risks:
      • Upgrade Now: You can purchase the Cloud Firewall Premium edition and use the security group check function. This function is provided by Cloud Firewall to manage security group risks. We recommend that you select this method. You can use Cloud Firewall to centrally manage security groups and access control policies of public IP addresses. This reduces asset exposure and improves the efficiency of security management.
      • Fix Issue: You can go to the Security Groups page to manually manage the risk. For more information, see Modify security group rules.
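The static analysis that the check performs on security group rules can be reproduced locally for review. The following Python is an added example, not Security Center's or Cloud Firewall's code: it flags ingress accept rules that expose every port, or a known administrative or database port, to any source address and attaches a fix suggestion to each finding. The field names (Direction, Policy, IpProtocol, PortRange, SourceCidrIp) are assumed to match the shape of the ECS DescribeSecurityGroupAttribute response, and the rules in SAMPLE_RULES are constructed.

```python
"""Static check of ECS security group rules for high-risk Internet exposure.

Added example, not Security Center's own check. The rule fields
(Direction, Policy, IpProtocol, PortRange, SourceCidrIp) follow the shape
of the ECS DescribeSecurityGroupAttribute response as I understand it and
are an assumption; the sample rules below are constructed.
"""
import ipaddress

# Constructed table of services that should not be reachable from any source.
SENSITIVE_PORTS = {
    22: "SSH", 3389: "RDP", 3306: "MySQL", 1433: "SQL Server",
    5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB", 9200: "Elasticsearch",
}


def parse_port_range(port_range):
    """'22/22' -> (22, 22); '-1/-1' means every port."""
    low, high = (int(p) for p in port_range.split("/"))
    if low == -1 or high == -1:
        return 1, 65535
    return low, high


def is_open_source(cidr):
    """True when the source CIDR admits the whole Internet (0.0.0.0/0 or ::/0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # security-group or prefix-list references are not CIDRs


def check_security_group(rules):
    """Return one finding per high-risk rule: an ingress accept rule that
    exposes every port, or a sensitive service port, to any source."""
    findings = []
    for rule in rules:
        if rule.get("Direction", "ingress") != "ingress":
            continue
        if rule.get("Policy", "accept").lower() != "accept":
            continue  # explicit drop rules do not expose anything
        if not is_open_source(rule.get("SourceCidrIp", "")):
            continue
        proto = rule.get("IpProtocol", "").upper()
        if proto not in ("TCP", "UDP", "ALL"):
            continue  # ICMP/GRE are out of scope for port exposure
        low, high = parse_port_range(rule.get("PortRange", "-1/-1"))
        if (low, high) == (1, 65535):
            findings.append({"rule": rule, "exposed": "all ports",
                             "suggestion": "Restrict SourceCidrIp to known addresses or delete the rule."})
            continue
        exposed = [f"{svc} ({port}/{proto})" for port, svc in SENSITIVE_PORTS.items()
                   if low <= port <= high]
        if exposed:
            findings.append({"rule": rule, "exposed": ", ".join(exposed),
                             "suggestion": "Allow these ports only from a bastion host or VPN address range."})
    return findings


# Constructed sample: rules as they might appear in one security group.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP", "PortRange": "3306/3306", "SourceCidrIp": "10.0.0.0/8"},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "SourceCidrIp": "::/0"},
    {"Direction": "ingress", "Policy": "Drop", "IpProtocol": "TCP", "PortRange": "3389/3389", "SourceCidrIp": "0.0.0.0/0"},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL", "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0"},
]

if __name__ == "__main__":
    for f in check_security_group(SAMPLE_RULES):
        print(f"{f['rule']['PortRange']:>10} from {f['rule']['SourceCidrIp']:<10} exposes {f['exposed']}: {f['suggestion']}")
```

Only two of the six sample rules are reported: SSH open to 0.0.0.0/0 and the all-ports rule open to ::/0. HTTPS to the world, MySQL from a private range, the explicit drop rule and the egress rule are not exposures. As the Note above says, this kind of static check cannot see what is actually listening on the instance, so confirm the results against the Internet Access page.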

Defense rules against brute-force attacks

Security Center allows you to configure defense rules to protect your assets against brute-force attacks.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Detection > Alerts.
  3. In the Settings panel, click the Anti-brute Force Cracking tab.
  4. Optional: Complete authorization.
    1. In the Anti-brute Force Cracking section, move the pointer over Management and click Authorize.
    2. Click Confirm Authorization Policy.
    Note If this is your first time to configure a defense rule against brute-force attacks, you must obtain the required permissions. If you have obtained permissions, skip this step.
  5. Click Management to the right of Anti-brute Force Cracking.
  6. In the Add panel, configure a defense rule.
  7. Click OK.
  8. In the IP Policy Library panel, view the IP blocking rules that Security Center automatically generates.
    After you configure a defense rule on the Anti-brute Force Cracking tab of the Settings panel, the rule triggers IP blocking, and Security Center generates an IP blocking rule. To view the IP blocking rules, perform the following steps:
    1. On the Alerts page, click the number below IP blocking / All.
      If you click the number under IP blocking, you are redirected to the page that contains enabled system policies. If you click the number under All, you are redirected to the page that contains both enabled and disabled system rules.
    2. On the System Rules tab of the IP Policy Library panel, view the IP blocking rules that Security Center automatically generates.
      For more information about IP blocking rules, see Configure blocking policies based on IP addresses.
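As an added example (not Security Center's rule engine), the following Python models a defense rule of the kind configured above: a source IP that produces a set number of failed logins within a time window is blocked for a fixed duration, and each block is recorded the way an automatically generated IP blocking rule would be. The thresholds (5 failures in 10 minutes, block for 1 hour), the sshd log lines in SAMPLE_LOG and the year supplied for the syslog timestamps are constructed assumptions.

```python
"""Threshold-based defense rule against SSH password brute force.

Added example, not Security Center's rule engine. The rule parameters
(failures, window, block duration) are assumptions chosen for illustration,
and the sshd log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the sshd "Failed password" line; syslog timestamps carry no year.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port \d+"
)


class BruteForceRule:
    """Block a source IP once it produces max_failures failed logins inside the window."""

    def __init__(self, max_failures=5, window_seconds=600, block_seconds=3600, year=2024):
        self.max_failures = max_failures
        self.window = timedelta(seconds=window_seconds)
        self.block_for = timedelta(seconds=block_seconds)
        self.year = year                     # assumed year for the year-less syslog timestamps
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.blocks = {}                     # ip -> block record (the generated IP blocking rule)

    def _parse(self, line):
        m = FAILED_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["ip"]

    def is_blocked(self, ip, now):
        block = self.blocks.get(ip)
        return block is not None and block["expires_at"] > now

    def feed(self, line):
        """Process one log line; return a new block record when the rule fires, else None."""
        parsed = self._parse(line)
        if parsed is None:
            return None  # successful logins and unrelated lines do not count
        ts, ip = parsed
        if self.is_blocked(ip, ts):
            return None  # already blocked: do not generate a duplicate rule
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()  # slide the window forward
        if len(recent) >= self.max_failures:
            block = {"ip": ip, "blocked_at": ts, "expires_at": ts + self.block_for,
                     "reason": f"{len(recent)} failed SSH logins within {self.window}"}
            self.blocks[ip] = block
            recent.clear()
            return block
        return None


def apply_rule(lines, rule):
    """Feed every line through the rule and return the IP blocking rules it generated, in order."""
    return [b for b in (rule.feed(line) for line in lines) if b]


# Constructed sshd log: five failures from one address inside a minute, two others that should not trigger.
SAMPLE_LOG = [
    "Mar 15 10:00:01 web01 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Mar 15 10:00:05 web01 sshd[1202]: Failed password for root from 203.0.113.5 port 51023 ssh2",
    "Mar 15 10:00:09 web01 sshd[1203]: Failed password for root from 203.0.113.5 port 51024 ssh2",
    "Mar 15 10:00:14 web01 sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51025 ssh2",
    "Mar 15 10:00:20 web01 sshd[1205]: Failed password for alice from 198.51.100.7 port 40010 ssh2",
    "Mar 15 10:00:25 web01 sshd[1206]: Failed password for root from 203.0.113.5 port 51026 ssh2",
    "Mar 15 10:00:31 web01 sshd[1207]: Failed password for root from 203.0.113.5 port 51027 ssh2",
    "Mar 15 10:00:40 web01 sshd[1208]: Accepted password for alice from 198.51.100.7 port 40011 ssh2",
]

if __name__ == "__main__":
    for block in apply_rule(SAMPLE_LOG, BruteForceRule()):
        print(f"block {block['ip']} until {block['expires_at']}: {block['reason']}")
```

The fifth failure from 203.0.113.5 at 10:00:25 fires the rule; the sixth at 10:00:31 is absorbed by the existing block, and the single typo from 198.51.100.7 followed by a successful login never reaches the threshold. Expiry is what the "IP blocking / All" split on the Alerts page reflects: an expired block is a disabled rule, not a deleted one.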

Web tamper proofing

The web tamper proofing feature allows you to monitor web directories in real time. This feature also allows you to restore files or directories that have been tampered with based on the backup files. This protects important website information from being tampered with. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable web tamper proofing for specific servers. For more information, see Enable web tamper proofing.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Tamper Protection.
  3. On the Tamper Protection page, click the Management tab.
  4. On the Management tab, click Add Server to enable the web tamper proofing feature for a server.
  5. In the Add Servers step of the Add Servers for Protection wizard, select a server that you want to protect.
    Note If no licenses are available, you cannot enable the web tamper proofing feature for a new server. If a server no longer requires this feature, you can turn off Protection to release the license. You can use the released license to enable this feature for a new server.
  6. Click Next to go to the Add Directory step.
  7. In the Add Directory step, configure the parameters.
    Select a protection mode. You can select Whitelist Mode or Blacklist Mode. In whitelist mode, protection applies only to the specified directory and the specified file formats. In blacklist mode, protection applies to all subdirectories, file formats, and files under the protected directory except those that you exclude. By default, whitelist mode is used.
    • Whitelist mode
      Parameters:
      • Protected Directory: Enter the path of the directory that you want to protect.
        Note Servers that run Linux and Windows operating systems use different path formats. Enter the directory path in the format that your operating system uses.
      • Protected File Formats: Select the file formats that you want to protect from the drop-down list, such as js, html, xml, and jpg.
      • Local Backup Directory: The path where the backup files of the protected directory are stored. By default, Security Center uses /usr/local/aegis/bak as the backup path for servers that run Linux operating systems and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows operating systems. You can modify the default path as needed.
    • Blacklist mode
      Parameters:
      • Protected Directory: Enter the path of the directory that you want to protect.
      • Excluded Sub-Directories: Enter the path of a subdirectory that you do not need to protect. You can click Add Sub-Directory to add multiple subdirectories. The files under the excluded subdirectories are not protected by Security Center.
      • Excluded File Formats: Select the formats of files that you do not need to protect. Valid values: log, txt, and ldb. The files of the specified formats are not protected by Security Center.
      • Excluded Files: Enter the path of a file that you do not need to protect. You can click Add File to add multiple paths. The files in the specified paths are not protected by Security Center.
      • Local Backup Directory: The path where the backup files of the protected directory are stored. By default, Security Center uses /usr/local/aegis/bak as the backup path for servers that run Linux operating systems and C:\Program Files (x86)\Alibaba\Aegis\bak for servers that run Windows operating systems. You can modify the default path as needed.

  8. Click Enable Protection.
    After you enable this feature for a server, the server is displayed in the server list on the Management tab of the Tamper Protection page.
    Note By default, Protection is turned off for the new server. To use the web tamper proofing feature, you must turn on Protection of the server on the Management tab of the Tamper Protection page.
  9. In the server list, turn on Protection to enable this feature for the new server.
    If this is the first time you enable this feature for a server, the status of the server is Initializing, and a progress bar appears. It requires a few seconds to enable this feature. After this feature is enabled, the status changes to Running.
    If the status of a server is Exception, move the pointer over Exception in the Status column. A message that indicates the causes appears. Click Retry in the message.
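The following Python is an added example, not the Security Center agent's code. It models the whitelist and blacklist decisions described in step 7 (is_protected), copies protected files into a local backup directory and records their hashes (snapshot), and restores any protected file that has been modified or deleted while reporting protected files that appeared after the baseline (verify_and_restore). demo() builds a constructed site in a temporary directory and shows a defaced page and a deleted script being restored while an unprotected log file is left alone; the TamperPolicy fields and helper names are this example's own.

```python
"""Policy matching, baseline and restore logic for web directory tamper protection.

Added example, not Security Center's agent code. The policy fields mirror the
Whitelist Mode and Blacklist Mode parameters of the Add Directory step; the
site built by demo() is constructed in a temporary directory.
"""
import hashlib
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path


@dataclass
class TamperPolicy:
    mode: str                                              # "whitelist" or "blacklist"
    protected_dir: Path
    file_formats: set = field(default_factory=set)         # whitelist: formats to protect
    excluded_subdirs: list = field(default_factory=list)   # blacklist: subdirectories left unprotected
    excluded_formats: set = field(default_factory=set)     # blacklist: formats left unprotected
    excluded_files: list = field(default_factory=list)     # blacklist: individual files left unprotected

    def __post_init__(self):
        self.protected_dir = Path(self.protected_dir)


def _under(path, base):
    """True when path lies inside base; both are resolved so Linux and Windows paths work alike."""
    try:
        Path(path).resolve().relative_to(Path(base).resolve())
        return True
    except ValueError:
        return False


def is_protected(policy, path):
    """Decide whether a file falls under the policy, following the two modes."""
    path = Path(path)
    if not _under(path, policy.protected_dir):
        return False
    fmt = path.suffix.lstrip(".").lower()
    if policy.mode == "whitelist":
        return fmt in policy.file_formats
    if any(_under(path, d) for d in policy.excluded_subdirs):
        return False
    if fmt in policy.excluded_formats:
        return False
    return not any(path.resolve() == Path(f).resolve() for f in policy.excluded_files)


def _digest(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def snapshot(policy, backup_dir):
    """Copy every protected file into the backup directory; return the baseline {relative path: sha256}."""
    manifest = {}
    for p in policy.protected_dir.rglob("*"):
        if p.is_file() and is_protected(policy, p):
            rel = p.relative_to(policy.protected_dir)
            dst = Path(backup_dir) / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, dst)
            manifest[str(rel)] = _digest(p)
    return manifest


def verify_and_restore(policy, backup_dir, manifest):
    """Restore protected files that were modified or deleted since the baseline, and
    report protected files that are present now but were absent from the baseline."""
    restored = []
    for rel, expected in manifest.items():
        live = policy.protected_dir / rel
        if not live.exists() or _digest(live) != expected:
            live.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(Path(backup_dir) / rel, live)
            restored.append(rel)
    unexpected = [str(p.relative_to(policy.protected_dir))
                  for p in policy.protected_dir.rglob("*")
                  if p.is_file() and is_protected(policy, p)
                  and str(p.relative_to(policy.protected_dir)) not in manifest]
    return restored, unexpected


def demo():
    """Build a small constructed site, take a baseline, tamper with it, and let the policy repair it."""
    root = Path(tempfile.mkdtemp())
    site, bak = root / "site", root / "bak"
    (site / "static").mkdir(parents=True)
    (site / "index.html").write_text("<h1>welcome</h1>")
    (site / "static" / "app.js").write_text("console.log('ok')")
    (site / "access.log").write_text("GET / 200\n")
    policy = TamperPolicy("whitelist", site, file_formats={"html", "js"})
    manifest = snapshot(policy, bak)
    (site / "index.html").write_text("<h1>defaced</h1>")          # protected file modified
    (site / "static" / "app.js").unlink()                          # protected file deleted
    (site / "access.log").write_text("GET / 200\nGET /x 404\n")    # log churn: not protected, left alone
    (site / "static" / "extra.js").write_text("console.log('new')")  # protected format added after baseline
    restored, unexpected = verify_and_restore(policy, bak, manifest)
    return {"restored": sorted(restored), "unexpected": unexpected,
            "index": (site / "index.html").read_text(),
            "app": (site / "static" / "app.js").read_text(),
            "log": (site / "access.log").read_text()}


if __name__ == "__main__":
    print(demo())
```

The whitelist check is deliberately narrow: a new .js file is reported rather than silently accepted, because in whitelist mode the protected formats are the only thing that matters and an unexpected addition is as much a tamper signal as a changed hash. The Note in step 7 about Linux and Windows path formats is handled here by resolving every path before comparison rather than by string prefix matching.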

Anti-ransomware

Security Center provides protection, alerting, and data backup capabilities that prevent ransomware from compromising your servers. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable anti-ransomware for specific servers. For more information, see Enable anti-ransomware.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Defense > Anti-ransomware.
  3. On the General Anti-ransomware Solutions page, click Authorize Now.
  4. In the Create Policies panel, configure the parameters.
    The following list describes the parameters.
    • Policy Name: The name of the anti-ransomware policy.
    • Whether it is an Alibaba cloud server: Specifies whether the server to which you want to apply the anti-ransomware policy is an ECS instance.
    • Select Assets: The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations:
      • In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section.
      • In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported.
      Note
      • If you want to apply the anti-ransomware policy to ECS instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to servers that are not deployed on Alibaba Cloud, you must select servers that reside in the same region.
      • To make sure that the anti-ransomware capacity is used effectively, you can add a server to only one policy. You can add a maximum of 100 servers to each anti-ransomware policy.
    • Protection Policies: The anti-ransomware policy that you want to configure. Valid values:
      • Recommendation Policy: If you select Recommendation Policy, the default values of the following parameters are used:
        • Protected Directories: all directories
        • Whether to exclude system directories: yes
        • Exclude specified directories: directories that are excluded from the policy
        • Protected File Types: all file types
        • Start Time: a point in time within the range of 00:00 to 03:00
        • Backup policy execution interval: one day
        • Backup data retention period: seven days
        • The bandwidth limit of the backup network: 0 Mbit/s
          Note The value 0 indicates that no limits are imposed on the bandwidth.
        • VSS (Windows): yes
          Note The VSS feature is available only if you create the anti-ransomware policy for Windows servers. After you enable the feature, the number of backup failures caused by running processes is significantly reduced. We recommend that you enable the VSS feature. After you enable the feature, the data of disks in the exFAT and FAT32 formats cannot be backed up.
      • Custom policy: If you select Custom policy, you must configure the parameters based on your business requirements. The parameters include Protected Directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network.
    • Protected Directories: The directories that you want to back up. Valid values:
      • Specified directory: Security Center backs up only the specified directories of the specified servers. Enter the paths of the directories for Protect directory address.
      • All directories: Security Center backs up all directories of the specified servers.
        Note If you set Protected Directories to All directories, we recommend that you set Whether to exclude system directories to Not Excluded. This prevents system conflicts.
    • Whether to exclude system directories: Specifies whether to exclude system directories. If you set this parameter to Excluded, the system directories that are automatically specified for Exclude specified directories are excluded. You can also add or remove system directories based on your business requirements.
      Note The system directories that are automatically excluded from the anti-ransomware policy for Windows and Linux servers are being updated. You can view the system directories that are automatically excluded to the right of the Exclude specified directories parameter.
    • Protected File Types: The types of files that you want to protect. Valid values:
      • Specify file type: Security Center protects only files of the selected file types. If you set Protected File Types to Specify file type, you must select file types from the drop-down list that appears. The drop-down list contains the following values: Document, Picture, Compressed, Database, Audio and video, and Script code. You can select multiple file types.
      • All File Types: Security Center protects all files.
    • Start Time: The time at which you want to start a data backup task.
      Notice The first time that all data in the protected directories is backed up based on an anti-ransomware policy, a large amount of CPU and memory resources is consumed. To avoid impacts on your services, we recommend that you back up data during off-peak hours.
    • Backup policy execution interval: The time interval between two data backup tasks. Default value: One Day. Valid values: Half a day, One Day, 3 days, and Seven Days.
    • Backup data retention period: The retention period of backup data. Default value: 7 Days. Valid values: 7 Days, 30 Days, Half a year, One year, and Permanent.
      Notice The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements.
    • The bandwidth limit of the backup network: The maximum bandwidth that a data backup task can consume. Valid values: 0 to unlimited. Unit: MB/s. The value 0 indicates that no limits are imposed on the bandwidth.
      Notice If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. We recommend that you specify an appropriate bandwidth threshold based on the bandwidth of your server. This prevents backup tasks from using an excessive amount of bandwidth and ensures service stability.
  5. Click OK.
    After the anti-ransomware policy is created, the policy is enabled by default, and Security Center installs the anti-ransomware agent on your server. Then, Security Center backs up data in the protected directories of your server based on the backup settings that you configure in the anti-ransomware policy.
  6. Enable a protection policy in the policy list.

    After you create a protection policy, you must enable it in the policy list. Then, Security Center backs up server files based on the file directories that you specify in the policy.