Web tamper proofing monitors website directories in real time and restores tampered files or directories from backups. It also protects important website information from being tampered with and prevents trojans, hidden links, and uploads of violent and illicit content. This topic describes how to use web tamper proofing.

Background information

To make illegal profits or launch business attacks, attackers exploit vulnerabilities in websites to insert illegal hidden links and tamper with the websites. Tampered web pages affect normal user access and may cause serious economic loss, damaged brand reputation, and political risks.

The Security Center agent automatically collects information about the processes that modify files in the protected directories of protected servers. The agent identifies suspicious processes and file changes in real time and generates alerts for or intercepts the suspicious processes that cause file changes.
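The following Python script is an added example and is not part of Security Center or its agent. It shows, in the simplest form, the monitor-and-restore behaviour described above: take a baseline copy and SHA-256 hash of every file in a protected directory, detect modified, deleted, and added files, and restore the directory from the backup. Hashing with SHA-256, the directory names, and the file contents are assumptions constructed for the demonstration.

```python
"""Added example (not Security Center code): hash-based tamper detection with
restore-from-backup for a protected web directory."""
import hashlib
import os
import shutil
import tempfile


def file_sha256(path):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(protected_dir, backup_dir):
    """Copy every file under protected_dir into backup_dir and record its hash.
    Returns the baseline manifest {relative_path: sha256}."""
    manifest = {}
    for root, _dirs, files in os.walk(protected_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, protected_dir)
            dst = os.path.join(backup_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)
            manifest[rel] = file_sha256(src)
    return manifest


def detect_changes(protected_dir, manifest):
    """Compare the live directory with the baseline manifest.
    Returns (modified, deleted, added) as sorted lists of relative paths."""
    live = {}
    for root, _dirs, files in os.walk(protected_dir):
        for name in files:
            src = os.path.join(root, name)
            live[os.path.relpath(src, protected_dir)] = file_sha256(src)
    modified = sorted(p for p in manifest if p in live and live[p] != manifest[p])
    deleted = sorted(p for p in manifest if p not in live)
    added = sorted(p for p in live if p not in manifest)
    return modified, deleted, added


def restore(protected_dir, backup_dir, manifest):
    """Put modified or deleted files back from the backup and remove files that
    were not in the baseline. Returns the relative paths that were acted on."""
    modified, deleted, added = detect_changes(protected_dir, manifest)
    acted = []
    for rel in modified + deleted:
        dst = os.path.join(protected_dir, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(os.path.join(backup_dir, rel), dst)
        acted.append(rel)
    for rel in added:
        os.remove(os.path.join(protected_dir, rel))
        acted.append(rel)
    return sorted(acted)


def demo():
    """Constructed scenario: a small web root is snapshotted, then one page is
    altered, one file is injected and one file is deleted. Returns the change
    report before the restore and the report after it."""
    base = tempfile.mkdtemp(prefix="wtp-demo-")
    web = os.path.join(base, "www")
    bak = os.path.join(base, "bak")
    os.makedirs(os.path.join(web, "css"))
    with open(os.path.join(web, "index.html"), "w") as f:
        f.write("<html>welcome</html>")
    with open(os.path.join(web, "css", "site.css"), "w") as f:
        f.write("body{}")
    manifest = snapshot(web, bak)
    # Simulated tampering (constructed for the demo).
    with open(os.path.join(web, "index.html"), "w") as f:
        f.write("<html><a href='x'>hidden link</a></html>")
    with open(os.path.join(web, "unexpected.php"), "w") as f:
        f.write("injected")
    os.remove(os.path.join(web, "css", "site.css"))
    before = detect_changes(web, manifest)
    restore(web, bak, manifest)
    after = detect_changes(web, manifest)
    shutil.rmtree(base)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The baseline manifest is the reference that the product's backup directory plays on a real server; the restore step does nothing about the process that made the change, which is why the agent additionally records the modifying process and intercepts it.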

Limits

Only the Anti-virus, Advanced, Enterprise, and Ultimate editions of Security Center support this feature. For more information about how to purchase and upgrade Security Center, see Purchase Security Center and Upgrade and downgrade Security Center.

Billing

Web tamper proofing is a value-added feature of Security Center. You must separately purchase and enable the feature. For more information about how to enable web tamper proofing, see Purchase web tamper proofing.

For more information about the billing of web tamper proofing, see Billing.

Limits on versions of operating systems and kernels

Web tamper proofing requires that your servers run specific versions of operating systems and kernels. If the versions of operating systems and kernels of your servers are not supported, the process whitelist does not take effect, and you cannot enable the alerting mode of web tamper proofing.

  • If the operating system and kernel versions of the servers that you want to protect are supported by web tamper proofing, take note of the following items. For more information, see Limits on versions of operating systems and kernels.
    • The maximum number of directories that you can add for protection is 10 for each server.
    • The maximum length of the full path to each protected file or directory is 1,000 characters.
  • If the operating system or kernel versions of the server that you want to protect are not supported by web tamper proofing, take note of the following items. For more information, see Limits on versions of operating systems and kernels.
    • The maximum number of directories that you can add for protection is 10 for each server.
    • The maximum size of each protected directory is 20 GB.
    • The maximum number of folders in each protected directory is 20,000.
    • The maximum number of folder levels in each protected directory is 20.
    • The maximum size of each protected file is 20 GB.
    • The process whitelist does not take effect.
    • You cannot set Prevention Mode to Alert Mode.
    • The paths to the Network File System (NFS) cannot be protected.
Table 1. Limits on versions of operating systems and kernels

Operating system: Windows (32-bit or 64-bit)
  Operating system versions: Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019
  Kernel versions: All versions

Operating system: CentOS (64-bit)
  Operating system versions (CentOS 6 and CentOS 7):
    • CentOS 6.3
    • CentOS 6.5
    • CentOS 6.6
    • CentOS 6.7
    • CentOS 6.8
    • CentOS 6.9
    • CentOS 6.10
    • CentOS 7.0-1406
    • CentOS 7.1-1503
    • CentOS 7.2-1511
    • CentOS 7.3-1611
    • CentOS 7.4-1708
    • CentOS 7.5-1804
    • CentOS 7.6-1810
    • CentOS 7.7-1908
    • CentOS 7.8-2003
    • CentOS 7.9-2009
  Kernel versions (CentOS 6 and CentOS 7):
    • 2.6.32-**, indicating all the CentOS kernels whose version numbers start with 2.6.32
    • 3.10.0-**, indicating all the CentOS kernels whose version numbers start with 3.10.0
  Operating system versions (CentOS 8):
    • CentOS 8.0-1905
    • CentOS 8.1-1911
    • CentOS 8.2-2004
    • CentOS 8.3-2011
    • CentOS 8.4-2105
    • CentOS 8.5
    • CentOS Stream 8
  Kernel versions (CentOS 8):
    • 4.18.0-80.11.2.el8_0.x86_64
    • 4.18.0-147.3.1.el8_1.x86_64
    • 4.18.0-147.5.1.el8_1.x86_64
    • 4.18.0-147.8.1.el8_1.x86_64
    • 4.18.0-193.el8.x86_64
    • 4.18.0-193.6.3.el8_2.x86_64
    • 4.18.0-193.14.2.el8_2.x86_64
    • 4.18.0-193.28.1.el8_2.x86_64
    • 4.18.0-240.1.1.el8_3.x86_64
    • 4.18.0-240.15.1.el8_3.x86_64
    • 4.18.0-240.22.1.el8_3.x86_64
    • 4.18.0-305.3.1.el8.x86_64
    • 4.18.0-305.7.1.el8_4.x86_64
    • 4.18.0-305.10.2.el8_4.x86_64
    • 4.18.0-305.12.1.el8_4.x86_64
    • 4.18.0-305.19.1.el8_4.x86_64
    • 4.18.0-305.25.1.el8_4.x86_64
    • 4.18.0-348.2.1.el8_5.x86_64
    • 4.18.0-348.7.1.el8_5.x86_64
    • 4.18.0-358.el8.x86_64
    • 4.18.0-365.el8.x86_64

Operating system: Ubuntu (64-bit)
  Operating system version: Ubuntu 14.04
  Kernel versions:
    • 3.13.0-32-generic
    • 3.13.0-65-generic
    • 3.13.0-86-generic
    • 3.13.0-145-generic
    • 3.13.0-164-generic
    • 3.13.0-170-generic
    • 3.19.0-80-generic
    • 4.4.0-93-generic
  Operating system version: Ubuntu 16.04
  Kernel versions:
    • 4.4.0-62-generic
    • 4.4.0-63-generic
    • 4.4.0-79-generic
    • 4.4.0-93-generic
    • 4.4.0-96-generic
    • 4.4.0-104-generic
    • 4.4.0-117-generic
    • 4.4.0-124-generic
    • 4.4.0-142-generic
    • 4.4.0-146-generic
    • 4.4.0-151-generic
    • 4.4.0-154-generic
    • 4.4.0-157-generic
    • 4.4.0-161-generic
    • 4.4.0-170-generic
    • 4.4.0-174-generic
    • 4.4.0-176-generic
    • 4.4.0-177-generic
    • 4.4.0-178-generic
    • 4.4.0-179-generic
    • 4.4.0-184-generic
    • 4.4.0-194-generic
    • 4.4.0-198-generic
    • 4.4.0-210-generic
  Operating system version: Ubuntu 18.04
  Kernel versions:
    • 4.15.0-23-generic
    • 4.15.0-42-generic
    • 4.15.0-45-generic
    • 4.15.0-48-generic
    • 4.15.0-52-generic
    • 4.15.0-54-generic
    • 4.15.0-66-generic
    • 4.15.0-70-generic
    • 4.15.0-72-generic
    • 4.15.0-88-generic
    • 4.15.0-91-generic
    • 4.15.0-96-generic
    • 4.15.0-101-generic
    • 4.15.0-106-generic
    • 4.15.0-109-generic
    • 4.15.0-112-generic
    • 4.15.0-117-generic
    • 4.15.0-118-generic
    • 4.15.0-121-generic
    • 4.15.0-122-generic
    • 4.15.0-124-generic
    • 4.15.0-128-generic
    • 4.15.0-143-generic
    • 4.15.0-151-generic
    • 4.15.0-162-generic
    • 4.15.0-166-generic
    • 4.15.0-169-generic
    • 4.15.0-170-generic
    • 4.15.0-173-generic
    • 4.15.0-175-generic
    • 4.15.0-177-generic
    • 4.15.0-181-generic
    • 4.15.0-189-generic
    • 4.15.0-190-generic
    • 4.15.0-192-generic
  Operating system version: Ubuntu 20.04
  Kernel versions:
    • 5.4.0-47-generic
    • 5.4.0-70-generic
    • 5.4.0-77-generic
    • 5.4.0-86-generic
    • 5.4.0-90-generic
    • 5.4.0-92-generic
    • 5.4.0-94-generic
    • 5.4.0-100-generic
    • 5.4.0-102-generic
    • 5.4.0-106-generic
    • 5.4.0-108-generic
    • 5.4.0-110-generic
    • 5.4.0-113-generic
    • 5.4.0-122-generic
    • 5.4.0-123-generic
    • 5.4.0-125-generic

Operating system: Anolis OS (64-bit)
  Operating system versions:
    • Anolis OS 7.9 RHCK
    • Anolis OS 7.9 ANCK
    • Anolis OS 8.4 RHCK
  Kernel versions:
    • 3.10.0-1062.an7.x86_64
    • 3.10.0-1160.an7.x86_64
    • 3.10.0-1160.59.1.0.1.an7.x86_64
    • 3.10.0-1160.62.1.0.1.an7.x86_64
    • 3.10.0-1160.66.1.0.1.an7.x86_64
    • 3.10.0-1160.71.1.0.1.an7.x86_64
    • 4.18.0-348.2.1.an8_4.x86_64
    • 4.18.0-348.12.2.an8.x86_64
    • 4.18.0-348.20.1.an8_5.x86_64
    • 4.18.0-348.23.1.an8_5.x86_64
    • 4.18.0-372.9.1.an8.x86_64
    • 4.18.0-372.16.1.an8_6.x86_64
    • 4.18.0-372.19.1.an8_6.x86_64
    • 4.19.91-25.2.an7.x86_64
    • 4.19.91-25.7.an7.x86_64
    • 4.19.91-25.7.an8.x86_64
    • 4.19.91-25.8.an8.x86_64
    • 4.19.91-26.an7.x86_64
    • 4.19.91-26.an8.x86_64
    • 4.19.91-26.1.an8.x86_64

Operating system: RHEL
  Operating system versions:
    • RHEL 6.2
    • RHEL 7.7
    • RHEL 7.8
    • RHEL 7.9
    • RHEL 8.0
  Kernel versions:
    • 2.6.32-220
    • 3.10.0-1062
    • 3.10.0-1127
    • 3.10.0-1160
    • 4.18.0-80

Operating system: Alibaba Cloud Linux (64-bit)
  Operating system versions:
    • Alibaba Cloud Linux 2.1903
    • Alibaba Cloud Linux 3.2104
  Kernel versions:
    • 4.4.95-1.al7.x86_64
    • 4.4.95-2.al7.x86_64
    • 4.4.95-3.al7.x86_64
    • 4.19.24-7.al7.x86_64
    • 4.19.24-7.14.al7.x86_64
    • 4.19.81-17.al7.x86_64
    • 4.19.81-17.2.al7.x86_64
    • 4.19.91-18.al7.x86_64
    • 4.19.91-19.1.al7.x86_64
    • 4.19.91-21.al7.x86_64
    • 4.19.91-22.2.al7.x86_64
    • 4.19.91-23.al7.x86_64
    • 4.19.91-24.al7.x86_64
    • 4.19.91-24.1.al7.x86_64
    • 4.19.91-25.1.al7.x86_64
    • 4.19.91-25.3.al7.x86_64
    • 4.19.91-25.6.al7.x86_64
    • 4.19.91-25.7.al7.x86_64
    • 4.19.91-25.8.al7.x86_64
    • 4.19.91-26.al7.x86_64
    • 4.19.91-26.1.al7.x86_64
    • 5.10.23-5.al8.x86_64
    • 5.10.60-9.al8.x86_64
    • 5.10.84-10.2.al8.x86_64
    • 5.10.84-10.3.al8.x86_64
    • 5.10.84-10.4.al8.x86_64
    • 5.10.112-11.al8.x86_64
    • 5.10.112-11.1.al8.x86_64
    • 5.10.112-11.2.al8.x86_64
    • 5.10.134-12.al8.x86_64
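The following Python functions are an added example and are not part of Security Center. They measure a directory against the limits listed above for servers whose operating system or kernel is not supported (20 GB, 20,000 folders, 20 folder levels, and a 1,000-character path), so that a directory can be checked before it is added for protection. The limit values are taken from this topic; the directory trees used in the demonstration are constructed.

```python
"""Added example (not Security Center code): pre-check a directory against the
documented limits before adding it for web tamper proofing."""
import os
import tempfile

# Limits from the documentation above (servers with an unsupported OS or kernel).
MAX_PATH_LEN = 1000            # characters in the full path to a file or directory
MAX_DIR_SIZE = 20 * 1024 ** 3  # 20 GB per protected directory
MAX_FOLDERS = 20000            # folders in a protected directory
MAX_LEVELS = 20                # folder levels in a protected directory


def measure(directory):
    """Walk the directory and return (total_bytes, folder_count, max_depth, longest_path_len).
    Depth is the number of folder levels below the protected directory itself."""
    directory = os.path.abspath(directory)
    total_bytes = 0
    folder_count = 0
    max_depth = 0
    longest = len(directory)
    for root, dirs, files in os.walk(directory):
        depth = 0 if root == directory else root[len(directory):].count(os.sep)
        max_depth = max(max_depth, depth)
        folder_count += len(dirs)
        for name in dirs + files:
            longest = max(longest, len(os.path.join(root, name)))
        for name in files:
            total_bytes += os.path.getsize(os.path.join(root, name))
    return total_bytes, folder_count, max_depth, longest


def check_limits(directory):
    """Return the list of limits the directory breaks; an empty list means it fits."""
    total_bytes, folder_count, max_depth, longest = measure(directory)
    problems = []
    if total_bytes > MAX_DIR_SIZE:
        problems.append(f"size of {total_bytes} bytes exceeds 20 GB")
    if folder_count > MAX_FOLDERS:
        problems.append(f"{folder_count} folders exceeds 20,000")
    if max_depth > MAX_LEVELS:
        problems.append(f"{max_depth} folder levels exceeds 20")
    if longest > MAX_PATH_LEN:
        problems.append(f"longest path of {longest} characters exceeds 1,000")
    return problems


def build_demo_tree(levels):
    """Constructed input: a temporary directory holding a chain of nested folders
    with one small file at the bottom. Returns the top-level path."""
    top = tempfile.mkdtemp(prefix="wtp-limits-")
    path = top
    for i in range(levels):
        path = os.path.join(path, f"level{i}")
    os.makedirs(path)
    with open(os.path.join(path, "page.html"), "w") as f:
        f.write("<html></html>")
    return top


if __name__ == "__main__":
    for levels in (3, 25):
        print(levels, "levels:", check_limits(build_demo_tree(levels)) or "within limits")
```

The size check walks every file, so on a large web root it takes as long as a full read of the tree; run it once before adding the directory rather than on every change.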

Purchase web tamper proofing

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.
  2. On the Tamper Protection page, click Upgrade Now. In the Select a product version panel, click Upgrade. On the Upgrade/Downgrade page, set Web Tamper Protection to Yes and set Quota for Web Tamper Proofing to the number of servers that you want to protect.
    Note The value of Protected Servers on the Upgrade/Downgrade page is the number of servers that are added to Security Center. Use this value as a guide when you specify Quota for Web Tamper Proofing.
  3. Click Buy Now and complete the payment.

Enable web tamper proofing for a server

If the quota for web tamper proofing is exhausted, you can no longer enable web tamper proofing for additional servers. Before you enable web tamper proofing, make sure that your Alibaba Cloud account has sufficient quota for web tamper proofing. To purchase more quota, click Upgrade Now in the upper-right corner of the Tamper Protection page.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.
  2. On the Management tab of the Tamper Protection page, click Add Server.
  3. In the Add Servers for Protection panel, select the server for which you want to enable web tamper proofing from the server list and click Next.
  4. In the Add Directory step, configure the parameters and click Enable Protection.
    • Whitelist Mode

      In whitelist mode, Security Center intercepts the modifications to the files of the specified formats in the protected directory or generates an alert for the modifications.

      Protected Directory
        The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept changes to the name, content, or attributes of the files in the directory based on the process whitelist and prevention mode that you specify.
        Enter the value in the /directory name/ format. Example: /tmp/.
      Protected File Formats
        The formats of the files that you want to protect. You can select formats from the drop-down list. You can also enter formats that are not displayed in the drop-down list.
      Prevention Mode
        • Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.
        • Alert Mode: Security Center identifies suspicious processes and file changes and generates alerts for the identified suspicious processes and file changes.
          Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits on versions of operating systems and kernels.
      Local Backup Directory
        The directory in which the backup files of the protected directories are stored. By default, Security Center uses /usr/local/aegis/bak as the backup directory for Linux servers and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for Windows servers. You can change the default backup directories.
      Example
        If you specify /tmp/ for Protected Directory, xml for Protected File Formats, and Interception Mode for Prevention Mode, Security Center intercepts modifications to the XML files in the /tmp/ directory.

    • Blacklist Mode

      In blacklist mode, Security Center does not intercept the modifications to the specified subdirectories, files of the specified formats, or specified files in the protected directory or generate alerts for the modifications. Security Center intercepts the modifications to other subdirectories and files in the protected directory and generates an alert for the modifications.

      Protected Directory
        The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept changes to the name, content, or attributes of the files in the directory based on the process whitelist and prevention mode that you specify.
        Enter the value in the /directory name/ format. Example: /tmp/.
      Excluded Sub-Directories
        The paths to the subdirectories that do not require protection, relative to the protected directory.
        Enter the value in the subdirectory name/ format. Example: dir1/dir0/.
      Excluded File Formats
        The formats of the files that do not require protection.
      Excluded Files
        The files that do not require protection, relative to the protected directory.
        Enter the value in the subdirectory name/file name format. Example: dir2/file3.
      Prevention Mode
        • Interception Mode: Security Center intercepts suspicious processes and suspicious modifications to files. This ensures the security of websites and files on your server.
        • Alert Mode: Security Center identifies suspicious processes and file changes and generates alerts for the identified suspicious processes and file changes.
          Important If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information about the supported operating systems and kernel versions, see Limits on versions of operating systems and kernels.
      Local Backup Directory
        The directory in which the backup files of the protected directories are stored. By default, Security Center uses /usr/local/aegis/bak as the backup directory for Linux servers and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for Windows servers. You can change the default backup directories.

      Important Excluded Sub-Directories, Excluded File Formats, and Excluded Files are evaluated by using a logical OR: a file is excluded if it matches any one of them.

      Example
        If you specify /tmp/ for Protected Directory, dir1/dir0/ for Excluded Sub-Directories, txt for Excluded File Formats, dir2/file3 for Excluded Files, and Interception Mode for Prevention Mode, only the files in the dir1/dir0/ subdirectory of /tmp/, the TXT files in /tmp/, and the dir2/file3 file in /tmp/ can be modified. Security Center intercepts modifications to all other subdirectories and files in /tmp/.

  5. On the Management tab of the Tamper Protection page, find the server that you selected in the Add Servers for Protection panel and turn on the switch in the Protection column to enable web tamper proofing for the server.
    If this is the first time that you enable this feature for a server, the status in the Status column changes to Initializing, and a progress bar appears. Web tamper proofing is enabled in a few seconds. After the feature is enabled, the status changes to Running.
    The following list describes the statuses that can appear in the Status column.
    Initializing
      Description: Web tamper proofing is being initialized. The first time you enable web tamper proofing for a server, the status is Initializing.
      Suggestion: Wait until web tamper proofing is enabled.
    Running
      Description: Web tamper proofing is enabled and runs as expected.
      Suggestion: None.
    Exception
      Description: An error occurred during the initialization of web tamper proofing.
      Suggestion: Move the pointer over Exception, view the causes, and then click Retry.
    Not Initiated
      Description: The switch in the Protection column is turned off.
      Suggestion: Turn on the switch in the Protection column.
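The following Python model is an added example and is not Security Center code. It restates the Whitelist Mode and Blacklist Mode rules of step 4 as decision functions, using the values from the two Example paragraphs (/tmp/ with xml; /tmp/ with dir1/dir0/, txt, and dir2/file3), and applies the Important notes above them: the process whitelist and Alert Mode are honoured only when the operating system and kernel are supported. The process paths, the `kernel_supported` flag, and the `decide` function's three outcomes are assumptions made for the model.

```python
"""Added example (not Security Center code): a model of the Whitelist Mode and
Blacklist Mode decision rules for web tamper proofing."""
import posixpath


def relative_to_protected(protected_dir, path):
    """Return path relative to protected_dir, or None when the path lies outside it."""
    protected = posixpath.normpath(protected_dir)
    full = posixpath.normpath(path)
    if protected == "/":
        return full.lstrip("/")
    if full == protected or full.startswith(protected + "/"):
        return full[len(protected):].lstrip("/")
    return None


def file_format(rel):
    """File format as the lower-case extension without the dot ('' when there is none)."""
    return posixpath.splitext(rel)[1][1:].lower()


def _formats(formats):
    return {f.lower().lstrip(".") for f in formats}


def whitelist_mode_applies(protected_dir, protected_formats, path):
    """Whitelist Mode: only files of the protected formats inside the protected
    directory are subject to interception or alerts."""
    rel = relative_to_protected(protected_dir, path)
    return rel is not None and file_format(rel) in _formats(protected_formats)


def blacklist_mode_applies(protected_dir, excluded_subdirs, excluded_formats, excluded_files, path):
    """Blacklist Mode: every file inside the protected directory is subject to
    interception or alerts unless it matches any exclusion (the three lists are ORed)."""
    rel = relative_to_protected(protected_dir, path)
    if rel is None:
        return False
    in_excluded_subdir = any(rel.startswith(posixpath.normpath(s) + "/") for s in excluded_subdirs)
    has_excluded_format = file_format(rel) in _formats(excluded_formats)
    is_excluded_file = rel in {posixpath.normpath(f) for f in excluded_files}
    return not (in_excluded_subdir or has_excluded_format or is_excluded_file)


def decide(applies, process, process_whitelist, prevention_mode, kernel_supported=True):
    """Combine the directory rule with the process whitelist and Prevention Mode.
    Returns 'allow', 'alert' or 'intercept' (assumed labels). On an unsupported
    kernel the process whitelist does not take effect and Alert Mode intercepts."""
    if not applies:
        return "allow"
    if kernel_supported and process in process_whitelist:
        return "allow"
    if kernel_supported and prevention_mode == "Alert Mode":
        return "alert"
    return "intercept"


# Values from the two Example paragraphs above; the process paths are constructed.
WHITELIST_RULE = ("/tmp/", ["xml"])
BLACKLIST_RULE = ("/tmp/", ["dir1/dir0/"], ["txt"], ["dir2/file3"])
PROCESS_WHITELIST = {"/usr/sbin/nginx"}


def evaluate_whitelist_example(path, process="/usr/bin/vi", mode="Interception Mode", kernel_supported=True):
    return decide(whitelist_mode_applies(*WHITELIST_RULE, path), process, PROCESS_WHITELIST, mode, kernel_supported)


def evaluate_blacklist_example(path, process="/usr/bin/vi", mode="Interception Mode", kernel_supported=True):
    return decide(blacklist_mode_applies(*BLACKLIST_RULE, path), process, PROCESS_WHITELIST, mode, kernel_supported)


if __name__ == "__main__":
    for p in ("/tmp/site.xml", "/tmp/notes.txt", "/var/www/site.xml"):
        print("whitelist mode", p, evaluate_whitelist_example(p))
    for p in ("/tmp/dir1/dir0/a.html", "/tmp/dir1/b.html", "/tmp/notes.txt", "/tmp/dir2/file3", "/tmp/dir2/file4"):
        print("blacklist mode", p, evaluate_blacklist_example(p))
```

Note how the exclusions in Blacklist Mode widen what may be modified, so a single broad exclusion such as a common format quietly removes protection from every file of that format in the directory; the same caution applies to each process added to the whitelist.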

View the details on the Protection tab

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.
  2. On the Protection tab of the Tamper Protection page, view the details.
    • Statistical items

      In the statistics overview module, you can view the total numbers of modified files on the current day and in the last 15 days, the numbers of protected servers and directories, the number of suspicious processes that are intercepted by web tamper proofing, the number of processes that are added to the whitelist, and the purchased quota for web tamper proofing within your Alibaba Cloud account.

    • Distribution of protected file formats

      Protected file formats include TXT, PNG, MSI, and ZIP. You can also add more formats for protection based on your business requirements.

      Note Files of all formats can be added for protection.
    • Top five file changes

      This section shows the top five files that are most frequently modified in descending order in the last 15 days. You can view the names of the files and paths to the files.

    • Top five suspicious processes that are blocked

      This section shows the top five suspicious processes that are most frequently intercepted in descending order in the last 15 days. You can view the names of the processes and the number of processes.

    • Details of alerts triggered by web tamper proofing

      Web tamper proofing helps you intercept all suspicious modifications to the files on your server. In the alert list, you can view the details about alerts for these modifications. The details include the severity level, alert name, affected assets, path to the modified files, process name, and protection status.

      Note
      • If an alert is reported more than 100 times or a process writes to files more than 100 times, we recommend that you handle the alert at your earliest opportunity.
      • The severity level of alerts is Medium.
      • The status of alerts is Defended. The alerts are triggered when web tamper proofing intercepts suspicious processes that modify files without authorization. If an intercepted process is required in your workloads, you can add the process to the whitelist to allow the process. For more information, see Add a process to the whitelist.

Add a process to the whitelist

If web tamper proofing detects that a process modifies the files that are protected, web tamper proofing intercepts the process. If you confirm that the process is normal and want the process to modify the files, you can add the process to the whitelist.

  1. Log on to the Security Center console. In the left-side navigation pane, choose Protection Configuration > Host Protection > Tamper Protection.
  2. On the Protection tab of the Tamper Protection page, add a normal process to the whitelist.
    Important Attackers may exploit the processes in the whitelist to compromise your server. We recommend that you add processes to the whitelist only if the processes are trusted.
    • Add a process for which an alert event is generated to the whitelist
      1. In the alert event list of the Protection tab, find a process that you want to add to the whitelist and click Handle in the Actions column.
      2. In the dialog box that appears, select Whitelist for Process Method and click OK.

        A process may run on multiple servers or run in multiple directories on the same server. If you want to add the process to the whitelist, select Process servers with the same process at the same time.

    • Add multiple processes for which alert events are generated to the whitelist at a time
      1. In the alert event list on the Protection tab, find and select the processes that you want to add to the whitelist.
      2. Click Whitelist below the list. In the message that appears, click OK.
      You can click the number below Whitelist to go to the Process Management panel. In the upper-right corner of the panel, click Enter the whitelist. In the dialog box that appears, configure Process Path and Server Name/IP to add multiple suspicious processes to the whitelist at a time.
    • View the processes in the whitelist or remove processes from the whitelist

      You can click the number below Whitelist to go to the Process Management panel. In the Process Management panel, you can view the information about the suspicious processes that are added to the whitelist. The information includes the server on which the processes run, the paths to the processes, and the numbers of times that the processes change files.

      In the Process Management panel, you can find the suspicious process that you want to remove and click Cancel whitelist in the Actions column. You can also select multiple suspicious processes and click Cancel whitelist below the list to remove the processes from the whitelist at a time.