Web tamper proofing is a value-added feature provided by Security Center. The feature monitors website directories in real time and can restore tampered files or directories by using backups. The feature also protects important website information from being tampered with and prevents trojans, hidden links, and uploads of violent and illicit content.

Background information

  • Web tamper proofing is a value-added feature of Security Center. Security Center Basic does not support the feature. If you use the Basic edition, you must upgrade Security Center to the Anti-virus, Advanced, Enterprise, Ultimate, or Value-added Plan edition before you can purchase and use the feature.
  • Web tamper proofing allows you to add processes on Linux and Windows servers to a whitelist. This ensures that protected files are updated in real time.
  • To make illegal profits or launch business attacks, attackers exploit vulnerabilities in websites to insert illegal hidden links and tamper with the websites. Defaced web pages affect normal user access and may cause serious economic loss, damaged brand reputation, and political risks.

How web tamper proofing works

The Security Center agent automatically collects the processes that attempt to modify files in the protected directories of the protected servers. The agent identifies suspicious processes and file changes in real time and blocks the suspicious processes that cause file changes.

If you use web tamper proofing, you can set Prevention Mode to one of the following modes:
  • Interception Mode: Security Center blocks suspicious processes and file changes. This ensures the security of websites and files on your servers. You can view the alerts that are generated for blocked suspicious processes on the Protection tab of the Tamper Protection page.
  • Alert Mode: Security Center identifies suspicious processes and file changes and generates alerts for the identified suspicious processes and file changes. If you cannot determine trusted processes, you can select this mode. You can view alerts and determine whether to add a specific alert to the whitelist on the Protection tab of the Tamper Protection page. After you determine trusted processes, we recommend that you set Prevention Mode to Interception Mode for servers that you want to protect. This ensures the security of files on the servers. For more information about how to add alerts to the whitelist, see Add blocked processes to a whitelist.

How the process whitelist ensures normal workloads

You can view the alerts that are generated for unusual file changes, suspicious processes, and the number of times that each suspicious process attempts to modify files on the Tamper Protection page. To go to this page, log on to the Security Center console and choose Precaution > Tamper Protection. If a file is modified by a process due to normal workloads, you can add the process to the whitelist. After the process is added to the whitelist, web tamper proofing no longer blocks the process. In scenarios in which the content of websites is frequently modified, the whitelist eliminates the need for you to frequently enable and disable web tamper proofing. The whitelist is suitable for websites such as news and education websites. For more information, see Add blocked processes to a whitelist.

Limits on versions of operating systems and kernels

Web tamper proofing requires that your servers run specific versions of operating systems and kernels. If the versions of operating systems and kernels of your servers are not supported, you cannot add processes to the whitelist and enable the alerting mode of web tamper proofing.
OS version Kernel version
  • CentOS 6.3
  • CentOS 6.5
  • CentOS 6.6
  • CentOS 6.7
  • CentOS 6.8
  • CentOS 6.9
  • CentOS 6.10
  • CentOS 7.0-1406
  • CentOS 7.1-1503
  • CentOS 7.2-1511
  • CentOS 7.3-1611
  • CentOS 7.4-1708
  • CentOS 7.5-1804
  • CentOS 7.6-1810
  • CentOS 7.7-1908
  • CentOS 7.8-2003
  • CentOS 7.9-2009
  • 2.6.32-**, which indicates all the CentOS kernels whose version numbers start with 2.6.32
  • 3.10.0-**, which indicates all the CentOS kernels whose version numbers start with 3.10.0
  • CentOS 8.0-1905
  • CentOS 8.1-1911
  • CentOS 8.2-2004
  • CentOS 8.3-2011
  • 4.18.0-80.11.2.el8_0.x86_64
  • 4.18.0-147.5.1.el8_1.x86_64
  • 4.18.0-147.8.1.el8_1.x86_64
  • 4.18.0-193.el8.x86_64
  • 4.18.0-193.6.3.el8_2.x86_64
  • 4.18.0-193.28.1.el8_2.x86_64
  • 4.18.0-240.1.1.el8_3.x86_64
  • 4.18.0-240.15.1.el8_3.x86_64
Ubuntu 14.04
  • 3.13.0-32-generic
  • 3.13.0-65-generic
  • 3.13.0-86-generic
  • 3.13.0-145-generic
  • 3.13.0-164-generic
  • 3.13.0-170-generic
  • 3.19.0-80-generic
  • 4.4.0-93-generic
Ubuntu 16.04
  • 4.4.0-62-generic
  • 4.4.0-63-generic
  • 4.4.0-93-generic
  • 4.4.0-117-generic
  • 4.4.0-142-generic
  • 4.4.0-151-generic
  • 4.4.0-154-generic
  • 4.4.0-157-generic
  • 4.4.0-174-generic
  • 4.4.0-178-generic
  • 4.4.0-179-generic
  • 4.4.0-184-generic
  • 4.4.0-194-generic
Ubuntu 18.04
  • 4.15.0-23-generic
  • 4.15.0-42-generic
  • 4.15.0-45-generic
  • 4.15.0-52-generic
  • 4.15.0-70-generic
  • 4.15.0-88-generic
  • 4.15.0-91-generic
  • 4.15.0-109-generic
  • 4.15.0-112-generic
  • 4.15.0-121-generic
  • 4.15.0-124-generic
AliyunOS 2.1903
  • 4.19.81-17.al7.x86_64
  • 4.19.81-17.2.al7.x86_64
  • 4.19.91-18.al7.x86_64
  • 4.19.91-19.1.al7.x86_64
  • 4.19.91-21.al7.x86_64
  • 4.19.91-22.2.al7.x86_64

References

Enable web tamper proofing

Enable the web tamper proofing feature

View the protection status

Add blocked processes to a whitelist