Security Center:Defense against brute-force attacks

Last Updated:Mar 31, 2026

Security Center automatically blocks IP addresses that repeatedly fail to log on to your hosts, stopping brute-force attacks before they succeed. This page explains how to create defense rules, manage system-generated blocking policies, and add custom IP address blocking policies.

The brute-force attack defense feature blocks IP addresses after repeated *failed* logon attempts; it does not detect a logon that has already succeeded. If you suspect a host has already been compromised, investigate the host's logon history and consider isolating the instance.

How it works

When an IP address exceeds the allowed number of logon failures within the statistical period you define, Security Center triggers the matching defense rule and automatically generates an IP address blocking policy. Logon requests from that IP address are blocked for the disablement period you configured.

Security Center uses one of two interception mechanisms depending on your edition and configuration:

  • Security Center (AliNet plug-in): Applies to the Advanced, Enterprise, and Ultimate editions with Malicious Network Behavior Prevention enabled. Security Center uses the AliNet plug-in to block logons directly.

  • ECS security group: A security group rule is created automatically when a system rule is enabled, and deleted automatically when the rule expires or is disabled.

View all automatically generated blocking policies on the System Rules tab of the Defense Against Brute-force Attacks tab.

Prerequisites

Before you begin, ensure that you have:

Create a defense rule

Create a defense rule to define the conditions that trigger automatic IP address blocking on your hosts. Each server can have only one defense rule applied at a time.

Important

To allow logon requests from trusted IP addresses — for example, from bastion hosts or jump servers — click the number under Approved Logon IP Address and add the IP address to the approved list. Defense rules never block approved logon IP addresses.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets you want to manage. Supported regions: China and Outside China.

  2. In the left-side navigation pane, go to Protection Configuration > Host Protection > Host-specific Rule Management.

  3. Click the Defense Against Brute-force Attacks tab.

  4. If Security Center is not yet authorized to access your cloud resources, click Authorize Immediately. For details, see Service-linked roles for Security Center.

  5. On the Defense policy tab, click Create Policy.

  6. In the Create Policy panel, configure the parameters. The default settings block an IP address for 6 hours after 80 failed logon attempts within 10 minutes. To use the default settings, skip directly to selecting servers. To create a custom rule, configure the following parameters:

    • Policy name: A name for the defense rule.

    • Defense rule: The trigger condition. If logon failures from an IP address exceed the limit within the statistical period, the IP address is blocked for the disablement period. For example: block an IP address for 30 minutes after 3 failed logon attempts within 1 minute.

    • Protection scenario: The attack types the rule covers. RDP Brute-force Attack and SSH Brute-force Attack are mandatory. SQL Server Brute-force Attack is optional; enable it to protect database logons. The logon logging feature must be enabled in SQL Server before this scenario takes effect.

    • Set as default policy: If selected, the rule applies to all servers not covered by another defense rule, regardless of which servers you select below.

    • Select server(s): The servers this rule protects. Search by server name or IP address.

  7. Click OK.

Important

Each server can only be protected by one defense rule at a time. If you apply a new rule to a server that already has a defense rule, confirm the change in the Confirm Changes dialog. The existing rule's server count decreases accordingly.
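
The counting and blocking behaviour of a defense rule, written out as a small Python simulation so that the rule parameters (limit, statistical period, disablement period) and the approved logon IP list can be checked against real logon records. This is an added example and not Security Center's own code: the sshd-style log lines are constructed, the regular expression, the rule and policy types and the helper names are assumptions, and it reads "after N failed attempts" as a count of at least N failures inside the statistical period.

```python
"""Simulation of the brute-force defense rule described on this page.
Added example, not Security Center code. Assumptions: ISO-8601 timestamped
sshd-style log lines (constructed below), a regex for 'Failed password'
entries, and a block that triggers once the failure count inside the
statistical period reaches the rule limit."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not real data). 203.0.113.7 fails four times inside
# one minute, 198.51.100.9 fails slowly (one failure every two minutes),
# 192.0.2.10 is a bastion host that mistypes a password three times,
# and 203.0.113.7 returns once after its block should have expired.
SAMPLE_AUTH_LOG = """\
2026-03-31T10:00:01 sshd[2101]: Failed password for root from 203.0.113.7 port 51012 ssh2
2026-03-31T10:00:07 sshd[2102]: Failed password for root from 203.0.113.7 port 51013 ssh2
2026-03-31T10:00:15 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51014 ssh2
2026-03-31T10:00:20 sshd[2104]: Accepted publickey for deploy from 192.0.2.10 port 40001 ssh2
2026-03-31T10:00:31 sshd[2105]: Failed password for root from 203.0.113.7 port 51015 ssh2
2026-03-31T10:01:00 sshd[2106]: Failed password for root from 198.51.100.9 port 33001 ssh2
2026-03-31T10:02:00 sshd[2107]: Failed password for deploy from 192.0.2.10 port 40002 ssh2
2026-03-31T10:02:05 sshd[2108]: Failed password for deploy from 192.0.2.10 port 40003 ssh2
2026-03-31T10:02:10 sshd[2109]: Failed password for deploy from 192.0.2.10 port 40004 ssh2
2026-03-31T10:03:00 sshd[2110]: Failed password for root from 198.51.100.9 port 33002 ssh2
2026-03-31T10:05:00 sshd[2111]: Failed password for root from 198.51.100.9 port 33003 ssh2
2026-03-31T10:36:00 sshd[2112]: Failed password for root from 203.0.113.7 port 51016 ssh2
"""

FAILED_LOGON = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


@dataclass(frozen=True)
class DefenseRule:
    name: str
    limit: int                # failed logons tolerated inside the period
    period: timedelta         # statistical period
    disablement: timedelta    # how long the source IP stays blocked


# The page's default: 80 failures within 10 minutes, blocked for 6 hours.
DEFAULT_RULE = DefenseRule("default", 80, timedelta(minutes=10), timedelta(hours=6))
# The page's worked example: 3 failures within 1 minute, blocked for 30 minutes.
EXAMPLE_RULE = DefenseRule("example", 3, timedelta(minutes=1), timedelta(minutes=30))


@dataclass(frozen=True)
class BlockPolicy:
    ip: str
    rule: str
    start: datetime
    expires: datetime


def apply_rule(log_lines, rule, approved_ips=frozenset()):
    """Return the blocking policies the rule would generate for these lines."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    blocked_until = {}             # ip -> end of the current disablement period
    policies = []
    for line in log_lines:
        m = FAILED_LOGON.match(line)
        if not m:
            continue               # successful logons and other entries are ignored
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if ip in approved_ips:
            continue               # approved logon IPs are never blocked
        if ip in blocked_until and ts < blocked_until[ip]:
            continue               # attempt dropped during the disablement period
        window = windows[ip]
        window.append(ts)
        while ts - window[0] > rule.period:
            window.popleft()       # slide the statistical period forward
        if len(window) >= rule.limit:
            expires = ts + rule.disablement
            policies.append(BlockPolicy(ip, rule.name, ts, expires))
            blocked_until[ip] = expires
            window.clear()         # counting restarts once the block lapses
    return policies


def is_blocked(policies, ip, at):
    """True if some policy for ip covers the instant at (datetime or ISO string)."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    return any(p.ip == ip and p.start <= at < p.expires for p in policies)


def run_example(approved_ips=frozenset({"192.0.2.10"})):
    """Apply the page's example rule to the constructed log, bastion approved."""
    return apply_rule(SAMPLE_AUTH_LOG.splitlines(), EXAMPLE_RULE, approved_ips)


if __name__ == "__main__":
    for p in run_example():
        print(f"block {p.ip} by rule {p.rule!r} from {p.start} until {p.expires}")
```

Running it with the bastion host approved produces a single policy for 203.0.113.7 that starts at the third failure and expires 30 minutes later; the slow attacker never accumulates three failures inside one minute, and the attacker's single retry after the block lapses starts a fresh count rather than a new block. Dropping the approved list blocks the bastion host too, which is the false positive the approved logon IP list exists to prevent.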

Manage system rules

A system rule is an IP address blocking policy automatically generated when a defense rule is triggered. Use the System Rules tab to view, enable, and disable these policies.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets you want to manage.

  2. In the left-side navigation pane, go to Protection Configuration > Host Protection > Host-specific Rule Management.

  3. Click the Defense Against Brute-force Attacks tab, then click the System Rules tab.

  4. Take any of the following actions:

    • View a system rule: The list shows the blocked IP address, port, effective servers, rule name, interception mode, validity period, and status. An effective server is a server to which the rule is applied.

    • Enable a system rule: Turn on the switch in the Status column. Security Center resumes blocking logons from the specified IP address. The rule remains valid for 2 hours after you enable it.

    • Disable a system rule: If the blocked IP address was flagged incorrectly (false positive) — for example, a legitimate source such as a bastion host — turn off the switch in the Status column. After approximately 1 minute, logon attempts from that IP address are allowed again. To prevent future false positives from the same address, add it to the approved logon IP address list.

Manage custom rules

Create custom IP address blocking policies to block access from specific malicious IP addresses to your cloud resources.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the assets you want to manage.

  2. In the left-side navigation pane, go to Protection Configuration > Host Protection > Host-specific Rule Management.

  3. Click the Defense Against Brute-force Attacks tab, then click the Custom Rules tab.

Create a custom IP address blocking policy

  1. If Security Center is not yet authorized to access your cloud resources, click Authorize Immediately. For details, see Service-linked roles for Security Center.

  2. Click Create Whitelist Rule. In the Create IP Address Blocking Policy panel, configure the following parameters, then click OK.

    • Intercepted object: The IP address to block.

    • All assets: The servers on which the policy takes effect. Select one or more servers, or search by server name or IP address.

    • Rule direction: The traffic direction to block. Valid values: Inbound and Outbound.

    • Security group: The security group associated with the policy. Default: Cloud Security Center Block Group. A blocking rule is created in this group when the policy is enabled, and deleted when the policy expires or is disabled.

    • Expiration time: The date and time when the policy expires. After expiration, the policy status changes to Disabled.

New policies are created in the Disabled state. Enable the policy after creation.

View custom policies

The Custom Rules tab shows each policy's blocked IP address, effective servers, expiration time, rule direction, and status. Click Details in the Actions column to open the Effective Server(s) panel, where you can filter servers by status: Disabled, Enabled, Enabling, or Enable Rule.

Edit a custom policy

A policy must be in the Disabled state before you can edit it. Disable the policy first if it is currently enabled.

Find the policy and click Edit in the Actions column. In the Edit IP Address Blocking Policy panel, modify the All Assets and Expire Date parameters, then click OK.

Enable or disable a custom policy

  • Enable: Turn on the switch in the Status column, then click OK in the Enable IP Policies dialog. The policy status changes to Enabling. The time to complete enabling increases with the number of effective servers. After enabling, the policy may be in one of the following states:

    • Enable Rule: The policy does not yet take effect on all selected servers.

    • Partially Successful: The policy takes effect on only some of the selected servers.

    To retry failed servers, click Details in the Actions column, find servers in the Enable Rule state, and click Retry.

    If a policy expires after you enable it, the policy remains valid for 2 hours from the time you enabled it. To change the validity period, edit the policy before enabling it.
  • Disable: Turn off the switch in the Status column, then click OK in the Disable IP Policies dialog. The policy becomes inactive and its status changes to Disabled. Security Center stops blocking requests from the specified IP address.

Delete a custom policy

A policy must be in the Disabled state before you can delete it. Click Delete in the Actions column, then click OK to confirm.

Enable logon logging in SQL Server

SQL Server brute-force attack protection requires logon logging to be enabled in SQL Server. This allows Security Center to detect repeated failed authentication attempts against your database.

  1. Open SQL Server Management Studio and connect to your SQL Server instance.

  2. In Object Explorer, right-click the target instance and select Properties.

  3. In the Properties dialog, click Security in the left menu.

  4. Under Login Auditing, select Both Failed and Successful Logins.

  5. Click OK and restart the SQL Server instance for the changes to take effect.

What's next