The web tamper-proofing feature monitors website directories and files on your server in real time. If a website is maliciously tampered with, the feature restores the affected files or directories from backup data. This helps prevent illegal content from being injected into your website and ensures the normal operation of your website. This topic describes how to use the web tamper-proofing feature.
Prerequisites
The Security Center agent must be installed on the server that you want to protect. For more information, see Install the client.
Background information
Attackers often exploit vulnerabilities in websites to tamper with webpage content, such as by inserting hidden links, to generate illegal profits or launch malicious attacks against your business. Malicious tampering can disrupt normal access to your website and can cause severe financial loss, damage to your brand, or even political risks.
The Security Center agent automatically collects the process lists for files in protected directories on your servers. It identifies abnormal processes and file changes in real time, and then blocks the processes that cause these changes or generates alerts about them.
Billing rules
Web tamper-proofing is a value-added feature of Security Center. You must purchase this feature before you can use it. For more information about billing, see Security Center billing.
Limits
- One web tamper-proofing quota protects one server.
- You can enable protection for a server only once. Each server supports up to 10 protected directories.
- If your server’s operating system and kernel version are within the supported range (Supported operating systems and kernel versions for the whitelist feature):
  - You can use the whitelist feature. If you confirm that an intercepted file change or an alert is caused by a legitimate business process, you can add the process path to the whitelist. After you add the process path to the whitelist, Security Center no longer blocks the process or generates alerts for the process.
  - When you add protected directories, take note of the following limits:
    - The full path of each protected file or directory cannot exceed 1,000 English characters or 500 Chinese characters.
    - If the protected directory is set as the process path of a Network File System (NFS) server, Security Center cannot defend against attacks that modify files in this path from an NFS client.
- If your server’s operating system and kernel version are outside the supported range (Supported operating systems and kernel versions for the whitelist feature):
  - The whitelist feature is not supported. Even if you add a process to the whitelist, the rule does not take effect.
  - When you add protected directories, take note of the following limits:
    - Each protected directory must be no larger than 20 GB.
    - Each protected directory can contain no more than 20,000 folders.
    - Each protected directory can have no more than 20 folder levels.
    - Each protected file must be no larger than 20 GB.
    - Alert Mode is unavailable.
    - Paths on Network File System (NFS) cannot be protected.
    - Alerts might not be generated. If alerts are generated, they will not include process path information.
Table 1. Supported operating systems and kernel versions for the whitelist feature

| Operating system | Operating system version | Kernel version |
| --- | --- | --- |
| Windows (32-bit or 64-bit) | Windows Server 2008, 2012, 2016, 2019, 2025 | All versions. |
| CentOS (64-bit) | Unlimited. However, only limited kernel versions are supported. | |
| Ubuntu (64-bit) | Unlimited. However, only limited kernel versions are supported. | |
| Debian | Unlimited. However, only limited kernel versions are supported. | |
| Anolis OS (64-bit) | Unlimited. However, only limited kernel versions are supported. | |
| RHEL | Unlimited. However, only limited kernel versions are supported. | |
| Alibaba Cloud Linux (64-bit) | Unlimited. However, only limited kernel versions are supported. | |
| Oracle Linux | Unlimited. However, only limited kernel versions are supported. | |
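A pre-flight check for the directory limits that this section lists for servers outside the supported range, added here as an example; it is not part of Security Center or of the original documentation. It assumes that 1 GB means 2^30 bytes and that folder levels are counted below the protected directory itself; the names `scan`, `over_limit` and `LIMITS` are illustrative.

```python
import os
import sys

GB = 1024 ** 3  # assumption: the page's "GB" is counted as 2**30 bytes

# Limits this page gives for servers outside the whitelist-supported range.
LIMITS = {
    "dir_bytes": 20 * GB,     # each protected directory: no larger than 20 GB
    "folders": 20_000,        # no more than 20,000 folders
    "levels": 20,             # no more than 20 folder levels
    "largest_file": 20 * GB,  # each protected file: no larger than 20 GB
}


def scan(root):
    """Walk root once and measure the four figures the limits refer to."""
    root = os.path.abspath(root)
    base = root.rstrip(os.sep).count(os.sep)
    stats = {"dir_bytes": 0, "folders": 0, "levels": 0, "largest_file": 0}
    for current, dirs, files in os.walk(root):  # symlinked dirs are not followed
        stats["folders"] += len(dirs)
        # Assumption: levels are counted below the protected directory itself.
        depth = current.rstrip(os.sep).count(os.sep) - base
        stats["levels"] = max(stats["levels"], depth)
        for name in files:
            try:
                size = os.lstat(os.path.join(current, name)).st_size
            except OSError:
                continue  # file disappeared or is unreadable; skip it
            stats["dir_bytes"] += size
            stats["largest_file"] = max(stats["largest_file"], size)
    return stats


def over_limit(stats, limits=LIMITS):
    """Return the names of the limits that the measured directory exceeds."""
    return sorted(key for key, cap in limits.items() if stats[key] > cap)


if __name__ == "__main__":
    measured = scan(sys.argv[1])
    for key, cap in LIMITS.items():
        flag = "OVER" if measured[key] > cap else "ok"
        print(f"{key:13} {measured[key]:>15} / {cap:<15} {flag}")
    sys.exit(1 if over_limit(measured) else 0)
```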
Step 1: Purchase web tamper-proofing quotas
Before you use the web tamper-proofing feature, make sure that your Alibaba Cloud account has a sufficient number of web tamper-proofing quotas.
- Log on to the Security Center console.
- In the navigation pane on the left, choose . In the upper-left corner of the console, select the region where your assets reside: Chinese Mainland or Outside Chinese Mainland.
- Perform the following operations based on whether you have purchased web tamper-proofing quotas.
  No web tamper-proofing quotas purchased
  - On the Web Tamper-Proofing page, click Upgrade Now.
  - Follow these steps based on your Security Center edition.
    - Free Edition:
      In the Select a suitable product edition panel, select any edition. In the Buy Now panel, configure parameters such as Edition and Number of Protected Servers. Set Web Tamper-Proofing to Yes, and select the Tamper-Proofing Quota based on the number of servers that you want to protect.
      You can purchase the web tamper-proofing feature separately by setting the edition to Value-Added Plan Only. For more information about Security Center editions and other purchase configurations, see Purchase Security Center.
    - Paid editions:
      In the Select a suitable product edition panel, click Upgrade. In the Upgrade Now panel, set Web Tamper-Proofing to Yes and select the Tamper-Proofing Quota based on the number of servers that require protection.
  - Click Buy Now and complete the payment.
  Web tamper-proofing quotas already purchased
  If your web tamper-proofing quota is insufficient, click Purchase Quota in the upper-right corner of the Web Tamper-Proofing page to purchase sufficient tamper-proofing quotas.
Step 2: Add protection for servers
Add protection for servers on which the Security Center agent is installed. You can add multiple protected directories for each server.
- On the Web Tamper-Proofing page, if this is your first time using the feature, click Create Web Tamper-Proofing.
  If you have used this feature before, go to the Protection Management tab on the Web Tamper-Proofing page and click Add Protection for Server.
- On the Create Web Tamper-Proofing panel, select the server to protect from the list and click Next.
- Configure the web tamper-proofing rules and click Enable Protection.
  By default, Whitelist Mode is used. In this mode, you specify the directories and file types to protect. You can also click Blacklist Mode to specify subdirectories, file types, and specific files in the protected directory that do not require protection.
  - Whitelist Mode
    If a protected file in the protected directory is modified, Security Center blocks the modification or generates an alert.

    | Configuration item | Description |
    | --- | --- |
    | Protected Directory | Enter the directory on your server to protect. After specifying the directory, Security Center decides whether to block modifications to file names, content, or attributes in this directory based on the process whitelist and protection mode. Use the format: /directory_name/. Example: /tmp/. |
    | Protected File Types | Select or enter the file types to protect. You can select file types from the drop-down list or manually enter types not listed. Note: All file types are supported for web tamper-proofing protection. |
    | Protection Mode | Block Mode: Security Center actively blocks abnormal processes and file changes to ensure the security of your server's websites and files. Alert Mode: Security Center alerts on detected abnormal processes and file changes. Important: If your server’s operating system and kernel version are not in the supported range for the whitelist feature, Alert Mode does not take effect. Even if you select Alert Mode, Security Center still blocks abnormal processes. |
    | Local Backup Directory | Set the backup storage path for the protected directory. Security Center uses /usr/local/aegis/bak (for Linux servers) and C:\Program Files (x86)\Alibaba\Aegis\bak (for Windows servers) as the default backup directories. You can manually change these paths. Important: If your server’s operating system and kernel version are in the supported range for the whitelist feature, the Local Backup Directory setting is ignored. |
    | Configuration Example | For example, if you set Protected Directory to /tmp/, Protected File Types to XML, and Protection Mode to Block Mode, Security Center blocks any changes to XML files in the tmp directory. |
  - Blacklist Mode
    Modifications to specified subdirectories, file types, or files in the protected directory are not blocked and do not trigger alerts. Modifications to other items in the protected directory are blocked or trigger alerts.
    For information about how to configure Protected Directory, Protection Mode, and Local Backup Directory, see Whitelist Mode.

    | Configuration item | Description |
    | --- | --- |
    | Excluded Subdirectories | Enter the paths of subdirectories that do not require protection. Use the format: subdirectory_name/. Example: dir1/dir0/. |
    | Excluded File Types | Select or enter file types that do not require protection. |
    | Exclude Specified Files | Enter the files that do not require protection. Use the format: subdirectory_name/file. Example: dir2/file3. Important: The Excluded Subdirectories, Excluded File Types, and Excluded Files settings are evaluated using a logical OR. |
    | Example configuration | For example, if you set Protected Directory to /tmp/, Excluded Subdirectories to dir1/dir0/, Excluded File Types to txt, Excluded Files to dir2/file3, and Protection Mode to Block Mode, then only the following items within the /tmp directory can be modified: files in the dir1/dir0/ subdirectory, files with the .txt extension, or the file3 file in the dir2 subdirectory. Security Center blocks modifications to all other files and directories in the /tmp directory. |
- (Optional) On the Web Tamper-Proofing page, click the Protection Management tab. Find a server that is already protected and click Add Protected Directory in the Actions column to add more protected directories.
  Click the expand icon next to a server to view its protected directories. You can then click Edit next to a directory to modify its rules.
- On the Management tab of the Web Tamper-Proofing page, find the server that you configured in the server list and click the icon in the Protection Status column to enable web tamper-proofing.
  When you enable protection for the first time, the Service Status column displays Starting and a progress bar. Wait until the status changes to Running.
The following table describes the service statuses.
| Service status | Description | Suggestion |
| --- | --- | --- |
| Starting | The web tamper-proofing feature is starting. | When you enable protection for the first time, the service status changes to Starting. Please wait for the process to complete. |
| Running | Protection is enabled and the service is running as expected. | None. |
| Abnormal | The protection feature failed to start. | Hover over the service status to view the cause of the error and click Retry. |
| Not started | Protection is disabled. | Set the protection status to Enabled. |
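A small model of how the Whitelist Mode and Blacklist Mode rules configured in this step select files, added here as an illustration; it is not Security Center's own code. It reproduces the two configuration examples from the tables above and assumes recursive matching below the protected directory, case-insensitive file types, and subdirectory matching by whole path components; `Rule` and `is_protected` are hypothetical names.

```python
import posixpath
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class Rule:
    protected_dir: str                                   # e.g. "/tmp/"
    mode: str                                            # "whitelist" or "blacklist"
    protected_types: set = field(default_factory=set)    # Whitelist Mode
    excluded_subdirs: set = field(default_factory=set)   # Blacklist Mode
    excluded_types: set = field(default_factory=set)
    excluded_files: set = field(default_factory=set)


def is_protected(rule, path):
    """True if a change to `path` would be blocked or alerted under `rule`."""
    # Normalize first so "dir1/dir0/../x" is judged by where it really points.
    target = PurePosixPath(posixpath.normpath(path))
    root = PurePosixPath(posixpath.normpath(rule.protected_dir))
    try:
        rel = target.relative_to(root)
    except ValueError:
        return False  # outside the protected directory
    ext = target.suffix.lstrip(".").lower()
    if rule.mode == "whitelist":
        return ext in {t.lower() for t in rule.protected_types}
    # Blacklist Mode: the three exclusion lists are combined with logical OR.
    # Comparing whole path components keeps "dir1/dir0x/" from matching "dir1/dir0/".
    excluded = (
        any(PurePosixPath(d) in rel.parents for d in rule.excluded_subdirs)
        or ext in {t.lower() for t in rule.excluded_types}
        or rel in {PurePosixPath(f) for f in rule.excluded_files}
    )
    return not excluded


# The two configuration examples from this page.
WHITELIST = Rule("/tmp/", "whitelist", protected_types={"XML"})
BLACKLIST = Rule("/tmp/", "blacklist", excluded_subdirs={"dir1/dir0/"},
                 excluded_types={"txt"}, excluded_files={"dir2/file3"})
```

Running a planned rule through a model like this before enabling Block Mode shows which paths an exclusion actually leaves writable, for example that a lookalike directory such as dir1/dir0x/ stays protected.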
Step 3: View protection status
On the Web Tamper-Proofing page, view protection details on the Protection Status tab.
- View overview statistics for web tamper-proofing, including the top 5 protected files and top 5 blocked processes in the last 15 days.
- View web tamper-proofing alert details
  This list displays all alerts for abnormal file changes that are detected by Security Center in Block Mode and Alert Mode. The alerts include details such as the severity (currently only Medium), alert name, affected asset, file path of the abnormal change, abnormal process name, and defense status.
  - In the Handled list:
    By default, alerts for Block Mode are displayed. The Status is Defended, which indicates that Security Center intercepted the process that caused the abnormal file change.
  - In the Unhandled list:
    The alerts are from Alert Mode. A Status of Unhandled indicates that Security Center generated an alert for an abnormal process and a file change.
  If you confirm that an intercepted action or an alert is part of a normal business operation, you can use the whitelist feature to allow the process to run normally. After you add a process to the whitelist, the corresponding alert appears in the Handled list with the status Added to Whitelist. For more information, see Optional: Add to whitelist.
  Important: If an alert is triggered more than 100 times, which indicates that a process has written to a file more than 100 times, you must handle the alert at your earliest convenience.
Optional: Add to whitelist
If you confirm that the file changes made by a specific process are required for normal business operations and you need to modify files that are protected by tamper-proofing, you can add the process to the process whitelist. This allows the files to be modified as expected.
- The server must run an operating system and kernel version that are supported by the whitelist feature. For more information about the supported versions, see Supported operating systems and kernel versions for the whitelist feature.
- Attackers may exploit whitelisted processes to compromise your host. Add only trusted processes to the whitelist based on your business scenario.
On the Web Tamper-Proofing page, click the Protection Status tab to add normal business processes to the whitelist.
Add a single alert event to the whitelist
- In the Unhandled alert list, find the abnormal process that you want to whitelist and click Handle in the Actions column.
- In the dialog box, set Handling Method to Add to Whitelist and click Process Now.
  To whitelist the same process on multiple servers or in different file paths on a single server, select Process servers with the same process simultaneously.
You can also view the process paths for Defended alerts in the Handled alert list and add the corresponding processes to the whitelist.
Batch-add multiple alert events to the whitelist
- In the alert list on the Protection Status tab, select the abnormal processes that you want to add to the whitelist.
- Click Add to Whitelist at the bottom of the list. Then, click OK in the dialog box.
Directly add target protection processes to the whitelist
- Click the number below Blocked Processes or Process Whitelist to open the Process Management panel.
- Click Add to Whitelist in the upper-right corner. Enter the Process Path and Server Name/IP to add multiple abnormal processes to the whitelist in a batch.
View or remove whitelist entries
- Click the number under Process Whitelist to open the Process Management panel. In this panel, you can view all whitelisted abnormal processes, including their server, process path, and the number of file write attempts.
- To remove a process from the whitelist, click Remove from Whitelist in the Actions column. To remove multiple entries at once, select the entries and click Remove from Whitelist at the bottom of the list.