
ECS security deployment method

Last Updated: May 07, 2018

Operating system security hardening

  1. Reset the ECS instance.
    Note: We strongly recommend backing up all data before you reset the ECS instances. After you reset the ECS instances, scan all data with antivirus software before you upload it to the ECS instances.

    1. Log on to the ECS console, and click Instances.
    2. Choose your instance, and click Stop under the More drop-down list (if the instance is currently running).
    3. Once the instance stops, click Reinitialize Disk under the More drop-down list.
    4. After disk reinitialization completes, the operating system returns to its original state at the time of purchase.
  2. Logon security settings.

    1. Change the default ports (RDP and SSH).
    2. Log on to the ECS instances using certificates, and specify the IP addresses of the hosts that are trusted to log on.
    3. If you log on to the ECS instances using a username and password, use a complex password (minimum of 10 characters, and can contain uppercase and lowercase letters, digits, and special symbols).
    4. Log on as a normal user, and escalate privileges only when administrator permission is required (use RunAs in Windows, or sudo in Linux).

For more methods to harden operating system security, view the following articles:

Security deployment for application service software

For common web applications

  1. Do not use default passwords or blank passwords for web service consoles such as WDCP, Tomcat, Apache, Nginx, Jenkins, phpMyAdmin, WebLogic, and JBoss. A complex password (minimum of 10 characters, and can contain uppercase and lowercase letters, digits, and special symbols) must be used. Idle consoles must be turned off. Otherwise, those consoles may be hacked and used to gain control of your ECS servers.

  2. Upgrade web applications to the latest version. For example, previous versions of Struts and Elasticsearch have vulnerabilities that can be exploited remotely. Make sure that your web applications are up-to-date. Otherwise, hackers may gain control of your ECS servers.

  3. If Redis, Memcached, or MongoDB is set to password-free access, hackers may log on remotely to gain control of your server. To guarantee server security, use a complex password for access. Additionally, modify the ports and bind the listening IP to 127.0.0.1.
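
The three settings in item 3 (password, port, listening IP) can be checked mechanically for Redis. The following Python audit of redis.conf text is an added example, not part of the original page or of any Alibaba Cloud tool; the sample configurations and password are constructed, and requiring three of the four character classes is this example's assumption about the password rule.

```python
import shlex
import string

DEFAULT_PORT = 6379
LOOPBACK = {"127.0.0.1", "::1"}

def parse_redis_conf(text):
    """Map each directive to its argument list; a later line overrides an earlier one."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, *args = shlex.split(line)  # handles quoted values
            conf[name.lower()] = args
    return conf

def is_complex(password, min_len=10, min_classes=3):
    """Page rule: at least 10 characters. min_classes=3 is this example's assumption."""
    classes = (str.islower, str.isupper, str.isdigit, lambda c: c in string.punctuation)
    used = sum(any(test(c) for c in password) for test in classes)
    return len(password) >= min_len and used >= min_classes

def audit(text):
    """Return findings for the bind, port and password recommendations."""
    conf = parse_redis_conf(text)
    findings = []
    binds = [a.lstrip("-") for a in conf.get("bind", [])]
    if not binds:
        findings.append("bind: not set, Redis listens on all interfaces")
    elif any(a not in LOOPBACK for a in binds):
        findings.append("bind: listens on a non-loopback address")
    if int(conf.get("port", [DEFAULT_PORT])[0]) == DEFAULT_PORT:
        findings.append("port: default port 6379 in use")
    password = (conf.get("requirepass") or [""])[0]
    if not password:
        findings.append("requirepass: password-free access")
    elif not is_complex(password):
        findings.append("requirepass: password fails the complexity rule")
    return findings

# Constructed sample configurations (not taken from a real host).
WEAK = "bind 0.0.0.0\nport 6379\n"
HARDENED = 'bind 127.0.0.1\nport 16379\nrequirepass "Xk7#pQ2!vLm9"\n'

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample) or "no findings")
```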

For common database applications

  • Change the default connection ports for services such as PostgreSQL, Oracle, MySQL, and SQL Server to non-common ports.

  • Create different accounts for different roles and refine authentication. Do not share accounts, and do not log on to the database by using the system account.

  • Use a complex password (minimum of 10 characters, and can contain uppercase and lowercase letters, digits, and special symbols) for the database password.

Others

  • Update applications to prevent hackers from using security vulnerabilities to enter your server.
  • Enable Alibaba Cloud Security and antivirus protection.