Elastic Compute Service:Basic security services

Last Updated:Jan 24, 2025

Basic security services of Elastic Compute Service (ECS) include unusual logon detection and vulnerability scanning. You can view the security status of ECS instances in the ECS or Security Center console in real time.

Background information

Alibaba Cloud Security Center provides basic security services for ECS free of charge, such as vulnerability scanning, basic alert notification, unusual logon detection, AccessKey pair leak detection, and compliance check. You can view security information about ECS assets on the Overview page of the ECS console or in the Security Center console. For more information, see What is Security Center?


Billing

Take note of the following items about the billing of basic security services:

  • If you use Security Center Basic Edition, basic security services for ECS are provided free of charge. For more information, see Introduction to Security Center Basic.

  • If you want to upgrade to Security Center Advanced or Enterprise Edition, log on to the Security Center console for a free trial or purchase of Security Center Advanced or Enterprise Edition. For information about the billing methods of Security Center Advanced Edition and Enterprise Edition, see Billing overview.

Use the Security Center agent

The Security Center agent is a lightweight security control that can be installed on ECS instances. If the Security Center agent is not installed on your ECS instance, your ECS instance is not protected by Security Center. The security data of the instance, such as vulnerabilities, alerts, baseline vulnerabilities, and asset fingerprints, is not displayed in the ECS console. For information about the installation path of the Security Center agent, see Operating systems supported by the Security Center agent.

Perform the following operations to manage the Security Center agent:

  • Automatically install the Security Center agent when you create an ECS instance.

    1. Log on to the ECS console.

    2. In the left-side navigation pane, choose Instances & Images > Instances.

    3. In the top navigation bar, select a region.

    4. Click Create Instance to create an ECS instance. In the Image section of the ECS instance buy page, select Free Security Hardening to automatically install the Security Center agent on the instance. For more information, see Create an instance on the Custom Launch tab.

    Note

    If you call the RunInstances operation to create an ECS instance, set SecurityEnhancementStrategy to Active to automatically install the Security Center agent on the instance.

  • Manually install the Security Center agent on an existing ECS instance.

    For more information, see Install the Security Center agent.

  • Uninstall the Security Center agent.

    For more information, see Uninstall the Security Center agent.

View security status and resolve security issues

To view the security status of ECS instances and resolve security issues, perform the following steps:

  1. Log on to the ECS console.

  2. In the left-side navigation pane, choose Instances & Images > Instances.

  3. In the top navigation bar, select the region and resource group to which the resource belongs.

  4. On the Instance page, find the ECS instance that you want to manage and click the icon in the Monitoring column to log on to the Security Center console and view security reports.

  5. Log on to the Security Center console to handle vulnerabilities and alerts. For information about how to handle vulnerabilities and alerts, see the Handle vulnerabilities section of the "View and handle vulnerabilities" topic and the Handle alerts section of the "View and handle alerts" topic.

Common security issues and scenarios

For information about common vulnerabilities and alerts and their scenarios, see Vulnerability categories and scenarios and Alerts and scenarios.

Vulnerability categories and scenarios

High Risk

Description: The high-risk vulnerabilities directly threaten system security. They include system vulnerabilities that are not fixed, SQL injection vulnerabilities, and weak passwords. We recommend that you take note of these vulnerabilities and fix them at the earliest opportunity.

Scenario: System vulnerabilities that are not fixed

  • High-risk Common Vulnerabilities and Exposures (CVE) in operating systems, such as Linux and Windows.

  • Remote Code Execution (RCE) vulnerabilities that are not fixed at the earliest opportunity.

Solution:

  • Detect and install security patches for the operating system and software on a regular basis.

  • Use the vulnerability scanning feature of Security Center to fix high-risk vulnerabilities at the earliest opportunity.

Handling method:

  • In Linux, run the yum update command, or the apt-get update command followed by apt-get upgrade, to install updates.

  • In Windows, use Windows Update to install the latest patches.

Scenario: Web application vulnerabilities

  • SQL injection vulnerabilities that can directly obtain database access permissions.

  • Remote command execution vulnerabilities, such as those in Struts2.

Solution:

  • Strictly validate and filter user inputs.

  • Use Web Application Firewall (WAF) to protect against common attacks.

Handling method:

  • Fix security vulnerabilities in code, such as by using parameterized queries to prevent SQL injection.

  • Update web frameworks and components to the latest versions.

Scenario: Service configuration vulnerabilities

  • Services, such as Redis and MySQL, do not have passwords configured or are exposed to the Internet.

  • Unauthorized access to Docker.

Solution:

  • Do not expose high-risk services, such as Redis and MySQL, to the Internet.

  • Configure strong passwords for the services and restrict the IP addresses that can access the services.

Handling method:

  • Modify configuration files to bind the services to internal IP addresses or configure whitelist settings.

  • Enable identity authentication features, such as the requirepass setting for Redis.

Scenario: Malware

  • Malicious files, such as mining trojans and backdoor programs.

Solution:

  • Scan for and remove malicious files in the system on a regular basis.

  • Use the suspicious file detection feature of Security Center to detect suspicious files and delete malicious files.

Handling method:

  • Delete malicious files and fix the corresponding vulnerabilities.

  • Reset the passwords of the affected services.

Scenario: Weak password risks

  • Services, such as SSH, Remote Desktop Protocol (RDP), and FTP, use weak passwords or the default password.

Solution:

  • Use a strong password policy that requires a password to contain lowercase letters, uppercase letters, digits, and special characters.

  • Enable multi-factor authentication (MFA).

Handling method:

  • Change weak passwords to strong passwords.

  • Disable the default account or change the default password.

Medium Risk

Description: The medium-risk vulnerabilities may harm the system. They include Cross-Site Scripting (XSS), file upload vulnerabilities, and unusual logons. We recommend that you fix the vulnerabilities at the earliest opportunity.

Scenario: Software vulnerabilities that are not fixed

  • Medium-risk vulnerabilities in middleware, such as Apache, NGINX, and Tomcat.

  • Privilege escalation vulnerabilities in databases, such as MySQL and PostgreSQL.

Solution:

  • Update middleware to the latest versions on a regular basis.

  • Disable feature modules that you do not need.

Handling method:

  • Download and install official patches.

  • Modify configuration files to disable high-risk features.

Scenario: Web application vulnerabilities

  • XSS.

  • File upload vulnerabilities that may lead to malicious file upload.

Solution:

  • Strictly filter and encode user inputs and outputs.

  • Restrict the types of files that can be uploaded and limit the file size.

Handling method:

  • Fix the XSS vulnerabilities in code, such as by HTML-encoding outputs.

  • Check the types of uploaded files and scan the files for viruses.

Scenario: Configuration risks

  • Web services that do not have HTTPS enabled.

  • High-risk ports, such as ports 22 and 3389, that do not restrict IP access.

Solution:

  • Enable HTTPS-encrypted communication.

  • Close unnecessary ports.

Handling method:

  • Configure SSL certificates and enable HTTPS.

  • Modify security group rules to restrict the IP addresses that can access high-risk ports.

Scenario: Unusual logons

  • Brute-force behaviors, such as multiple failed logon attempts.

Solution:

  • Lock an account after a specific number of consecutive logon failures.

  • Restrict the IP addresses that can log on.

Handling method:

  • Configure the Fail2Ban tool for SSH to prevent brute-force attacks.

  • Modify security group rules to restrict the IP addresses that can access services, such as SSH and RDP.

Scenario: Data leak risks

  • Configuration files, such as .env files, contain sensitive information.

Solution:

  • Do not store sensitive information in plaintext in configuration files.

  • Encrypt sensitive data before you store it.

Handling method:

  • Remove sensitive information from configuration files.

  • Use environment variables or Key Management Service (KMS) to store sensitive data.

Low Risk

Description: The low-risk vulnerabilities are less harmful to your assets than high-risk and medium-risk vulnerabilities, but low-risk vulnerabilities that persist for a long time may increase risks, such as configuration risks and compliance risks. You can fix low-risk vulnerabilities at your convenience.

Scenario: Low-risk vulnerabilities that are not fixed

  • Low-risk vulnerabilities in the operating system or software, such as information disclosure vulnerabilities.

Solution:

  • Scan for and fix low-risk vulnerabilities in the system on a regular basis.

Handling method:

  • Install official patches or updates.

Scenario: Configuration risks

  • The log audit feature is disabled.

  • SSL certificates are not updated at the earliest opportunity.

Solution:

  • Enable the log audit feature and check logs on a regular basis.

  • Update SSL certificates at the earliest opportunity.

Handling method:

  • Configure a log audit tool, such as logrotate.

  • Update SSL certificates and enable auto-renewal for SSL certificates.

Scenario: Compliance risks

  • MFA is disabled.

  • The compliance requirements, such as the requirements in Multi-layered Protection Scheme (MLPS) 2.0 or General Data Protection Regulation (GDPR), are not met.

Solution:

  • Enable MFA.

  • Modify system configurations based on compliance requirements.

Handling method:

  • Enable MFA in the Alibaba Cloud Management Console.

  • Complete security settings based on the requirements in MLPS 2.0 or GDPR.

Scenario: Other risks

  • Unused services or ports are not disabled.

Solution:

  • Disable unused services and ports.

Handling method:

  • Run the systemctl disable command to disable unused services.

  • Modify security group rules to disable unused ports.
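As an added example (not from the Alibaba Cloud page or from Security Center), the following shell script audits a redis.conf for the service-configuration risks listed above: a bind address that exposes the service beyond internal networks, protected-mode switched off, and a missing requirepass. The directive names are standard Redis settings; the two sample configs and the definition of "internal" (loopback plus RFC 1918 ranges) are assumptions made here.

```shell
#!/bin/sh
# Added example, not Security Center code: audit redis.conf for the risks in the table above
# (service exposed to the Internet, no password). Assumes standard redis.conf directives
# (bind, protected-mode, requirepass); loopback and RFC 1918 addresses count as internal.

# Constructed sample configs: one weak, one hardened.
WEAK_CONF="$(mktemp)"
SAFE_CONF="$(mktemp)"
trap 'rm -f "$WEAK_CONF" "$SAFE_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so no authentication is required
EOF
cat >"$SAFE_CONF" <<'EOF'
bind 127.0.0.1 172.16.10.5
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_STRONG_PASSWORD
EOF

# Print one finding per line; the exit status is the number of findings (0 = nothing found).
audit_redis_conf() {
    awk '
    function internal(ip) {
        return ip == "127.0.0.1" || ip == "::1" || ip == "-::1" || ip ~ /^10\./ ||
               ip ~ /^192\.168\./ || ip ~ /^172\.(1[6-9]|2[0-9]|3[01])\./
    }
    # Ignore comments and blank lines; for each directive keep the last value, as Redis does.
    /^[ \t]*#/ || NF == 0 { next }
    { key = $1; $1 = ""; sub(/^ +/, ""); val[key] = $0 }
    END {
        n = 0
        if (!("bind" in val)) { print "no bind directive: Redis listens on all interfaces"; n++ }
        else {
            cnt = split(val["bind"], addrs, " ")
            for (i = 1; i <= cnt; i++) if (!internal(addrs[i])) { print "bind exposes " addrs[i]; n++ }
        }
        if (val["protected-mode"] == "no") { print "protected-mode is disabled"; n++ }
        if (!("requirepass" in val) || val["requirepass"] == "") { print "requirepass is not set"; n++ }
        exit n
    }' "$1"
}

audit_redis_conf "$WEAK_CONF" || echo "weak config: $? finding(s)"
audit_redis_conf "$SAFE_CONF" && echo "hardened config: no findings"
```

Run it against the live /etc/redis/redis.conf of an instance to get the same three checks; a non-zero exit status means at least one of the listed risks is present.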

Alerts and scenarios

For more information about alert types, see the Alert types and Alerts sections of the "Overview" topic.

Unusual logons

Description: Unusual logon behaviors are detected.

Scenario:

  • Suspicious logons: ECS instances are logged on to from IP addresses that have never been used.

  • Brute-force attacks: Multiple logon attempts fail.

  • Logons during unusual time periods: ECS instances are logged on to during non-working hours.

Malicious files

Description: Malicious programs or files are detected.

Scenario:

  • Mining trojans, such as XMRig.

  • Backdoor programs, such as WebShell.

  • Viruses or worms: self-spreading malware.

Network attacks

Description: Network attacks against ECS instances are detected.

Scenario:

  • DDoS attacks, such as SYN floods and UDP floods.

  • Port scanning: The ports of ECS instances are scanned.

  • Brute-force attacks, such as brute-force attacks against FTP and MySQL services.

Data leaks

Description: Sensitive information leakage or unauthorized access is detected.

Scenario:

  • Sensitive information leakage: Databases or configuration files are leaked.

  • Unauthorized access: Unauthorized users access sensitive resources.

Configuration risks

Description: Security risks caused by improper system or service configurations are detected.

Scenario:

  • High-risk port exposure: For example, ports 22 and 3389 are exposed to the Internet.

  • HTTPS not enabled: HTTPS encryption is not enabled for web services.

Compliance risks

Description: Behaviors that do not meet security compliance requirements are detected.

Scenario:

  • MFA not enabled: MFA is disabled.

  • Log audit not enabled: The log audit feature is disabled.

Other alerts

Description: Other potential security threats or suspicious behaviors are detected.

Scenario:

  • Suspicious processes: Unknown malicious programs are running.

  • File tampering: The key files of the system are tampered with.
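To show how the unusual-logon scenarios above (brute-force attacks with many failed logons, and suspicious logons from addresses that have never been used) can be detected locally, the following shell script is an added example, not code from the page or from Security Center. It assumes OpenSSH sshd log lines and an operator-maintained list of known source addresses, both constructed here.

```shell
#!/bin/sh
# Added example, not Security Center code: detect two unusual-logon scenarios in sshd logs.
# Assumptions: OpenSSH log format (as in /var/log/secure or /var/log/auth.log), a failure
# threshold chosen by the operator, and an operator-maintained list of known source IPs.

# Constructed sample log; the addresses are documentation ranges, not real hosts.
LOG_FILE="$(mktemp)"
KNOWN_FILE="$(mktemp)"
trap 'rm -f "$LOG_FILE" "$KNOWN_FILE"' EXIT
cat >"$LOG_FILE" <<'EOF'
Jan 24 09:01:02 ecs-web sshd[1201]: Failed password for root from 198.51.100.7 port 40122 ssh2
Jan 24 09:01:04 ecs-web sshd[1201]: Failed password for root from 198.51.100.7 port 40123 ssh2
Jan 24 09:01:06 ecs-web sshd[1203]: Failed password for invalid user admin from 198.51.100.7 port 40125 ssh2
Jan 24 09:01:08 ecs-web sshd[1204]: Failed password for invalid user test from 198.51.100.7 port 40126 ssh2
Jan 24 09:01:10 ecs-web sshd[1205]: Failed password for root from 198.51.100.7 port 40127 ssh2
Jan 24 09:05:00 ecs-web sshd[1210]: Failed password for ops from 203.0.113.5 port 51000 ssh2
Jan 24 09:05:03 ecs-web sshd[1210]: Accepted publickey for ops from 203.0.113.5 port 51000 ssh2
Jan 24 23:40:11 ecs-web sshd[1300]: Accepted password for root from 192.0.2.99 port 6022 ssh2
EOF
# Constructed allowlist of source addresses that have logged on before (one per line).
printf '%s\n' 203.0.113.5 >"$KNOWN_FILE"

# Brute-force scenario: print "ip count" for every source with at least $2 failed logons.
brute_force_sources() {
    awk -v min="$2" '
    /sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    END { for (ip in fails) if (fails[ip] >= min) print ip, fails[ip] }' "$1"
}

# Suspicious-logon scenario: print "user ip" for successful logons from unknown sources.
new_source_logons() {
    awk -v known_file="$2" '
    BEGIN { while ((getline line < known_file) > 0) known[line] = 1 }
    /sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) {
            if ($i == "for") user = $(i + 1)
            if ($i == "from") ip = $(i + 1)
        }
        if (!(ip in known)) print user, ip
    }' "$1"
}

echo "brute-force sources (>= 5 failures):"; brute_force_sources "$LOG_FILE" 5
echo "successful logons from unknown sources:"; new_source_logons "$LOG_FILE" "$KNOWN_FILE"
```

The flagged sources are the ones the table above suggests blocking through security group rules or Fail2Ban, and a successful logon from an unknown address is the case Security Center reports as a suspicious logon.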

Configure alert notifications

Basic security services allow you to configure alert notifications for security alert items. The alert notifications can be sent by internal message. Perform the following steps to configure alert notifications:

  1. Log on to the ECS console.

  2. On the Overview page, click Handle below the unhandled vulnerabilities in the Security Score section to go to the Security Center console.

  3. In the left-side navigation pane, choose System Configuration > Notification Settings.

  4. Scroll down to the Alert row, specify the severities for alerts, and then select the method and time period for sending alert notifications. For information about alert severities, see the Risk levels of alerts section of this topic.

    Note

    If you upgraded Security Center to Security Center Advanced or Enterprise Edition, see Overview for information about other methods for sending alert notifications.

Risk levels of alerts

The alerts generated by Security Center are classified into the following risk levels:

Urgent

Urgent alerts are triggered by behavior that causes damage or has a persistent impact on your assets and resembles common attack techniques, such as reverse shells. Urgent alerts indicate that your assets are probably under attack. We recommend that you view the details of the alerts and handle the alerts at the earliest opportunity.

Suspicious

Suspicious alerts are triggered by behavior that causes damage or has a persistent impact on your assets but also resembles some O&M behavior, such as the suspicious addition of users. This type of behavior may be part of an attack path but is not a necessary step in it: your assets can be attacked even if this behavior is absent. For example, deleting the traces left by an attack is not a necessary step in an attack path. Suspicious alerts indicate that your assets have a certain probability of being under attack. We recommend that you view the details of the alerts and check whether risks exist. If risks exist, handle them.

Reminder

Reminder alerts are triggered by behavior that is not a necessary step in an attack path: your assets can be attacked even if this behavior is absent. This type of behavior resembles some O&M behavior, such as suspicious port listening. If you have high security requirements for your assets, pay attention to Reminder alerts.