All Products
Search
Document Center

Security Center:Use the host-specific rule management feature

Last Updated:Oct 28, 2024

The host-specific rule management feature allows you to manage defense and detection rules that are configured for your servers by using the following modules: malicious behavior defense, defense against brute-force attacks, and approved logon management. You can create rules based on your business requirements to improve the security of your system. This topic describes how to manage the rules that are configured for your servers by using malicious behavior defense, defense against brute-force attacks, and approved logon management.

Modules and supported editions

Module

Supported edition

Description

Malicious behavior defense

Advanced, Enterprise, and Ultimate

Security Center provides system defense rules to defend against common attacks, such as execution of commands that contain malicious scripts and insertion of malicious files. You can also create custom defense rules based on your business scenarios. Malicious behavior defense allows you to manage system defense rules and custom defense rules to build a finer-grained security system.

Defense against brute-force attacks

Advanced, Enterprise, and Ultimate

You can configure a defense rule against brute-force attacks. If the number of logon failures to the same server exceeds the specified limit during the specified statistical period, the IP address is blocked.

Approved logon management

Approved logon location

All editions

Approved logon management allows you to specify approved logon locations, IP addresses, time ranges, and accounts. You can identify unusual logons that may be initiated by attackers.

Approved logon IP address

Advanced, Enterprise, and Ultimate

Approved logon time range

Advanced, Enterprise, and Ultimate

Approved logon account

Advanced, Enterprise, and Ultimate

Malicious behavior defense

Scenarios

Malicious behavior defense supports system defense rules and custom defense rules. The following table describes the scenarios for which the two types of rules are suitable.

Important

Custom defense rules are assigned a higher priority than system defense rules.

Rule type

Scenario

System defense rule

  • Defense against common attacks

    Common attacks are automatically blocked. You can disable a system defense rule or change the servers to which a system defense rule is applied to minimize false alerts.

  • False alert handling

    If you handle an alert event whose alert type is Precise defense and you determine that the processes detected and reported by Security Center based on a system defense rule are normal and are required for your workloads, you can disable the rule on the System Defense Rule tab of the Malicious Behavior Defense tab. You can also remove the affected servers from the list of servers on which the rule takes effect.

Custom defense rule

If you want to allow or block specific behavior, you can use the Custom Defense Rule to create custom defense rules based on your business scenarios. For more information about the examples of custom defense rules, see Best practices for configuring custom defense rules by using the malicious behavior defense feature.

Manage system defense rules

Security Center automatically enables all system defense rules in the Advanced, Enterprise, and Ultimate editions.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the System Defense Rule tab of the Malicious Behavior Defense tab, find and manage a system defense rule.

    Search for a system defense rule

    • On the System Defense Rule tab, enter the name of the system defense rule in the search box.

    • On the System Defense Rule tab, select a value in the ATT&CK Phase section to filter rules.

    Manage a system defense rule

    • Enable or disable a system defense rule

      If a system defense rule is not suitable for your business scenario and affects the security score of your assets, you can disable the rule.

      Important

      After you disable a system defense rule, Security Center no longer detects or reports risks based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.

      1. Select one or more system defense rules.

      2. In the lower-left corner of the rule list, click Enable or Disable.

    • Manage servers to which a system defense rule is applied

      Important

      After you remove a server from a system defense rule, Security Center no longer detects or reports risks on the server based on the rule. Proceed with caution.

      1. Find the system defense rule that you want to manage and click Manage Host in the Actions column.

      2. In the Host Management panel, add servers to the rule or remove servers from the rule. Then, click OK.

Manage custom defense rules

If Security Center generates alerts for your normal service requests, you can create a custom defense rule to add specific behavior to the whitelist. For example, you can add behavior of the Command line and process hash types to the whitelist.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Custom Defense Rule tab of the Malicious Behavior Defense tab, click Create Rule.

  4. In the Create Rule panel, configure the Rule Type parameter, the required parameters, and the Action parameter based on your business requirements. Then, click Next.

    The required parameters vary based on the value of the Rule Type parameter. If you want to add specific behavior to the whitelist, make sure that the Rule type parameter for the defense rule uses one of the following values:

    • Process hash

    • Command line

    • Process Network

    • File Read and Write

    • Operation on Registry

    • Dynamic-link Library Loading

    • File Renaming

    For more information, see Best practices for configuring custom defense rules by using the malicious behavior defense feature.

    Note

    You can add only behavior of the Process hash type to the blacklist.

  5. In the server list in the Create Rule panel, select the servers on which you want the rule to take effect and click Complete.

    By default, a new custom defense rule is enabled. You can manage the servers on which the rule takes effect.

View and handle alert events

After you configure a malicious behavior defense rule, Security Center automatically blocks malicious behavior that hits the rule and generates alerts based on the rule. To view and handle alert events, perform the following operations:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Detection and Response > Alerts.

  3. In the upper part of the Alerts page, click the number below Precise Defense.

    精准防御

  4. In the list of alert events, view the alert events that are generated for automatically blocked risks. If an alert event is a false positive, click Details in the Actions column to handle the alert event.

    In this example, the alert event that is generated for the alert named Suspicious worm script behavior is handled.

    In the alert details panel, obtain and record the following information for subsequent use.

    • The name of the system defense rule based on which risks are detected. The alert event is generated for the detected risks. In this example, the name of the system defense rule is Malicious Damage To Client Processes.

    • The value of ATT&CK Phase for the alert event. In this example, the value is Impact and Damage.

    • The names and IP addresses of the servers that are affected by the alert event.

    image.png

  5. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  6. On the Host defense rules tab, search for the system defense rule based on which the alert event is generated.

    • You can enter Suspicious worm script behavior in the search box.

    • You can also click Damage in the ATT&CK Phase section of the Host defense rules tab.

  7. Manage the Suspicious worm script behavior system defense rule.

    • If the system defense rule is not suitable for your business scenario and you no longer want Security Center to generate alert events based on the system defense rule, you can click the 开关 icon in the Switch column to disable the rule.

      Important

      After you disable a system defense rule, Security Center no longer detects risks or generates alert events based on the rule. The alert events that are generated based on the rule are no longer displayed on the Alerts page. Proceed with caution.

    • If you want to handle an alert event that is a false positive, you can click Actions in the Manage Host column and remove the servers that are affected from the server list of the rule.

      You can also find and handle the false positive alert event on the Alerts page. For more information, see View and handle alert events.

      Important

      If you want the system defense rule to continue protecting your server, you can add the server to the server list on the Malicious Behavior Defense tab after you handle the alert event.

Defense against brute-force attacks

How it works

You can create a defense rule against brute-force attacks. If the number of logon failures from an IP address to a server to which your defense rule is applied exceeds the specified limit during the specified statistical period, the defense rule is triggered, and an IP address blocking policy is automatically generated. Logon requests from the IP address to the server are blocked within the specified disablement period. You can view the IP address on the System Rules tab of the Defense Against Brute-force Attacks tab. The IP address blocking policy is automatically enabled and valid during the disablement period of the defense rule.

Create a defense rule against brute-force attacks

You can create a defense rule against brute-force attacks and specify a trigger condition in the rule. You can also create multiple defense rules against brute-force attacks for servers based on different scenarios.

Important

If you want to add an IP address to the whitelist of defense against brute-force attacks, you can click the number below Approved Logon IP Address and specify the IP address as an approved logon IP address. Defense rules against brute-force attacks do not block logon requests from approved logon IP addresses.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host-specific Rule Management page, click the Brute-force attacks protection tab.

  4. If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.

    For more information, see Service-linked roles for Security Center.

  5. On the Defense policy tab, click Create Policy. In the Create Policy panel, configure the parameters.

    Security Center provides the following default settings in the Create Rule panel: If the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you want to retain the default settings, you can directly select servers. If you want to create a custom rule, you can configure the following parameters.

    Parameter

    Description

    Policy Name

    Enter a name for the defense rule.

    Defense Rule:

    Specify a trigger condition for the defense rule. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the limit during the statistical period, the defense rule blocks the IP address for the disablement period. For example, if the number of logon failures from an IP address exceeds 3 within 1 minute, the IP address is blocked for 30 minutes.

    Set as Default Policy

    Determine whether to specify the defense rule as a default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use the defense rule.

    Note

    If you select Set as Default Policy, the defense rule takes effect on all servers that are not protected by defense rules, regardless of whether you select the servers in the Select Server(s): section.

    Select Server(s):

    Select the servers that you want the defense rule to protect. You can select servers from the server list or search for servers by server name or server IP address.

  6. Click OK.

    Important

    You can create only one defense rule against brute-force attacks for each server.

    • If a selected server is not protected by a defense rule, the defense rule that you create takes effect.

    • If a selected server is protected by a defense rule and you want to apply the defense rule that you create to the server, read and confirm the information in the Confirm Changes message, and click OK.

    • If you create a rule for a server to which an existing defense rule is applied, the number of servers to which the existing defense rule is applied decreases.

Manage a system rule

A system rule refers to an IP address blocking policy that is automatically generated after a defense rule against brute-force attacks is triggered. You can perform the following operations to view, enable, and disable a system rule:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  2. On the Host-specific Rule Management page, click the Brute-force attacks protection tab.

  3. On the System Rules tab, perform the following operations:

    • View the information about a system rule

      You can view the following information: blocked IP address, port, effective servers, rule name, interception mode, validity period, and status. An effective server refers to a server to which a rule is applied. Security Center enables different interception mechanisms based on whether the AliNet plug-in is installed. The following list describes the interception mechanisms:

      • ECS Security Group: When you enable a system rule, a security group rule is automatically created. If the system rule expires or is disabled, the security group rule is automatically deleted.

      • Security Center: This interception mechanism uses the AliNet plug-in. If you use the Advanced, Enterprise or Ultimate edition of Security Center and enable the Malicious Network Behavior Prevention feature, Security center automatically uses the AliNet plug-in to block logons. For more information about how to enable the Malicious Network Behavior Prevention feature, see Proactive Defense.

    • Enable a system rule

      If a system rule is disabled, you can turn on the switch in the Status column to enable the system rule. Then, Security Center continues to block logons from the IP address that is specified in the system rule. The rule is valid for 2 hours after it is enabled.

    • Disable a system rule

      If a system rule is enabled and you confirm that the blocking of the IP address specified in the system rule is a false positive, you can disable the rule to allow logons from the IP address. To disable the rule, turn off the switch in the Status column. After approximately 1 minute, logon attempts from the IP address are allowed.

Manage a custom rule

You can create custom IP address blocking policies to block access from malicious IP addresses to your cloud assets. To manage a custom IP address blocking policy, perform the following operations:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host-specific Rule Management page, click the Brute-force attacks protection tab.

  4. On the Custom Rules tab, perform the following operations:

    • Create a custom IP address blocking policy

      1. If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.

        For more information, see Service-linked roles for Security Center.

      2. Click Create Rule. In the Create IP Address Blocking Policy panel, configure the parameters and click OK. The following table describes the parameters.

        Parameter

        Description

        Intercepted Object

        The IP address that you want to block.

        All Assets

        The server on which you want the IP address blocking policy to take effect. You can select multiple servers. You can also enter a server name or server IP address in the search box to search for the server.

        Note

        Only Alibaba Cloud Elastic Compute Service (ECS) instances are supported.

        Rule Direction

        The direction of the traffic that you want to block. Valid values: Inbound and Outbound.

        Security Group

        The security group that is associated with the IP address blocking policy. Default value: Cloud Security Center Block Group. When you enable the policy, a blocking rule is automatically created in the security group. If the policy expires or is disabled, the rule in the security group is automatically deleted.

        Expiration Time

        The expiration time of the policy. After the policy expires, the status of the policy changes to Disabled.

        By default, a new IP address blocking policy is in the Disabled state. You must manually enable the policy.

    • View custom IP address blocking policies and the details of a custom IP address blocking policy

      On the Custom Rules tab, you can view the following information about each custom IP address blocking policy: blocked IP address, effective servers, expiration time, rule direction, and status. You can also click Details in the Actions column of a policy to go to the Effective Server(s) panel. In this panel, you can view the servers on which the policy takes effect. You can filter servers by status, such as Disabled, Enabled, Enabling, and Enable Rule.

    • Edit a custom IP address blocking policy

      Find the IP address blocking policy that you want to edit and click Edit in the Actions column. In the Edit IP Address Blocking Policy panel, modify the All Assets and Expire Date parameters and click OK. After modification, Security Center blocks access requests from IP addresses based on the new settings of the policy.

      You can edit a policy only if the policy is in the Disabled state. If you want to edit a policy that is in the Enabled state, you must disable the policy.

    • Enable or disable an IP address blocking policy

      You can configure an IP address blocking policy for an IP address that is likely used to launch brute-force attacks. If normal traffic is blocked by the policy, you can disable the policy. After you disable the policy, Security Center no longer blocks requests from the IP address.

      • Enable: To enable an IP address blocking policy, turn on the switch in the Status column. In the Enable IP Policies message, click OK. Then, the policy takes effect, and the status of the policy changes to Enabling. The amount of time during which the policy is in the Enabling state increases with the number of effective servers. Security Center blocks malicious traffic based on the policy. After you enable the policy, the policy may be in one of the following states:

        • Enable Rule: The IP address blocking policy does not take effect on all selected servers.

        • Partially Successful: The IP address blocking policy takes effect only on several selected servers.

        To view the details of effective servers, click Details in the Actions column. In the Effective Server panel, find a server that is in the Enable Rule state and click Retry in the Actions column to enable the policy.

        Note

        If you enable a custom IP address blocking policy and the policy expires, the policy is valid for 2 hours after the point in time when you enable the policy. If you want to change the validity period of the policy, we recommend that you modify the policy before you enable the policy.

      • Disable: To disable an IP address blocking policy, turn off the switch in the Status column. In the Disable IP Policies message, click OK. Then, the policy becomes invalid, and the status of the policy changes to Disabled. Security Center no longer blocks requests from the IP address that is specified in the policy.

    • Delete a custom IP address blocking policy

      You can delete an IP address blocking policy that is in the Disabled state. To delete a policy, click Delete in the Actions column. In the message that appears, click OK.

Approved logon management

You can specify approved logon locations, IP addresses, time ranges, and accounts. Security Center monitors logons based on your settings. If unapproved logons are detected, Security Center generates alerts. To configure approved logon settings, perform the following operations:

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host-specific Rule Management page, click the Common Logon Management tab.

  4. On the Common Logon Management tab, configure approved logon locations, IP addresses, time ranges, and accounts.

    This example shows how to configure Approved Logon Location.

    1. On the Approved Logon Location tab, click Create Policy.

    2. In the Approved Logon Location panel, select one or more locations as approved logon locations based on your business requirements, select the servers on which the settings take effect, and then click OK.

    Security Center allows you to change the servers that allow logons from selected logon locations and delete selected logon locations.

    • To change the servers that allow logons from the logon location, find the location and click Modify on the right side.

    • To delete an approved logon location, find the location and click Remove in the Actions column.

    Security Center allows you to add remarks to approved logon IP addresses. To add remarks to an IP address, find the IP address and click the 编辑图标 icon in the Note column on the Approved Logon IP Address tab.

After you configure approved logon settings, you can go to the Alerts page and select Unusual Logon for Alert Type to view and handle the alerts that are generated for unapproved logons at the earliest opportunity. For more information, see View and handle alert events. 查看异常登录告警