All Products
Search
Document Center

Security Center:Configure common features (simplified)

Last Updated:May 20, 2024

Security Center provides various features to protect your cloud assets and servers in data centers. The features include alert notification, virus detection and removal, webshell detection, client protection, and container image scan. This topic describes how to configure the features.

Alert notification

If Security Center detects exceptions in your assets, Security Center sends alert notifications based on the severity levels, notification periods, and notification methods that you specify. This way, you can monitor the security of your assets in real time. The notification methods include text messages, emails, internal messages, and DingTalk chatbots.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Notification Settings.

  3. On the Notification Settings page, specify the notification periods, notification methods, and severity levels for the notification items on which Security Center sends alerts.

    Notification items refer to the threat events and security risks that Security Center can detect in your assets. For more information about the notification items supported by Security Center, see Configure notification settings.

Proactive defense, webshell detection, and client protection

If you want to enable the Malicious Host Behavior Prevention, webshell detection, or client protection feature, you can go to the Feature Settings page and select the servers for which you want to enable the feature.

Note

If you do not turn on the switches in the Proactive Defense section, Security Center only detects related threats and does not automatically block detected common viruses or malicious network behavior.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.

  2. In the left-side navigation pane, choose System Configuration > Feature Settings.

  3. Enable features in the Proactive Defense section, and enable the webshell detection and client protection features.

    Enable features in the Proactive Defense section.

    1. Go to the Settings > Host Protection Settings tab.

    2. In the Proactive Defense section, click Manage to the right of Malicious Host Behavior Prevention, Anti-ransomware (Bait Capture), Webshell Connection Prevention, or Malicious Network Behavior Prevention.

    3. Select the servers for which you want to enable the features and turn on the switches.

    After you turn on the switches in the Proactive Defense section, Security Center automatically quarantines the detected common viruses or suspicious connections. If you want to view the quarantined viruses and connections, you can go to the Alerts page and filter security events by using the Precision defense search condition.精准防御

    Enable the webshell detection feature.

    1. Go to the Settings > Host Protection Settings tab.

    2. In the Webshell Detection and Removal section, click Manage to select the servers for which you want to enable the webshell detection feature.

    Enable the client protection feature.

    1. Go to the Settings > Agent Settings tab.

    2. In the Agent Protection section, turn on Defense mode and click Manage to select the servers for which you want to enable the client protection feature.

    For more information, see Feature Settings.

Container image scan

The container image scan feature is a value-added feature provided by Security Center. To use this feature, you must purchase a sufficient quota for container image scan. For more information, see Enable container image scan.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Image Security.

    Note

    The first time you use container image scan, complete the authorization as prompted.

  3. On the Image Security page, click Immediate Scan.

    Security Center requires approximately 1 minute to perform the scan. After the scan is complete, you can refresh the page to view the scan results.

  4. Click the Image Vulnerability, Image Baseline Check, Malicious Image Sample, or Sensitive Image File tab to view the detected vulnerabilities or malicious samples.

    For more information, see View image scan results.

Configuration assessment

The configuration assessment feature allows you to check for security risks in the configurations of cloud services. Security Center supports both manual checks and periodic automatic checks.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to protect. You can select China or Outside China.

  2. In the left-side navigation pane, choose Risk Governance > Configuration Assessment.

  3. Click the Configuration Check tab and run a configuration check.

    • Full Scanning

      If you want to immediately check whether risks exist in the configurations of your cloud services, you can choose Immediate Scan > Full Scanning on the Configuration Assessment page. The system checks all your cloud services.

    • Scan By Policy

      After you configure a policy for the configuration assessment feature, Security Center runs configuration checks based on the time range that you specify in the policy. You can also select Scan By Policy to immediately check your cloud services.

      1. In the upper-right corner of the Configuration Assessment page, click Check Policy Settings.

      2. In the Check Policy Settings panel, turn on Automatic Configuration Assessment.

      3. Configure the Detection Cycle: and Detection Time: parameters, select the required check items, and then click OK.

      4. Optional. On the Configuration Assessment page, choose Immediate Scan > Scan by Policy.

        Security Center immediately scans the configurations of cloud services based on the policy that you configure.

    Note

    A full scan requires a long period of time to complete.

We recommend that you handle the detected security risks at the earliest opportunity. For more information, see Use the configuration assessment feature.

Defense rules against brute-force attacks

Security Center provides the feature of protection against brute-force attacks. The feature allows you to configure defense rules to prevent brute-force attacks. You can configure a defense rule to block logon attempts to your server for a period of time if the number of logon failures exceeds the specified threshold within the specified period of time. The feature of protection against brute-force attacks can protect the password of your server account from being cracked.

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Host-specific Rule Management.

  3. On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.

  4. If you have not authorized Security Center to access your cloud resources, click Authorize Immediately.

    For more information, see Service-linked roles for Security Center.

  5. On the Defense policy tab, click Create Policy. In the Create Policy panel, configure the parameters.

    Security Center provides the following default settings in the Create Rule panel: If the number of logon failures from an IP address to the same server reaches 80 within 10 minutes, the IP address is blocked for 6 hours. If you want to retain the default settings, you can directly select servers. If you want to create a custom rule, you can configure the following parameters.

    Parameter

    Description

    Policy Name

    Enter a name for the defense rule.

    Defense Rule:

    Specify a trigger condition for the defense rule. If the number of logon failures from an IP address to a server to which the defense rule is applied exceeds the limit during the statistical period, the defense rule blocks the IP address for the disablement period. For example, if the number of logon failures from an IP address exceeds 3 within 1 minute, the IP address is blocked for 30 minutes.

    Set as Default Policy

    Determine whether to specify the defense rule as a default defense rule. If you select Set As Default Policy, servers that are not protected by defense rules use the defense rule.

    Note

    If you select Set as Default Policy, the defense rule takes effect on all servers that are not protected by defense rules, regardless of whether you select the servers in the Select Server(s): section.

    Select Server(s):

    Select the servers that you want the defense rule to protect. You can select servers from the server list or search for servers by server name or server IP address.

  6. Click OK.

    Important

    You can create only one defense rule against brute-force attacks for each server.

    • If a selected server is not protected by a defense rule, the defense rule that you create takes effect.

    • If a selected server is protected by a defense rule and you want to apply the defense rule that you create to the server, read and confirm the information in the Confirm Changes message, and click OK.

    • If you create a rule for a server to which an existing defense rule is applied, the number of servers to which the existing defense rule is applied decreases.

Web tamper proofing

The feature of web tamper proofing monitors web directories in real time and can restore tampered files or directories based on the backup files. This prevents important website information from being tampered with. Before you can use this feature, you must purchase a specific quota. This quota allows you to enable web tamper proofing for specific servers. For more information, see Step 1: Purchase the quota for web tamper proofing.

  1. The first time you use web tamper proofing, click Add Servers for Protection on the Web Tamper Proofing page.

    If this is not the first time that you use web tamper proofing, click the Management tab on the Web Tamper Proofing page and click Add Server.

  2. In the Add Servers for Protection panel, select the server for which you want to enable web tamper proofing from the server list and click Next.

  3. In the Add Directory step, configure the parameters and click Enable Protection.

    By default, the Whitelist Mode is used. In whitelist mode, you must specify the directories and formats of files that you want to protect. You can click Blacklist Mode to switch to the blacklist mode. In blacklist mode, you must specify the directory that you want to protect, and the subdirectories, formats of files, and files that do not require protection in the protected directory.

    • Whitelist Mode

      In whitelist mode, Security Center intercepts or generates an alert for modifications to the files of the specified formats in the protected directory.

      Parameter

      Description

      Protected Directory

      The server directory that you want to protect. After you specify a directory, Security Center determines whether to intercept modifications to the name, content, or attribute of the files in the directory based on the process whitelist and prevention mode that you specify.

      Enter a value in the /The name of the directory/ format. Example: /tmp/.

      Protected File Formats

      The formats of the files that you want to protect.

      You can select formats from the drop-down list. You can also enter formats that are not displayed in the drop-down list.

      Note

      All formats of files can be added for protection.

      Prevention Mode

      • Interception Mode: Security Center intercepts suspicious processes and abnormal file changes. This ensures the security of websites and files on your server.

      • Alert Mode: Security Center identifies suspicious processes and abnormal file changes and generates alerts.

        Important

        If the operating system or kernel version of your server is not supported by web tamper proofing, Security Center does not generate alerts. In this case, if you set Prevention Mode to Alert Mode, Security Center intercepts suspicious processes. For more information, see Supported versions of operating systems and kernels.

      Local Backup Directory

      The directory in which backup files of the protected directories are stored.

      By default, Security Center uses /usr/local/aegis/bak as the backup directory for Linux servers and C:\Program Files (x86)\Alibaba\Aegis\bak as the backup directory for Windows servers. You can change the default backup directories.

      Important

      If the operating system or kernel version of your server is not supported by web tamper proofing, you do not need to configure the Local Backup Directory parameter. For more information, see Supported versions of operating systems and kernels.

      Configuration example

      If you specify /tmp/ for Protected Directory, xml for Protected File Formats, and Interception Mode for Prevention Mode, Security Center intercepts the modifications to the XML files in the tmp directory.

    • Blacklist Mode

      In blacklist mode, Security Center does not intercept or generate alerts for modifications to the specified subdirectories, files of the specified formats, or specified files in the protected directory. Security Center intercepts and generates an alert for modifications to other subdirectories and files in the protected directory.

      For more information about how to configure the Protected Directory, Prevention Mode, and Local Backup Directory parameters, see Whitelist Mode.

      Parameter

      Description

      Excluded Sub-Directories

      The path to the subdirectories that do not require protection.

      Enter a value in the Subdirectory name/ format. Example: dir1/dir0/.

      Excluded File Formats

      The formats of the files that do not require protection.

      Excluded Files

      The files that do not require protection.

      Enter a value in the Subdirectory name/File name format. Example: dir2/file3.

      Important

      The Excluded Sub-Directories, Excluded File Formats, and Excluded Files parameters are evaluated by using a logical OR.

      Configuration example

      If you specify /tmp/ for Protected Directory, dir1/dir0/ for Excluded Sub-Directories, txt for Excluded File Formats, dir2/file3 for Excluded Files, and Interception Mode for Prevention Mode, the files in the dir1 subdirectory below dir0 in the tmp directory, TXT files in the tmp directory, or the file3 file in the dir2 subdirectory in the tmp directory can be modified. The modifications to other subdirectories and files in the tmp directory are intercepted by Security Center.

  4. Optional. On the Management tab of the Web Tamper Proofing page, find the server that you specify in the Add Servers for Protection panel and click Add Directory in the Actions column to add other directories for protection.

    You can click the image icon next to the server name to view the list of protected directories on the server. You can find a protected directory and click Modify in the Actions column to modify the parameter configurations.

  5. On the Management tab of the Web Tamper Proofing page, find the server that you specify in the Add Servers for Protection panel and click the 开关 icon in the Protection column to enable the web tamper proofing feature for the server.

    The first time you enable this feature for a server, the status in the Status column of the server changes to Initializing, and a progress bar appears. Wait until the feature is enabled. After this feature is enabled, the status of the server changes to Running.

    The following table describes the statuses that are available in the Status column.

    Status

    Description

    Suggestion

    Initializing

    Web tamper proofing is being initialized.

    The first time you enable web tamper proofing for a server, the status is Initializing. Wait until web tamper proofing is enabled.

    Running

    Web tamper proofing is enabled and runs as expected.

    None.

    Exception

    An error occurred during the initialization of web tamper proofing.

    Move the pointer over Exception, view the causes, and then click Retry.

    Not Initialized

    The switch in the Protection column is turned off.

    Turn on the switch in the Protection column.

Anti-ransomware

Security Center provides protection, alerting, and data backup capabilities that prevent ransomware from compromising your core servers. Before you can use the anti-ransomware feature, you must purchase a specific quota. This quota allows you to enable the anti-ransomware feature for specific servers. For more information, see Enable anti-ransomware.

Configure anti-ransomware policies for servers

  1. Purchase the anti-ransomware capacity and authorize your account to use the anti-ransomware feature. For more information, see Enable anti-ransomware.

  2. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. You can select China or Outside China.

  3. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.

  4. On the Anti-ransomware for Servers tab of the Anti-ransomware page, click Create Policy.

  5. In the Create Policy panel, configure the Policy Name, Server Type, and Select Assets parameters.

    Parameter

    Description

    Policy Name:

    The name of the anti-ransomware policy.

    Server Type

    The type of the server to which you want to apply the anti-ransomware policy.

    Backup Route

    The communication method that is used to back up data. If you set Server Type to Server Not Deployed on Alibaba Cloud, you must configure this parameter. Valid values:

    • Internet: If you select this option, you may be charged for Internet bandwidth resources.

    • Internal Network: If you select this option, you must use Alibaba Cloud virtual private clouds (VPCs), Express Connect circuits, or Cloud Enterprise Network (CEN) instances to establish connections between the servers that are not deployed on Alibaba Cloud and the anti-ransomware endpoint in the selected region.

    Region:

    The region in which the server resides or a region in which an anti-ransomware endpoint is available. If you set Server Type to Server Not Deployed on Alibaba Cloud, you must configure this parameter. The selected region specifies the endpoint that is used to access anti-ransomware. To successfully back up data, make sure that the server can access the anti-ransomware endpoint in the selected region. For more information, see Anti-ransomware endpoints.

    Select Assets:

    The assets that you want to protect. You can select an asset, an asset group, or multiple assets from asset groups. To select the assets that you want to protect, perform the following operations:

    • In the Asset Group section, select an asset group. Then, all assets in the group are selected. You can clear assets that do not require protection in the Assets section.

    • In the Assets section, enter the name of an asset in the search box to search for the asset. Fuzzy match is supported.

    Note
    • If you want to apply the anti-ransomware policy to Elastic Compute Service (ECS) instances, you can select ECS instances that reside in different regions. If you want to apply the anti-ransomware policy to the servers that are not deployed on Alibaba Cloud, you must select the servers that reside in the same region.

    • To make sure that the anti-ransomware capacity is effectively utilized, you can add a server to only one policy.

  6. Configure the remaining parameters and click OK.

    Protection Policies: the type of the anti-ransomware policy. Valid values: Recommended Policy and Custom Policy.

    • Recommended Policy: The recommended policy is a built-in anti-ransomware policy of Security Center and cannot be modified. The default values of the following parameters are used:

      • Protected Directories: All directories

      • Exclude specified directories: directories that are excluded from the policy

      • Protected File Types: All File Types

      • Start Time: a point in time within the range of 00:00 to 03:00

      • Backup policy execution interval: One Day

      • Backup data retention period: 7 Days

      • The bandwidth limit of the backup network: 0 MByte/s

        Note

        The value 0 indicates that no limits are imposed on the bandwidth.

    • Custom Policy: a custom policy that you can configure based on your business requirements. You must configure the following parameters: Protected Directories, Exclude specified directories, Protected File Types, Start Time, Backup policy execution interval, Backup data retention period, and The bandwidth limit of the backup network. The following table describes the parameters.

      Parameter

      Description

      Protected Directories:

      The directories that you want to back up. Valid values:

      • Specified directory: Security Center backs up only specified directories of the specified servers. You must enter the addresses of the specified directories for Protect directory address:. Example:

        • Windows server: C:\Program Files (x86)\

        • Linux server: /usr/bin/

        You can enter up to 20 addresses. Security Center runs backup tasks in sequence based on protected directory addresses. If a large number of files are stored at a protected directory address, a large amount of server resources such as CPU and memory resources may be consumed to back up data at the address. In this case, you can split the directory into multiple addresses. Then, backup tasks run in sequence based on the addresses. This helps reduce the server resources that are consumed by each backup task.

      • All directories: Security Center backs up all directories of the specified servers.

      Exclude specified directories:

      The directories that you do not want to back up. Security Center displays default directories that do not need to be backed up. You can add more directories or remove specific directories.

      Protected File Types:

      The type of the files that you want to protect. Valid values:

      • All File Types: Security Center protects all files.

      • Specify file type: Security Center protects files only of the selected file type. You can select file types such as Document and Picture.

        Important

        You can select multiple file types. Security Center protects only files of the selected file types for the specified assets.

      Start Time:

      The time at which you want to start a data backup task.

      Important

      If this is the first time that you back up all data in protected directories based on an anti-ransomware policy, a large number of CPU and memory resources are consumed. To avoid negative impacts on your services, we recommend that you back up data during off-peak hours.

      Backup policy execution interval:

      The time interval between two data backup tasks. Default value: One Day.

      Backup data retention period:

      The retention period of backup data. Default value: 7 Days.

      Important

      The backup data is stored only within the specified retention period. We recommend that you specify the retention period based on your business requirements.

      Valid values:

      • Permanent: The backup data is retained until Security Center expires, you delete the anti-ransomware policy, or you remove the specified server from the anti-ransomware policy.

      • Custom: You can specify a retention period. Valid values: 1 to 65535. Unit: days.

      The bandwidth limit of the backup network:

      The maximum bandwidth that can be consumed by a data backup task. Valid values: 1 to unlimited. Unit: MB/s.

      If you create the anti-ransomware policy for an ECS instance, only internal network bandwidth is consumed. If you create the anti-ransomware policy for a server that is not deployed on Alibaba Cloud, public or internal network bandwidth is consumed. You can configure this parameter to prevent backup tasks from consuming an excessive amount of bandwidth and ensure service stability.

Configure anti-ransomware policies for databases

  1. Log on to the Security Center console. In the top navigation bar, select the region in which your asset resides. You can select China or Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Anti-ransomware.

  3. On the Anti-ransomware page, click the Database extortion virus protection tab and click Create Policies.

  4. In the Database protection strategy panel, create an anti-ransomware policy for a database.

    1. In the Change database step, configure the following parameters and click Next.

      Parameter

      Description

      Policy Name

      The name of the protection policy.

      Type

      • Automatic identification database

        The system automatically identifies the databases that are deployed on your server. We recommend that you select this option.

      • Manually enter the database

        If the database that you want to protect is not displayed in the list of databases after you select Automatic identification database, you can select this option and manually specify the database.

      Database

      The database that you want to protect or the server on which the database resides.

      Database type

      The type of the database that you want to protect. This parameter is required only if you set the Type parameter to Manually enter the database. Valid values:

      • MYSQL

      • ORACLE

      • MSSQL

      Account

      The username of the account that you can use to log on to the database. The account must have the permissions to back up data in the database. If you set the Database type parameter to ORACLE, you do not need to enter the username or password of the database.

      Important

      You must enter the username and password of the database instead of the server.

      Password

      The password of the account that you can use to log on to the database.

    2. In the Protection Policies step, configure the following parameters and click Finished.

      Parameter

      Description

      Protection Policies

      The anti-ransomware policy that you want to use. You can click Use recommendation strategy to use the recommended anti-ransomware policy provided by Security Center. If the recommended anti-ransomware policy cannot meet your business requirements, you can modify the policy.

      Full backup strategy

      The interval at which full backup is performed, the days of a week on which the full backup is performed, and the point in time at which the full backup starts.

      Full backup indicates that you back up all data that exists at a specific point in time. Full backup is time-consuming and requires a large amount of anti-ransomware capacity. We recommend that you set the Interval period parameter to 1 Week.

      Note

      The full backup policy and incremental backup policy take effect at the same time and do not affect each other.

      Incremental backup strategy

      The interval at which incremental backup is performed and the point in time at which the incremental backup starts.

      Incremental backup indicates that you back up only the data that is newly generated or modified after the last full or incremental backup. Incremental backup requires less time and less anti-ransomware capacity. We recommend that you set the Interval period parameter to 1 Day.

      Backup data retention time

      The retention period of the backup.

      Backup network bandwidth limit

      The maximum network bandwidth that is allowed during data backup. If you set this parameter to 0, the network bandwidth is unlimited.

      After the anti-ransomware policy for your database is created, Security Center automatically installs the anti-ransomware agent on your server, and the policy enters the Initializing state. After the anti-ransomware agent is installed on your server, Security Center backs up data in your database based on the backup policy that is configured in the anti-ransomware policy.

Virus detection and removal

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Host Protection > Virus Detection and Removal.

  3. If the AliyunServiceRoleForSas service-linked role is not created, click Authorize Now and complete authorization as prompted.

    After the authorization is complete, Security Center automatically creates the AliyunServiceRoleForSas service-linked role. For more information about the AliyunServiceRoleForSas service-linked role, see Service-linked roles for Security Center.

  4. On the Virus Detection and Removal page, perform an immediate scan task or configure a periodic scan task.

    Perform an immediate scan task

    1. On the Virus Detection and Removal page, click Immediate Scan or Scan Again.

    2. In the Scan Settings panel, configure the Scan Mode and Scope parameters.

      Parameter

      Description

      Scan Mode

      Select a scan mode. Valid values:

      • Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.

      • Custom Directory Scan: In this mode, you can specify the file directories that you want to scan.

        Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.

      Scope

      Select the assets that you want to scan. You can select assets based on the following types:

      • All Assets: If you select this option, all assets are scanned.

      • By Asset: If you select this option, you can select the servers that you want to scan.

      • By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.

      • By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

    3. Click OK.

      Security Center performs an immediate scan task based on the specified scan mode and scope. The scan task requires 2 to 5 minutes to complete. Wait until the scan task is complete.

    Configure a periodic scan task

    1. On the Virus Detection and Removal page, click Scan Settings in the upper-right corner.

    2. In the Scan Settings panel, configure the Scan Cycle, Scan Mode, and Scope parameters.

      Parameter

      Description

      Scan Cycle

      Specify the interval and period for automatic scan.

      Scan Mode

      Select a scan mode. Valid values:

      • Quick Scan: In this mode, Security Center automatically scans items such as active processes, startup items, and sensitive directories and files for risks.

      • Custom Directory Scan: In this mode, you can specify the file directories that you want to scan.

        Enter the file directory that you want to scan. Separate multiple directories with line feeds. A single scan operation supports up to 30,000 files. If more than 30,000 files are included in the specified directories, the excess files are not scanned.

      Scope

      Select the assets that you want to scan. You can select assets based on the following types:

      • All Assets: If you select this option, all assets are scanned.

      • By Asset: If you select this option, you can select the servers that you want to scan.

      • By Group: If you select this option, you can select asset groups. Then, Security Center scans all assets in the asset groups. If new assets are added to the asset groups, the assets are automatically scanned by Security Center.

      • By VPC: If you select this option, you can select virtual private cloud (VPCs). Then, Security Center scans all assets that reside in the VPCs. If new assets are added to the VPCs, the assets are automatically scanned by Security Center.

    3. Click OK.

      Security Center automatically scans the specified assets based on the configurations.

  5. Optional. On the Virus Detection and Removal page, click Task Management in the upper-right corner to view the status and progress of the scan task.