Methods for Improving ECS Security
Scenarios
If ECSs are not protected, they may be attacked by viruses, resulting in data leakage or data loss.
You can use the methods introduced below to protect your ECSs from viruses or attacks.
Protection Types
ECS can be protected externally and internally.
Type | Description | Protection Method
---|---|---
External security | DDoS attacks, Trojan horses, and other viruses are common external security issues. To address them, you can choose services such as Host Security Service (HSS) and cloud-native anti-DDoS based on your service requirements. | Enabling HSS; Monitoring ECSs; Enabling Anti-DDoS
Internal security | Incorrectly opened ports and weak passwords may cause internal security issues. Improving internal security is the key to improving ECS security: if internal security is not improved, external security solutions cannot effectively intercept and block external attacks. | Backing Up Data Periodically; Enhancing the Login Password Strength; Improving the Port Security
Enabling HSS
Host Security Service (HSS) is designed to improve the overall security for ECSs. It helps you identify and manage the assets on your servers, eliminate risks, and defend against intrusions and web page tampering. There are also advanced protection and security operations functions available to help you easily detect and handle threats.
Before using the HSS service, install the HSS agent on your ECSs first so that your ECSs are protected by the HSS cloud protection center. You will be able to check the security statuses and risks (if any) of all ECSs in a region on the HSS console.
We provide different methods for you to install the HSS agent depending on whether your ECSs are to be created or already exist.
- An ECS is already created and HSS is not configured for it.
  For an existing ECS without HSS configured, you can manually install the Agent on it. For details, see Installing the Agent on Huawei Cloud Servers and Enabling Protection.
Monitoring ECSs
Monitoring is key for ensuring ECS performance, reliability, and availability. Using monitored data, you can determine ECS resource utilization. The cloud platform provides Cloud Eye to help you obtain the running statuses of your ECSs. You can use Cloud Eye to automatically monitor ECSs in real time and manage alarms and notifications to keep track of ECS performance metrics.
- Basic monitoring
Basic monitoring does not require the agent to be installed and automatically reports ECS metrics to Cloud Eye. Basic monitoring for KVM ECSs is performed every 5 minutes.
- OS monitoring
OS monitoring requires the Agent to be installed on the ECS and provides system-wide, active, and fine-grained monitoring. OS monitoring for KVM ECSs is performed every minute.
To enable OS monitoring when purchasing an ECS:
Select Enable Detailed Monitoring when purchasing an ECS. After this option is selected, the cloud platform automatically installs the agent required for OS monitoring.
Currently, you can enable OS monitoring only when you purchase ECSs running specific OSs in specific regions.
To enable OS monitoring for a created ECS:
If Enable Detailed Monitoring was not selected when the ECS was created, you need to install the Agent manually.
For instructions about how to install and configure the Agent, see Agent Installation and Configuration.
- Process monitoring
Process monitoring monitors the active processes on an ECS and requires the Agent to be installed on the ECSs to be monitored. Processes on KVM ECSs are monitored at an interval of 1 minute.
After server monitoring is enabled, you can set ECS alarm rules to customize the monitored objects and notification policies and learn about the ECS running status at any time.
Enabling Anti-DDoS
To defend against DDoS attacks, Huawei Cloud provides multiple security solutions. You can select an appropriate one based on your service requirements. Anti-DDoS Service on Huawei Cloud provides three sub-services: Cloud Native Anti-DDoS (CNAD) Basic (also known as Anti-DDoS), CNAD Pro, and Advanced Anti-DDoS (AAD).
Anti-DDoS is free while CNAD Pro and AAD are paid services.
For details about CNAD Pro and AAD, see What Is Anti-DDoS?
If you choose to purchase an EIP when purchasing an ECS, the console will display a message indicating that you have enabled free-of-charge Anti-DDoS protection.
Anti-DDoS defends ECSs against DDoS attacks and sends alarms immediately when detecting an attack. In addition, Anti-DDoS improves the bandwidth utilization to further safeguard user services.
Anti-DDoS monitors the service traffic from the Internet to public IP addresses and detects attack traffic in real time. It then scrubs attack traffic based on user-configured defense policies without service interruptions. It also generates monitoring reports that provide visibility into the security of network traffic.
Backing Up Data Periodically
Data backup stores all or part of your data separately, in one of several ways, so that it can be restored after data loss. The following uses Cloud Backup and Recovery (CBR) as an example. For more backup methods, see Overview.
CBR enables you to back up ECSs and disks with ease. In case of a virus attack, accidental deletion, or software or hardware fault, you can restore data to any point in the past when the data was backed up. CBR protects your services by ensuring the security and consistency of your data.
You can use either cloud server backup or cloud disk backup to back up your ECS data.
- Cloud server backup (recommended): Use this method if you want to back up the data of all EVS disks (system and data disks) attached to an ECS. Because all disks are backed up together, it prevents the data inconsistency that would result from backing up each disk at a different time.
- Cloud disk backup: Use this method if you want to back up the data of one or more EVS disks (system or data disks) attached to an ECS. This reduces backup costs while still protecting your data.
Enhancing the Login Password Strength
Key pair authentication is recommended because it is more secure than password-based authentication.
If you select Password as the login mode, ensure that the password meets the complexity requirements to resist password-guessing attacks. For details, see Application Scenarios for Using Passwords.
The system does not periodically change the ECS password. It is recommended that you change your password regularly for security.
The password must conform to the following rules:
- The password must consist of at least 10 characters.
- Do not use easily guessed passwords (for example, passwords in common rainbow tables or passwords with adjacent keyboard characters). The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
- Do not include accounts in passwords, such as administrator, test, root, oracle, and mysql.
- Change the password at least every 90 days.
- Do not reuse the latest five passwords.
- Set different passwords for different applications. Do not use the same password for multiple applications.
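The rules above can be enforced mechanically before a password is accepted. The following checker is an added example written for this page, not code from Huawei Cloud or its console; it implements the page's stated rules (10 characters, three of four character types, no account names, no adjacent keyboard characters, no reuse of the last five passwords). The keyboard rows used for the adjacency check and the use of ASCII punctuation as "special characters" are assumptions.

```python
import string
from typing import Sequence

# Rules as stated on this page; the numbers are the page's own.
MIN_LENGTH = 10
MIN_CHAR_TYPES = 3
FORBIDDEN_ACCOUNT_NAMES = ("administrator", "test", "root", "oracle", "mysql")
PASSWORD_HISTORY_DEPTH = 5

# Assumption: "adjacent keyboard characters" is checked against these US-layout rows.
_KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _has_keyboard_run(password: str, run_len: int = 4) -> bool:
    """True if run_len consecutive keys from one keyboard row appear (either direction)."""
    lowered = password.lower()
    for row in _KEYBOARD_ROWS:
        for start in range(len(row) - run_len + 1):
            segment = row[start:start + run_len]
            if segment in lowered or segment[::-1] in lowered:
                return True
    return False


def _char_type_count(password: str) -> int:
    """Count how many of the four character types the password uses.
    Assumption: 'special characters' means ASCII punctuation."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def check_password(password: str, previous: Sequence[str] = ()) -> list:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _char_type_count(password) < MIN_CHAR_TYPES:
        problems.append(f"fewer than {MIN_CHAR_TYPES} character types")
    lowered = password.lower()
    for name in FORBIDDEN_ACCOUNT_NAMES:
        if name in lowered:
            problems.append(f"contains account name '{name}'")
    if _has_keyboard_run(password):
        problems.append("contains adjacent keyboard characters")
    if password in list(previous)[-PASSWORD_HISTORY_DEPTH:]:
        problems.append(f"reuses one of the last {PASSWORD_HISTORY_DEPTH} passwords")
    return problems
```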
Improving the Port Security
You can use security groups to protect the network security of your ECSs. A security group controls inbound and outbound traffic for your ECSs. Inbound traffic originates from the outside to the ECS, while outbound traffic originates from the ECS to the outside.
You can configure security group rules to grant access to or from specific ports. You are advised to disable high-risk ports and only enable necessary ports.
Table 2 lists common high-risk ports. You are advised to change these ports to non-high-risk ports. For details, see Common Ports Used by ECSs.
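A quick way to apply the advice above is to audit a security group's rules for inbound entries that open a high-risk port to the whole Internet. The following audit is an added example for this page, not Huawei Cloud code and not its SDK; the rule records and the stand-in list of high-risk ports are constructed (Table 2 is not reproduced here), so substitute the ports from that table and your own exported rules.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumption: the page's Table 2 of high-risk ports is not reproduced here, so this
# constructed set stands in for it; replace it with the ports from that table.
HIGH_RISK_PORTS = {21, 22, 23, 135, 139, 445, 1433, 3306, 3389, 6379}


@dataclass(frozen=True)
class SgRule:
    """One security group rule, in the inbound/outbound terms the page uses."""
    direction: str    # "inbound" or "outbound"
    protocol: str     # "tcp", "udp" or "any"
    port_from: int
    port_to: int
    remote_cidr: str  # source range for inbound rules, destination range for outbound


def is_unrestricted(cidr: str) -> bool:
    """True when the remote range is the whole Internet (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_rules(rules):
    """Return (rule, exposed_ports) for each inbound rule that opens a high-risk
    port to any address; exposed ports are sorted for stable output."""
    findings = []
    for rule in rules:
        if rule.direction != "inbound" or not is_unrestricted(rule.remote_cidr):
            continue
        exposed = sorted(p for p in HIGH_RISK_PORTS if rule.port_from <= p <= rule.port_to)
        if exposed:
            findings.append((rule, exposed))
    return findings


def exposed_high_risk_ports(rules):
    """Union of high-risk ports the whole rule set exposes to the Internet."""
    return sorted({p for _, exposed in audit_rules(rules) for p in exposed})


# Constructed sample rules; not taken from any real security group.
SAMPLE_RULES = [
    SgRule("inbound", "tcp", 443, 443, "0.0.0.0/0"),     # only HTTPS exposed: acceptable
    SgRule("inbound", "tcp", 22, 22, "203.0.113.0/24"),   # SSH limited to an admin range: acceptable
    SgRule("inbound", "tcp", 3389, 3389, "0.0.0.0/0"),    # RDP open to the Internet: finding
    SgRule("inbound", "tcp", 1, 65535, "0.0.0.0/0"),      # all ports open: finding
    SgRule("outbound", "any", 1, 65535, "0.0.0.0/0"),     # outbound rules are not checked here
]

if __name__ == "__main__":
    for rule, ports in audit_rules(SAMPLE_RULES):
        print(f"{rule.protocol}/{rule.port_from}-{rule.port_to} from {rule.remote_cidr}: exposes {ports}")
```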