Updated on 2024-04-18 GMT+08:00

Methods for Improving ECS Security

Scenarios

If ECSs are not protected, they may be attacked by viruses, resulting in data leakage or data loss.

You can use the methods introduced below to protect your ECSs from viruses or attacks.

Protection Types

ECS can be protected externally and internally.

Table 1 Methods for improving ECS security

  Type              | Description | Protection Method
  External security | DDoS attacks and Trojan horses or other viruses are common external security issues. To address these issues, you can choose services such as Host Security Service (HSS) based on your service requirements: |
  Internal security | Weak passwords and incorrectly opened ports may cause internal security issues. Improving internal security is the key to improving ECS security: if internal security is not improved, external security solutions cannot effectively intercept and block external attacks. |

Enabling HSS

HSS is designed to improve the overall security for ECSs. It helps you identify and manage the information on your ECSs, eliminate risks, and defend against intrusions and web page tampering.

Before using the HSS service, install the HSS agent on your ECSs first so that your ECSs are protected by the HSS cloud protection center. You will be able to check the security statuses and risks (if any) of all ECSs in a region on the HSS console.

We provide different methods for you to install the HSS agent depending on whether your ECSs are to be created or already exist.

  • Scenario 1: An ECS is to be created.

    When you use certain public images to create ECSs, you are advised to use HSS to protect your ECSs.

    Select one of the following options:
    • HSS basic edition (free): provides HSS basic edition (1-month free trial), account cracking protection, weak password detection, and malicious program detection.

      After the free trial period expires, the HSS basic edition quotas will be automatically released, and HSS will not protect your servers.

      If you want to retain or upgrade HSS security capabilities, you are advised to purchase HSS. For details, see Editions and Features.

      This option is selected by default.

    • Advanced HSS edition (paid): provides HSS enterprise edition, vulnerability patches, virus scan and removal, and graded protection.
    • None: Do not use security protection.

    After you enable HSS, the system automatically installs the HSS agent, enables account cracking prevention, and offers host security functions.

    HSS provides basic, enterprise, premium, and WTP editions. For details, see Edition Details.

    If the basic or enterprise edition does not meet service requirements, you can purchase an HSS quota (see Purchasing an HSS Quota) and switch the edition on the HSS console to obtain advanced protection without reinstalling the agent.

    Figure 1 Enabling HSS
  • Scenario 2: An ECS is already created and HSS is not configured for it.

    For an existing ECS without HSS configured, you can manually install an Agent on it.

    For details, see Installing an Agent on the Linux OS and Enabling Protection.

Monitoring ECSs

Monitoring is key for ensuring ECS performance, reliability, and availability. Using monitored data, you can determine ECS resource utilization. The cloud platform provides Cloud Eye to help you obtain the running statuses of your ECSs. You can use Cloud Eye to automatically monitor ECSs in real time and manage alarms and notifications to keep track of ECS performance metrics.

Server monitoring includes basic monitoring, OS monitoring, and process monitoring.
  • Basic monitoring

    Basic monitoring does not require the agent to be installed and automatically reports ECS metrics to Cloud Eye. Basic monitoring for KVM ECSs is performed every 5 minutes.

  • OS monitoring

    By installing the Agent on an ECS, OS monitoring provides system-wide, active, and fine-grained monitoring. OS monitoring for KVM ECSs is performed every minute.

    To enable OS monitoring when purchasing an ECS:

    Select Enable Detailed Monitoring when purchasing an ECS. After this option is selected, the cloud platform automatically installs the agent required for OS monitoring.

    Currently, you can enable OS monitoring only when you purchase ECSs running specific OSs in specific regions.

    Figure 2 Enabling OS monitoring when purchasing an ECS

    To enable OS monitoring for a created ECS:

    You need to manually install the agent if Enable Detailed Monitoring is not selected during the creation.

    For instructions about how to install and configure the Agent, see Agent Installation and Configuration.

  • Process monitoring

    Process monitoring tracks the active processes on ECSs and requires the Agent to be installed on the ECSs to be monitored. Processes are monitored at an interval of 1 minute (for KVM ECSs).

After server monitoring is enabled, you can set ECS alarm rules to customize the monitored objects and notification policies and learn about the ECS running status at any time.

On the ECS console, click to view monitoring metrics.

Figure 3 Viewing ECS metrics

Enabling Anti-DDoS

To defend against DDoS attacks, Huawei Cloud provides multiple security solutions. You can select an appropriate one based on your service requirements. Anti-DDoS Service on Huawei Cloud provides three sub-services: Cloud Native Anti-DDoS (CNAD) Basic (also known as Anti-DDoS), CNAD Pro, and Advanced Anti-DDoS (AAD).

Anti-DDoS is free while CNAD Pro and AAD are paid services.

For details about CNAD Pro and AAD, see What Is Anti-DDoS?

If you choose to purchase an EIP when purchasing an ECS, the console will display a message indicating that you have enabled free-of-charge Anti-DDoS protection.

Figure 4 Enabling anti-DDoS protection

Anti-DDoS defends ECSs against DDoS attacks and sends alarms immediately when detecting an attack. In addition, Anti-DDoS improves the bandwidth utilization to further safeguard user services.

Anti-DDoS monitors the service traffic from the Internet to public IP addresses and detects attack traffic in real time. It then scrubs attack traffic based on user-configured defense policies without interrupting service running. It also generates monitoring reports that provide visibility into the security of network traffic.

Backing Up Data Periodically

Data backup is a process of storing all or part of data in different ways to prevent data loss. The following uses Cloud Backup and Recovery (CBR) as an example. For more backup methods, see Overview.

CBR enables you to back up ECSs and disks with ease. In case of a virus attack, accidental deletion, or software or hardware fault, you can restore data to any point in the past when the data was backed up. CBR protects your services by ensuring the security and consistency of your data.

To enable CBR when purchasing an ECS:

Set CBR when purchasing an ECS. The system will associate the ECS with a cloud backup vault and the selected backup policy to periodically back up the ECS.

  • Auto assign
    1. Set the name of the cloud backup vault, which is a character string consisting of 1 to 64 characters, including letters, digits, underscores (_), and hyphens (-). For example, vault-f61e. The default naming rule is vault_xxxx.
    2. Enter the vault capacity, which is required for backing up the ECS. The vault capacity cannot be smaller than the total disk capacity of the ECS to be backed up. Its value ranges from the total capacity of the ECS to 10,485,760 GB.
    3. Select a backup policy from the drop-down list, or log in to the CBR console and configure a desired one.
  • Use existing
    1. Select an existing cloud backup vault from the drop-down list.
    2. Select a backup policy from the drop-down list, or log in to the CBR console and configure a desired one.
  • Not required: Skip the CBR setting. If you require this function after purchasing the ECS, log in to the CBR console and bind the desired cloud backup vault to your ECS.
    Figure 5 Setting CBR

To back up data for a created ECS:

You can use the cloud server backup and cloud disk backup to back up your ECS data.

  • Cloud server backup (recommended): Use this backup method if you want to back up the data of all EVS disks (system and data disks) attached to an ECS. Backing up all disks together prevents the data inconsistency that arises when disks are backed up at different times.
  • Cloud disk backup: Use this backup method if you want to back up the data of one or more EVS disks (system or data disk) attached to an ECS. This minimizes backup costs while still protecting the selected data.

Enhancing the Login Password Strength

Key pair authentication is recommended because it is more secure than password-based authentication. If you select the password-based authentication, ensure that the password meets the strength requirements listed in Table 2 to prevent malicious attacks.

The system does not periodically change the ECS password. It is recommended that you change your password regularly for security.

The password must conform to the following rules:

  • The password must consist of at least 10 characters.
  • Do not use easily guessed passwords (for example, passwords in common rainbow tables or passwords with adjacent keyboard characters). The password must contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters.
  • Do not include account names in passwords, such as administrator, test, root, oracle, and mysql.
  • Change the password at least every 90 days.
  • Do not reuse the latest five passwords.
  • Set different passwords for different applications. Do not use the same password for multiple applications.

Table 2 Password complexity requirements

  Parameter: Password
  Requirement:
    • Consists of 8 to 26 characters.
    • Contains at least three of the following character types:
      • Uppercase letters
      • Lowercase letters
      • Digits
      • Special characters for Windows: $!@%-_=+[]:./,?
      • Special characters for Linux: !@%-_=+[]:./^,{}?
    • Cannot contain the username or the username spelled backwards.
    • Cannot contain more than two consecutive characters in the same sequence as they appear in the username. (This requirement applies only to Windows ECSs.)
    • Cannot start with a slash (/) for Windows ECSs.
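As an added example (not part of this document or of any Huawei Cloud tool), the following Python function checks a candidate password against the Table 2 rules before it is set on an ECS. The function and rule names, the os_type parameter, and the case-insensitive username comparison are assumptions made for this example.

```python
"""Check an ECS login password against the Table 2 complexity rules (added example)."""

# Special characters permitted per OS, as listed in Table 2.
WINDOWS_SPECIAL = set("$!@%-_=+[]:./,?")
LINUX_SPECIAL = set("!@%-_=+[]:./^,{}?")


def check_ecs_password(password, username, os_type="linux"):
    """Return the list of violated rules; an empty list means the password passes.

    os_type is "windows" or "linux" (assumed parameter name). Username comparisons
    are case-insensitive, which is an assumption of this example.
    """
    problems = []
    special = WINDOWS_SPECIAL if os_type == "windows" else LINUX_SPECIAL

    if not 8 <= len(password) <= 26:
        problems.append("length must be 8 to 26 characters")

    # At least three of: uppercase, lowercase, digits, OS-specific special characters.
    classes = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in special for c in password),
    ])
    if classes < 3:
        problems.append("needs at least three of the four character types")

    lowered, user = password.lower(), username.lower()
    if user and (user in lowered or user[::-1] in lowered):
        problems.append("contains the username or the username spelled backwards")

    if os_type == "windows":
        # No run of three or more characters taken in order from the username.
        if any(user[i:i + 3] in lowered for i in range(len(user) - 2)):
            problems.append("contains more than two consecutive characters of the username (Windows)")
        if password.startswith("/"):
            problems.append("cannot start with a slash (Windows)")

    return problems
```

Note that the bulleted list above asks for at least 10 characters while Table 2 allows 8; the function implements the Table 2 bound, so adjust the length check if you enforce the stricter value.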

Improving the Port Security

You can use security groups to protect the network security of your ECSs. A security group controls inbound and outbound traffic for your ECSs. Inbound traffic originates from the outside to the ECS, while outbound traffic originates from the ECS to the outside.

You can configure security group rules to grant access to or from specific ports. You are advised to disable high-risk ports and only enable necessary ports.

Table 3 lists common high-risk ports. You are advised to change these ports to non-high-risk ports. For details, see Common Ports Used by ECSs.

Table 3 Common high-risk ports

  Protocol | Port
  TCP      | 42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127, 3128, 3129, 3130, 4444, 4789, 5554, 5800, 5900, and 9996
  UDP      | 135 to 139, 1026, 1027, 1028, 1068, 1433, 1434, 4789, 5554, and 9996
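As an added example (not Huawei Cloud code), the following Python script audits a constructed list of inbound security group rules and reports every rule that opens a Table 3 high-risk port to any source address. The (protocol, port spec, source CIDR) tuple layout and the function names are assumptions made for this example, not the console's rule format.

```python
"""Flag inbound security group rules that open a Table 3 high-risk port to the Internet."""
# High-risk ports as listed in Table 3 (TCP and UDP).
HIGH_RISK_PORTS = {
    "tcp": {42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127, 3128,
            3129, 3130, 4444, 4789, 5554, 5800, 5900, 9996},
    "udp": set(range(135, 140)) | {1026, 1027, 1028, 1068, 1433, 1434, 4789, 5554, 9996},
}
PUBLIC_SOURCES = {"0.0.0.0/0", "::/0"}  # source CIDRs that mean "any address"


def parse_ports(spec):
    """'445' -> {445}; '130-140' -> {130..140}; 'all' -> every port 1-65535."""
    spec = spec.strip().lower()
    if spec in ("all", "1-65535"):
        return set(range(1, 65536))
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return set(range(int(lo), int(hi) + 1))
    return {int(spec)}


def exposed_high_risk(rules):
    """Return [(rule, sorted high-risk ports)] for each rule open to any source."""
    findings = []
    for rule in rules:
        proto, spec, source = rule
        if source not in PUBLIC_SOURCES:
            continue  # limited to a specific range: not an Internet exposure
        protos = ("tcp", "udp") if proto.lower() == "all" else (proto.lower(),)
        opened = parse_ports(spec)
        hits = set()
        for p in protos:
            hits |= HIGH_RISK_PORTS.get(p, set()) & opened
        if hits:
            findings.append((rule, sorted(hits)))
    return findings


# Constructed sample rules as (protocol, port spec, source CIDR); this tuple layout
# is an assumption of this example, not the console's rule format.
SAMPLE_RULES = [
    ("tcp", "22", "203.0.113.0/24"),  # SSH from a trusted range: not flagged
    ("tcp", "80", "0.0.0.0/0"),       # HTTP to everyone: not a high-risk port
    ("tcp", "445", "0.0.0.0/0"),      # SMB to everyone: flagged
    ("udp", "130-140", "0.0.0.0/0"),  # range covering UDP 135-139: flagged
    ("all", "all", "0.0.0.0/0"),      # allow-everything rule: every listed port flagged
]

if __name__ == "__main__":
    for rule, ports in exposed_high_risk(SAMPLE_RULES):
        print(rule, "exposes high-risk ports", ports)
```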

Periodically Upgrading the Operating System

After ECSs are created, you need to maintain and periodically upgrade the operating system. Officially disclosed vulnerabilities are published in Security Notices.