Updated on 2024-01-11 GMT+08:00

Methods for Improving ECS Security

Scenarios

If ECSs are not protected, they may be attacked by viruses, resulting in data leakage or data loss.

You can use the methods introduced below to protect your ECSs from viruses or attacks.

Protection Types

ECSs can be protected both externally and internally.

Table 1 Methods for improving ECS security

| Type | Description | Protection Method |
|---|---|---|
| External security | Trojan horses or other viruses are common external security issues. To address these issues, you can choose services such as Host Security Service (HSS) based on your service requirements: | |
| Internal security | Weak passwords and incorrectly opened ports may cause internal security issues. Improving internal security is the key to improving ECS security. If internal security is not improved, external security solutions cannot effectively intercept and block external attacks. | |

Enabling HSS

HSS is designed to improve the overall security for ECSs. It helps you identify and manage the information on your ECSs, eliminate risks, and defend against intrusions and web page tampering.

Before using HSS, install the HSS agent on your ECSs. You can then check the security status and risks of the ECSs in a region on the HSS console.

For details, see Installing an Agent on the Linux OS and Enabling the Basic/Enterprise/Premium Edition.

Monitoring ECSs

Monitoring is key for ensuring ECS performance, reliability, and availability. Using monitored data, you can determine ECS resource utilization. The cloud platform provides Cloud Eye to help you obtain the running statuses of your ECSs. You can use Cloud Eye to automatically monitor ECSs in real time and manage alarms and notifications to keep track of ECS performance metrics.

Server monitoring includes basic monitoring, OS monitoring, and process monitoring for servers.
  • Basic monitoring

    Basic monitoring does not require the agent to be installed and automatically reports ECS metrics to Cloud Eye. Basic monitoring for KVM ECSs is performed every 5 minutes.

  • OS monitoring

    By installing the Agent on an ECS, OS monitoring provides system-wide, active, and fine-grained monitoring. OS monitoring for KVM ECSs is performed every minute.

    To enable OS monitoring for a created ECS:

    You need to manually install the agent.

  • Process monitoring

    Process monitoring tracks the active processes on ECSs and requires the Agent to be installed on each ECS to be monitored. Processes are monitored at an interval of 1 minute (for KVM ECSs).

After server monitoring is enabled, you can set ECS alarm rules to customize the monitored objects and notification policies and learn about the ECS running status at any time.

Backing Up Data Periodically

Data backup is a process of storing all or part of data in different ways to prevent data loss. The following uses Cloud Backup and Recovery (CBR) as an example. For more backup methods, see Overview.

CBR enables you to back up ECSs and disks with ease. In case of a virus attack, accidental deletion, or software or hardware fault, you can restore data to any point in the past when the data was backed up. CBR protects your services by ensuring the security and consistency of your data.

To enable CBR when purchasing an ECS:

Set CBR when purchasing an ECS. The system will associate the ECS with a cloud backup vault and the selected backup policy to periodically back up the ECS.

  • Auto assign
    1. Set the name of the cloud backup vault, which is a character string consisting of 1 to 64 characters, including letters, digits, underscores (_), and hyphens (-). For example, vault-f61e. The default naming rule is vault_xxxx.
    2. Enter the vault capacity, which is required for backing up the ECS. The vault capacity cannot be smaller than that of the ECS to be backed up. The value ranges from the total capacity of the ECS to 10,485,760 GB.
    3. Select a backup policy from the drop-down list, or log in to the CBR console and configure a desired one.
  • Use existing
    1. Select an existing cloud backup vault from the drop-down list.
    2. Select a backup policy from the drop-down list, or log in to the CBR console and configure a desired one.
  • Do not use: Skip the CBR setting. If you require this function after purchasing the ECS, log in to the CBR console and bind the desired cloud backup vault to your ECS.
    Figure 1 Setting CBR

To back up data for a created ECS:

You can use the cloud server backup and cloud disk backup to back up your ECS data.

  • Cloud server backup (recommended): Use this backup method if you want to back up the data of all EVS disks (system and data disks) attached to an ECS. This prevents data inconsistency caused by the time difference in creating a backup.
  • Cloud disk backup: Use this backup method if you want to back up the data of one or more EVS disks (system or data disk) attached to an ECS. This minimizes backup costs while still ensuring data security.

Improving the Port Security

You can use security groups to protect the network security of your ECSs. A security group controls inbound and outbound traffic for your ECSs. Inbound traffic originates from the outside to the ECS, while outbound traffic originates from the ECS to the outside.

You can configure security group rules to allow access to or from specific ports. You are advised to disable high-risk ports and enable only the ports that are necessary.

Table 2 lists common high-risk ports. You are advised to change these ports to non-high-risk ports.

Table 2 Common high-risk ports

| Protocol | Port |
|---|---|
| TCP | 42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127, 3128, 3129, 3130, 4444, 4789, 5554, 5800, 5900, and 9996 |
| UDP | 135 to 139, 1026, 1027, 1028, 1068, 1433, 1434, 4789, 5554, and 9996 |
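
The following check is an added example, not part of the original guide or of any platform tooling. It flags inbound security group rules that open a port listed in Table 2 and reports rules reachable from any address first. The rule field names (direction, protocol, port_range_min, port_range_max, remote_ip_prefix, remote_group_id) and the sample rules are assumptions made for the illustration.

```python
import ipaddress

# High-risk ports copied from Table 2 of this page.
HIGH_RISK = {
    "tcp": {42, 135, 137, 138, 139, 444, 445, 593, 1025, 1068, 1434, 3127, 3128,
            3129, 3130, 4444, 4789, 5554, 5800, 5900, 9996},
    "udp": set(range(135, 140)) | {1026, 1027, 1028, 1068, 1433, 1434, 4789, 5554, 9996},
}

def exposed_ports(rule):
    """Return the sorted high-risk ports that an inbound rule opens."""
    if rule.get("direction") != "ingress":
        return []
    proto = rule.get("protocol")  # None is treated as "all protocols"
    protos = list(HIGH_RISK) if proto is None else [p for p in HIGH_RISK if p == proto]
    lo, hi = rule.get("port_range_min"), rule.get("port_range_max")
    if lo is None or hi is None:  # no range given: every port is open
        lo, hi = 1, 65535
    return sorted({port for p in protos for port in HIGH_RISK[p] if lo <= port <= hi})

def is_public(rule):
    """True when the rule's source is the whole IPv4 or IPv6 address space."""
    if rule.get("remote_group_id"):  # source limited to members of a group
        return False
    prefix = rule.get("remote_ip_prefix")
    return prefix is None or ipaddress.ip_network(prefix, strict=False).prefixlen == 0

def audit(rules):
    """Return one finding per rule that opens a Table 2 port, public ones first."""
    findings = [{"id": r["id"], "ports": exposed_ports(r), "public": is_public(r)}
                for r in rules if exposed_ports(r)]
    return sorted(findings, key=lambda f: not f["public"])

# Constructed sample rules (not taken from a real account).
SAMPLE_RULES = [
    {"id": "rule-1", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 22, "port_range_max": 22, "remote_ip_prefix": "203.0.113.0/24"},
    {"id": "rule-2", "direction": "ingress", "protocol": "tcp",
     "port_range_min": 1, "port_range_max": 65535, "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "rule-3", "direction": "ingress", "protocol": "udp",
     "port_range_min": 137, "port_range_max": 138, "remote_ip_prefix": "10.0.0.0/8"},
    {"id": "rule-4", "direction": "egress", "protocol": "tcp",
     "port_range_min": 445, "port_range_max": 445, "remote_ip_prefix": "0.0.0.0/0"},
    {"id": "rule-5", "direction": "ingress", "protocol": None,
     "port_range_min": None, "port_range_max": None, "remote_group_id": "sg-self"},
]

if __name__ == "__main__":
    print(*audit(SAMPLE_RULES), sep="\n")
```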

Periodically Upgrading the Operating System

After ECSs are created, you need to maintain and periodically upgrade the operating system.