This document explains how to use the defense against brute-force attacks feature to protect your hosts.
How it works
You can enable defense against brute-force attacks by creating a protection policy. After you create a policy, if the number of failed login attempts from an IP address exceeds the specified limit within a set time frame, the policy triggers. The policy then automatically generates an IP blocking rule, which appears on the System Rules tab. This rule blocks the IP address from logging in to the server for a specified period. This rule is automatically enabled upon creation and remains active for the duration specified in the policy.
Create a protection policy
You can create a protection policy to define the specific conditions that trigger a defense action. You can configure multiple policies and apply different ones to different servers based on their use cases.
If you need to add an IP address to an allowlist for brute-force attack protection, click Approved Logon IP and add the IP address. Protection policies do not apply to approved logon IP addresses.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
- On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.
- If you have not authorized Security Center to access your cloud resources, click Authorize Now. For more information about authorization, see Service-linked role for Security Center.
- Click Create Policy. In the Create Policy panel, configure the protection policy.
  Security Center provides a default protection policy: if more than 80 failed login attempts are detected on a single server within 10 minutes, the source IP address is blocked for 6 hours. You can apply this default policy directly by selecting the target servers. You can also create a custom policy by configuring the following parameters.
  Policy Name: Enter a name for the protection policy.
  Defense Rule: Specify the conditions that trigger the policy. If the number of failed login attempts exceeds the threshold within the specified time window, the source IP address is blocked for the specified period. For example: if there are more than 3 failed login attempts within 1 minute, block the IP address for 30 minutes.
  Protection Scenario:
    - Required protection: RDP Brute-force Attack and SSH Brute-force Attack. You cannot deselect these options.
    - Optional protection: SQL Server Brute-force Attack. This option helps secure your database and protect sensitive data.
      Important: For this protection scenario to take effect, you must enable the login auditing option in SQL Server. For more information, see Enable login auditing for SQL Server.
  Set as Default Policy: Sets this policy as the default, which automatically applies it to all servers that do not have another protection policy.
    Note: If you select Set as Default Policy, the policy applies to all servers without a specific policy, regardless of whether you select any servers in the Select Server(s) section.
  Select Server(s): Select the servers to which this policy applies. You can select servers protected by Security Center or filter servers by name or IP address.
- Click OK.
  Important: Each server can have only one protection policy against brute-force attacks.
  - If a server selected for this policy does not have an existing policy, the new policy is applied successfully.
  - If a selected server already has a policy and you want to replace it with the new one, click OK in the Confirm Changes dialog box.
  - If you apply a new policy to a server that was covered by a previous policy, the number of servers protected by the previous policy decreases.
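The detection logic a defense rule describes, as an added example that is not part of this page or of Security Center's own code: a sliding-window counter turns failed logins from one source IP into an IP blocking rule with an expiration time, skips Approved Logon IPs, and stops counting while a rule for that IP is still active. It uses the Defense Rule example above (more than 3 failures in 1 minute, block for 30 minutes) over constructed sshd and SQL Server login-failure lines; the log formats, the 203.0.113.5 address, and the window_min/block_min parameters (minutes) are assumptions, not page content.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log (not from the page): sshd and SQL Server login failures.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for invalid user admin from 203.0.113.5 port 4444 ssh2
2024-05-01T10:00:12 sshd: Failed password for root from 203.0.113.5 port 4445 ssh2
2024-05-01T10:00:31 sqlserver: Login failed for user 'sa'. Reason: Password did not match. [CLIENT: 203.0.113.5]
2024-05-01T10:00:45 sshd: Failed password for root from 203.0.113.5 port 4446 ssh2
"""
SSH_RE = re.compile(r"^(\S+) sshd: Failed password .* from (\S+) port \d+")
SQL_RE = re.compile(r"^(\S+) sqlserver: Login failed .*\[CLIENT: ([^\]]+)\]")

def parse_failures(text):
    """Yield (timestamp, source_ip) for each failed-login line we recognise."""
    for line in text.splitlines():
        m = SSH_RE.match(line) or SQL_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2)

class BruteForcePolicy:
    """More than max_failures from one IP within window_min minutes generates an
    IP blocking rule (the page's system rule) that stays active for block_min."""
    def __init__(self, max_failures, window_min, block_min, approved_ips=()):
        self.max_failures = max_failures
        self.window, self.block_for = timedelta(minutes=window_min), timedelta(minutes=block_min)
        self.approved = set(approved_ips)   # Approved Logon IPs: the policy never applies
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocks = {}                    # ip -> expiration time of its blocking rule

    def is_blocked(self, ip, now):
        return ip in self.blocks and self.blocks[ip] > now

    def observe(self, ts, ip):
        """Record one failed login; return (ip, expiry) when a rule is generated."""
        if ip in self.approved or self.is_blocked(ip, ts):
            return None
        self.blocks.pop(ip, None)            # a rule past its expiry no longer applies
        recent = self.failures[ip]
        recent.append(ts)
        while ts - recent[0] > self.window:  # keep only failures inside the window
            recent.popleft()
        if len(recent) > self.max_failures:
            recent.clear()
            self.blocks[ip] = ts + self.block_for
            return ip, self.blocks[ip]
        return None

def run_policy(text, policy):
    return [r for r in (policy.observe(ts, ip) for ts, ip in parse_failures(text)) if r]
```

With the page's default policy (80 failures in 10 minutes, 6-hour block) the same log generates no rule, which is why a tighter custom rule is the usual choice for exposed SSH and RDP hosts.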
Manage system rules
A system rule is an IP blocking rule automatically generated when a protection policy triggers. The following steps describe how to view, enable, and disable system rules.
- Log on to the Security Center console. In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
- On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.
- On the System Rules subtab, perform operations as needed.
  - View system rules
    You can view the blocked IP, port, effective servers, policy name, block mechanism, expiration time, and status of each rule. Security Center automatically selects the appropriate block mechanism based on the client installation status:
    - Security Center: Preferentially uses the Security Center agent to block login attempts. This mechanism is used automatically if you have the Advanced, Enterprise, or Ultimate edition of Security Center and the Malicious Network Behavior Prevention switch is enabled. For information about how to enable the Malicious Network Behavior Prevention switch, see Proactive Defense.
    - ECS Security Group: When this blocking rule is enabled, a corresponding rule is automatically created in the security group. The rule is automatically deleted when it expires or is disabled.
  - Enable a system rule
    To continue blocking an IP address, turn on the switch in the Status column to enable the rule. Re-enabling the rule extends its validity period to two hours from the time you re-enable it.
  - Disable a system rule
    If you confirm that a blocked login attempt was a false positive, you can disable the IP blocking rule to allow access. Turn off the switch in the Status column to disable the rule. The IP address can access the server again approximately one minute after the rule is disabled.
Manage custom rules
You can create custom IP blocking rules to block malicious IP addresses from accessing your cloud assets based on your business needs.
- Log on to the Security Center console.
- In the left-side navigation pane, choose . In the upper-left corner of the console, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
- On the Host-specific Rule Management page, click the Defense Against Brute-force Attacks tab.
- On the Custom Rules subtab, perform operations as needed.
  - Create a custom IP blocking rule
    - If you have not authorized Security Center to access your cloud resources, click Authorize Now. For more information about authorization, see Service-linked role for Security Center.
    - Click Create Rule. In the Create IP Address Blocking Policy panel, configure the following parameters and click OK.
      Intercepted Object: Enter the IP address to block.
      All Assets: Select the servers to which the IP blocking rule applies. You can select multiple servers. You can also search for a specific server by its name or IP address.
      Rule Direction: Set the direction of traffic to block. You can select Inbound or Outbound.
      Security Group: Specifies the security group for the IP blocking rule. The default is Security Center Blocking Policy Group. When the rule is enabled, a corresponding rule is automatically created in this security group. The rule is automatically deleted when it expires or is disabled.
      Expiration Time: Set the validity period for the rule. After the rule expires, its status changes to Disabled.
      After a custom IP blocking rule is created, its default status is Disabled. You must manually enable the rule for it to take effect.
  - View the list and details of custom IP blocking rules
    On the Custom Rules subtab, you can view the blocked IP, number of effective servers, expiration time, rule direction, and status for each rule. You can click Details in the Actions column of a rule to view the list of effective servers. You can also filter the server list by status, such as Disabled, Enabled, Enabling, or Enabling failed.
  - Edit a custom IP blocking rule
    Locate the rule you want to edit and click Edit in the Actions column. In the Edit IP Address Blocking Policy panel, you can modify the effective assets and expiration time. Security Center then applies the changes to the IP blocking rule.
    You can only edit IP blocking rules that are in the Disabled status. To edit an enabled rule, you must first disable it.
  - Enable or disable an IP blocking rule
    You can enable IP blocking rules for IP addresses that pose a risk of brute-force attacks. If you confirm that a rule is blocking legitimate traffic, you can disable it. After a rule is disabled, Security Center no longer blocks access from the specified IP address to your server.
    - Enable: Turn on the Status switch, and then click OK in the Enable IP Address Blocking Policy dialog box. The rule takes effect and its status changes to Enabling. The more servers the rule applies to, the longer the Enabling status persists. After the rule is enabled, Security Center blocks malicious traffic as defined in the rule. The following are some of the possible statuses after enabling a rule:
      - Enable Rule: The blocking rule failed to enable on all of its effective servers.
      - Partially Successful: The blocking rule was successfully enabled on some, but not all, of its effective servers.
      You can click Details in the Actions column of a rule to view the details of its effective servers. In the Effective Server panel, you can click Retry in the Actions column for a server with an Enabling failed status to retry enabling the rule.
      Note: If you enable an expired custom IP blocking rule, its validity period is extended to two hours from the time you re-enable it. If you need to modify the validity period, edit the rule before enabling it.
    - Disable: Turn off the Status switch, and then click OK in the Disable IP Address Blocking Policy dialog box. The IP blocking rule becomes inactive, its status changes to Disabled, and Security Center no longer blocks access from the IP address specified in the rule.
  - Delete a custom IP blocking rule
    You can delete rules that are in the Disabled status. Click Delete in the Actions column of the target rule, and then click OK in the confirmation dialog box.
Enable login auditing for SQL Server
To enable protection against SQL Server brute-force attacks, you must first enable login auditing in SQL Server to record both successful and failed authentication attempts. Logging this information is essential for detecting and confirming password guessing attacks. Follow these steps:
- Open SQL Server Management Studio and connect to your SQL Server instance.
- In the Object Explorer window on the left, find your SQL Server instance, right-click it, and select Properties.
- In the left-side menu of the Server Properties dialog box, click the Security page.
- In the Login auditing section of the Security page, select the Both failed and successful logins option.
- Click OK and restart your SQL Server instance for the changes to take effect.