Today I would like to share how I secure my Alibaba Cloud ECS instances. Recently I have been through a lot of security issues with my servers, so I am writing this post to keep a record of the security measures I have taken.
If you are an Alibaba Cloud user, have you ever noticed or used the Security Center feature in the cloud dashboard? It is free to use. Have you received any email notification about a security threat or risk on your server that needs action? The email subject is usually "Threat Detection Service Unhandled Vulnerabilities Weekly Report" or "Threat Detection Service Security Events Notification".
If you have received any email notification related to Threat Detection, I would advise you to log in to your Alibaba Cloud Console and go to the Security Center to check what has happened to your server.
The Security Center basic edition is free to use but has limited features. If your budget allows and you host business-critical, public-facing servers, I strongly recommend subscribing to the protection service. It saves you the hassle of monitoring and attack prevention.
Notice the Urgent Vulnerabilities suggestion at the top of the dashboard? Simply click it to enter the detail page, then scan all your servers to check whether any of them are prone to the suggested vulnerabilities.
After the vulnerability scan is done, go to the Alert section to check what has happened to your servers. You will find the list of all threat detections on your servers here.
If you have read my previous post about my servers being attacked and injected with crypto mining scripts called Donald and Trump, you can now see all the attack trails in the Security Center. If you have encountered a similar problem with crypto mining software injection, you may want to check out my previous post to learn how to remove them HERE.
The cron job details were also tracked successfully.
You can also trace further who actually logged in to your server and injected the script. From there, it is clear that the crypto mining scripts were not simply injected out of nowhere: someone actually obtained the correct password to access my server. The details reveal the IP address and location of the attacker.
I had another server attacked by ransomware. The server's crypto wallet and SQL Server database were encrypted. Luckily it was just a test server, so there was no impact on me.
From the Security Center, I can see that the server was accessed through a normal RDP session.
We can also see how and what the attacker did to my server: first he downloaded a ransomware script from some website, then executed some PowerShell commands to perform the encryption.
In summary, whatever the hacker did to the server cannot be undone. I do not blame the hacker; I blame myself for being careless. The root cause investigation narrowed down to password-based access to the server being used to inject the script and the ransomware. Therefore, I suspect that the strong password generator websites I usually use actually keep a copy of the generated passwords in their database.
https://strongpasswordgenerator.com/
https://passwordsgenerator.net/
I strongly suggest that all of you stop using online random password generators. Prevention is very important. Lesson learned, and I shall further strengthen the servers' security and redesign my network architecture. In my new network architecture design, all the servers are locked down. To RDP or SSH into the servers, I must first connect to a proxy server and access the other servers from there. With this setup, the proxy server becomes the only target to be attacked, so I only need to manage and monitor one server.
Also, pay close attention to the email alerts sent by the Alibaba Cloud Security Center. When illegal logon activity happens, we need to take action immediately and investigate.
I also recommend subscribing to the Security Center at least at the Advanced package. You can check out the package differences here. You can also click this LINK to get a discount on the subscription.