          Cloud Compute Service

          Security

          What If I Lose My Password?

          Click "Reset Password" on the "Instance Details" page and follow the prompts to reset the password.

          Password Reset Failed. Is There Any Password Rule?

          At present, the password must be 8-16 characters long and must contain English letters, numbers and symbols at the same time. The symbols are limited to !, @, #, $, %, ^, *, ( and ).

          Why Can't I Reset the Password for My BCC?

          For security reasons, the password rule is strict when you reset the password on the Overview page. The password must:

          • Be 8-16 characters long.
          • Contain English letters, numbers and symbols at the same time.
          • Use only the symbols !, @, #, $, %, ^, *, ( and ).

          Check whether the new password you specify conforms to this rule. Note: Only the special symbols listed in the rule can be used.
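
          The password rule stated in this answer and the previous one can be checked locally before a reset is submitted. This is an added example, not Baidu AI Cloud code: the function name check_bcc_password is hypothetical, the symbol set is the one listed on this page, and treating every character other than ASCII letters, digits and those symbols as disallowed is an assumption.

```python
import string

# Policy as stated on this page: 8-16 characters; English letters, digits and
# symbols must all be present; symbols limited to ! @ # $ % ^ * ( )
ALLOWED_SYMBOLS = set("!@#$%^*()")
MIN_LEN, MAX_LEN = 8, 16


def check_bcc_password(candidate):
    """Return a list of rule violations; an empty list means the candidate conforms."""
    problems = []
    if not MIN_LEN <= len(candidate) <= MAX_LEN:
        problems.append(f"length {len(candidate)} is outside {MIN_LEN}-{MAX_LEN}")
    if not any(c in string.ascii_letters for c in candidate):
        problems.append("no English letter")
    if not any(c in string.digits for c in candidate):
        problems.append("no digit")
    if not any(c in ALLOWED_SYMBOLS for c in candidate):
        problems.append("no symbol from the allowed set")
    # Assumption: anything that is not an ASCII letter, a digit or a listed
    # symbol is rejected, including spaces, '&', '_' and non-ASCII letters.
    legal = set(string.ascii_letters + string.digits) | ALLOWED_SYMBOLS
    illegal = sorted({c for c in candidate if c not in legal})
    if illegal:
        problems.append("characters not allowed: " + " ".join(repr(c) for c in illegal))
    return problems


if __name__ == "__main__":
    # Constructed sample values for illustration only; do not reuse them.
    for sample in ("Cloud#2024x", "Cloud&2024x", "Ab1!", "abcdefgh1"):
        found = check_bcc_password(sample)
        print(f"{sample!r}: " + ("conforms" if not found else "; ".join(found)))
```

          A candidate that passes here can still be rejected by the console if the service applies checks that this page does not list.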

          Does the New Password Take Effect After I Reset the Password for a Windows Virtual Machine?

          Password reset on a Windows virtual machine depends on the cloudinit service. The reset may fail if the cloudinit service is disabled, or if security management software installed in the virtual machine restricts the operation of the cloudinit service.

          To ensure that the reset password takes effect, check whether the cloudinit service in the system can operate normally:

          1. Log in to the Windows virtual machine, and then click "Start" -> "Management Tools" -> "Service".

          2. Double-click "Cloud Initialization Service", and then click the "Start" button in the pop-up box.
          • If cloudinit starts normally, the service is working, and you can return to the BCC console to reset the password.
          • If an error is reported when cloudinit starts, the service is faulty. Go to Step 3.

          3. Switch to the "Login" tab and check the login identity of the cloudinit service to make sure that it is "Local System Account". Otherwise, the cloudinit service may not operate normally because of privilege issues.

          4. If you still fail to log in to the Windows virtual machine with the new password, submit a ticket describing the details.

          Note:

          When you install security software, manually start the cloudinit service once after the installation (see Step 2). If the security software then shows a pop-up prompt reporting that the cloudinit service is calling a system command, select "Pass". Otherwise, the cloudinit service cannot call the system command, and the service is unavailable.

          My Server Was Intruded Because of a Simple Password. What Can I Do About the Intrusion After Running Antivirus?

          You can reset the password on the Baidu AI Cloud console. After you enter the BCC Instance Details page, you can see the "Reset Password" operation.

          If the system is infected with a virus or Trojan, you can select "Reinstall Operating System" to clean up the system. Note that this may result in the loss of system disk data!

          Furthermore, it is recommended to check the program for vulnerabilities and backdoors to reduce the possibility of intrusion.

          How to regularly check the BCC resource status comprehensively?

          You can enable the "Cloud Advisor" service to obtain the test reports on security, availability, performance and cost of cloud resources regularly.
          The report contains several BCC related test items, such as BCC - hosteye security test result, BCC - low usage rate, BCC - shared image, BCC - availability zone distribution, BCC - SRD test results, BCC - installation of hosteye security agent, BCC - instance stopped, BCC - operating system version and BCC - high usage rate.
          To learn about or activate the Cloud Advisor service, go to the Cloud Advisor homepage.

          How to Add IP Login Whitelist?

          Baidu AI Cloud blocks an IP from which an incorrect password is entered many times within a short period. If you think that your IP is blocked and you want to unblock it, search for the hosteye security product on the console, select "Configuration Management" -> "Login Management Settings", and then click "Add Whitelist" to add your local public IP. This unblocks your IP.

          In general, the operation takes effect within 10 minutes. If the remote connection still fails after 10 minutes, the failure is not caused by our blocking. It is recommended that you submit a computing and network/BCC ticket, describe your problem in detail, and provide the instance ID, instance IP and remote port. Baidu AI Cloud will assign an engineer for troubleshooting.

          Is "Network Level Authentication" Required to Log In to a Windows BCC?

          Method 1: For security reasons, the remote desktop of a Windows BCC enables "Allow Remote Desktop Computer Connections Running with Network Level Authentication Only" by default.

          The local Windows server must support the "Network Level Authentication" feature. Otherwise, you cannot log in to the Windows BCC. Test it as follows:

          a. Start "Remote Desktop Connection".
          b. Right-click the window's title bar, and then click "About".
          c. Check that "Support Network Level Authentication" appears in the pop-up window.

          If "Support Network Level Authentication" does not appear, install the corresponding service pack to support this feature.

          Method 2: Disable the "Network Identity Authentication" feature. First, log in to the Windows BCC server remotely via VNC:

          a. Enter gpedit.msc in "Run" to open the local group policy settings.
          b. Disable the setting Computer Configuration -- Management Template -- Windows Component -- Remote Desktop Session Server -- Security -- Use Network Identity Authentication to Perform Identity Authentication of Users Connected Remotely.
          c. Open Computer -- Attribute -- Advanced System Setting -- Remote and select "Allow connection to the computer that runs the arbitrary version of remote desktop (lower security)".

          I Created a Security Group and Associated It with an Existing Instance, but the Instance Is Still in the Default Security Group. How to Deal with It?

          1. You can delete a security group only after all BCC instances have been disassociated from it. The "Number of Associated Instances" column of the security group list shows how many BCC instances are currently associated with the security group.
          2. A BCC can be associated with multiple security groups. For example, if security group A only allows access to port 22 and security group B allows ping, then with both A and B associated, port 22 can be accessed and the instance can be pinged. After you associate a new security group, you can manually remove any security group you no longer want on the "Security Group" page of "BCC Instance Details".

            Note: A BCC must be associated with at least one security group.

          How to Prevent DDoS and CC Attacks?

          Baidu AI Cloud offers the free BSS (Baidu Security Service) products to provide the CC and DDoS attack protection for BCC. You can set appropriate traffic cleaning threshold according to your business characteristics.

          How to Deal with IP Under DDoS Attack?

          At present, the default DDoS protection threshold for BCC is 5 Gbps in the Mainland region and 1 Gbps in the Hong Kong region. After the black hole is triggered, the IP is blocked by operators for 24 hours.
          If you require better DDoS attack protection, it is recommended that you use our advanced DDoS protection service. See Advanced DDoS Protection IP for details.

          Can Several BCCs Access Each Other Through SSH Without Password Entry?

          You can implement the mutual access of BCCs through the key pair. See Key Pair Documentation for details.

          How to Prevent Hackers from Attacking Servers and Websites?

          Server security:

          1. It is recommended that ports not required by the business be blocked in the firewall or security group and not opened to the public. See Security Group Documentation.
          2. Change the password regularly, and improve the password complexity.
          3. Install anti-virus software in the operating system.
          4. Create snapshots regularly through the automatic snapshot policy, so that the data can be rolled back promptly in case of failure. See the Automatic Snapshot Policy documentation.

          For more suggestions on security, you can search the keyword "Security Reinforcement" through Baidu to find corresponding tutorials for reference.

          How to Fix the Dirty COW Vulnerability (CVE-2016-5195) on Linux?

          The memory subsystem of the Linux kernel has a race condition in its handling of copy-on-write (COW). A malicious user can exploit this vulnerability to trick the system into modifying read-only user space code and then executing it. A local user with low privilege can exploit this vulnerability to gain write access to memory mappings that are otherwise read-only.

          • Vulnerability number: CVE-2016-5195
          • Vulnerability hazard: An attacker who has obtained a low-privilege user account through remote intrusion can exploit this vulnerability on the server to achieve local privilege escalation on all versions of the Linux system and obtain the root privilege of the server.
          • Scope of influence: This vulnerability affects all versions of the Linux system (Linux kernel >= 2.6.22):

              CentOS 6.5  32-bit/64-bit  
              CentOS 7.1  32-bit/64-bit  
              Debian 7.5  64-bit
              Debian 8.1  64-bit
              Ubuntu Server 12.04.4 LTS 32-bit/64-bit
              Ubuntu Server 14.04.1 LTS 32-bit/64-bit
          • Vulnerability fixing scheme:
          1. Download the fix-tool-allinone.tar compression package provided by Baidu AI Cloud to the server.
          2. Decompress the compression package.

            [root@linux ~]# tar xf fix-tool-allinone.tar.gz
          3. Enter the fix-tool-allinone directory.

            [root@linux ~]# cd fix-tool-allinone
            [root@linux fix-tool-allinone]# ls
            fix-tool-32-bit.tar.gz  
            fix-tool-64-bit.tar.gz  
            run.sh
          4. Run the command run.sh.

            [root@linux fix-tool-allinone]# ./run.sh
            DirtyCow check and fix needs quite some time, please be patient.
            
            pokeball
               (___)
               (o o)_____/
                @@ `     \
                 \ ____, /miltank
                 //    //
                ^^    ^^
            mmap 7f804ec7f000
            
            madvise 0
            
            ptrace 0
            
            Your kernel is 3.10.0 which IS vulnerable.
            Updating linux kernel to fix DirtyCow vulnerablity!
            Please confirm whether to continue the operation or not.[y/n]

          The tool bundles the pokemon test program, which uses the DirtyCow vulnerability to modify a file that ordinary users can only read. The tool first creates an ordinary user, copies the test program and the test files it uses to that user's home directory, and then runs the pokemon program to detect the vulnerability.

          If the vulnerability is detected, the tool outputs the prompt above. If you enter 'y', it upgrades the kernel to fix the vulnerability. If you enter 'n', it exits directly.

          5. After the kernel upgrade, you need to restart the server manually. If it is inconvenient for business reasons to upgrade the kernel immediately, you can enter 'n' after the detection, and then upgrade the kernel when the server is idle.