Best Practices of Login Security Hardening
Account and password cracking are the most commonly used ways for attackers to intrude or attack servers. Enhancing login security is the first step to protect server security and ensure that services can run properly.
Prerequisites
You have purchased an ECS and enabled protection for it.
Login Security Hardening Functions
You can configure common login locations, common login IP addresses, SSH login IP address whitelist, two-factor authentication, weak password check, and login security check to protect login security.
To ensure high login security, you are advised to configure all of these functions.
Two-factor login authentication is supported by the HSS basic edition billed in yearly/monthly mode, by the enterprise or higher edition. Login security check is supported by the HSS enterprise edition or higher. Other protection functions are available in the HSS basic edition.
Configuring Common Login Locations
After common login locations are configured, Host Security Service will generate alarms for logins to ECSs in non-common login locations. You can add multiple common login locations for each ECS.
Constraints
An account can add up to 10 common login locations.
Procedure
- Choose Installation & Configuration and click the Security Configuration tab. Click Common Login Locations and click Add Common Login Location.
Figure 2 Adding a common login location
- In the dialog box that is displayed, select a geographical location and select servers. Confirm the information and click OK.
- Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login Locations subtab.
Configuring Common Login IP Address
After you configure common login IP addresses, Host Security Service will generate alarms on the logins from other login IP addresses.
Constraint
An account can add up to 20 common login IP addresses.
Procedure
- Choose Installation & Configuration and click the Security Configuration tab. Click Common Login IP Addresses and click Add Common Login IP Address.
Figure 3 Adding a common login IP address
- In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.
- A common login IP address must be a public IP address or IP address segment.
- Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.
- Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login IP Addresses subtab.
Configuring SSH Login IP Address Whitelist
The SSH login whitelist controls SSH access to servers, preventing account cracking.
- An account can have up to 10 SSH login IP addresses in the whitelist.
- The SSH IP address whitelist does not take effect for servers running Kunpeng EulerOS (EulerOS with Arm).
- After you configure an SSH login IP address whitelist, SSH logins will be allowed only from whitelisted IP addresses.
- Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH.
If your service needs to access a server, but not necessarily via SSH, you do not need to add its IP address to the whitelist.
- Exercise caution when adding an IP address to the whitelist. This will make HSS no longer restrict access from this IP address to your servers.
- Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH.
- Choose Installation & Configuration and click the Security Configuration tab. Click SSH IP Whitelist and click Add IP Address.
Figure 4 Configuring an IP address whitelist
- In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.
- A common login IP address must be a public IP address or IP address segment.
- Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.
- Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login IP Addresses subtab.
Configuring Two-Factor Authentication
2FA requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes.
You have to choose an SMN topic for servers where 2FA is enabled. The topic specifies the recipients of login verification codes, and Host Security Service will authenticate login users accordingly.
Prerequisites
- You have created a message topic whose protocol is SMS or email.
- Server protection has been enabled.
- Linux servers require user passwords for login.
- On a Windows server, 2FA may conflict with G01 and 360 Guard (server edition). You are advised to stop them.
- If 2FA is enabled, you cannot log in to the servers running a GUI Linux.
- If you have enabled 2FA on a Linux server, you cannot log in to it through CBH.
- 2FA is supported only when the OpenSSH version of Linux is earlier than 8.
Procedure
- Choose
.
- Locate the target server and click Enable 2FA in the Operation column.
- Select multiple target servers and click Enable 2FA to enable two-factor authentication for multiple servers in batches.
- In the displayed dialog box, select a verification mode.
- SMS/Email
You need to select an SMN topic for SMS and email verification.
- The drop-down list displays only notification topics that have been confirmed.
- If there is no topic, click View to create one. For details, see Creating a Topic.
- During authentication, all the mobile numbers and email addresses specified in the topic will receive a verification SMS or email. You can delete mobile numbers and email addresses that do not need to receive verification messages.
- Verification code
Use the verification code you receive in real time for verification.
- SMS/Email
- Click OK.
- Return to the Two-Factor Authentication tab of the Installation & Configuration page. Check whether the 2FA Status of the target server changes to Enabled.
It takes about 5 minutes for the two-factor authentication function to take effect.
When you log in to a remote Windows server from another Windows server where 2FA is enabled, you need to manually add credentials on the latter. Otherwise, the login will fail.
To add credentials, choose Start > Control Panel, and click User Accounts. Click Manage your credentials and then click Add a Windows credential. Add the username and password of the remote server that you want to access.
Configuring Weak Password Detection
Weak passwords are not attributed to a certain type of vulnerabilities, but they bring no less security risks than any type of vulnerabilities.
Data and programs will become insecure if their passwords are cracked.
Host Security Service proactively detects the accounts using weak passwords and generates alarms for the accounts. You can also add a password that may have been leaked to the weak password list to prevent server accounts from using the password.
- Choose
.Figure 5 Accessing the policy group page
- Click the name of the target policy group. The policy group page is displayed.
You can determine the OS and protection version supported by the target policy based on its default Policy Group Name and Supported Version.
If you need to create a policy group, perform this step after Creating a Policy Group.
- In the policy group list, click the Weak password detection.
- The Weak Password Detection dialog box is displayed. You can modify the parameters in the Policy Settings area or retain the default values (recommended). For details about the parameters, see Table 1.
Table 1 Parameter description Parameter
Description
Scan Time
Time point when detections are performed. It can be accurate to the minute.
Random Deviation Time (s)
Random deviation time of the weak password based on Scan Time. The value range is 0 to 7200s.
Scan Days
Days in a week when weak passwords are scanned. You can select one or more days.
User-defined Weak Passwords
You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password.
Enter only one weak password per line. Up to 300 weak passwords can be added.
- Confirm the information and click OK.
- Choose Apply Policy above the server list.
, click Servers, select the target servers, and click
If you need to deploy the same policy for multiple servers at the same time, ensure that the OS and Edition of the selected servers are the same as those of the target policy.
- In the policy deployment dialog box, select the target policy group and click OK.
- After the deployment is complete, choose Security Operations > Policies. Locate the target policy, click the value in the Servers column, and check whether the servers you added are displayed.
After the deployment is complete, wait for about 1 minute and then check whether the deployment is successful.
Configuring Login Security Check
After login security is configured, you can enable login security check for the target server. HSS will effectively detect brute force attacks, automatically block brute force IP addresses, and trigger and report alarms.
Only the enterprise edition and later support login security check. For enterprise edition, the login security check is performed based on the default parameters and custom parameter configuration is not supported.
- Choose
.Figure 6 Accessing the policy group page
- Click the name of the target policy group. The policy group page is displayed.
You can determine the OS and protection version supported by the target policy based on its default Policy Group Name and Supported Version.
If you need to create a policy group, perform this step after Creating a Policy Group.
- Click Login Security Check from the policy list.
- The Login Security Check dialog box is displayed. You can modify the parameters in the Policy Settings area or retain the default values. For details about the parameters, see Table 2.
Table 2 Parameter description Parameter
Description
Lock Time (min)
This parameter is used to determine how many minutes the IP addresses that send attacks are locked. The value range is 1 to 43200. Login is not allowed in the lockout duration.
Cracking Behavior Determination Threshold (s)
This parameter is used together with Cracking Behavior Determination Threshold (Login Attempts). The value range is 5 to 3,600.
For example, if this parameter is set to 30 and Cracking Behavior Determination Threshold (Login Attempts) is set to 5, the system determines that an account is cracked when the same IP address fails to log in to the system for five times within 30 seconds.
Cracking Behavior Determination Threshold (Login Attempts)
This parameter is used together with Cracking Behavior Determination Threshold. The value range is 1 to 36,000.
Threshold for slow brute force attack (second)
This parameter is used together with Threshold for slow brute force attack (failed login attempt). The value range is 600 to 86,400s.
For example, if this parameter is set to 3600 and Threshold for slow brute force attack (failed login attempt) is set to 15, the system determines that an account is cracked when the same IP address fails to log in to the system for fifteen times within 3,600 seconds.
Threshold for slow brute-force attack (failed login attempt)
This parameter is used together with Threshold for slow brute force attack (second). The value range is 6 to 100.
Check Whether the Audit Login Is Successful
- After this function is enabled, HSS reports login success logs.
- : enabled
- : disabled
Block Non-whitelisted Attack IP Address
After this function is enabled, HSS blocks the login of brute force IP addresses (non-whitelisted IP addresses).
Report Alarm on Brute-force Attack from Whitelisted IP Address
- After this function is enabled, HSS generates alarms for brute force attacks from whitelisted IP addresses.
- : enabled
- : disabled
Whitelist
After an IP address is added to the whitelist, HSS does not block brute force attacks from the IP address in the whitelist. A maximum of 50 IP addresses or network segments can be added to the whitelist. Both IPv4 and IPv6 addresses are supported.
- After this function is enabled, HSS reports login success logs.
- Confirm the information and click OK.
- Choose Apply Policy above the server list.
, click Servers, select the target servers, and click
If you need to deploy the same policy for multiple servers at the same time, ensure that the OS and Edition of the selected servers are the same as those of the target policy.
- In the policy deployment dialog box, select the target policy group and click OK.
- After the deployment is complete, choose Security Operations > Policies. Locate the target policy, click the value in the Servers column, and check whether the servers you added are displayed.
After the deployment is complete, wait for about 1 minute and then check whether the deployment is successful.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.