Creating an Agent Installation Package or Installation Commands Using a Proxy Server
Generate the agent installation command for Linux servers and the agent package for Windows servers using a proxy server.
Creating Agent Installation Commands Using a Proxy Server (Linux)
- Log in to the proxy server.
- Run the following command to access the /tmp directory:
cd /tmp
- Run the following commands in sequence to write the proxy server's IP address to private_ip.conf and check whether it is available:
echo `hostname -I` > private_ip.conf
cat private_ip.conf
Figure 1 Viewing IP addresses
NOTICE:
- Check whether the IP address in private_ip.conf is available for the proxy server. Ensure that third-party servers can connect to this IP address.
- If the IP address is not available, manually change it.
- After confirming that the IP address is available, perform the following operations in sequence to generate the installation command:
- Run the following commands in sequence to generate the installation commands:
- x86 RPM software package image:
echo -e "# for Linux x86 CentOS EulerOS OpenSUSE Fedora\n\ncurl -k -O 'https://private_ip:10180/package/agent/linux/x86/hostguard.x86_64.rpm' && echo 'MASTER_IP=private_ip:10180' > hostguard_setup_config.conf && echo 'SLAVE_IP=private_ip:10180' >> hostguard_setup_config.conf && echo 'ORG_ID=project_id' >> hostguard_setup_config.conf && rpm -ivh hostguard.x86_64.rpm && rm -f hostguard_setup_config.conf && rm -f hostguard*.rpm" > x86_rpm_install.sh
- x86 deb software package image:
echo -e "# for Linux x86 Ubuntu Debian\n\ncurl -k -O 'https://private_ip:10180/package/agent/linux/x86/hostguard.x86_64.deb' && echo 'MASTER_IP=private_ip:10180' > hostguard_setup_config.conf && echo 'SLAVE_IP=private_ip:10180' >> hostguard_setup_config.conf && echo 'ORG_ID=project_id' >> hostguard_setup_config.conf && dpkg -i hostguard.x86_64.deb && rm -f hostguard_setup_config.conf && rm -f hostguard*.deb" > x86_deb_install.sh
- Arm RPM software package image:
echo -e "# for Linux ARM CentOS EulerOS OpenSUSE Fedora UOS Kylin\n\ncurl -k -O 'https://private_ip:10180/package/agent/linux/arm/hostguard.aarch64.rpm' && echo 'MASTER_IP=private_ip:10180' > hostguard_setup_config.conf && echo 'SLAVE_IP=private_ip:10180' >> hostguard_setup_config.conf && echo 'ORG_ID=project_id' >> hostguard_setup_config.conf && rpm -ivh hostguard.aarch64.rpm && rm -f hostguard_setup_config.conf && rm -f hostguard*.rpm" > arm_rpm_install.sh
- Arm deb software package image:
echo -e "# for Linux ARM Ubuntu Debian\n\ncurl -k -O 'https://private_ip:10180/package/agent/linux/arm/hostguard.aarch64.deb' && echo 'MASTER_IP=private_ip:10180' > hostguard_setup_config.conf && echo 'SLAVE_IP=private_ip:10180' >> hostguard_setup_config.conf && echo 'ORG_ID=project_id' >> hostguard_setup_config.conf && dpkg -i hostguard.aarch64.deb && rm -f hostguard_setup_config.conf && rm -f hostguard*.deb" > arm_deb_install.sh
- Run the following command to replace the private_ip and project_id placeholders in the generated files with the available IP address and the project ID:
Run the command without modification.
sed -i "s#private_ip#`cat private_ip.conf`#g" *install.sh && sed -i "s#project_id#`cat /usr/local/hostguard/run/metadata.conf | grep -v enterprise_project_id | grep project_id | cut -d ":" -f 2 | cut -d " " -f 2`#g" *install.sh
NOTE:
- All five commands must be executed. The last command, which substitutes the available IP address, must be executed last.
- The installation commands in x86_rpm_install.sh are suitable for images managed by the RPM software package in the x86 architecture, such as CentOS, EulerOS, OpenSUSE, and Fedora.
- The installation commands in x86_deb_install.sh are suitable for images managed by the .deb software package in the x86 architecture, such as Ubuntu and Debian.
- The installation commands in arm_rpm_install.sh are suitable for images managed by the RPM software package in the ARM architecture, such as CentOS, EulerOS, OpenSUSE, Fedora, UOS, and Kylin.
- The installation commands in arm_deb_install.sh are suitable for images managed by the .deb software package in the ARM architecture, such as Ubuntu and Debian.
- View the generated installation command, which will be used to install agents on the third-party Linux servers.
Figure 2 Linux installation commands
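The NOTICE above asks you to confirm the address in private_ip.conf by eye; the shell functions below automate that check and also verify the four generated scripts after the sed step. This is an added example, not part of the HSS documentation or tooling: the function names are hypothetical, and it assumes an IPv4 address and the file names used above.

```shell
#!/bin/sh
# Added example; function names are hypothetical. File names and port 10180
# are the ones used in the steps above.

# Succeeds only if FILE holds exactly one IPv4 address. `hostname -I` prints
# every address of the host, so a multi-homed proxy writes several.
check_private_ip() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    set -- $(cat "$file")    # word-split: one positional parameter per address
    [ "$#" -eq 1 ] || { echo "$file: expected 1 address, found $#" >&2; return 1; }
    ip=$1
    echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
        { echo "$file: not an IPv4 address: $ip" >&2; return 1; }
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || { echo "$file: octet out of range: $ip" >&2; return 1; }
    done
}

# Succeeds only if SCRIPT has no leftover placeholder, a single-address
# MASTER_IP/SLAVE_IP on port 10180, and a non-empty ORG_ID.
check_install_script() {
    script=$1
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 1; }
    if grep -Eq 'private_ip|project_id' "$script"; then
        echo "$script: placeholder not replaced" >&2; return 1
    fi
    for key in MASTER_IP SLAVE_IP; do
        grep -Eq "$key=([0-9]{1,3}\.){3}[0-9]{1,3}:10180'" "$script" ||
            { echo "$script: $key is not <one IPv4>:10180" >&2; return 1; }
    done
    # An empty ORG_ID means metadata.conf yielded no project_id value.
    grep -Eq "ORG_ID=[^' ]+'" "$script" ||
        { echo "$script: ORG_ID is empty" >&2; return 1; }
}

# Runs every check in the current directory; the exit status is the failure count.
check_generated_files() {
    failures=0
    check_private_ip private_ip.conf || failures=$((failures + 1))
    for f in x86_rpm_install.sh x86_deb_install.sh arm_rpm_install.sh arm_deb_install.sh; do
        check_install_script "$f" || failures=$((failures + 1))
    done
    return "$failures"
}
```

Source the file in /tmp on the proxy server and run check_generated_files after the sed command; a non-zero status means at least one file should be corrected before it is handed to third-party servers.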
Creating an Agent Installation Package Using a Proxy Server (Windows)
- Run the following command to access the /tmp directory:
cd /tmp
- Run the following commands in sequence to generate the agent installation package for Windows servers:
curl -k -O https://`cat private_ip.conf`:10180/package/agent/windows/hostguard_setup.exe && echo '[system]' > hostguard_setup_config.ini && echo 'master='`cat private_ip.conf`':10180' >> hostguard_setup_config.ini && echo 'slave='`cat private_ip.conf`':10180' >> hostguard_setup_config.ini && echo 'orgid='`cat /usr/local/hostguard/run/metadata.conf | grep -v enterprise_project_id | grep project_id | cut -d ":" -f 2 | cut -d " " -f 2` >> hostguard_setup_config.ini
zip hostguard_setup.zip hostguard_setup.exe hostguard_setup_config.ini
NOTE:
If the zip command is not available on the proxy server, run the following command to install it:
yum install -y zip
- View the generated installation package, which will be used to install agents on the third-party Windows servers.
Figure 3 Windows installation package