Updated on 2024-12-03 GMT+08:00

Purchasing and Enabling WTP

Scenario

HSS provides static and dynamic (Tomcat) Web Tamper Protection (WTP) functions. WTP monitors website directories in real time, backs up files, and restores tampered files. In addition, multiple server security protection functions are provided. For details, see Product Functions.

The following example describes how to purchase and enable HSS (WTP edition).

  • Server: EulerOS 2.9 Huawei Cloud ECS
  • Protection quotas
    • Billing mode: Yearly/Monthly
    • Edition: WTP
    • Quantity: 1

Process

Procedure

Description

Preparations

After registering a Huawei ID and enabling Huawei Cloud services, complete real-name authentication, top up your account, grant permissions to IAM users, and prepare the cloud servers to be protected.

Step 1: Purchase HSS Quota

Set the edition and protection quota for your server.

Step 2: Install an Agent

Install the agent on the target server.

Step 3: Enable Protection

Enable protection for the target server.

Preparations

  1. Before purchasing WTP, create a Huawei account and subscribe to Huawei Cloud. For details, see Registering a Huawei ID and Enabling Huawei Cloud Services and Real-Name Authentication.

    If you have enabled Huawei Cloud services and completed real-name authentication, skip this step.

  2. Ensure that your account has sufficient funds to prevent failures in purchasing HSS protection quotas. For details, see Topping Up an Account.
  3. If you perform operations as an IAM user, ensure that the IAM user has been assigned the HSS FullAccess permission. For details, see Creating a User and Granting Permissions.

    When purchasing HSS protection quotas, you need to assign the BSS Administrator permission to IAM users.

  4. A Huawei Cloud ECS for which WTP will be enabled is available.

Step 1: Purchase HSS Quota

  1. Log in to the management console.
  2. Click in the upper left corner and select the region and project.
  3. Click in the upper left corner of the page and choose Security & Compliance > HSS.
  4. In the upper right corner of the Dashboard page, click Buy HSS.
  5. Configure parameters.

    Parameter: Billing Mode
    Example: Yearly/Monthly
    Description: WTP supports only the Yearly/Monthly billing mode. Yearly/Monthly is prepaid billing: you pay in advance for a subscription term and in exchange get a discounted rate. The longer the subscription term, the bigger the discount. For more information, see Pricing Details.

    Parameter: Region
    Example: EU-Dublin
    Description: Select the region of the server. After HSS is purchased, the region cannot be changed, so choose it carefully.

    Parameter: Edition Specifications
    Example: WTP Edition
    Description: HSS provides the basic, professional, premium, WTP, and container editions. Functions vary by edition. For details about the functions supported by each edition, see Functions.

    Parameter: Enterprise Project
    Example: default
    Description: This parameter is displayed only when you use an enterprise account to purchase protection quotas. It enables unified management of cloud resources by project.

    Parameter: Tag
    Example: Not added
    Description: Tags are used to identify the server security resource, facilitating cloud resource classification and management.

    Parameter: Automatically assign
    Example: Not selected
    Description: When a server or container node is added and the agent is installed for the first time, the server is bound to an available yearly/monthly quota. Only unused quotas are bound, and no new order or fee is generated.

    Parameter: Required Duration
    Example: 1 month
    Description: Select the required duration. The longer the subscription period, the higher the discount.

    Parameter: Auto-Renewal
    Example: Not selected
    Description: If selected, the system renews the service by the required duration when the service is about to expire.

    Parameter: Quantity
    Example: 1
    Description: Set the value based on the actual number of servers to be protected.

  6. In the lower right corner of the page, click Next.
  7. After confirming the order, select I have read and agree to the Host Security Service Disclaimer.
  8. Click Pay Now and complete the payment.
  9. Click Back to Host Security Service Console to return to the HSS console.

Step 2: Install an Agent

  1. In the navigation pane, choose Installation & Configuration > Server Install & Config.
  2. Choose Agents > Servers Without Agents.
  3. In the Operation column of the target server, click Install Agent. The Install Agent dialog box is displayed.

    Figure 1 Installing an agent

  4. Select and set the server verification information.

    Table 1 Parameters for installing the agent

    Parameter: Server Authentication Mode
    Example: Account and Password
    Description:
    • Account and password: Use the server IP address and password to verify the installation.
    • Key: Authenticate the installation using a cloud key (in DEW) or a user-created key (Linux only).

    Parameter: Allow direct connection with root permissions
    Example: Select it.
    Description: The root account can be used to log in to the server directly. After you enter the root password and login port, HSS uses your root account to install the agent on the server.

    Parameter: Server Root Password
    Example: -
    Description: Set the parameters based on the actual server information.

    Parameter: Server Login Port
    Example: 22
    Description: Enter the actual login port of the server.

    Figure 2 Enter the server verification information.

  5. Click OK to start the installation.
  6. Click the Servers With Agents tab and view the agent status of the target server.

    If Agent Status is Online, the agent has been installed successfully.

Step 3: Enable Protection

  1. In the navigation pane, choose Server Protection > Web Tamper Protection.
  2. On the Servers tab, click Add Server.
  3. On the Add Server page, select the target server and click Add and Enable Protection.

    Figure 3 Adding a protected server

  4. Read the message for adding a protected directory and click .

    Figure 4 Prompt information

  5. Locate the row containing the target server and click Configure Protection in the Operation column.

    Figure 5 Protection settings

  6. Add a protected directory.

    1. In the Protected Directory Settings area, click Settings.
    2. In the Protected Directory Settings dialog box, click Add Protected Directory.
      Figure 6 Adding a protected directory
    3. Configure protected directories.
      Table 2 Parameters for adding a protected directory

      Parameter: Protected Directory
      Example: /etc/lesuo
      Description: Add the directories to be protected.
      • Do not add an OS directory as a protected directory.
      • After a directory is added, the files and folders in the protected directory are read-only and cannot be modified directly.

      Parameter: Excluded Subdirectory
      Example: lesuo/test
      Description: Subdirectories in the protected directory that do not need to be protected, such as temporary file directories. Separate subdirectories with semicolons (;). A maximum of 10 subdirectories can be added.

      Parameter: Excluded File Types
      Example: log;pid;text
      Description: Types of files in the protected directory that do not need to be protected, such as log files. To keep recording the running status of the server in real time, exclude the log files in the protected directory. Apply strict read and write permissions to the log files so that attackers cannot view or tamper with them. Separate file types with semicolons (;).

      Parameter: Local Backup Path
      Example: /etc/backup
      Description: Set this parameter if your server runs Linux. It is the local path to which files in protected directories are backed up. After WTP is enabled, files in the protected directory are automatically backed up to the local backup path. The backup rules are as follows:
      • The local backup path must be valid and cannot overlap with the protected directory path.
      • Excluded subdirectories and excluded file types are not backed up.
      • Generally, the backup completes within 10 minutes. The actual duration depends on the size of the files in the protected directory.
      • If WTP detects that a file in a protected directory has been tampered with, it immediately uses the backup copy on the local server to restore the file.

      Parameter: Excluded File Path
      Example: lesuo/data;lesuo/list
      Description: Files in the protected directory that do not need to be protected. Separate multiple paths with semicolons (;). A maximum of 50 paths can be added. The maximum length of a path is 256 characters. A path cannot start with a space or end with a slash (/).

    4. Click OK.
    5. In the protected directory list, if Protection Status is Protected, the directory has been added successfully.

  7. (Optional) Enable remote backup.

    Only Linux servers support the remote backup function. Skip this item for Windows servers.
    1. In the Protected Directory Settings dialog box, click Manage Remote Backup Servers.
      Figure 7 Managing remote backup servers
    2. Click Add Backup Server.
    3. Configure the remote backup server information and click OK.
      Table 3 Backup server parameters

      Parameter: Server Name
      Example: test
      Description: Name of the remote backup server.

      Parameter: Address
      Example: 192.168.1.1
      Description: Enter the private IP address of the Huawei Cloud server that serves as the remote backup server.

      Parameter: Port
      Example: 8080
      Description: Enter the server port number. Ensure that the port is not blocked by a security group or firewall and is not already in use.

      Parameter: Backup Path
      Example: /hss01
      Description: Enter a backup path. The content of the protected directory will be backed up to this path.
      • If the protected directories of multiple servers are backed up to the same remote backup server, the data is stored in separate folders named after the agent IDs. For example, assume the protected directories of two servers are /hss01 and /hss02, the agent IDs of the two servers are f1fdbabc-6cdc-43af-acab-e4e6f086625f and f2ddbabc-6cdc-43af-abcd-e4e6f086626f, and the remote backup path is /hss01. The corresponding backup paths are /hss01/f1fdbabc-6cdc-43af-acab-e4e6f086625f and /hss01/f2ddbabc-6cdc-43af-abcd-e4e6f086626f.
      • If WTP is enabled for the remote backup server, do not set the remote backup path to any directory protected by WTP. Otherwise, remote backup will fail.
    4. In the Protected Directory Settings area, click Settings.
    5. In the Protected Directory Settings dialog box, click Enable Remote Backup.
    6. Select the added remote backup server and click OK.
    7. If Enabled is displayed, remote backup is started.

  8. (Optional) Enable dynamic WTP.

    Runtime application self-protection (RASP) is provided for Tomcat applications of JDK 8 on a Linux server. If you do not require RASP of the Tomcat application or the server runs the Windows OS, skip this item.
    1. In the Dynamic WTP area, click .
      Figure 8 Enable dynamic WTP
    2. In the dialog box that is displayed, enter the Tomcat bin directory and click OK.

      Tomcat bin directory example: /usr/workspace/apache-tomcat-8.5.15/bin

    3. If is displayed, dynamic WTP is enabled.
    4. Restart Tomcat to make the dynamic WTP function take effect.
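As an added example (not HSS code), the following Python pre-check validates one protected-directory entry against the rules given in Table 2 before you enter it in the console; the set of OS directories it refuses is an assumption, since the page does not enumerate them.

```python
import posixpath

# Added example, not HSS code: a local pre-check of one WTP protected-directory entry
# against the limits in Table 2. ASSUMED_OS_DIRS is an assumption; the page only says
# "do not add an OS directory as a protected directory" without listing them.
MAX_EXCLUDED_SUBDIRS, MAX_EXCLUDED_PATHS, MAX_PATH_LEN = 10, 50, 256
ASSUMED_OS_DIRS = {"/", "/bin", "/boot", "/dev", "/etc", "/lib", "/proc", "/sbin", "/sys", "/usr"}

# Constructed sample entry using the example values from Table 2.
SAMPLE_ENTRY = {
    "protected_dir": "/etc/lesuo",
    "excluded_subdirs": "lesuo/test",
    "excluded_file_types": "log;pid;text",
    "local_backup_path": "/etc/backup",
    "excluded_paths": "lesuo/data;lesuo/list",
}

def _split(value):
    # Semicolon-separated field; empty items are ignored.
    return [item for item in value.split(";") if item]

def overlaps(a, b):
    """True if one absolute path equals the other or lies inside it."""
    a, b = posixpath.normpath(a), posixpath.normpath(b)
    return posixpath.commonpath([a, b]) in (a, b)

def validate_protected_dir(entry):
    """Return the rule violations for one entry; an empty list means it passes."""
    errors = []
    pd = entry["protected_dir"]
    if not pd.startswith("/"):
        errors.append("protected directory must be an absolute path")
    elif posixpath.normpath(pd) in ASSUMED_OS_DIRS:
        errors.append("protected directory must not be an OS directory")
    if len(_split(entry.get("excluded_subdirs", ""))) > MAX_EXCLUDED_SUBDIRS:
        errors.append("more than %d excluded subdirectories" % MAX_EXCLUDED_SUBDIRS)
    paths = _split(entry.get("excluded_paths", ""))
    if len(paths) > MAX_EXCLUDED_PATHS:
        errors.append("more than %d excluded file paths" % MAX_EXCLUDED_PATHS)
    for p in paths:  # at most 256 chars, no leading space, no trailing slash
        if len(p) > MAX_PATH_LEN or p.startswith(" ") or p.endswith("/"):
            errors.append("invalid excluded file path: %r" % p)
    backup = entry.get("local_backup_path", "")
    if backup and not backup.startswith("/"):
        errors.append("local backup path must be an absolute path")
    elif backup and pd.startswith("/") and overlaps(pd, backup):
        errors.append("local backup path overlaps the protected directory")
    return errors
```

The overlap check also catches a backup path that contains the protected directory (for example /etc for /etc/lesuo), not only one nested inside it.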

Follow-Up Procedure

  • Modify a file or folder in a protected directory.
    If WTP is enabled, files or folders in the protected directory are read-only and cannot be modified. To modify files or folders in the protected directory, perform the following steps:
    • Adding a privileged process: A maximum of 10 privileged processes can be added. For details, see Adding a Privileged Process.
    • Enabling/Disabling scheduled static WTP: In addition to adding a privileged process, you can set periodic static WTP and modify files or folders while WTP is disabled. For details, see Enabling/Disabling Scheduled Static WTP.
  • Enable active protection for servers.
    WTP provides some proactive functions for servers. These functions are not enabled, or not completely enabled, when WTP is enabled. Decide whether to use them based on your requirements. Table 4 describes the functions.
    Table 4 Proactive server protection functions

    Function: Ransomware Prevention
    Description: Ransomware is one of the biggest cybersecurity threats today. It can intrude into a server, encrypt data, and demand a ransom, causing service interruption, data leakage, or data loss, and attackers may not unlock the data even after receiving the ransom. HSS provides static and dynamic ransomware prevention. You can periodically back up server data to reduce potential losses. Ransomware prevention is automatically enabled with the WTP edition: honeypot files are deployed on your server and suspicious encryption programs are automatically isolated. You can modify the ransomware protection policy.

    Function: Application Protection
    Description: To protect your applications with RASP, you only need to add probes to them, without modifying application files.

    Function: Application Process Control
    Description: HSS can learn the characteristics of application processes on servers and manage their running. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes.

    Function: Virus scanning and removal
    Description: This function uses the virus detection engine to scan for virus files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audio and video files. You can perform a quick scan or a full-disk scan as required. You can also customize scan tasks and handle detected virus files promptly to strengthen the virus defense of the service system.