Enabling Protection
To enable protection, allocate a quota to a server or a container. After protection is disabled or the protected server or container is removed, the quota can be allocated to another server or container.
Prerequisites
- HSS can be billed in yearly/monthly or pay-per-use mode. To use yearly/monthly billing, ensure you have purchased sufficient protection quotas. For details, see Purchasing HSS. If you use the pay-per-use billing mode, you do not need to purchase quotas in advance.
- Ensure that the agent has been installed on the server or container node and is online. For details, see Installing the Agent on Huawei Cloud Servers and Installing the Agent on Third-party Servers.
Constraints
- Server
Before you enable protection for a Windows server, enable the Windows firewall to block the source IP addresses of brute-force attacks. If the Windows firewall is not enabled, HSS only generates alarms for detected brute-force attacks, but does not block them.
- After the Windows firewall is enabled, HSS automatically adds firewall rules hostguard_AllowAnyIn and hostguard_AllowAnyOut to allow all inbound and outbound traffic. This ensures that the firewall does not affect your services. If HSS detects a brute-force attack, it adds an inbound rule to the firewall to block the attack source IP address. This does not affect your servers.
- Do not disable the Windows firewall when using HSS, or HSS cannot block the source IP addresses of brute-force attacks. Once it is disabled, HSS may fail to block the attack source IP addresses even after you manually enable it again.
- Container
HSS can only protect Docker, Containerd, CRI-O, Podman, and iSulad containers.
Enabling Protection
Perform the following operations to enable protection based on the edition you need.
Viewing Scan Details
After server protection is enabled, HSS will immediately perform a comprehensive scan on the server. It may take a long time. After the scan is complete, you can check its details.
- Choose Servers tab page. . Locate the server on the
- Check the Risk Level column of the server.
Table 3 Risk status Status
Description
Pending risk detection
The server is neither protected nor scanned.
Safe
No risks were found in the comprehensive scan on the server; or the protection has just been enabled, and no risks have been found yet.
Risky
The server has security risks.
- Hover the cursor over the risk status to view the risk distribution.
You can click a value to go to the details page.
Advanced Protection
HSS provides a series of advanced defense functions. You can enable or use them as required to enhance the security of your servers and containers. For details, see Table 4.
Function |
Description |
Version Restriction |
---|---|---|
Container image security aims to ensure the security of images throughout their lifecycle, including development, deployment, and running. It scans for system vulnerabilities, application vulnerabilities, malicious files, software information, file information, unsafe baseline settings, weak passwords, sensitive information, software compliance issues, and base image information. It helps you identify and fix risks, and ensure images have passed strict checks before being deployed in the production environment, so that your system and applications can run stably and securely. |
Container edition |
|
Cluster environment security scans the resources on the Kubernetes cluster management plane and data plane; identifies infrastructure as code (IaC) risks, vulnerabilities, unsafe settings, configuration compliance, sensitive information, and permissions management issues; and provides solutions, helping you build a comprehensive cluster security system. |
Container edition |
|
To protect your applications with RASP, you simply need to add probes to them, without having to modify application files. |
Premium, WTP, and container editions |
|
The function can detect and defend against ransomware. It can automatically back up data either at a scheduled time, or immediately if ransomware is detected. This can help you defend against ransomware and reduce loss. Ransomware prevention is automatically enabled with the container edition. HSS will deploy honeypot files on servers and automatically isolate suspicious encryption processes. You can modify the ransomware protection policy. You are also advised to enable backup so that you can restore data. |
Premium, WTP, and container editions |
|
Application process control helps to enhance the security of applications and processes running on servers. It can automatically identify and analyze application processes, and classify them into trusted, suspicious, and malicious processes. It allows trusted processes to run, and generates alarms for suspicious and malicious processes. This helps to build a secure environment for application processes, and protects servers from untrusted or malicious application processes. |
Premium, WTP, and container editions |
|
This function combines cloud-based and local antivirus mechanisms to scan executable files, compressed files, scripts, documents, images, and audiovisual files for viruses. You can perform quick scan, full-disk scan, and custom scans on servers as needed to detect and remove virus files in a timely manner, enhancing the virus defense of the system. |
Professional, premium, WTP, and container editions |
|
The dynamic port honeypot function is a proactive defense measure. It uses a real port as a honeypot port to induce attackers to access the network. In the horizontal penetration scenario, the function can effectively detect attackers' scanning, identify compromised servers, and protect real user resources. |
Premium, WTP, and container editions |
|
The container firewall can isolate pods, workloads, and nodes in a network to prevent lateral movement and minimize permissions, and enhancing security and stability. |
Container edition |
|
HSS can check for non-compliance baseline issues, vulnerabilities, and malicious files when a container image is started and report alarms on or block container startup that has not been unauthorized or may incur high risks. |
Container edition |
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot