Quickly Enhancing Server Security
Data and programs on unprotected servers are likely to be breached or tampered with if the servers are intruded, interrupting your business and causing great loss.
HSS provides all-round protection for servers, including pre-attack prevention, during-attack protection, and real-time or daily alarms.
This section describes how to use HSS to easily detect and eliminate security issues on your servers.
Step 1: Purchase and Enable HSS
Purchase and enable HSS, as shown in Figure 1.
- Purchase HSS quota as needed.
Table 1 Recommended editions
Requirement | Recommended Edition |
---|---|
APT attack detection, network protection, secure operations, and user-defined security policies | Premium edition HSS |
Security risk prevention, virus and Trojan scan and killing, server vulnerability management, and compliance certification | Enterprise edition HSS |
Website and file anti-tampering, hidden link scan, and server security | Web Tamper Protection (WTP) edition HSS |
- Install the agent on your servers.
The agent runs scan tasks to scan all servers, monitors server security, and reports collected server information to the cloud protection center.
For more information about the agent, see What Is the HSS Agent?
- On the HSS console, set alarm notifications to keep yourself updated on risks in your servers and websites (if any).
- Enable protection. For details, see Enabling HSS.
When you enable HSS, a full scan is immediately performed. You can view all the detected issues on the console about 30 minutes later.
Step 2: Check Risk Overview
You can check overall risk statistics, as shown in Figure 2. For details, see Table 2.
The Dashboard page displays server security status and risks in real time. For details, see Dashboard.
Risk Type | Description |
---|---|
Risk Statistics | Number of risks (unsafe settings, intrusions, and vulnerabilities) on protected servers |
Protection Statistics | Numbers of servers protected with the basic, enterprise, or premium edition and the number of unprotected servers |
Risks in the last 7 or 30 days | Line chart showing the numbers of asset risks, vulnerabilities, unsafe settings, and intrusions in the last 7 days or 30 days |
Handled risks in the last 7 or 30 days | Line chart showing the numbers of handled asset risks, vulnerabilities, unsafe settings, and intrusions in the last 7 days or 30 days |
Intrusions in the last 7 days or 30 days | Pie chart showing the number of intrusions and the percentage of each type of intrusions |
Top 5 unsafe servers in the last 7 days | The five servers having the highest risks and the number of each type of risks |
Real-time intrusions | The latest five unhandled risks in the last 24 hours |
Step 3: Handle Risks
Enable HSS and handle risks. Figure 3 shows the process.
- Enable HSS for all your servers. For details, see Enabling the Basic/Professional/Premium Edition.
- Check and handle alarm events, as shown in Figure 4. For details, see Checking and Handling Alarm Events.
The Events page displays the alarm events of the last 30 days. You can check and handle them as needed. The status of a handled event changes from Unhandled to Handled. HSS will no longer collect its statistics or display them on the Dashboard page.
Table 3 Handling alarm events
Method | Description |
---|---|
Ignore | Ignore the current alarm. Any new alarms of the same type will still be reported by HSS. |
Isolate and kill | If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers. You can click Isolated Files to check and manage isolated files. For details, see Managing Isolated Files. The following types of alarm events support online isolation and killing: Malicious program (cloud scan); Abnormal process. NOTE: When a program is isolated and killed, the process of the program is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of or unignore misreported malicious programs (if any) within 24 hours. |
Mark as handled | Mark the event as handled. You can add remarks for the event to record more details. |
Add to login whitelist | Add falsely reported items of the Brute-force attack and Abnormal login types to the login whitelist. HSS will no longer report alarms for the whitelisted items. |
Add to alarm whitelist | Add falsely reported items of the following types to the login whitelist. HSS will no longer report alarms for the whitelisted items. Types: Reverse shell; Web shell; Abnormal process behavior; Process privilege escalation; File privilege escalation; High-risk command; Malicious program. |
- Manually fix the vulnerabilities based on the suggestions, as shown in Figure 5.
Checking vulnerabilities
HSS detects vulnerabilities and rates their urgency as High, Medium, or Low based on the official vulnerability scores.
- High indicates a vulnerability has high risks. You are advised to evaluate the impact of the vulnerability and fix it as soon as possible.
- Medium or Low indicates a vulnerability does not have direct impact on OS security. You are advised to evaluate the impact and fix the vulnerability when you upgrade your server OS or software.
- If you are sure a vulnerability does not affect your system, click Ignore.
For example, if a vulnerability can be exploited only through an open port, and the port is not enabled on your servers, you can ignore this vulnerability.
Fixing vulnerabilities
Check vulnerability information, and fix or ignore it as needed.
- You can manually fix vulnerabilities one by one or fix them all in one click based on the solution provided, as shown in Figure 5.
For details, see Fixing Vulnerabilities and Verifying the Result.
Before repairing a vulnerability on a server, back up data and configurations of the server to avoid data loss.
- To ignore a vulnerability on a server, click the Affected Servers tab and click Ignore in the Operation column of the server, as shown in Figure 6.
- Go to the Unsafe Settings page, and fix weak password and other unsafe settings, as shown in Figure 7.
Scanning for unsafe settings
HSS checks your server OS and other software for weak password complexity policies and other unsafe settings, and provides suggestions for fixing detected risks.
For details about the baseline check, see Baseline Inspection.
Fixing unsafe settings
Table 4 Unsafe settings and solutions
Issue | Description | Solution |
---|---|---|
Weak passwords | Accounts using weak passwords are exposed to cracking attacks. You can check detected weak passwords on the console. Generally, passwords that are easy to guess or to crack in a brute-force attack are regarded as weak. Weak passwords have the following characteristics: too short or simple; contains any strings in a common password dictionary or other similar lists on the Internet; contains personal information. | You are advised to set stronger passwords for detected accounts. For details, see How Do I Set a Secure Password? |
Unsafe password complexity policy | To monitor the password complexity policy on a Linux server, install the Pluggable Authentication Modules (PAM) on the server. For details, see How Do I Install a PAM in a Linux OS? For details about how to modify the password complexity policy on a Linux server, see How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS? For details about how to modify the password complexity policy on a Windows server, see How Do I Set a Secure Password Complexity Policy in a Windows OS? | You are advised to change the password complexity policy as suggested. The new policy will be used to check password complexity when users set or modify passwords. |
Unsafe configuration | Insecure configurations of key applications will probably be exploited by hackers to intrude servers. Such configurations include insecure encryption algorithms used by SSH and Tomcat startup with root permissions. | Fix settings based on the suggestions provided. For details, see Unsafe Configurations. |
- Check your assets, as shown in Figure 8.
In the early morning every day, HSS collects and displays server asset information about accounts, external port listening, process running, web directories, software, auto-started items, and file changes, helping users check and eliminate asset and security risks.
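The unsafe settings described above (insecure SSH encryption algorithms, a weak password complexity policy) can also be spot-checked locally on a Linux server. The following is an added example, not HSS code and not the rules HSS applies: the weak-algorithm patterns, the `minlen`/`minclass` minimums, the function names, and the sample inputs are all assumptions made for illustration.

```python
import re

# Assumed deny-lists (not HSS's rules): algorithms widely treated as weak.
WEAK = {
    "ciphers": re.compile(r"-cbc(@|$)|^arcfour|^3des"),
    "macs": re.compile(r"md5|sha1-96|^umac-64"),
    "kexalgorithms": re.compile(r"group1-sha1|group-exchange-sha1"),
}
# Assumed minimums for /etc/security/pwquality.conf (pam_pwquality).
PW_MIN = {"minlen": 8, "minclass": 3}

# Constructed sample inputs, not taken from a real server.
SAMPLE_SSHD = """\
Ciphers aes128-ctr,aes256-gcm@openssh.com,3des-cbc
MACs hmac-sha2-256,hmac-md5
KexAlgorithms +diffie-hellman-group1-sha1
"""
SAMPLE_PWQ = "minlen = 6\n# minclass = 3\n"


def check_sshd(text):
    """Return (directive, algorithm) pairs for weak algorithms in sshd_config text."""
    findings = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2 or parts[0].lower() not in WEAK:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if value.startswith("-"):  # "-list" removes algorithms from the defaults
            continue
        for alg in value.lstrip("+^").split(","):  # "+"/"^" add to the defaults
            if WEAK[key].search(alg.strip()):
                findings.append((key, alg.strip()))
    return findings


def check_pwquality(text):
    """Return {setting: (configured, required)}; configured is None when unset."""
    seen = {}
    for raw in text.splitlines():
        key, sep, val = raw.split("#", 1)[0].partition("=")
        if sep and key.strip() in PW_MIN and val.strip().isdigit():
            seen[key.strip()] = int(val.strip())
    return {k: (seen.get(k), need) for k, need in PW_MIN.items()
            if seen.get(k) is None or seen[k] < need}


if __name__ == "__main__":
    print(check_sshd(SAMPLE_SSHD))
    print(check_pwquality(SAMPLE_PWQ))
```

To run it against a real server, pass the contents of `/etc/ssh/sshd_config` and `/etc/security/pwquality.conf` instead of the samples; a setting reported as `None` is not set in the file and relies on the module default.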
Step 4: Verify Server Security
Checking server risks
Method | Scenario | Check Item | Operation |
---|---|---|---|
Manual scan | You need to know the rectification result as soon as possible. | The following items can be checked in one click: | Choose Servers and click Manual Detection in the upper right corner of the page. |
Manual scan | You need to know the rectification result as soon as possible. | The following items can be separately checked: | Choose Servers. In the Operation column of the server list, click View Scan Results. |
Automatic check | You are not in a hurry to know the verification result. | | HSS automatically performs a full scan every early morning. |
Checking security overview
Check risks on the Dashboard page.
If the number of risks has decreased, you have made your servers more secure.