Updated on 2022-08-30 GMT+08:00

Quickly Enhancing Server Security

If an unprotected server is intruded, its data and programs are likely to be breached or tampered with, interrupting your business and causing great loss.

HSS provides all-round protection for servers, including pre-attack prevention, during-attack protection, and real-time or daily alarms.

This section describes how to use HSS to easily detect and eliminate security issues on your servers.

Step 1: Purchase and Enable HSS

Purchase and enable HSS, as shown in Figure 1.

Figure 1 Purchasing quota and enabling HSS
  1. Purchase HSS quota as needed.
    Table 1 Recommended editions

    | Requirement | Recommended Edition |
    |---|---|
    | APT attack detection, network protection, secure operations, and user-defined security policies | Premium edition HSS |
    | Security risk prevention, virus and Trojan scan and killing, server vulnerability management, and compliance certification | Enterprise edition HSS |
    | Website and file anti-tampering, hidden link scan, and server security | Web Tamper Protection (WTP) edition HSS |

  2. Install the agent on your servers.

    The agent runs scan tasks to scan all servers, monitors server security, and reports collected server information to the cloud protection center.

    For more information about the agent, see What Is the HSS Agent?

  3. On the HSS console, set alarm notifications to keep yourself updated on risks in your servers and websites (if any).
  4. Enable protection. For details, see Enabling HSS.

    When you enable HSS, a full scan is immediately performed. You can view all the detected issues on the console about 30 minutes later.

Step 2: Check Risk Overview

You can choose Host Security Service > Dashboard to check overall risk statistics, as shown in Figure 2. For details, see Table 2.

The Dashboard page displays server security status and risks in real time. For details, see Dashboard.

Figure 2 Host security overview
Table 2 Risk statistics

| Risk Type | Description |
|---|---|
| Risk Statistics | Number of risks (unsafe settings, intrusions, and vulnerabilities) on protected servers |
| Protection Statistics | Numbers of servers protected with the basic, enterprise, or premium edition and the number of unprotected servers |
| Risks in the last 7 or 30 days | Line chart showing the numbers of asset risks, vulnerabilities, unsafe settings, and intrusions in the last 7 days or 30 days |
| Handled risks in the last 7 or 30 days | Line chart showing the numbers of handled asset risks, vulnerabilities, unsafe settings, and intrusions in the last 7 days or 30 days |
| Intrusions in the last 7 days or 30 days | Pie chart showing the number of intrusions and the percentage of each type of intrusions |
| Top 5 unsafe servers in the last 7 days | The five servers having the highest risks and the number of each type of risks |
| Real-time intrusions | The latest five unhandled risks in the last 24 hours |

Step 3: Handle Risks

Enable HSS and handle risks. Figure 3 shows the process.

Figure 3 Handling risks
  1. Enable HSS for all your servers. For details, see Enabling the Basic/Professional/Premium Edition.
  2. Check and handle alarm events, as shown in Figure 4. For details, see Checking and Handling Alarm Events.

    Figure 4 Real-time intrusions

    The Events page displays the alarm events of the last 30 days. You can check and handle them as needed. The status of a handled event changes from Unhandled to Handled. HSS will no longer collect its statistics or display them on the Dashboard page.

    Table 3 Handling alarm events

    Method

    Description

    Ignore

    Ignore the current alarm. Any new alarms of the same type will still be reported by HSS.

    Isolate and kill

    If a program is isolated and killed, it will be terminated immediately and no longer able to perform read or write operations. Isolated source files of programs or processes are displayed on the Isolated Files slide-out panel and cannot harm your servers.

    You can click Isolated Files to check and manage isolated files. For details, see Managing Isolated Files.

    The following types of alarm events support online isolation and killing:

    • Malicious program (cloud scan)
    • Abnormal process
    NOTE:

    When a program is isolated and killed, the process of the program is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of or unignore misreported malicious programs (if any) within 24 hours.

    Mark as handled

    Mark the event as handled. You can add remarks for the event to record more details.

    Add to login whitelist

    Add falsely reported items of the Brute-force attack and Abnormal login types to the login whitelist.

    HSS will no longer report alarms on the whitelisted items.

    Add to alarm whitelist

    Add falsely reported items of the following types to the alarm whitelist.

    HSS will no longer report alarms on the whitelisted items.

    • Reverse shell
    • Web shell
    • Abnormal process behavior
    • Process privilege escalation
    • File privilege escalation
    • High-risk command
    • Malicious program

  3. Manually fix the vulnerabilities based on the suggestions, as shown in Figure 5.

    Figure 5 Fixing vulnerabilities

    Checking vulnerabilities

    HSS detects vulnerabilities and rates their urgency as High, Medium, or Low based on the official vulnerability scores.

    • High indicates a vulnerability has high risks. You are advised to evaluate the impact of the vulnerability and fix it as soon as possible.
    • Medium or Low indicates a vulnerability does not have direct impact on OS security. You are advised to evaluate the impact and fix the vulnerability when you upgrade your server OS or software.
    • If you are sure a vulnerability does not affect your system, click Ignore.

      For example, if a vulnerability can be exploited only through an open port, and the port is not enabled on your servers, you can ignore this vulnerability.

    Fixing vulnerabilities

    Check vulnerability information, and fix or ignore it as needed.

    • You can manually fix vulnerabilities one by one or fix them all in one click based on the solution provided, as shown in Figure 5.

      For details, see Fixing Vulnerabilities and Verifying the Result.

      Before repairing a vulnerability on a server, back up data and configurations of the server to avoid data loss.

    • To ignore a vulnerability on a server, click the Affected Servers tab and click Ignore in the Operation column of the server, as shown in Figure 6.
      Figure 6 Affected servers

  4. Go to the Unsafe Settings page, and fix weak password and other unsafe settings, as shown in Figure 7.

    Figure 7 Fixing unsafe settings

    Scanning for unsafe settings

    HSS checks your server OS and other software for weak password complexity policies and other unsafe settings, and provides suggestions for fixing detected risks.

    For details about the baseline check, see Baseline Inspection.

    Fixing unsafe settings

    Table 4 Unsafe settings and solutions

    Issue

    Description

    Solution

    Weak passwords

    Accounts using weak passwords are exposed to cracking attacks. You can check detected weak passwords on the console.

    Generally, passwords that are easy to guess or to crack in a brute-force attack are regarded as weak.

    Weak passwords have the following characteristics:

    1. Are too short or simple
    2. Contain strings found in a common password dictionary or other similar lists on the Internet
    3. Contain personal information

    You are advised to set stronger passwords for detected accounts.

    For details, see How Do I Set a Secure Password?

    Unsafe password complexity policy

    You are advised to change the password complexity policy as suggested.

    The new policy will be used to check password complexity when users set or modify passwords.

    Unsafe configuration

    Insecure configurations of key applications are likely to be exploited by hackers to intrude into servers.

    Such configurations include insecure encryption algorithms used by SSH and Tomcat startup with root permissions.

    Fix settings based on the suggestions provided.

    For details, see Unsafe Configurations.

  5. Check your assets, as shown in Figure 8.

    In the early morning every day, HSS collects and displays server asset information about accounts, external port listening, process running, web directories, software, auto-started items, and file changes, helping users check and eliminate asset and security risks.

    Figure 8 Checking assets
    Table 5 Assets

    Item

    Solution

    Account Information

    You can manage the account information and its change history on all the servers in a unified manner. If unnecessary accounts exist in the system or accounts with super permissions (with the root permission) are found, check whether the accounts are used properly by normal services. If they are not, delete unnecessary accounts or modify account permissions to prevent accounts from being used by hackers.

    Open Ports

    • Manually disabling high-risk ports

      If HSS detects open high-risk ports or unused ports, check whether they are really used by your services. For high-risk ports, check program files. If there are risks, delete or isolate the source files.

      It is recommended that you handle the ports at the Dangerous risk level promptly and handle the ports at the Unknown level based on the actual service conditions.

    • Ignoring risks: If the detected dangerous ports are normal ports being used by services, you can choose to ignore the alarms. Ignored alarms will neither be recorded as unsafe items nor trigger alarms.

    Processes

    You can quickly check and terminate suspicious application processes on your servers.

    Web Directories

    HSS can detect web directories on servers. You can identify suspicious web directories in a timely manner and terminate suspicious processes.

    Installed Software

    You can manage the software information and its change history on all the servers in a unified manner. You can upgrade software that is running old versions and delete suspicious or unnecessary software in a timely manner.

    Auto-startup

    You can check the servers, paths, file hashes, and last modification time of auto-started items to find and eliminate Trojans in a timely manner.
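
The two unsafe configurations named in Table 4 (insecure SSH encryption algorithms and Tomcat started with root permissions) can be spot-checked locally after a fix. This is an added example, not HSS code; the weak-algorithm list, the function names, and the sample inputs are assumptions constructed for illustration.

```python
import re

# Algorithms that hardening baselines commonly treat as weak. This list is an
# assumption of the example, not the rule set HSS applies.
WEAK = {
    "ciphers": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "arcfour"},
    "macs": {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"},
    "kexalgorithms": {"diffie-hellman-group1-sha1"},
}
TOMCAT_MAIN = "org.apache.catalina.startup.Bootstrap"  # Tomcat's JVM entry class

def weak_ssh_algorithms(config_text):
    """Map each sshd_config keyword to the weak algorithms it enables."""
    findings, seen = {}, set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # "Key value" or "Key=value"
        keyword = parts[0].lower()                     # keywords are case-insensitive
        if len(parts) < 2 or keyword not in WEAK or keyword in seen:
            continue
        seen.add(keyword)                              # sshd keeps the first value it reads
        value = parts[1].strip()
        if value.startswith("-"):                      # "-list" removes from the defaults
            continue
        names = {n.strip() for n in value.lstrip("+^").split(",")}
        if names & WEAK[keyword]:
            findings[keyword] = sorted(names & WEAK[keyword])
    return findings

def tomcat_as_root(ps_text):
    """Return PIDs of Tomcat JVMs owned by root in `ps -eo user,pid,args` output."""
    return [int(f[1]) for f in (ln.split(None, 2) for ln in ps_text.splitlines())
            if len(f) == 3 and f[0] == "root" and TOMCAT_MAIN in f[2]]

# Constructed sample inputs, not taken from a real server.
SAMPLE_SSHD = """\
Ciphers aes256-ctr,aes128-cbc,3des-cbc
MACs=hmac-sha2-256,hmac-md5
KexAlgorithms -diffie-hellman-group1-sha1
Ciphers arcfour   # ignored: a Ciphers line was already read
"""
SAMPLE_PS = """\
USER   PID COMMAND
root  1021 /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start
tomcat 2044 /usr/bin/java -Dcatalina.base=/srv/app org.apache.catalina.startup.Bootstrap start
root   812 /usr/sbin/sshd -D
"""

print(weak_ssh_algorithms(SAMPLE_SSHD), tomcat_as_root(SAMPLE_PS))
```

On a real server, pass the contents of the sshd configuration file and the output of `ps -eo user,pid,args` to the two functions; an empty result from both means neither finding is present.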

Step 4: Verify Server Security

Checking server risks

Verify that detected issues have been fixed, as shown in Table 6.
Table 6 Verification methods

Method

Scenario

Check Item

Operation

Manual scan

You need to know the rectification result as soon as possible.

The following items can be checked in one click:
  • Software information
  • Vulnerabilities
  • Web shells
  • Weak passwords
  • Unsafe configurations

Choose Servers and click Manual Detection in the upper right corner of the page.

The following items can be separately checked:
  • Software
  • Vulnerabilities
  • Weak passwords
  • Unsafe configurations

Choose Servers. In the Operation column of the server list, click View Scan Results.

  • Click Assets. On the Installed Software tab, check whether there is any insecure software.
  • Click Vulnerabilities, and check its software, OS, and Web-CMS vulnerabilities.
  • Click Unsafe Settings. On the Password Risks tab, manually check weak passwords.
  • Click Unsafe Settings. On the Unsafe Configurations tab, manually check unsafe configurations.

Automatic check

You are not in a hurry to know the verification result.

  • A full scan is automatically performed every early morning to check the following items:
    • Software
    • Vulnerabilities
    • Web shells
    • Weak passwords
    • Unsafe configurations
  • For other items, HSS checks them in real time and you can view the verification results shortly after fixing them.

HSS automatically performs a full scan every early morning.

Checking security overview

Check risks on the Dashboard page.

The Dashboard page shows security statistics, as shown in Figure 9.
Figure 9 Security overview
  • Risk Statistics

    Check the changes in the numbers of asset risks, unsafe settings, intrusions, and vulnerabilities.

  • Protection statistics

    Check whether all your servers are protected.

  • Risks

    Check the changes in the numbers of risks.

  • Handled Risks

    Check the changes in the numbers of handled risks.

If the number of risks has decreased, you have made your servers more secure.