Help Center/ Host Security Service/ Best Practices/ Using HSS to Improve Server Login Security

Updated on 2025-01-07 GMT+08:00

View PDF

Using HSS to Improve Server Login Security

Scenario

Account and password cracking are the most commonly used ways for attackers to intrude or attack servers. Enhancing login security is the first step to protect server security and ensure that services can run properly.

This section describes how to use HSS to improve server login security.

Solution Architecture and Advantages

You can configure common login locations, common login IP addresses, SSH login IP address whitelist, two-factor authentication, weak password check, and login security check to protect login security.

Figure 1 Security hardening for server logins

Common login location
After you configure common login IP addresses, HSS will generate alarms on the logins from other login IP addresses.
Common login IP address
After you configure common login IP addresses, HSS will generate alarms on the logins from other login IP addresses.
SSH login IP address whitelist
The SSH login whitelist controls SSH access to servers, preventing account cracking.
Two-factor authentication (2FA)
2FA requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes.
Weak password detection
Weak passwords are not attributed to a certain type of vulnerabilities, but they bring no less security risks than any type of vulnerabilities. Data and programs will become insecure if their passwords are cracked.

HSS proactively detects the accounts using weak passwords and generates alarms for the accounts. You can also add a password that may have been leaked to the weak password list to prevent server accounts from using the password.
Login security check
After login security detection policy is configured, you can enable login security check for the target server. HSS will effectively detect brute force attacks, automatically block brute force IP addresses, and trigger and report alarms.

Prerequisites

HSS Professional, Enterprise, Premium, Web Tamper Protection, or Container Edition has been enabled for the server. For details, see HSS Access Overview.

Limitations and Constraints

If 2FA is enabled, it can be used only in following scenarios:
- Linux: The SSH password is used to log in to an ECS, and the OpenSSH version is earlier than 8.
- Windows: The RDP file is used to log in to a Windows ECS.
When two-factor authentication is enabled for Windows servers, the User must change password at next logon function is not allowed. To use this function, disable two-factor authentication.
On a Windows server, 2FA may conflict with G01 and 360 Guard (server edition). You are advised to stop them.

Process

Log in to the management console.
Click in the upper left corner and select the region and project.
Click in the upper left corner of the page and choose Security & Compliance > HSS.
Configuring common login locations

An account can add up to 10 common login locations.
1. In the navigation pane, choose Installation & Configuration > Server Install & Config.
2. Choose Security Configuration > Common Login Location tab. The Common Login Location page is displayed.
3. Choose Add Common Login Location.
  Figure 2 Adding a common login location
4. In the dialog box, select the common login location to be added and the server where the common login location takes effect. After confirming that the information is correct, click OK.
  You can select multiple servers where the common login location takes effect.
  Figure 3 Configuring common login locations
5. Return to the Common Login Locations sub-tab and check the added common login locations.
Configuring common login IP addresses
An account can add up to 20 common login IP addresses.
1. Choose Security Configuration > Common Login IP Addresses tab. The Common Login IP Addresses page is displayed.
2. Choose Add Common Login IP Addresses.
  Figure 4 Adding a common login IP address
3. In the dialog box that is displayed, enter a common login IP address and select servers. Confirm the information and click OK.
  The common login IP address must be a public IP address or an IP address segment.
  
  You can select multiple servers.
  
  Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.
  Figure 5 Entering a common login IP address
1. Return to the Common Login IP Addresses sub-tab and check the added common login IP addresses.
Configuring an SSH login IP address whitelist
- An account can have up to 10 SSH login IP addresses in the whitelist.
- The SSH IP address whitelist does not take effect for servers running Kunpeng EulerOS (EulerOS with Arm).
- After you configure an SSH login IP address whitelist, SSH logins will be allowed only from whitelisted IP addresses.
  - Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH.
    If your service needs to access a server, but not necessarily via SSH, you do not need to add its IP address to the whitelist.
  - Exercise caution when adding an IP address to the whitelist. This will make HSS no longer restrict access from this IP address to your servers.
1. Choose Security Configuration > SSH IP Whitelist. The SSH IP Whitelist page is displayed.
2. Click Add IP Address. The Add IP Address dialog box is displayed.
  Figure 6 Configuring an IP address whitelist
3. In the dialog box that is displayed, enter an IP address to be added to the whitelist and select servers. Confirm the information and click OK.
  - The common login IP address must be a public IP address or an IP address segment.
  - You can select multiple servers.
  - Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.
  Figure 7 Entering an IP address
4. The SSH IP Whitelist sub-tab and check the added IP whitelist.
Configuring 2FA
1. Choose Two-Factor Authentication tab. The Two-Factor Authentication page is displayed.
2. Click Enable 2FA in the Operation column of the target server. The Enable 2FA dialog box is displayed.
  Select multiple target servers and click Enable 2FA to enable two-factor authentication for multiple servers in batches.
  Figure 8 Enabling 2FA
3. In the dialog box, select the authentication mode.
  - SMS/Email
    You need to select an SMN topic for SMS and email verification.
    - The drop-down list displays only notification topics that have been confirmed.
    - If there is no topic, click View to create one. For details, see Creating a Topic.
    - If your topic contains multiple mobile numbers or email addresses, during two-factor authentication,
      - If you use a mobile phone number for verification, all the endpoints (mobile numbers and email addresses) in the topic will receive a verification code.
      - If you use an email address for verification, only this address will receive a verification code.
      You can delete the mobile numbers and email addresses that do not need to receive verification messages.
    Figure 9 SMS/Email verification
  - Verification code
    Use the verification code you receive in real time for verification.
    Figure 10 Setting Method to Verification code
4. Click OK.
5. Return to the Two-Factor Authentication tab. Check whether the 2FA Status of the target server changes to Enabled.
  It takes about 5 minutes for the two-factor authentication function to take effect.
  
  When you log in to a remote Windows server from another Windows server where 2FA is enabled, you need to manually add credentials on the latter. Otherwise, the login will fail.
  
  To add credentials, choose Start > Control Panel, and click User Accounts. Click Manage your credentials and then click Add a Windows credential. Add the username and password of the remote server that you want to access.

Configuring weak password detection

In the navigation pane, choose Security Operations > Policies.
Click the name of the target policy group. The policy list page is displayed.
You can determine the OS and protection version supported by the target policy based on its default policy group description and supported version.

If you need to create a policy group, perform this step after Creating a Policy Group.
Click the Weak Password Detection. The Weak Password Detection dialog box is displayed.

Modify the parameters in the Policy Settings based on the site requirements. For details about the parameters, see Table 1.

Figure 11 Modifying the weak password detection policy

**Table 1** Parameter description
Parameter	Description	Example Value
Scan Time	Time point when detections are performed. It can be accurate to the minute.	01:00
Random Deviation Time (Seconds)	Random deviation time of the weak password based on Scan Time. The value range is 0 to 7200s.	3600
Scan Days	Days in a week when weak passwords are scanned. You can select one or more days.	Select all of them.
User-defined Weak Passwords	You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password. Enter only one weak password per line. Up to 300 weak passwords can be added.	test123*
Password Complexity Policy Check	A password complexity policy refers to the password rules and standards set on a server. If you enable Password Complexity Policy Check, HSS will check the password complexity policy when you manually perform a baseline check.

Confirm the information and click OK.
HSS will perform weak password detection on the server based on the configured policies.

Configuring login security check

Click Login Security Check. The Login Security Check dialog box is displayed.

Modify the parameters in the Policy Settings based on the site requirements. For details about the parameters, see Table 2.

Figure 12 Modifying the security check policy

**Table 2** Parameter description
Parameter	Description
Lock Time (min)	This parameter is used to determine how many minutes the IP addresses that send attacks are locked. The value range is 1 to 43200. Login is not allowed in the lockout duration.
Check Whether the Audit Login Is Successful	After this function is enabled, HSS reports login success logs. : enabled : disabled
Block Non-whitelisted Attack IP Address	After this function is enabled, HSS blocks the login of brute force IP addresses (non-whitelisted IP addresses).
Report Alarm on Brute-force Attack from Whitelisted IP Address	After this function is enabled, HSS generates alarms for brute force attacks from whitelisted IP addresses. : enabled : disabled
Whitelist	After an IP address is added to the whitelist, HSS does not block brute force attacks from the IP address in the whitelist. A maximum of 50 IP addresses or network segments can be added to the whitelist. Both IPv4 and IPv6 addresses are supported.

Confirm the information and click OK.
HSS will perform login security detection on the server based on the configured policies.

Previous topic: Installing the HSS Agent Using CBH

Next topic: Using HSS and CBR to Defend Against Ransomware

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot