Using HSS to Improve Server Login Security

Scenario

Account and password cracking are the most commonly used ways for attackers to intrude or attack servers. Enhancing login security is the first step to protect server security and ensure that services can run properly.

This section describes how to use HSS to improve server login security.

Solution Architecture and Advantages

You can configure common login locations, common login IP addresses, SSH login IP address whitelist, two-factor authentication, weak password check, and login security check to protect login security.

Figure 1 Security hardening for server logins

• Common login location

  After you configure common login IP addresses, HSS will generate alarms on the logins from other login IP addresses.

• Common login IP address

  After you configure common login IP addresses, HSS will generate alarms on the logins from other login IP addresses.

• SSH login IP address whitelist

  The SSH login whitelist controls SSH access to servers, preventing account cracking.

• Two-factor authentication (2FA)

  2FA requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes.

• Weak password detection

  Weak passwords are not attributed to a certain type of vulnerabilities, but they bring no less security risks than any type of vulnerabilities. Data and programs will become insecure if their passwords are cracked.

  HSS proactively detects the accounts using weak passwords and generates alarms for the accounts. You can also add a password that may have been leaked to the weak password list to prevent server accounts from using the password.

• Login security check

  After login security detection policy is configured, you can enable login security check for the target server. HSS will effectively detect brute force attacks, automatically block brute force IP addresses, and trigger and report alarms.

Prerequisites

HSS Professional, Enterprise, Premium, Web Tamper Protection, or Container Edition has been enabled for the server. For details, see HSS Protection Guide.

Limitations and Constraints

• If 2FA is enabled, it can be used only in following scenarios:
  • Linux: The SSH password is used to log in to an ECS, and the OpenSSH version is earlier than 8.
  • Windows: The RDP file is used to log in to a Windows ECS.
• When two-factor authentication is enabled for Windows servers, the User must change password at next logon function is not allowed. To use this function, disable two-factor authentication.
• On a Windows server, 2FA may conflict with G01 and 360 Guard (server edition). You are advised to stop them.

Process

1. Log in to the management console.
2. Click in the upper left corner and select the region and project.
3. Click in the upper left corner and choose Security & Compliance > Host Security Service. The HSS console is displayed.
4. Configuring common login locations

   An account can add up to 10 common login locations.

   1. In the navigation pane, choose Installation & Configuration > Server Install & Config.
   2. Choose Security Configuration > Common Login Location tab. The Common Login Location page is displayed.
   3. Choose Add Common Login Location.
      Figure 2 Adding a common login location
      
   4. In the dialog box, select the common login location to be added and the server where the common login location takes effect. After confirming that the information is correct, click OK.

      You can select multiple servers where the common login location takes effect.

   5. Return to the Common Login Locations sub-tab and check the added common login locations.

5. Configuring common login IP addresses
   An account can add up to 20 common login IP addresses.

   1. Choose Security Configuration > Common Login IP Addresses tab. The Common Login IP Addresses page is displayed.
   2. Choose Add Common Login IP Addresses.
      Figure 3 Adding a common login IP address
      
   3. In the dialog box that is displayed, enter a common login IP address and select servers. Confirm the information and click OK.
      

      • The common login IP address must be a public IP address or an IP address segment.
      • You can select multiple servers.
      • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.

   4. Return to the Common Login IP Addresses sub-tab and check the added common login IP addresses.

6. Configuring an SSH login IP address whitelist
   

   • An account can have up to 10 SSH login IP addresses in the whitelist.
   • The SSH IP address whitelist does not take effect for servers running Kunpeng EulerOS (EulerOS with Arm).
   • After you configure an SSH login IP address whitelist, SSH logins will be allowed only from whitelisted IP addresses.
     • Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH.

       If your service needs to access a server, but not necessarily via SSH, you do not need to add its IP address to the whitelist.

     • Exercise caution when adding an IP address to the whitelist. This will make HSS no longer restrict access from this IP address to your servers.
   1. Choose Security Configuration > SSH IP Whitelist. The SSH IP Whitelist page is displayed.
   2. Click Add IP Address. The Add IP Address dialog box is displayed.
      Figure 4 Configuring an IP address whitelist
      
   3. In the dialog box that is displayed, enter an IP address to be added to the whitelist and select servers. Confirm the information and click OK.
      

      • The common login IP address must be a public IP address or an IP address segment.
      • You can select multiple servers.
      • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.
   4. The SSH IP Whitelist sub-tab and check the added IP whitelist.

7. Configuring 2FA
   1. Choose Two-Factor Authentication tab. The Two-Factor Authentication page is displayed.
   2. Click Enable 2FA in the Operation column of the target server. The Enable 2FA dialog box is displayed.

      Select multiple target servers and click Enable 2FA to enable two-factor authentication for multiple servers in batches.

   3. In the dialog box, select the authentication mode.
      • SMS/Email

        You need to select an SMN topic for SMS and email verification.

        • The drop-down list displays only notification topics that have been confirmed.
        • If there is no topic, click View to create one. For details, see Creating a Topic.
        • During authentication, all the mobile numbers and email addresses specified in the topic will receive a verification SMS or email. You can delete mobile numbers and email addresses that do not need to receive verification messages.
        Figure 5 SMS/Email verification
        
      • Verification code
        Use the verification code you receive in real time for verification.

        Figure 6 Verification code
        
   4. Click OK.
   5. Return to the Two-Factor Authentication tab. Check whether the 2FA Status of the target server changes to Enabled.
      It takes about 5 minutes for the two-factor authentication function to take effect.

      

      When you log in to a remote Windows server from another Windows server where 2FA is enabled, you need to manually add credentials on the latter. Otherwise, the login will fail.

      To add credentials, choose Start > Control Panel, and click User Accounts. Click Manage your credentials and then click Add a Windows credential. Add the username and password of the remote server that you want to access.

8. Configuring weak password detection
   1. In the navigation pane, choose Security Operations > Policies.
   2. Click the name of the target policy group. The policy list page is displayed.
      You can determine the OS and protection version supported by the target policy based on its default policy group description and supported version.

      

      If you need to create a policy group, perform this step after Creating a Policy Group.

   3. Click the Weak Password Detection. The Weak Password Detection dialog box is displayed.
   4. Modify the parameters in the Policy Settings based on the site requirements. For details about the parameters, see Table 1.

      Table 1 Parameter description

      Parameter	Description	Example Value
      Scan Time	Time point when detections are performed. It can be accurate to the minute.	01:00
      Random Deviation Time (Seconds)	Random deviation time of the weak password based on Scan Time. The value range is 0 to 7200s.	3600
      Scan Days	Days in a week when weak passwords are scanned. You can select one or more days.	Select all of them.
      User-defined Weak Passwords	You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password. Enter only one weak password per line. Up to 300 weak passwords can be added.	test123*

   5. Confirm the information and click OK.

      HSS will perform weak password detection on the server based on the configured policies.

9. Configuring login security check
   1. Click Login Security Check. The Login Security Check dialog box is displayed.
   2. Modify the parameters in the Policy Settings based on the site requirements. For details about the parameters, see Table 2.
      Figure 7 Modifying the security check policy
      

      Table 2 Parameter description

      Parameter	Description	Example Value
      Lock Time (min)	This parameter is used to determine how many minutes the IP addresses that send attacks are locked. The value range is 1 to 43200. Login is not allowed in the lockout duration.	720
      Check Whether the Audit Login Is Successful	After this function is enabled, HSS reports login success logs. : The function is enabled. : disabled.
      Block Non-whitelisted Attack IP Address	After this function is enabled, HSS blocks the login of brute force IP addresses (non-whitelisted IP addresses).
      Report Alarm on Brute-force Attack from Whitelisted IP Address	After this function is enabled, HSS generates alarms for brute force attacks from whitelisted IP addresses. : enabled : disabled
      Whitelist	After an IP address is added to the whitelist, HSS does not block brute force attacks from the IP address in the whitelist. A maximum of 50 IP addresses or network segments can be added to the whitelist. Both IPv4 and IPv6 addresses are supported.	192.78.10.3

   3. Confirm the information and click OK.

      HSS will perform login security detection on the server based on the configured policies.