Constraints and Limitations

Server Protection Restrictions

HSS can protect Huawei Cloud servers, third-party cloud servers, and IDCs. The following types of servers can be protected:

• Huawei Cloud
  • ECS
  • BMS
  • Workspace
• Third parties
  • Third-party cloud servers
  • On-premises IDCs

Container Protection Restrictions

Protection Quota Limit

A server or container node can be protected by HSS only after a quota is allocated to it. Each server or container needs a quota.

The restrictions on the quotas are as follows:

• Quotas cannot be used across regions.
  Select a correct region during purchase. For details about how to select a region for different types of servers, see the following table.

  Table 2 Region restrictions on protection quotas

  Category	Server	Region
  Huawei Cloud	ECS BMS Huawei Cloud Workspace	Regions where your ECSs/BMSs/Workspacesare deployed HSS cannot be used across regions. If the server and your protection quota are in different regions, unsubscribe from the quota and purchase a quota in the region where the server is deployed.
  Third parties	Third-party cloud servers On-premises IDCs	The region of quotas for third-party servers varies depending on the HSS access mode. Internet access: The server can access HSS through the Internet. In this case, select the region where the server resides. Direct Connect proxy access: The server cannot access the Internet and need to access HSS through Direct Connect and a proxy. Currently, third-party servers can be connected to HSS through the Direct Connect proxy only in certain regions. For details, see In What Regions Is HSS Available to Non-Huawei Cloud Servers? Purchase HSS in a region where third-party servers can be connected to HSS through a Direct Connect proxy, and then install the HSS agent on the third-party servers.

• A protection quota can be bound to only one server or container node.
• A maximum of 50,000 protection quotas can be purchased in a region.
• After a protection quota is purchased, your server or container is not protected yet. You need to go to the HSS console and install an agent for the server or container and enable protection as prompted.

OS Restrictions

Currently, the HSS agent and system vulnerability scan functions are not supported in certain OSs.

For details about the OS restrictions of HSS, see:

• HSS restrictions on Windows (x86)
• HSS restrictions on Linux (x86)
• HSS restrictions on Linux (Arm)

• CentOS 6.x is no longer updated or maintained on the Linux official website, and HSS no longer supports CentOS 6.x or earlier.
• The meanings of the symbols in the table are as follows:
  • √: supported
  • ×: not supported

Agent Restrictions

• If third-party security software, such as 360 Total Security, Tencent Manager, and McAfee, is installed on the server, uninstall the software before installing the HSS agent. If the third-party security software is incompatible with the HSS agent, the HSS protection functions will be affected.
• After the agent is installed on the server or container node, the agent may modify the following system files or configurations:
  • Linux system files:
    • /etc/hosts.deny
    • /etc/hosts.allow
    • /etc/rc.local
    • /etc/ssh/sshd_config
    • /etc/pam.d/sshd
    • /etc/docker/daemon.json
    • /etc/sysctl.conf
    • /sys/fs/cgroup/cpu/ (A subdirectory will be created for the HSS process in this directory.)
    • /sys/kernel/debug/tracing/instances (A CSA instance will be created in this directory.)
  • Linux system configurations: iptables rules
  • Windows system configurations:
    • Firewall rules
    • System login event audit policy
    • Windows Remote Management trusted server list

Restrictions on Brute-force Attack Defense

Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall while you use HSS.

If the Windows firewall is disabled, HSS cannot block the source IP addresses of brute-force attacks. This problem may persist even if the Windows firewall is enabled after being disabled.