Compute
Elastic Cloud Server
Huawei Cloud Flexus
Bare Metal Server
Auto Scaling
Image Management Service
Dedicated Host
FunctionGraph
Cloud Phone Host
Huawei Cloud EulerOS
Networking
Virtual Private Cloud
Elastic IP
Elastic Load Balance
NAT Gateway
Direct Connect
Virtual Private Network
VPC Endpoint
Cloud Connect
Enterprise Router
Enterprise Switch
Global Accelerator
Management & Governance
Cloud Eye
Identity and Access Management
Cloud Trace Service
Resource Formation Service
Tag Management Service
Log Tank Service
Config
OneAccess
Resource Access Manager
Simple Message Notification
Application Performance Management
Application Operations Management
Organizations
Optimization Advisor
IAM Identity Center
Cloud Operations Center
Resource Governance Center
Migration
Server Migration Service
Object Storage Migration Service
Cloud Data Migration
Migration Center
Cloud Ecosystem
KooGallery
Partner Center
User Support
My Account
Billing Center
Cost Center
Resource Center
Enterprise Management
Service Tickets
HUAWEI CLOUD (International) FAQs
ICP Filing
Support Plans
My Credentials
Customer Operation Capabilities
Partner Support Plans
Professional Services
Analytics
MapReduce Service
Data Lake Insight
CloudTable Service
Cloud Search Service
Data Lake Visualization
Data Ingestion Service
GaussDB(DWS)
DataArts Studio
Data Lake Factory
DataArts Lake Formation
IoT
IoT Device Access
Others
Product Pricing Details
System Permissions
Console Quick Start
Common FAQs
Instructions for Associating with a HUAWEI CLOUD Partner
Message Center
Security & Compliance
Security Technologies and Applications
Web Application Firewall
Host Security Service
Cloud Firewall
SecMaster
Anti-DDoS Service
Data Encryption Workshop
Database Security Service
Cloud Bastion Host
Data Security Center
Cloud Certificate Manager
Edge Security
Situation Awareness
Managed Threat Detection
Blockchain
Blockchain Service
Web3 Node Engine Service
Media Services
Media Processing Center
Video On Demand
Live
SparkRTC
MetaStudio
Storage
Object Storage Service
Elastic Volume Service
Cloud Backup and Recovery
Storage Disaster Recovery Service
Scalable File Service Turbo
Scalable File Service
Volume Backup Service
Cloud Server Backup Service
Data Express Service
Dedicated Distributed Storage Service
Containers
Cloud Container Engine
Software Repository for Container
Application Service Mesh
Ubiquitous Cloud Native Service
Cloud Container Instance
Databases
Relational Database Service
Document Database Service
Data Admin Service
Data Replication Service
GeminiDB
GaussDB
Distributed Database Middleware
Database and Application Migration UGO
TaurusDB
Middleware
Distributed Cache Service
API Gateway
Distributed Message Service for Kafka
Distributed Message Service for RabbitMQ
Distributed Message Service for RocketMQ
Cloud Service Engine
Multi-Site High Availability Service
EventGrid
Dedicated Cloud
Dedicated Computing Cluster
Business Applications
Workspace
ROMA Connect
Message & SMS
Domain Name Service
Edge Data Center Management
Meeting
AI
Face Recognition Service
Graph Engine Service
Content Moderation
Image Recognition
Optical Character Recognition
ModelArts
ImageSearch
Conversational Bot Service
Speech Interaction Service
Huawei HiLens
Video Intelligent Analysis Service
Developer Tools
SDK Developer Guide
API Request Signing Guide
Terraform
Koo Command Line Interface
Content Delivery & Edge Computing
Content Delivery Network
Intelligent EdgeFabric
CloudPond
Intelligent EdgeCloud
Solutions
SAP Cloud
High Performance Computing
Developer Services
ServiceStage
CodeArts
CodeArts PerfTest
CodeArts Req
CodeArts Pipeline
CodeArts Build
CodeArts Deploy
CodeArts Artifact
CodeArts TestPlan
CodeArts Check
CodeArts Repo
Cloud Application Engine
MacroVerse aPaaS
KooMessage
KooPhone
KooDrive
Help Center/ Host Security Service/ Service Overview/ Constraints and Limitations

Constraints and Limitations

Updated on 2025-01-06 GMT+08:00

Server Protection Restrictions

HSS can protect Huawei Cloud servers, third-party cloud servers, and IDCs. The following types of servers can be protected:

  • Huawei Cloud
    • Huawei Cloud Elastic Cloud Server (ECS)
    • Huawei Cloud Bare Metal Server (BMS)
    • Workspace
  • Third parties
    • Third-party cloud servers
    • On-premises IDCs

Container Protection Restrictions

HSS can protect Huawei Cloud cluster containers, third-party cloud cluster containers, and on-premises IDC cluster containers. For details about the supported container types, see Table 1.

Table 1 Container protection restrictions

Category

Supported Container Type

Constraints and Limitations

Huawei Cloud

  • CCE cluster containers
  • Independent containers
  • Supported container runtime: Docker and Containerd
  • Supported cluster editions: CCE standard and Turbo editions
  • Node resource requirements: at least 50 MiB memory and 200m CPU available
  • Resource usage restriction: When an agent is installed in a cluster, HSS creates an HSS namespace in the cluster.

Third parties

  • Alibaba Cloud cluster containers
  • Tencent Cloud cluster containers
  • Microsoft Cloud cluster containers
  • On-premises cluster containers
  • IDC on-premises cluster containers
  • Independent containers
  • Supported cluster orchestration platforms: Kubernetes 1.19 or later
  • Supported node OS: Linux
  • Node specifications: at least 2 vCPUs, 4 GiB memory, 40 GiB system disk, and 100 GiB data disk
  • Clusters of Galera 3.34, MySQL 5.6.51, or earlier versions cannot be protected.

Protection Quota Limit

A server or container node can be protected by HSS only after a quota is allocated to it. Each server or container needs a quota.

The restrictions on the quotas are as follows:

  • Quotas cannot be used across regions.
    Select a correct region during purchase. For details about how to select a region for different types of servers, see the following table.
    Table 2 Region restrictions on protection quotas

    Category

    Server

    Region

    Huawei Cloud

    • ECS
    • BMS
    • Huawei Cloud Workspace

    Regions where your ECSs/BMSs/Workspaces are deployed

    HSS cannot be used across regions. If the server and your protection quota are in different regions, unsubscribe from the quota and purchase a quota in the region where the server is deployed.

    Third parties

    • Third-party cloud servers
    • On-premises IDCs

    The region of quotas for third-party servers varies depending on the HSS access mode.

    • Internet access: The server can access HSS through the Internet. Currently, only certain regions allow servers to connect to HSS through the Internet. For details, see In What Regions Is HSS Available to Non-Huawei Cloud Servers? Select the region nearest to the region of the servers.
    • Direct Connect proxy access: The server cannot access the Internet and need to access HSS through Direct Connect and a proxy. This mode has no restrictions on regions. Select the region that you want to connect your servers to.
  • A protection quota can be bound to only one server or container node.
  • A maximum of 50,000 protection quotas can be purchased in a region.
  • After a protection quota is purchased, your server or container is not protected yet. You need to go to the HSS console and install an agent for the server or container and enable protection as prompted.

OS Restrictions

Currently, the HSS agent and system vulnerability scan functions are not supported in certain OSs.

For details about the OS restrictions of HSS, see:

NOTE:
  • CentOS 6.x is no longer updated or maintained on the Linux official website, and HSS no longer supports CentOS 6.x or earlier.
  • The meanings of the symbols in the table are as follows:
    • √: supported
    • ×: not supported
Table 3 HSS restrictions on Windows (x86)

OS

Agent

System Vulnerability Scan

Windows 10 (64-bit)

NOTE:

Only Huawei Cloud Workspace can use this OS.

×

Windows 11 (64-bit)

NOTE:

Only Huawei Cloud Workspace can use this OS.

×

Windows Server 2012 R2 Standard 64-bit English (40 GB)

Windows Server 2012 R2 Standard 64-bit Chinese (40 GB)

Windows Server 2012 R2 Datacenter 64-bit English (40 GB)

Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)

Windows Server 2016 Standard 64-bit English (40 GB)

Windows Server 2016 Standard 64-bit Chinese (40 GB)

Windows Server 2016 Datacenter 64-bit English (40 GB)

Windows Server 2016 Datacenter 64-bit Chinese (40 GB)

Windows Server 2019 Datacenter 64-bit English (40 GB)

Windows Server 2019 Datacenter 64-bit Chinese (40 GB)

Windows Server 2022 Datacenter 64-bit English (40 GB)

×

Windows Server 2022 Datacenter 64-bit Chinese (40 GB)

×

Table 4 HSS restrictions on Linux (x86)

OS

Agent

System Vulnerability Scan

CentOS 7.4 (64-bit)

CentOS 7.5 (64-bit)

CentOS 7.6 (64-bit)

CentOS 7.7 (64-bit)

CentOS 7.8 (64-bit)

CentOS 7.9 (64-bit)

CentOS 8.1 (64-bit)

×

CentOS 8.2 (64-bit)

×

CentOS 8 (64-bit)

×

CentOS 9 (64-bit)

×

Debian 9 (64-bit)

Debian 10 (64-bit)

Debian 11.0.0 (64-bit)

Debian 11.1.0 (64-bit)

Debian 12.0.0 (64-bit)

×

EulerOS 2.2 (64-bit)

EulerOS 2.3 (64-bit)

EulerOS 2.5 (64-bit)

EulerOS 2.7 (64-bit)

×

EulerOS 2.9 (64-bit)

EulerOS 2.10 (64-bit)

EulerOS 2.11 (64-bit)

EulerOS 2.12 (64-bit)

Fedora 28 (64-bit)

×

Fedora 31 (64-bit)

×

Fedora 32 (64-bit)

×

Fedora 33 (64-bit)

×

Fedora 34 (64-bit)

×

Ubuntu 16.04 (64-bit)

Ubuntu 18.04 (64-bit)

Ubuntu 20.04 (64-bit)

Ubuntu 22.04 (64-bit)

Ubuntu 24.04 (64-bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

Red Hat 7.4 (64-bit)

×

Red Hat 7.6 (64-bit)

×

Red Hat 8.0 (64-bit)

×

Red Hat 8.7 (64-bit)

×

OpenEuler 20.03 LTS (64-bit)

OpenEuler 20.03 LTS SP4 (64-bit)

×

OpenEuler 22.03 LTS SP3 (64-bit)

×

OpenEuler 22.03 LTS (64-bit)

×

OpenEuler 22.03 LTS SP4 (64-bit)

×

AlmaLinux 8.4 (64-bit)

AlmaLinux 9.0 (64-bit)

×

Rocky Linux 8.4 (64-bit)

×

Rocky Linux 8.5 (64-bit)

×

Rocky Linux 9.0 (64-bit)

×

HCE 1.1 (64-bit)

HCE 2.0 (64-bit)

SUSE 12 SP5 (64-bit)

SUSE 15 (64-bit)

×

SUSE 15 SP1 (64-bit)

SUSE 15 SP2 (64-bit)

SUSE 15 SP3 (64-bit)

×

SUSE 15.5 (64-bit)

×

SUSE 15 SP6 (64-bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

Kylin V10 (64-bit)

Kylin V10 SP3 (64-bit)

×

UnionTech OS 1050u2e

NOTE:

Currently, file escape detection is not supported.

Table 5 HSS restrictions on Linux (Arm)

OS

Agent

System Vulnerability Scan

CentOS 7.4 (64-bit)

CentOS 7.5 (64-bit)

CentOS 7.6 (64-bit)

CentOS 7.7 (64-bit)

CentOS 7.8 (64-bit)

CentOS 7.9 (64-bit)

CentOS 8.0 (64-bit)

×

CentOS 8.1 (64-bit)

×

CentOS 8.2 (64-bit)

×

CentOS 9 (64-bit)

×

EulerOS 2.8 (64-bit)

EulerOS 2.9 (64-bit)

EulerOS 2.10 (64-bit)

EulerOS 2.11 (64-bit)

EulerOS 2.12 (64-bit)

Fedora 29 (64-bit)

×

Ubuntu 18.04 (64-bit)

×

Ubuntu 20.04 (64-bit)

Ubuntu 22.04 (64-bit)

Ubuntu 24.04 (64-bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

Kylin V7 (64-bit)

×

Kylin V10 (64-bit)

Kylin V10 SP3 (64-bit)

×

HCE 2.0 (64-bit)

UnionTech OS V20 (64-bit)

NOTE:

Only UnionTech OS V20 server editions E and D support system vulnerability scan.

UnionTech OS V20 1050e (64-bit)

UnionTech OS V20 1060e (64-bit)

OpenEuler 22.03 LTS (64-bit)

×

Agent Restrictions

  • If third-party security software, such as 360 Total Security, Tencent Manager, and McAfee, is installed on the server, uninstall the software before installing the HSS agent. If the third-party security software is incompatible with the HSS agent, the HSS protection functions will be affected.
  • After the agent is installed on the server or container node, the agent may modify the following system files or configurations:
    • Linux system files:
      • /etc/hosts.deny
      • /etc/hosts.allow
      • /etc/rc.local
      • /etc/ssh/sshd_config
      • /etc/pam.d/sshd
      • /etc/docker/daemon.json
      • /etc/sysctl.conf
      • /sys/fs/cgroup/cpu/ (A subdirectory will be created for the HSS process in this directory.)
      • /sys/kernel/debug/tracing/instances (A CSA instance will be created in this directory.)
    • Linux system configurations: iptables rules
    • Windows system configurations:
      • Firewall rules
      • System login event audit policy and the configuration of login security layer and authentication mode
      • Windows Remote Management trusted server list

Restrictions on Brute-force Attack Defense

Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall while you use HSS.

If the Windows firewall is disabled, HSS cannot block the source IP addresses of brute-force attacks. This problem may persist even if the Windows firewall is enabled after being disabled.

We use cookies to improve our site and your experience. By continuing to browse our site you accept our cookie policy. Find out more

Feedback

Feedback

Feedback

0/500

Selected Content

Submit selected content with the feedback