Updated on 2024-03-26 GMT+08:00

Quickly Enabling WTP

Scenario

HSS provides static and dynamic (Tomcat) Web Tamper Protection (WTP) functions. WTP monitors website directories in real time, backs up files, and restores tampered files. In addition, multiple server security protection functions are provided. For details, see Specifications of Different Editions.

This document uses an ECS running EulerOS 2.9 as an example to describe how to quickly enable WTP.

Prerequisites

  • The ECS is in the Running state and can access the Internet.
  • Ensure that the outbound rule of your security group allows access to port 10180 on the 100.125.0.0/16 network segment. (This is the default setting.)
  • The DNS server address of the cloud server has been set to the private DNS server address. For details, see Changing the DNS Server Address of an ECS and Private DNS Server Addresses.
  • The available capacity of the disk where the agent is installed must be greater than 300 MB. Otherwise, the agent installation may fail.
  • Security-Enhanced Linux (SELinux) has been disabled. SELinux interferes with agent installation and should remain disabled until the agent is installed.
  • If any third-party security software has been installed on your server, the HSS agent may fail to be installed. In this case, disable or uninstall the software before installing the agent.
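As an added example, not Huawei Cloud's own tooling, the following POSIX shell script checks the prerequisites listed above on the target ECS before the agent is installed: free space on the filesystem that will hold the agent (at least 300 MB), the SELinux mode, and the resolver addresses to compare against the private DNS server address for your region. The agent directory /usr/local/hostguard is an assumption; override AGENT_DIR if yours differs.

```shell
#!/bin/sh
# Added example, not Huawei Cloud's own tooling: preflight checks for the HSS agent
# prerequisites. Run as root on the target ECS before pasting the installation command.
# The agent directory is an assumption; override AGENT_DIR if yours differs.
AGENT_DIR="${AGENT_DIR:-/usr/local/hostguard}"
MIN_FREE_MB=300

# Climb to the nearest existing ancestor so df works before the agent directory exists.
nearest_existing() {
  p=$1
  while [ ! -d "$p" ]; do p=$(dirname "$p"); done
  printf '%s\n' "$p"
}

# disk_ok PATH MIN_MB: succeed when the filesystem holding PATH has at least MIN_MB free.
disk_ok() {
  avail=$(df -Pk "$(nearest_existing "$1")" | awk 'NR == 2 { print int($4 / 1024) }')
  [ "$avail" -ge "$2" ]
}

# selinux_mode: prints enforcing, permissive or disabled (disabled when SELinux is absent).
selinux_mode() {
  if command -v getenforce >/dev/null 2>&1; then
    getenforce | tr '[:upper:]' '[:lower:]'
  elif [ -r /sys/fs/selinux/enforce ]; then
    case "$(cat /sys/fs/selinux/enforce)" in 1) echo enforcing ;; *) echo permissive ;; esac
  else
    echo disabled
  fi
}

# nameservers FILE: lists the resolver addresses in a resolv.conf-style file so they can
# be compared with the private DNS server address for your region.
nameservers() {
  awk '$1 == "nameserver" { print $2 }' "$1"
}

# preflight: runs every check and returns 1 if any prerequisite is not met.
preflight() {
  rc=0
  if disk_ok "$AGENT_DIR" "$MIN_FREE_MB"; then echo "disk: ok"
  else echo "disk: less than ${MIN_FREE_MB} MB free for $AGENT_DIR"; rc=1; fi
  mode=$(selinux_mode)
  if [ "$mode" = disabled ]; then echo "selinux: disabled"
  else echo "selinux: $mode (disable it until the agent is installed)"; rc=1; fi
  echo "dns: $(nameservers /etc/resolv.conf 2>/dev/null | tr '\n' ' ')(compare with the private DNS address)"
  return $rc
}
# Run the checks only when invoked as: sh preflight.sh check
case "${1:-}" in check) preflight ;; esac
```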

Constraints

  • 64-bit Huawei Cloud servers and non-Huawei Cloud servers can be protected. 32-bit servers are no longer supported.
  • Mainstream OSs are supported. For details, see Supported OSs.
  • The HSS agent will be automatically installed on Workspace 23.6.0 or later. If your Workspace version is earlier than 23.6.0, you can manually install the agent by referring to this section.

Step 1: Purchase HSS Quota

  1. Log in to the management console.
  2. Click in the upper left corner and select the region and project.
  3. Click in the upper left corner and choose Security & Compliance > Host Security Service. The HSS console is displayed.
  4. In the upper right corner of the Dashboard page, click Buy HSS.
  5. Set the parameters for buying HSS as prompted. For details, see Table 1.

    Table 1 Parameters for purchasing HSS

    Billing Mode: Select Yearly/Monthly.

    Region: Select the region of the server.

    Edition: Select Web Tamper Protection.

    Enterprise Project: This option is only available when you are logged in using an enterprise account, or when you have enabled enterprise projects.
    • You can contact your service manager to enable this function.
    • You can select an enterprise project from the drop-down list.
    NOTE:
    • Resources and incurred expenses are managed under the enterprise project you selected.
    • The value default indicates the default enterprise project. Resources that are not allocated to any enterprise project under your account are listed in the default enterprise project.
    • The default option is available in the Enterprise Project drop-down list only after you have purchased HSS under your Huawei ID.

    Required Duration: Select 1 month and select Auto-renew.
    If you select Auto-renew, the system automatically renews your subscription as long as your account balance is sufficient. The renewal period is the same as the required duration.

    Server Quota: Set the server quota to 1.

    Tag:
    • If no predefined tag is available, click View predefined tags to create one.
    • If you have predefined tags, click the Tag key and Tag value boxes in sequence to select a predefined tag.

    Quota Management: Select Assigning automatically.
    After automatic quota binding is enabled, HSS automatically binds available quotas to new servers or container nodes after the agent is installed for the first time. Only the yearly/monthly quotas that you have purchased can be automatically bound. No new order or fee is generated.
    • Servers: Available yearly/monthly quotas are automatically bound in the following sequence: Premium Edition > Enterprise Edition > Professional Edition > Basic Edition.
    • Container nodes: Available yearly/monthly quotas are automatically bound in the following sequence: Container Edition > Premium Edition > Enterprise Edition > Professional Edition > Basic Edition.

  6. In the lower right corner of the page, click Next.

    For details about pricing, see Product Pricing Details.

  7. After confirming the order, select I have read and agree to the Host Security Service Disclaimer.
  8. Click Pay Now and complete the payment.
  9. Click Back to Host Security Service Console.

Step 2: Install an Agent

  1. Log in to the HSS console. In the navigation pane on the left, choose Installation & Configuration.
  2. On the Agent Management tab, click the value in the Servers Without Agents area to filter the servers on which no agent is installed.
  3. In the Operation column of a server, click Install Agent.

    Figure 1 Installing an agent

  4. In the dialog box, click Copy to copy the command for installing the agent.
  5. Remotely log in to the server where the agent is to be installed.
  6. Run the copied installation command as user root to install the agent on the server.

    If the command output shown in Figure 2 (Installation completed) is displayed, the agent has been installed successfully.

    Figure 2 Installation completed

  7. Run the following command to check the running status of the agent:

    service hostguard status

    If the command output shown in Figure 3 (Agent running properly) is displayed, the agent is running properly.

    Figure 3 Agent running properly

Step 3: Enable Protection

  1. In the navigation pane, choose Prevention > Web Tamper Protection.
  2. On the Servers tab, click Add Server.
  3. On the Add Server page, select the target server and click Add and Enable Protection.

    Figure 4 Adding a protected server

  4. Read the message for adding a protected directory and click .
  5. Locate the row containing the target server and click Configure Protection in the Operation column.
  6. Add a protected directory.

    1. In the Protected Directory Settings area, click Settings.
    2. In the Protected Directory Settings dialog box, click Add Protected Directory.
      Figure 5 Adding a protected directory
    3. Add protected directories based on service requirements. For details about the parameters, see Table 2.
      Table 2 Parameters for adding a protected directory

      Protected Directory: Add the directories to be protected.
      • Do not add an OS directory as a protected directory.
      • After a directory is added, the files and folders in it are read-only and cannot be modified directly.
      Example value: /etc/lesuo

      Excluded Subdirectory: Subdirectories in the protected directory that do not need to be protected, such as temporary file directories.
      Separate subdirectories with semicolons (;). A maximum of 10 subdirectories can be added.
      Example value: lesuo/test

      Excluded File Types: Types of files in the protected directory that do not need to be protected, such as log files.
      To keep recording the running status of the server in real time, exclude the log files in the protected directory. Set strict read and write permissions on the log files so that attackers cannot view or tamper with them.
      Separate file types with semicolons (;).
      Example value: log;pid;text

      Local Backup Path: Set this parameter if your server runs Linux.
      Set a local backup path for the files in protected directories. After WTP is enabled, files in the protected directory are automatically backed up to the local backup path.
      The backup rules are as follows:
      • The local backup path must be valid and cannot overlap with the protected directory path.
      • Excluded subdirectories and excluded file types are not backed up.
      • Generally, the backup completes within 10 minutes. The actual duration depends on the size of the files in the protected directory.
      • If WTP detects that a file in a protected directory has been tampered with, it immediately restores the file from the backup on the local server.
      Example value: /etc/backup

      Excluded File Path: Files in the protected directory that do not need to be protected.
      Separate multiple paths with semicolons (;). A maximum of 50 paths can be added. The maximum length of a path is 256 characters. A path cannot start with a space or end with a slash (/).
      Example value: lesuo/data;lesuo/list

    4. Click OK.
    5. In the protected directory list, if Protection Status is Protected, the directory is added successfully.

  7. (Optional) Enable remote backup.

    Only Linux servers support the remote backup function. Skip this item for Windows servers.
    1. In the Protected Directory Settings dialog box, click Manage Remote Backup Servers.
      Figure 6 Managing remote backup servers
    2. Click Add Backup Server.
    3. Enter the information and click OK. For details about the parameters, see Table 3.
      Table 3 Backup server parameters

      Server Name: Name of the remote backup server.
      Example value: test

      Address: Enter the private IP address of the Huawei Cloud server.
      Example value: 192.168.1.1

      Port: Enter the server port number. Ensure that the port is not blocked by any security group or firewall and is not already in use.
      Example value: 8080

      Backup Path: Enter a backup path. The content of the protected directory will be backed up to this path.
      • If the protected directories of multiple servers are backed up to the same remote backup server, the data is stored in separate folders named after the agent IDs.
        Assume the protected directories of the two servers are /hss01 and /hss02, the agent IDs of the two servers are f1fdbabc-6cdc-43af-acab-e4e6f086625f and f2ddbabc-6cdc-43af-abcd-e4e6f086626f, and the remote backup path is /hss01.
        The corresponding backup paths are /hss01/f1fdbabc-6cdc-43af-acab-e4e6f086625f and /hss01/f2ddbabc-6cdc-43af-abcd-e4e6f086626f.
      • If WTP is enabled for the remote backup server, do not set the remote backup path to any directory protected by WTP. Otherwise, remote backup will fail.
      Example value: /f1fdbabc-6cdc-43af-acab-e4e6f086625f

    4. In the Protected Directory Settings area, click Settings.
    5. In the Protected Directory Settings dialog box, click Enable Remote Backup.
    6. Select the added remote backup server and click OK.
    7. If Enabled is displayed, remote backup is started.

  8. (Optional) Enable dynamic WTP.

    Runtime application self-protection (RASP) is provided for Tomcat applications running on JDK 8 on a Linux server. If you do not need RASP for the Tomcat application, or the server runs Windows, skip this item.
    1. In the Dynamic WTP area, click .
      Figure 7 Enable dynamic WTP
    2. In the dialog box that is displayed, enter the Tomcat bin directory and click OK.
    3. If is displayed, dynamic WTP is enabled.
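The constraints in Table 2 of Step 3 (no OS directory as a protected directory, a local backup path that does not overlap the protected directory, at most 10 excluded subdirectories, and at most 50 excluded file paths of at most 256 characters that neither start with a space nor end with a slash) can be checked before you enter the values in the console. The following POSIX shell script is an added example, not part of HSS; the list of OS directories it rejects is an assumption, since the table does not enumerate them.

```shell
#!/bin/sh
# Added example, not part of HSS: validate a WTP protected-directory configuration against
# the rules in Table 2. Each check prints the first violation found and returns 1.

# Table 2 only says "do not add an OS directory"; this exact-match list of top-level
# directories is an assumption, so extend it to match your own baseline.
is_os_dir() {
  case "${1%/}" in
    ""|/bin|/boot|/dev|/etc|/lib|/lib64|/proc|/root|/sbin|/sys|/usr|/var) return 0 ;;
  esac
  return 1
}

# The local backup path must not overlap the protected directory: reject equal paths and
# any ancestor/descendant pair (a trailing slash is stripped before comparing).
paths_overlap() {
  a=${1%/}; b=${2%/}
  [ "$a" = "$b" ] && return 0
  case "$b/" in "$a"/*) return 0 ;; esac
  case "$a/" in "$b"/*) return 0 ;; esac
  return 1
}

# check_path_list LIST MAX STRICT: LIST is semicolon separated with at most MAX entries.
# With STRICT=1 (Excluded File Path) an entry must also be at most 256 characters long,
# must not start with a space and must not end with a slash.
check_path_list() {
  list=$1; max=$2; strict=$3; n=0
  old_ifs=$IFS; IFS=';'; set -f; set -- $list; set +f; IFS=$old_ifs
  for p in "$@"; do
    n=$((n + 1))
    [ "$strict" = 1 ] || continue
    [ ${#p} -le 256 ] || { echo "entry longer than 256 characters"; return 1; }
    case "$p" in ' '*) echo "entry starts with a space: '$p'"; return 1 ;; esac
    case "$p" in */) echo "entry ends with a slash: $p"; return 1 ;; esac
  done
  [ "$n" -le "$max" ] || { echo "too many entries: $n (maximum $max)"; return 1; }
  return 0
}

# validate_wtp_config PROTECTED_DIR LOCAL_BACKUP_PATH EXCLUDED_SUBDIRS EXCLUDED_FILE_PATHS
validate_wtp_config() {
  is_os_dir "$1" && { echo "protected directory is an OS directory: $1"; return 1; }
  paths_overlap "$1" "$2" && { echo "backup path $2 overlaps protected directory $1"; return 1; }
  check_path_list "$3" 10 0 || return 1
  check_path_list "$4" 50 1 || return 1
  echo "configuration OK: $1 backed up to $2"
}
# Constructed input: the example values from Table 2.
validate_wtp_config /etc/lesuo /etc/backup 'lesuo/test' 'lesuo/data;lesuo/list'
```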