Quickly Enabling WTP
Scenario
HSS provides static and dynamic (Tomcat) Web Tamper Protection (WTP) functions. WTP monitors website directories in real time, backs up files, and restores tampered files. In addition, multiple server security protection functions are provided. For details, see Specifications of Different Editions.
This document uses an ECS running EulerOS 2.9 as an example to describe how to quickly protect WTP.
Prerequisites
- The ECS is in the Running state and can access the Internet.
- Ensure the outbound rule of your security group allows access to the port 10180 on the 100.125.0.0/16 network segment. (This is the default setting.)
- The DNS server address of the cloud server has been set to the private DNS server address. For details, see Changing the DNS Server Address of an ECS and Private DNS Server Addresses.
- The available capacity of the disk where the agent is installed must be greater than 300 MB. Otherwise, the agent installation may fail.
- The Security-Enhanced Linux (SELinux) firewall has been disabled. The firewall affects agent installation and should remain disabled until the agent is installed.
- If any third-party security software has been installed on your server, the HSS agent may fail to be installed. In this case, disable or uninstall the software before installing the agent.
Constraints
- 64-bit Huawei Cloud servers and non-Huawei Cloud servers can be protected. 32-bit servers are no longer supported.
- Mainstream OSs are supported. For details, see Supported OSs.
- The HSS agent will be automatically installed on Workspace 23.6.0 or later. If your Workspace version is earlier than 23.6.0, you can manually install the agent by referring to this section.
Step 1: Purchase HSS Quota
- Log in to the management console.
- Click in the upper left corner and select the region and project.
- Click in the upper left corner and choose Security & Compliance > Host Security Service. The HSS console is displayed.
- In the upper right corner of the Dashboard page, click Buy HSS.
- Set the parameters for buying HSS as prompted. For details, see Table 1.
Table 1 Parameters for purchasing HSS Parameter
Description
Billing Mode
Select Yearly/Monthly.
Region
Select the region of server.
Edition
Select Web Tamper Protection.
Enterprise Project
This option is only available when you are logged in using an enterprise account, or when you have enabled enterprise projects.
- You can contact your service manager to enable this function
- You can select an enterprise project from the drop-down list.
NOTE:- Resources and incurred expenses are managed under the enterprise project you selected.
- Value default indicates the default enterprise project. Resources that are not allocated to any enterprise projects under your account are listed in the default enterprise project.
- The default option is available in the Enterprise Project drop-down list only after you purchased HSS under your Huawei ID.
Required Duration
Select 1 month and select Auto-renew.
If you select Auto-renew, the system will automatically renew your subscription as long as your account balance is sufficient. The renewal period is the same as the required duration.
Server Quota
Set the Server Quota to 1.
Tag
- If no predefined tag is available, click View predefined tags to create a predefined tag.
- If you have predefined tags, click the Tag key and Tag value boxes in sequence to select a predefined tag.
Quota Management
Select Assigning automatically.
After automatic quota binding is enabled, HSS automatically binds available quotas to new servers or container nodes after the agent is installed for the first time. Only the yearly/monthly quotas that you have purchased can be automatically bound. No new order or fee is generated.
- Servers: Available yearly/monthly quotas are automatically bound in the following sequence: Premium Edition > Enterprise Edition > Professional Edition > Basic Edition.
- Container nodes: Available yearly/monthly quotas are automatically bound in the following sequence: Container Edition > Premium Edition > Enterprise Edition > Professional Edition > Basic Edition.
- In the lower right corner of the page, click Next.
For details about pricing, see Product Pricing Details.
- After confirming that the order, select I have read and agree to the Host Security Service Disclaimer.
- Click Pay Now and complete the payment.
- Click Back to Host Security Service Console.
Step 2: Install an Agent
- Log in to the HSS console, in the navigation pane on the left, choose Installation & Configuration.
- On the agent management tab, Click the value of Servers Without Agents area to filter the servers that have not installed agents.
- In the Operation column of a server, click Install Agent.
Figure 1 Installing an agent
- In the dialog box, click Copy to copy the command for installing the agent.
- Remotely log in to the server where the agent is to be installed.
- Run the copied installation command as user root to install the agent on the server.
If the command output shown in Installation completed is displayed, the agent is successfully installed.
- Run the following command to check the runtime status of agent:
service hostguard status
If the command output shown in Agent running properly is displayed, the agent is running properly.
Step 3: Enable Protection
- In the navigation pane, choose Prevention > Web Tamper Protection.
- On the Servers tab, click Add Server.
- On the Add Server page, select the target server and click Add and Enable Protection.
Figure 4 Adding a protected server
- Read the message for adding a protected directory and click .
- Locate the row containing the target server and click Configure Protection in the Operation column.
- Add a protected directory.
- In the Protected Directory Settings area, click Settings.
- In the Protected Directory Settings dialog box, click Add Protected Directory.
Figure 5 Adding a protected directory
- Add protected directories based on service requirements. For details about the parameters, see Table 2.
Table 2 Parameters for adding a protected directory Parameter
Description
Example Value
Protected Directory
Add directories to be protected.
- Do not add an OS directory as a protected directory.
- After a directory is added, the files and folders in the protected directory are read-only and cannot be modified directly.
/etc/lesuo
Excluded Subdirectory
Subdirectories that do not need to be protected in the protected directory, such as temporary file directories.
Separate subdirectories with semicolons (;). A maximum of 10 subdirectories can be added.
lesuo/test
Excluded File Types
Types of files that do not need to be protected in the protected directory, such as log files.
To record the running status of the server in real time, exclude the log files in the protected directory. You can grant high read and write permissions for log files to prevent attackers from viewing or tampering with the log files.
Separate file types with semicolons (;).
log;pid;text
Local Backup Path
Set this parameter if your server runs the Linux OS.
Set a local backup path for files in protected directories. After WTP is enabled, files in the protected directory are automatically backed up to the local backup path.
The backup rules are described as follows:
- The local backup path must be valid and cannot overlap with the protected directory path.
- Excluded subdirectories and types of files are not backed up.
- Generally, the backup completes within 10 minutes. The actual duration depends on the size of files in the protected directory.
- If WTP detects that a file in a protected directory is tampered with, it immediately uses the backup file on the local server to restore the file.
/etc/backup
Excluded File Path
Exclude files that do not need to be protected from the protected directory.
Separate multiple paths with semicolons (;). A maximum of 50 paths can be added. The maximum length of a path is 256 characters. A single path cannot start with a space or end with a slash (/).
lesuo/data;lesuo/list
- Click OK.
- In the protected directory list, if Protection Status is Protected, the directory is added successfully.
- (Optional) Enable remote backup.
Only Linux servers support the remote backup function. Skip this item for Windows servers.
- In the Protected Directory Settings dialog box, click Manage Remote Backup Servers.
Figure 6 Managing remote backup servers
- Click Add Backup Server.
- Enter the information and click OK. For details about the parameters, see Table 3.
- In the Protected Directory Settings area, click Settings.
- In the Protected Directory Settings dialog box, click Enable Remote Backup.
- Select the added remote backup server and click OK.
- If Enabled is displayed, remote backup is started.
- In the Protected Directory Settings dialog box, click Manage Remote Backup Servers.
- (Optional) Enable dynamic WTP.
Runtime application self-protection (RASP) is provided for Tomcat applications of JDK 8 on a Linux server. If you do not require RASP of the Tomcat application or the server runs the Windows OS, skip this item.
- In the Dynamic WTP area, click .
Figure 7 Enable dynamic WTP
- In the dialog box that is displayed, enter the Tomcat bin directory and click OK.
- If is displayed, dynamic WTP is enabled.
- In the Dynamic WTP area, click .
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot