Help Center> Host Security Service (Old)> User Guide> Enabling HSS> Step 4: Enable Server Protection> Enabling the Basic/Enterprise/Premium Edition

Updated on 2022-09-08 GMT+08:00

View PDF

Enabling the Basic/Enterprise/Premium Edition

Before enabling HSS, you need to allocate a quota to a specified server. If the service is disabled or the server is deleted, the quota can be allocated to other servers.

For the WTP edition, choose Web Tamper Protection > Server Protection and then enable it. For details, see Enabling the WTP Edition.

The basic edition can protect any number of servers, but only part of the security scan capabilities are available. This edition does not provide protection capabilities, nor does it provide support for DJCP MLPS certification.
To protect your ECSs or pass the DJCP MLPS certification, purchase the enterprise edition or a higher edition (premium edition or Web Tamper Protection edition).

The WTP edition can be enabled only on the Server Protection page of the WTP console. All the functions of the premium edition are included with the WTP edition.

Check Mode

The HSS system detects all data at 00:00 every day.

If you enable server protection before the detection interval, you can view detection results only after the detection is performed at 00:00 of the next day or you perform a manual detection immediately.

Prerequisites

In the server list on the Servers page of the HSS console, the Agent Status of the target server is Online.
You have purchased required edition quotas in your region.
To better protect your containers, you are advised to set security configurations.

Restrictions

Linux OS
On servers running the EulerOS with ARM, HSS does not block the IP addresses suspected of SSH brute-force attacks, but only generates alarms.
Windows OS
- Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall during the HSS in-service period. If the Windows firewall is disabled, HSS cannot block brute-force attack IP addresses.
- If the Windows firewall is manually enabled, HSS may also fail to block brute-force attack IP addresses.

Enabling Protection

Log in to the management console.
In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
In the navigation tree on the left, choose Servers.

Figure 1 Server list
The server list displays the protection status of only the following servers:
- HUAWEI CLOUD servers purchased in the selected region
- Non-HUAWEI CLOUD servers that have been added to the selected region
Select the target server and click Enable.
You can buy HSS in pay-per-use or yearly/monthly mode.
- Yearly/Monthly
  In the displayed dialog box, select an edition, select the yearly/monthly mode, and allocate the HSS quota. Select I have read and agree to the Host Security Service Disclaimer.
  Figure 2 Enabling yearly/monthly HSS
  The quotas can be allocated in the following ways:
  - Select Select a quota randomly. to let the system allocate the quota with the longest remaining validity to the server.
  - Select a quota to allocate.
  - Enable protection for servers in batches. The system will automatically allocate quota to them.
- Pay-per-use
  In the displayed dialog box, select the pay-per-use mode and the edition. Select I have read and agree to the Host Security Service Disclaimer.
  
  Figure 3 Enabling pay-per-use HSS
  
  Only the basic and enterprise editions support the pay-per-use mode. The basic edition can be used free of charge for 30 days. The yearly/monthly mode of the basic edition can be used only after purchase. For more information, see Purchase HSS Quota.
Click OK. View the server protection status in the server list.
If the Protection Status of the target server is Enabled, the basic, enterprise, or premium edition has been enabled.
- Alternatively, on the Quotas tab of the Servers page, click Bind Server in the Operation column to bind a quota to a server. HSS will automatically enable protection for the server.
- A quota can be bound to a server to protect it, on condition that the agent on the server is online.
After HSS is enabled, it will scan your servers for security issues. Check items vary according to the edition you enabled. Figure 4 illustrates more details.

For details about the differences between editions, see Editions.

Figure 4 Automatic security check items

Viewing Detection Details

After server protection is enabled, HSS will immediately perform comprehensive detection on the server. The detection may take a long time, which needs your patience.

In the Operation column on the Servers tab, choose More > View Scan Results to view the detection result of a specified server.

Figure 5 Viewing details
Click to enlarge

The details page shows detection results and detected risks.

Figure 6 Viewing the detection result
Click to enlarge

Follow-up Operation

You can manually configure check items, as shown in Figure 7. Configurable items vary according to the edition you enabled.

For details about the differences between editions, see Editions.

Figure 7 Manual check items
Click to enlarge

**Table 1** Manual check items
Function	Check Item	Reference
Security configuration	Common login location/IP address SSH login IP address whitelist Isolating and killing malicious programs	Security Configuration
Intrusion detection	Alarm whitelist Login whitelist	Intrusion Detection
Advanced protection	Application recognition service (ARS) File integrity monitoring (FIM) Ransomware prevention	Advanced Protection
Security operations	Security report Custom policy management	Security Operations

Follow-Up Procedure

Disabling HSS

On the Server tab of the Servers page, click Disable in the Operation column of a server.

If HSS is disabled, HSS quota status will change from occupied to idle. You can allocate the idle quotas to other servers or unsubscribe the unnecessary quotas to prevent quota waste.

Before disabling protection, perform a comprehensive detection on the server, handle known risks, and record operation information to prevent O&M errors and attacks on the server.
After protection is disabled, clear important data on the server, stop important applications on the server, and disconnect the server from the external network to avoid unnecessary loss caused by attacks.

Unbinding quota

Choose Servers and click the Quotas tab. Locate a quota and choose More > Unbind Quota in the Operation column. If a quota is unbound, its status will change from In use to Idle, and it will no longer protect the servers bound to it.

You can allocate the idle quotas to other servers or unsubscribe the unnecessary quotas to prevent quota waste.

If you unsubscribe from a cloud server protected by HSS, the server will not be automatically unbound from the HSS quota immediately. You can manually unbind it. The server will be automatically unbound from the HSS quota 30 days after the Agent goes offline.

Parent topic: Step 4: Enable Server Protection

Previous topic: Step 4: Enable Server Protection

Next topic: Enabling the WTP Edition

Feedback

Was this page helpful?

Helpful Not helpful

Provide feedback

Thank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.

The system is busy. Please try again later.

Which of the following issues have you encountered?

Content is inconsistent with the product UI

Unclear descriptions

Lack of examples or code

Incorrect steps

Can't find what I need

Lack of best practices

Feedback (optional)

0/500

Select at least one type of issue, and enter your comments or suggestions.

Enter a maximum of 500 characters.

Submit Cancel

For any further questions, feel free to contact us through the chatbot.

Chatbot