Updated on 2023-02-16 GMT+08:00

Enabling the Basic/Enterprise/Premium Edition

After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks facing your servers and web pages. Without this function, you have to log in to the management console to view alarms.

If you do not set alarm notifications, the system will pop up a dialog box to remind you.

To hide this dialog box, click Set Now or select Do not show again and click Ignore.
  • Alarm notification settings are effective only for the current region. To receive notifications from another region, switch to that region and configure alarm notification.
  • Alarm notifications may be mistakenly intercepted. If you do not receive any alarm notifications, view them in the message interception area.
  • The Simple Message Notification (SMN) service is a paid service. For details about the price, see Product Pricing Details.

Why Do I Need Alarm Notifications?

After the alarm notification function is enabled, HSS sends alarm information via SMS messages to your mobile devices immediately when alarms (on suspicious accounts, unknown ports, vulnerabilities, brute-force attacks, viruses, malicious programs, abnormal shells, web page tampering, ransomware, and so on) are reported. In this way, you can check alarms anytime and anywhere and take measures, for example, enhance security, fix vulnerabilities, and manually scan for and kill viruses.

Prerequisites

Before you configure alarm notifications:
  • If you select Use Message Center settings, to set recipients, go to the Message Center and choose Message Receiving Management > SMS & Email Settings. In the Security area, click Modify in the row where Security event resides.
  • If you select Use SMN topic settings, you are advised to create a message topic in the SMN service as an administrator. For details, see Publishing a Message.

You can use Message Center settings or SMN topic settings for alarm notifications.

If you use Message Center settings, alarm notifications will be sent to the recipients specified in the Security events message type.

If you use SMN topic settings, you can create a topic and specify recipients for HSS.

Enabling Alarm Notification for the Basic, Enterprise, or Premium Edition

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, open the service list, and choose Security & Compliance > Host Security Service.
  3. On the displayed page, click the Alarm Notifications tab.

    Figure 1 Basic/Enterprise/Premium edition

  4. Select the notification items for Daily Alarm Notifications and Real-Time Alarm Notifications as desired. For more information, see Alarm Notifications.

    Table 1 Notification types

    Daily alarm notification
      Description: The HSS system scans the accounts, web directories, vulnerabilities, malicious programs, and key configurations in the server system at 00:00 every day, and sends the summarized detection results to the recipients you set in the Message Center or SMN, whichever you enabled.
      Suggestion on selecting this notification item:
      • It is recommended that you receive and periodically check all the content in the daily alarm notification to eliminate risks in a timely manner.
      • Daily alarm notifications contain many check items. If you want to send the notifications to recipients set in an SMN topic, you are advised to set the topic protocol to Email.

    Real-time alarm notification
      Description: When an attacker intrudes into a server, HSS sends alarms to the recipients you set in the Message Center or SMN, depending on which one you chose.
      Suggestion on selecting this notification item:
      • It is recommended that you receive all the content in the real-time alarm notification and view it in time. The HSS system monitors the security of servers in real time, detects the attacker's intrusion, and sends real-time alarm notifications for you to quickly handle the problem.
      • Real-time alarm notifications are about urgent issues. If you want to send the notifications to recipients set in an SMN topic, you are advised to set the topic protocol to SMS.

  5. Select Use Message Center settings or Use SMN topic settings.

    • Message Center settings

      Go to the Message Center and choose Message Receiving Management > SMS & Email Settings. In the Security area, click Modify in the row where Security event resides.

      Figure 2 Adding or modifying recipients
    • SMN topic settings

      Select an available topic from the drop-down list or click View Topics and create a topic.

      To create a topic, that is, to configure a mobile phone number or email address for receiving alarm notifications, perform the following steps:
      1. Follow the instructions described in Creating a Topic to create a topic.
      2. Configure the mobile phone number or email address for receiving alarm notifications, that is, add one or more subscriptions for the created topic. For details, see Adding a Subscription.
      3. Confirm the subscription. After the subscription is added, confirm the subscription as prompted by the received SMS message or email.

        The confirmation message about topic subscription may be regarded as spam. If you do not receive the message, check whether it is intercepted as spam.

      You can create multiple notification topics based on the O&M plan and alarm notification type to receive different types of alarm notifications. For details about topics and subscriptions, see the Simple Message Notification User Guide.

  6. Click Apply. A message will be displayed indicating that the alarm notification is set successfully.

Alarm Notifications

Daily Alarm Notifications
HSS checks risks in your servers in the early morning every day, summarizes and collects detection results, and sends the results to your mobile phone or email box at 10:00 every day.

  Assets
    Dangerous port: Check for high-risk open ports and unnecessary ports.

  Vulnerabilities
    Critical vulnerabilities: Detect critical vulnerabilities and fix them in a timely manner.

  Intrusions
    Account cracking: Detect brute-force attacks on SSH, RDP, FTP, SQL Server, and MySQL accounts.
    • If the number of brute-force attacks (consecutive incorrect password attempts) from an IP address reaches 5 within 30 seconds, the IP address is blocked. By default, suspicious SSH attackers are blocked for 12 hours; other types of suspicious attackers are blocked for 24 hours.
    • You can check whether an IP address is trustworthy based on its attack type and how many times it has been blocked, and manually unblock the IP addresses you trust.
    Important file changes: HSS only checks whether directories or files have been modified, not whether they were modified manually or by a process.
    Malicious programs: Check for malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants, and kill them in one click. Malware is found and removed through analysis of program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing.
    Web shells: Check whether the files (often PHP and JSP files) in your web directories are web shells.
    Reverse shells: Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.
    Abnormal shells: Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.
    High-risk command execution: HSS checks executed commands in real time and generates alarms if high-risk commands are detected.
    Privilege escalation: HSS detects privilege escalation for processes and files in the current system.
    Rootkits: HSS detects suspicious rootkit installation in a timely manner by checking:

  Unsafe Settings
    Weak passwords: Detect weak passwords in MySQL, FTP, and system accounts.
    Unsafe accounts: Check for suspicious and unnecessary accounts on the servers to prevent unauthorized access and operations.
    Unsafe configurations: Detect unsafe settings of key applications that are likely to be exploited by hackers to intrude into servers.

  Logins
    Remote login attempts: Check and handle remote logins. If a user's login location is not one of the common login locations you set, an alarm is triggered.

Real-Time Alarm Notifications
When an event occurs, an alarm notification is immediately sent.

  Intrusions
    Abnormal logins: Detect abnormal login behavior, such as remote logins and brute-force attacks. If abnormal logins are reported, your servers may have been compromised by hackers.
    Malicious programs: Check for malware, such as web shells, Trojan horses, mining software, worms, and other viruses and variants, and kill them in one click. Malware is found and removed through analysis of program characteristics and behaviors, AI image fingerprint algorithms, and cloud scanning and killing.
    Important file changes: HSS only checks whether directories or files have been modified, not whether they were modified manually or by a process.
    Web shells: Check whether the files (often PHP and JSP files) in your web directories are web shells.
    Reverse shells: Monitor user process behaviors in real time to detect reverse shells caused by invalid connections.
    Abnormal shells: Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.
    High-risk command execution: HSS checks executed commands in real time and generates alarms if high-risk commands are detected.
    Privilege escalation: HSS detects privilege escalation for processes and files in the current system.
    Rootkits: HSS detects suspicious rootkit installation in a timely manner by checking:

  Logins
    Successful logins: This alarm does not necessarily indicate a security issue. If you have selected Successful logins in the Real-Time Alarm Notifications area, HSS sends alarms when it detects any successful login.
    If all the accounts on your HSS are managed by a single administrator, such alarms help them conveniently monitor system accounts.
    If the system accounts are managed by multiple administrators, or different servers are managed by different administrators, too many alarms will interrupt O&M personnel. In this case, you are advised to disable this alarm item.

NOTE:

Alarms on this event do not necessarily indicate attacks. Logins from valid IP addresses are not attacks.
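The account-cracking rule in the table above (5 consecutive incorrect password attempts from one IP address within 30 seconds triggers a block; SSH sources are blocked for 12 hours, other services for 24 hours; IP addresses you trust can be exempted) is a sliding-window counter over authentication failures. The script below is an added illustration written for this page, not HSS code: the log line format, the `detect_blocks` function and the sample log lines are constructed assumptions, chosen to exercise the edge cases the rule implies (a successful login breaking the "consecutive" streak, attempts spread over more than 30 seconds, and a trusted IP).

```python
"""
Sliding-window brute-force detector modelled on the account-cracking rule
described on this page. Added example, not HSS code; the log format and
sample lines are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # consecutive failures that trigger a block
WINDOW = timedelta(seconds=30)     # the failures must fall within this window
BLOCK_DURATION = {"ssh": timedelta(hours=12)}   # SSH attackers: 12 hours
DEFAULT_BLOCK = timedelta(hours=24)             # all other services: 24 hours

# Constructed sample log (not real HSS output): "<ISO time> <service> <result> <ip>"
SAMPLE_LOG = """\
2023-02-16T03:00:00 ssh FAIL 203.0.113.10
2023-02-16T03:00:05 ssh FAIL 203.0.113.10
2023-02-16T03:00:09 ssh FAIL 203.0.113.10
2023-02-16T03:00:14 ssh FAIL 203.0.113.10
2023-02-16T03:00:20 ssh FAIL 203.0.113.10
2023-02-16T03:00:21 ssh FAIL 203.0.113.10
2023-02-16T03:01:00 rdp FAIL 198.51.100.7
2023-02-16T03:01:10 rdp FAIL 198.51.100.7
2023-02-16T03:01:20 rdp FAIL 198.51.100.7
2023-02-16T03:01:30 rdp FAIL 198.51.100.7
2023-02-16T03:01:35 rdp FAIL 198.51.100.7
2023-02-16T03:01:38 rdp FAIL 198.51.100.7
2023-02-16T03:02:00 mysql FAIL 192.0.2.5
2023-02-16T03:02:01 mysql OK 192.0.2.5
2023-02-16T03:02:02 mysql FAIL 192.0.2.5
2023-02-16T03:02:03 mysql FAIL 192.0.2.5
2023-02-16T03:02:04 mysql FAIL 192.0.2.5
2023-02-16T03:02:05 mysql FAIL 192.0.2.5
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, service, failed, ip)."""
    ts, service, result, ip = line.split()
    return datetime.fromisoformat(ts), service.lower(), result == "FAIL", ip


def detect_blocks(lines, trusted_ips=frozenset()):
    """Return {ip: (service, blocked_at, blocked_until)} for IPs hitting the rule."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of its current failure streak
    blocks = {}
    for line in lines:
        if not line.strip():
            continue
        ts, service, failed, ip = parse_line(line)
        if ip in trusted_ips:
            continue                        # manually trusted IPs are never blocked
        if ip in blocks and ts < blocks[ip][2]:
            continue                        # already blocked; further attempts are moot
        streak = recent_failures[ip]
        if not failed:
            streak.clear()                  # a successful login ends the consecutive streak
            continue
        streak.append(ts)
        while streak and ts - streak[0] > WINDOW:
            streak.popleft()                # drop failures older than the 30-second window
        if len(streak) >= THRESHOLD:
            duration = BLOCK_DURATION.get(service, DEFAULT_BLOCK)
            blocks[ip] = (service, ts, ts + duration)
            streak.clear()
    return blocks


if __name__ == "__main__":
    for ip, (service, start, until) in detect_blocks(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {service:6} blocked at {start.isoformat()} until {until.isoformat()}")
```

Running the script blocks 203.0.113.10 (five SSH failures in 20 seconds, released after 12 hours) and 198.51.100.7 (the sixth RDP failure brings five within 30 seconds, released after 24 hours), while 192.0.2.5 is not blocked because the successful login reset its streak; passing the address in `trusted_ips` exempts it, which mirrors the manual unblocking the table describes.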