Updated on 2022-12-29 GMT+08:00

Security Configuration

After protection is enabled, you can configure the common login locations, common login IP addresses, and the SSH login IP address whitelist. You can also enable automatic isolation and killing of malicious programs.

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service (New).

    Figure 1 Accessing HSS

  3. In the displayed dialog box, click Try the new edition to switch to the HSS (New) console.

    • Currently, HSS is available in the following regions: CN South-Guangzhou, CN-Hong Kong, AP-Bangkok, and AP-Singapore.
    • On the HSS (New) console, you can click Back to Old Console in the upper left corner to switch to the HSS (Old) console.
    • If cloud scan is not enabled or you access the HSS (New) console for the first time, the Enable Cloud Scan? dialog box is displayed. You are advised to select Enable cloud scan.
      • The cloud scan function is free of charge.
      • After the cloud scan function is enabled, all HSS servers will be scanned. Some HSS quota editions can support only limited scanning capabilities. Therefore, you are advised to purchase the enterprise edition or higher to enjoy all capabilities of the cloud scan function.
      Figure 2 Enabling cloud scan

Configuring Common Login Locations

After you configure common login locations, HSS will generate alarms on the logins from other login locations. A server can be added to multiple login locations.

  1. Choose Installation & Configuration and click the Security Configuration tab. Click Common Login Locations and click Add Common Login Location.

    Figure 3 Adding a common login location

  2. In the dialog box that is displayed, select a geographical location and select servers. Confirm the information and click OK.

    Figure 4 Configuring common login locations

  3. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login Locations subtab.

Configuring Common Login IP Addresses

After you configure common IP addresses, HSS will generate alarms on the logins from other IP addresses.

  1. Choose Installation & Configuration and click the Security Configuration tab. Click Common Login IP Addresses and click Add Common Login IP Address.

    Figure 5 Adding a common login IP address

  2. In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.

    • A common login IP address must be a public IP address or IP address segment. Otherwise, you cannot remotely log in to the server in SSH mode.
    • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added. Up to 20 IP addresses can be added.
    Figure 6 Entering a common login IP address

  3. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added IP addresses are displayed on the Common Login IP Addresses subtab.

Configuring an SSH Login IP Address Whitelist

The SSH login whitelist controls SSH access to servers to prevent account cracking.

  • An account can have up to 10 SSH login IP addresses in the whitelist.
  • The SSH IP address whitelist does not take effect for servers running Kunpeng EulerOS (EulerOS with Arm).
  • After you configure an SSH login IP address whitelist, SSH logins will be allowed only from whitelisted IP addresses.
    • Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH.

      If your service needs to access a server, but not necessarily via SSH, you do not need to add its IP address to the whitelist.

    • Exercise caution when adding an IP address to the whitelist. This will make HSS no longer restrict access from this IP address to your servers.
  1. Choose Installation & Configuration and click the Security Configuration tab. Click SSH IP Whitelist and click Add IP Address.

    Figure 7 Configuring an IP address whitelist

  2. In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.

    • A whitelisted IP address must be a public IP address or IP address segment. Otherwise, you cannot remotely log in to the server in SSH mode.
    • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.
    Figure 8 Entering an IP address

  3. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added IP addresses are displayed on the SSH IP Whitelist subtab.
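Before enabling either list, it is worth pre-checking the candidate entries against the constraints stated above for common login IP addresses (public address or segment, up to 20 entries) and for the SSH login IP address whitelist (public address or segment, up to 10 entries, and the lock-out warning if your own source address is missing). The following is an added Python example, not part of the HSS console or its API; the entry lists and the administrator's source address are constructed sample values.

```python
import ipaddress

# Per-list caps documented on this page (assumed to apply to the lists as a whole).
SSH_WHITELIST_CAP = 10
COMMON_LOGIN_IP_CAP = 20


def parse_entry(entry):
    """Return an ip_network for a single address or a CIDR segment; raise ValueError otherwise."""
    return ipaddress.ip_network(entry.strip(), strict=False)


def is_public(net):
    """True only if the whole segment is publicly routable (not RFC 1918, loopback, link-local, ...)."""
    return not (net.is_private or net.is_loopback or net.is_link_local
                or net.is_multicast or net.is_reserved or net.is_unspecified)


def validate_whitelist(entries, admin_source_ip, cap=SSH_WHITELIST_CAP):
    """Check entries against the documented constraints.

    Returns a list of human-readable problems. An empty list means every entry is
    a public address or segment, the cap is respected, and admin_source_ip is
    covered, so enabling the list will not lock the administrator out.
    """
    problems = []
    networks = []
    for entry in entries:
        try:
            net = parse_entry(entry)
        except ValueError:
            problems.append(f"{entry!r}: not a valid IP address or segment")
            continue
        if not is_public(net):
            problems.append(f"{entry!r}: not a public IP address or segment")
            continue
        networks.append(net)
    if len(entries) > cap:
        problems.append(f"{len(entries)} entries exceed the cap of {cap}")
    admin = ipaddress.ip_address(admin_source_ip)
    if not any(admin in net for net in networks):
        problems.append(f"admin source {admin} is not covered; enabling would lock you out")
    return problems


if __name__ == "__main__":
    # Constructed sample: one private address slipped in, and the admin's own address is missing.
    for p in validate_whitelist(["150.100.21.0/24", "192.168.1.10"], "150.100.99.1"):
        print("problem:", p)
```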

Isolating and Killing Malicious Programs

HSS automatically isolates and kills identified malicious programs, such as web shells, Trojans, and worms, removing security risks.

  1. Choose Installation & Configuration and click the Security Configuration tab. Click the Isolation and Killing of Malicious Programs tab and toggle on Isolate and Kill Malicious Programs and Malware Cloud Scan.

    After the cloud scan function is enabled, all HSS servers will be scanned. Some HSS quota editions can support only limited scanning capabilities. Therefore, you are advised to purchase the enterprise edition or higher to enjoy all capabilities of the isolation and killing function.

    Figure 9 Enabling isolation and killing

  2. In the confirmation dialog box, click OK to enable the isolation and killing of malicious programs and malware cloud scan.

    Automatic isolation and killing may cause false positives. You can choose Intrusions > Events to view isolated malicious programs. You can cancel the isolation or ignore misreported malicious programs. For details, see Viewing Intrusion Alarms.

    • When a program is isolated and killed, the process of the program is terminated immediately. To avoid impact on services, check the detection result, and cancel the isolation of, or ignore, misreported malicious programs (if any).
    • If Isolate and Kill Malicious Programs is set to Disable on the Isolation and Killing of Malicious Programs tab, HSS will generate an alarm when it detects a malicious program.

      To isolate and kill the malicious programs that triggered alarms, choose Intrusions > Events and click Malicious program.

Enabling 2FA

  • 2FA requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes.
  • You have to choose an SMN topic for servers where 2FA is enabled. The topic specifies the recipients of login verification codes, and HSS will authenticate login users accordingly.

Prerequisites

  • You have created a message topic whose protocol is SMS or email.
  • Server protection has been enabled.
  • Linux servers require user passwords for login.
  • To enable two-factor authentication, you need to disable SELinux.
  • On a Windows server, 2FA may conflict with G01 and 360 Guard (server edition). You are advised to stop them.

Constraints and Limitations

  • If 2FA is enabled, you cannot log in to the servers running a GUI Linux OS.
  • If you have enabled 2FA on a Linux server, you cannot log in to it through CBH.
  • If you have enabled 2FA on a server, you cannot log in to the server through CloudShell.
  • 2FA is supported only in Linux OpenSSH versions earlier than 8.

Procedure

  1. On the Two-Factor Authentication tab, select servers and click Enable 2FA. Alternatively, click Enable in the Operation column.

    Figure 10 Enabling 2FA

  2. In the displayed Enable 2FA dialog box, select an authentication mode.

    • SMS/Email

      You need to select an SMN topic for SMS and email verification.

      • The drop-down list displays only notification topics that have been confirmed.
      • If there is no topic, click View to create one. For details, see Creating a Topic.
      • During authentication, all the mobile numbers and email addresses specified in the topic will receive a verification SMS or email. You can delete mobile numbers and email addresses that do not need to receive verification messages.
      Figure 11 SMS/Email
    • Verification code
      Use the verification code you receive in real time for verification.
      Figure 12 Setting Method to Verification code

  3. Click OK. After 2FA is enabled, it takes about 5 minutes for the configuration to take effect.

    When you log in to a remote Windows server from another Windows server where 2FA is enabled, you need to manually add credentials on the latter. Otherwise, the login will fail.

    To add credentials, choose Start > Control Panel, and click User Accounts. Click Manage your credentials and then click Add a Windows credential. Add the username and password of the remote server that you want to access.