Help Center> Host Security Service (New)> User Guide> Enabling HSS> Enabling HSS> Enabling the Basic/Enterprise/Premium Edition
Updated on 2022-12-19 GMT+08:00

Enabling the Basic/Enterprise/Premium Edition

Before enabling protection on servers, you need to allocate quota to a specified server. If the protection is disabled or the server is deleted, the quota can be allocated to other servers.

For the WTP edition, choose Web Tamper Protection > Server Protection and then enable it. For details, see Enabling the WTP Edition.

To enable the WTP edition, choose Prevention > Web Tamper Protection and click the Servers tab. All the functions of the premium edition are included with the WTP edition.

Check Mode

The HSS system detects all data at 00:00 every day.

After you enable server protection, you can view scan results after the automatic scan in the next early morning, or perform a manual scan immediately.


  • The agent status of the server to be protected is Online. To check the status, choose Cloud Workload Protection Platform > Asset Management > Servers & Quota.
  • You have purchased required edition quotas in your region.
  • To better protect your containers, you are advised to set security configurations.


  • Linux OS

    On servers running the EulerOS with ARM, HSS does not block the IP addresses suspected of SSH brute-force attacks, but only generates alarms.

  • Windows OS
    • Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall during the HSS in-service period. If the Windows firewall is disabled, HSS cannot block brute-force attack IP addresses.
    • If the Windows firewall is manually enabled, HSS may also fail to block brute-force attack IP addresses.

Enabling Protection

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service (New).

    Figure 1 Accessing HSS

  3. In the displayed dialog box, click Try the new edition to switch to the HSS (New) console.

    • Currently, HSS is available in the following regions: CN South-Guangzhou, CN-Hong Kong, AP-Bangkok, and AP-Singapore.
    • On the HSS (New) console, you can click Back to Old Console in the upper left corner to switch to the HSS (Old) console.
    • If cloud scan is not enabled or you access the HSS (New) console for the first time, the Enable Cloud Scan? dialog box is displayed. You are advised to select Enable cloud scan.
      • The cloud scan function is free of charge.
      • After the cloud scan function is enabled, all HSS servers will be scanned. Some HSS quota editions can support only limited scanning capabilities. Therefore, you are advised to purchase the enterprise edition or higher to enjoy all capabilities of the cloud scan function.
      Figure 2 Enabling cloud scan

  4. In the navigation pane, choose Asset Management > Servers & Quota. Click the Servers tab.

    Figure 3 Server list

    The server list displays the protection status of only the following servers:

    • Huawei Cloud servers purchased in the selected region
    • Non-Huawei Cloud servers that have been added to the selected region

  5. Select the target server and click Enable.

    You can buy HSS in the pay-per-use or yearly/monthly mode.

    • Only the enterprise edition supports the pay-per-use mode.
    • If the quota is insufficient when you select the yearly/monthly mode, you need to purchase HSS quotas.
    • Yearly/Monthly
      In the displayed dialog box, select an edition, select the Yearly/Monthly mode, allocate the HSS quota, and select I have read and agree to the Host Security Service Disclaimer, as shown in Figure 4.
      Figure 4 Enabling yearly/monthly HSS
      The quotas can be allocated in the following ways:
      • Select Select a quota randomly. to let the system allocate the quota with the longest remaining validity to the server.
      • Select a quota ID and allocate it to a server.
    • On-demand

      In the displayed dialog box, select the On-demand mode, select the edition, and select I have read and agree to the Host Security Service Disclaimer, as shown in Figure 5.

      Figure 5 Enabling on-demand HSS

      The basic edition can be used free of charge for 30 days. The yearly/monthly mode of the basic edition can be used only after purchase.

  6. Click OK. View the server protection status in the server list.

    If the target server has enabled protection, the basic, enterprise, or premium edition has been enabled.

    • Alternatively, on the Quotas tab of the Servers & Quota page, click Bind Server in the Operation column to bind a quota to a server. HSS will automatically enable protection for the server.
    • A quota can be bound to a server to protect it, on condition that the agent on the server is online.

    After HSS is enabled, it will scan your servers for security issues. Check items vary according to the edition you enabled. Figure 6 illustrates more details.

    For details about the differences between editions, see Editions.

    Figure 6 Automatic security check items

Viewing Detection Details

After server protection is enabled, HSS will immediately perform comprehensive detection on the server. The detection may take a long time.

On the left of the protection list, click Risky.
Figure 7 Viewing risky items

Click a server name to go to the details page. On this page, you can quickly check the detected information and risks of the server.

Figure 8 Viewing the detection result

Follow-up Operation

You can manually configure check items, as shown in Figure 9. Configurable items vary according to the edition you enabled.

For details about the differences between versions, see Editions.

Figure 9 Manual check items
Table 1 Manual check items


Check Item


Installation and configuration

  • Common login location/IP address
  • SSH login IP address whitelist
  • Isolate and kill malicious programs

Security Configuration

Intrusion detection

  • Alarm whitelist
  • Login whitelist

Intrusion Detection

Proactive defense

  • Application protection
  • Web page tampering prevention
  • Ransomware prevention
  • File integrity monitoring (FIM)


Security operations

  • Policy management

Security Operations

Security report

  • Subscribe to security reports

Subscribing to a Security Report

Follow-Up Procedure

Disabling HSS

On the Server tab of the Servers & Quotas page, click Disable in the Operation column of a server.

If HSS is disabled, HSS quota status will change from occupied to idle. You can allocate the idle quotas to other servers or unsubscribe the unnecessary quotas to prevent quota waste.

  • Before disabling protection, perform a comprehensive detection on the server, handle known risks, and record operation information to prevent O&M errors and attacks on the server.
  • After protection is disabled, clear important data on the server, stop important applications on the server, and disconnect the server from the external network to avoid unnecessary loss caused by attacks.

Unbinding quota

Choose Asset Management > Servers & Quota, and click the Quotas tab. Click Unbind in the Operation column. The usage status of the unbound quota will change from In use to Idle. HSS will automatically disable protection for the server unbound from the quota.

You can allocate the idle quotas to other servers or unsubscribe the unnecessary quotas to prevent quota waste.