Updated on 2022-12-19 GMT+08:00

Enabling Alarm Notifications

After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks facing your servers and web pages. Without this function, you have to log in to the management console to view alarms.
  • Alarm notification settings are effective only for the current region. To receive notifications from another region, switch to that region and configure alarm notification.
  • Alarm notifications may be mistakenly blocked. If you have enabled notifications but have not received any, check whether they were filtered as spam.
  • The Simple Message Notification (SMN) service is a paid service. For details about the price, see Product Pricing Details.

Prerequisite

Before you configure alarm notifications, prepare recipients for the alarm receiving mode you plan to use:
  • If you set Alarm Receiving Settings to Use Message Center settings, set recipients in the Message Center: choose Message Receiving Management > SMS & Email Settings, and in the Security area click Modify in the row where Security event resides.
  • If you set Alarm Receiving Settings to Use SMN topic settings, create a message topic in the SMN service as an administrator first. For details, see Publishing a Message.

Enabling Alarm Notifications

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, and then choose Security & Compliance > Host Security Service (New).

    Figure 1 Accessing HSS

  3. In the displayed dialog box, click Try the new edition to switch to the HSS (New) console.

    • Currently, HSS is available in the following regions: CN South-Guangzhou, CN-Hong Kong, AP-Bangkok, and AP-Singapore.
    • On the HSS (New) console, you can click Back to Old Console in the upper left corner to switch to the HSS (Old) console.
    • If cloud scan is not enabled or you access the HSS (New) console for the first time, the Enable Cloud Scan? dialog box is displayed. You are advised to select Enable cloud scan.
      • The cloud scan function is free of charge.
      • After the cloud scan function is enabled, all HSS servers will be scanned. Some HSS editions support only part of the scanning capabilities, so you are advised to purchase the enterprise edition or higher to use all capabilities of the cloud scan function.
      Figure 2 Enabling cloud scan

  4. In the navigation pane, choose Installation & Configuration, and click Alarm Notifications. Table 1 describes the parameters.

    Figure 3 Alarm configurations
    Table 1 Alarm configurations (columns: Type, Description, Suggestion)

    Daily alarm notification

      Description: HSS scans the accounts, web directories, vulnerabilities, malicious programs, and key configurations in the server system at 00:00 every day, and sends the summarized detection results to the recipients you set in the Message Center or SMN, depending on which one you chose. To view the notification items, click View Default Daily Notification Events.

      Suggestion:
      • Receive the daily alarm notification in full and check it periodically so that risks are eliminated in a timely manner.
      • Daily alarm notifications contain many check items. If you send them to recipients set in an SMN topic, set the topic protocol to Email.

    Real-time alarm notification

      Description: When an attacker intrudes into a server, alarms are sent to the recipients you set in the Message Center or SMN, depending on which one you chose. To view the notification items, click View Default Real-time Notification Events.

      Suggestion:
      • Receive the real-time alarm notification in full and act on it promptly. HSS monitors server security in real time, detects intrusions as they happen, and sends real-time alarms so that you can handle the problem quickly.
      • Real-time alarm notifications report urgent issues. If you send them to recipients set in an SMN topic, set the topic protocol to SMS.

    Severity

      Description: Select the severities of alarms that you want to be notified of.

      Suggestion: All

    Masked Events

      Description: Select the events that you do not want to be notified of from the drop-down list box.

      Suggestion: Decide which events to mask based on the descriptions in Alarm Notifications.

  5. Select the alarm notification mode.

    • Use Message Center settings

      By default, alarm notifications are sent to the recipients specified in your message center. You can log in to your account to check your recipient settings.

      To configure recipients, choose Message Receiving Management > SMS & Email Settings. Under the Security category, click Modify in the row where Security event resides.

      Figure 4 Editing message recipients
    • Use SMN topic settings

      Select an available topic from the drop-down list or click View Topics and create a topic.

      To create a topic, that is, to register the mobile phone numbers or email addresses that will receive alarm notifications, perform the following steps:
      1. Create a topic. For details, see Creating a Topic.
      2. Add one or more subscriptions to the topic, each with a mobile phone number or email address that will receive alarm notifications. For details, see Adding a Subscription.
      3. Confirm the subscription. After the subscription is added, confirm the subscription as prompted by the received SMS message or email.

        The confirmation message about topic subscription may be regarded as spam. If you do not receive the message, check whether it is intercepted as spam.

      You can create multiple notification topics based on the O&M plan and alarm notification type to receive different types of alarm notifications. For details about topics and subscriptions, see the Simple Message Notification User Guide.

  6. Click Apply. A message will be displayed indicating that the alarm notification is set successfully.
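The SMN path in step 5 (create a topic, add subscriptions, confirm them) can also be scripted, which is useful when the same topics must exist in every region. The following is an added example, not Huawei Cloud's or the HSS documentation's own code: it provisions one topic per notification type with the protocol recommended in Table 1 and then lists which subscriptions are still unconfirmed, the state in which the spam-filter problem noted above leaves recipients. The SMN endpoint host, request paths, field names and status values are assumptions from my reading of the public SMN v2 API and should be verified against the current SMN API reference; the region code, project ID, token and recipient addresses are constructed placeholders, and FakeSmn is a constructed stand-in so that the block runs offline.

```python
"""Provision SMN topics and subscriptions for HSS alarm notifications.

Added example, not Huawei Cloud's own tooling. Endpoint host, paths, field
names and status values are ASSUMPTIONS about the SMN v2 REST API; verify
them against the current API reference. The IAM token (X-Auth-Token) is
obtained separately. The HTTP transport is injected so the logic runs offline.
"""
from typing import Callable, Dict, List, Optional, Tuple

# transport(method, url, headers, json_body_or_None) -> (http_status, parsed_json)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]

STATUS_UNCONFIRMED = 0   # assumed SMN subscription status values
STATUS_CONFIRMED = 1
REGION = "ap-southeast-3"          # assumed region code for AP-Singapore
PROJECT_ID = "0123456789abcdef"    # constructed placeholder


def topics_url(region: str, project_id: str) -> str:
    return f"https://smn.{region}.myhuaweicloud.com/v2/{project_id}/notifications/topics"


def subscriptions_url(region: str, project_id: str, topic_urn: str) -> str:
    return f"{topics_url(region, project_id)}/{topic_urn}/subscriptions"


def _call(transport: Transport, token: str, method: str, url: str,
          body: Optional[dict], ok: Tuple[int, ...] = (200, 201)) -> dict:
    """One authenticated API call; any non-success status is an error, never ignored."""
    headers = {"X-Auth-Token": token, "Content-Type": "application/json"}
    status, data = transport(method, url, headers, body)
    if status not in ok:
        raise RuntimeError(f"{method} {url}: HTTP {status} {data}")
    return data


def create_topic(transport: Transport, token: str, region: str, project_id: str,
                 name: str, display_name: str) -> str:
    """Create a topic; returns its URN, which every later call needs."""
    body = {"name": name, "display_name": display_name}
    return _call(transport, token, "POST", topics_url(region, project_id), body)["topic_urn"]


def add_subscription(transport: Transport, token: str, region: str, project_id: str,
                     topic_urn: str, protocol: str, endpoint: str) -> str:
    """Subscribe one email address or phone number. It stays unconfirmed until the
    recipient acts on the confirmation message (which may land in spam)."""
    body = {"protocol": protocol, "endpoint": endpoint}
    url = subscriptions_url(region, project_id, topic_urn)
    return _call(transport, token, "POST", url, body)["subscription_urn"]


def unconfirmed_endpoints(transport: Transport, token: str, region: str, project_id: str,
                          topic_urn: str) -> List[str]:
    """Recipients who have not confirmed: they receive nothing, so check this before
    selecting the topic in the HSS console."""
    data = _call(transport, token, "GET", subscriptions_url(region, project_id, topic_urn), None, (200,))
    return [s["endpoint"] for s in data.get("subscriptions", []) if s.get("status") != STATUS_CONFIRMED]


def provision_topic(transport: Transport, token: str, region: str, project_id: str,
                    name: str, display_name: str,
                    endpoints: List[Tuple[str, str]]) -> Tuple[str, List[str]]:
    """Topic plus subscriptions; returns (topic_urn, endpoints still awaiting confirmation)."""
    urn = create_topic(transport, token, region, project_id, name, display_name)
    for protocol, endpoint in endpoints:
        add_subscription(transport, token, region, project_id, urn, protocol, endpoint)
    return urn, unconfirmed_endpoints(transport, token, region, project_id, urn)


class FakeSmn:
    """Constructed stand-in for the SMN service for offline runs. It records requests
    and answers in the assumed API shape; it is not the real service."""

    def __init__(self) -> None:
        self.requests: List[Tuple[str, str, Optional[dict]]] = []
        self.subs: Dict[str, List[dict]] = {}

    def __call__(self, method: str, url: str, headers: Dict[str, str],
                 body: Optional[dict]) -> Tuple[int, dict]:
        self.requests.append((method, url, body))
        if headers.get("X-Auth-Token") != "demo-token":
            return 401, {"error": "unauthorized"}
        if method == "POST" and url.endswith("/notifications/topics"):
            urn = f"urn:smn:{REGION}:{PROJECT_ID}:{body['name']}"
            self.subs[urn] = []
            return 201, {"topic_urn": urn}
        urn = url.split("/topics/", 1)[1].rsplit("/subscriptions", 1)[0]
        if urn not in self.subs:
            return 404, {"error": "no such topic"}
        if method == "POST":
            sub_urn = f"{urn}:{len(self.subs[urn])}"
            self.subs[urn].append({"subscription_urn": sub_urn, "protocol": body["protocol"],
                                   "endpoint": body["endpoint"], "status": STATUS_UNCONFIRMED})
            return 201, {"subscription_urn": sub_urn}
        return 200, {"subscriptions": list(self.subs[urn])}


def demo() -> Dict[str, Tuple[str, List[str]]]:
    """One topic per notification type, using the protocol Table 1 recommends."""
    fake = FakeSmn()
    return {
        "daily": provision_topic(fake, "demo-token", REGION, PROJECT_ID, "hss-daily-summary",
                                 "HSS daily summary", [("email", "secops@example.com")]),
        "realtime": provision_topic(fake, "demo-token", REGION, PROJECT_ID, "hss-realtime",
                                    "HSS real-time alarms",
                                    [("sms", "+6512345678"), ("email", "oncall@example.com")]),
    }


if __name__ == "__main__":
    for kind, (urn, pending) in demo().items():
        print(kind, urn, "awaiting confirmation:", pending)
```

To run against the service, pass a transport built on a real HTTP client and an IAM token instead of FakeSmn. Whatever `provision_topic` returns in its second element is the list of recipients who will silently receive nothing until they confirm; treat a non-empty list as a blocker before selecting the topic under Use SMN topic settings.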

Alarm Notifications

Columns: Type, Item, Description

Daily Alarm Notifications

The service checks your servers for risks in the early morning every day, summarizes the detection results, and sends them to your mobile phone or email at 10:00.

Assets

Dangerous ports

Check for high-risk open ports and unnecessary ports.

Vulnerabilities

Critical vulnerabilities

Detect critical vulnerabilities and fix them in a timely manner.

Unsafe settings

Unsafe configurations

Detect unsafe settings of key applications that attackers are likely to exploit to compromise servers.

Common weak passwords

Detect weak passwords in MySQL, FTP, and system accounts.

Intrusions

Malicious programs

Check and handle detected malicious programs all in one place, including web shells, Trojan horses, mining software, worms, and viruses.

Webshell

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

  • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warnings for trusted files.
  • You can use the manual detection function to detect web shells on servers.

Reverse shell

Monitor user process behavior in real time to detect reverse shells established through unauthorized connections.

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

File privilege escalations

Detect privilege escalation carried out through files in your system.

Process privilege escalations

The following process privilege escalation operations can be detected:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities

Critical file changes

Receive alarms when critical system files are modified.

File/Directory changes

System files and directories are monitored. When a file or directory is modified, an alarm is generated, indicating that the file or directory may be tampered with.

Abnormal process behaviors

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

Send alarms on unauthorized process operations and intrusions.

The following abnormal process behavior can be detected:

  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections

High-risk command executions

Check executed commands in real time and generate alarms if high-risk commands are detected.

Abnormal shells

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

Brute-force attacks

Check for brute-force attack attempts and successful brute-force attacks.

  • HSS protects your accounts from brute-force attacks by blocking the attacking hosts when it detects such attacks.
  • An alarm is triggered if a login to the host succeeds after a brute-force attack.

Abnormal logins

Check and handle remote logins.

If a user logs in from a location that is not one of the common login locations you configured, an alarm is triggered.

Invalid accounts

Scan accounts on servers and list suspicious accounts in a timely manner.

Vulnerability escapes

The service reports an alarm if it detects container process behavior that matches known vulnerabilities or attacks (such as Dirty COW, runC, shocker, and brute-force attacks).

File escapes

The service reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.

Abnormal container processes

Container workloads are usually simple. If you are sure that only specific processes should run in a container, add those processes to the whitelist of a policy and associate the policy with the container.

The service reports an alarm if it detects that a process not in the whitelist is running in the container.

Abnormal container startups

Check for unsafe parameter settings used during container startup.

Certain startup parameters grant container privileges. If they are set inappropriately, attackers may exploit them to compromise the container.

High-risk system calls

User-space programs request kernel services through Linux system calls. The service reports an alarm if it detects a high-risk call such as open_by_handle_at, ptrace, setns, or reboot.

Sensitive file access

Detect suspicious access behaviors (such as privilege escalation and persistence) on important files.

Mining

Detect intrusions, such as bundled software, brute-force attacks, and authentication bypass.

Real-Time Alarm Notifications

When an event occurs, an alarm notification is immediately sent.

Intrusions

Malicious programs

Check and handle detected malicious programs all in one place, including web shells, Trojans, mining software, worms, and viruses.

Web shells

Check whether the files (often PHP and JSP files) detected by HSS in your web directories are web shells.

  • Web shell information includes the Trojan file path, status, first discovery time, and last discovery time. You can choose to ignore warnings for trusted files.
  • You can use the manual detection function to detect web shells on servers.

Reverse shell

Monitor user process behavior in real time to detect reverse shells established through unauthorized connections.

Reverse shells can be detected for protocols including TCP, UDP, and ICMP.

File privilege escalation

Detect privilege escalation carried out through files in your system.

Process privilege escalation

The following process privilege escalation operations can be detected:
  • Root privilege escalation by exploiting SUID program vulnerabilities
  • Root privilege escalation by exploiting kernel vulnerabilities

Critical file change

Receive alarms when critical system files are modified.

File/Directory changes

System files and directories are monitored. When a file or directory is modified, an alarm is generated, indicating that the file or directory may be tampered with.

Abnormal process behaviors

Check the processes on servers, including their IDs, command lines, process paths, and behavior.

Send alarms on unauthorized process operations and intrusions.

The following abnormal process behavior can be detected:

  • Abnormal CPU usage
  • Processes accessing malicious IP addresses
  • Abnormal increase in concurrent process connections

High-risk command executions

Check executed commands in real time and generate alarms if high-risk commands are detected.

Abnormal shells

Detect actions on abnormal shells, including moving, copying, and deleting shell files, and modifying the access permissions and hard links of the files.

Abnormal logins

Check and handle remote logins.

If a user logs in from a location that is not one of the common login locations you configured, an alarm is triggered.

Invalid accounts

Scan accounts on servers and list suspicious accounts in a timely manner.

Vulnerability escapes

The service reports an alarm if it detects container process behavior that matches known vulnerabilities or attacks (such as Dirty COW, runC, shocker, and brute-force attacks).

File escapes

The service reports an alarm if it detects that a container process accesses a key file directory (for example, /etc/shadow or /etc/crontab). Directories that meet the container directory mapping rules can also trigger such alarms.

Abnormal container processes

Container workloads are usually simple. If you are sure that only specific processes should run in a container, add those processes to the whitelist of a policy and associate the policy with the container.

The service reports an alarm if it detects that a process not in the whitelist is running in the container.

Abnormal container startups

Check for unsafe parameter settings used during container startup.

Certain startup parameters grant container privileges. If they are set inappropriately, attackers may exploit them to compromise the container.

High-risk system calls

User-space programs request kernel services through Linux system calls. The service reports an alarm if it detects a high-risk call such as open_by_handle_at, ptrace, setns, or reboot.

Sensitive file access

Detect suspicious access behaviors (such as privilege escalation and persistence) on important files.

Mining

Detect intrusions, such as bundled software, brute-force attacks, and authentication bypass.
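The Brute-force attacks and Abnormal logins items in the lists above describe two rules: repeated failed logins from one source, and a successful login from a location outside the common login locations you set. As an added illustration that is not HSS code and does not reproduce its actual detection logic, the following Python applies both rules to constructed OpenSSH auth-log lines, and also flags the case the page calls out separately, a login that succeeds after a brute-force attempt from the same source. The threshold, window, IP-to-location prefix table and common-location set are constructed assumptions; HSS's own values are not on this page.

```python
"""Toy detector for the Brute-force attacks and Abnormal logins items.

Added example; not HSS code and not its detection rules. Input is OpenSSH
auth-log lines as `journalctl -o short-iso` prints them (constructed sample
below). Three alarm kinds are raised:
  brute_force_attempt  THRESHOLD or more failures from one IP within WINDOW_SECONDS
  brute_force_success  a successful login from an IP already flagged above
  abnormal_login       a successful login from a location not in COMMON_LOCATIONS
The IP-to-location table is a constructed stand-in for a geo database.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Set, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\S* \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+")

# Constructed sample; source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2022-12-19T03:10:01+0800 web-01 sshd[2201]: Failed password for root from 203.0.113.7 port 50122 ssh2",
    "2022-12-19T03:10:05+0800 web-01 sshd[2203]: Failed password for root from 203.0.113.7 port 50130 ssh2",
    "2022-12-19T03:10:09+0800 web-01 sshd[2205]: Failed password for invalid user admin from 203.0.113.7 port 50141 ssh2",
    "2022-12-19T03:10:14+0800 web-01 sshd[2207]: Failed password for root from 203.0.113.7 port 50155 ssh2",
    "2022-12-19T03:10:20+0800 web-01 sshd[2209]: Failed password for root from 203.0.113.7 port 50162 ssh2",
    "2022-12-19T03:11:30+0800 web-01 sshd[2211]: Accepted password for root from 203.0.113.7 port 50190 ssh2",
    "2022-12-19T08:00:00+0800 web-01 sshd[2300]: Failed publickey for deploy from 198.51.100.23 port 41000 ssh2",
    "2022-12-19T08:00:03+0800 web-01 sshd[2300]: Accepted publickey for deploy from 198.51.100.23 port 41000 ssh2",
    "2022-12-19T09:30:00+0800 web-01 sshd[2400]: Accepted password for deploy from 192.0.2.99 port 43000 ssh2",
    "2022-12-19T09:30:01+0800 web-01 systemd[1]: Started Session 42 of user deploy.",
]

LOCATIONS = {"198.51.100.": "Singapore", "192.0.2.": "Bangkok"}  # constructed prefix table
COMMON_LOCATIONS: Set[str] = {"Singapore"}  # what an admin would set as common login locations
THRESHOLD = 5          # failures that count as a brute-force attempt (assumption)
WINDOW_SECONDS = 60    # sliding window for counting them (assumption)

Alarm = Tuple[str, str, str, str]  # (kind, source_ip, user, detail)


def location_of(ip: str) -> str:
    """Longest-prefix-free lookup in the constructed table; unknown sources are 'unknown'."""
    for prefix, loc in LOCATIONS.items():
        if ip.startswith(prefix):
            return loc
    return "unknown"


def detect(lines: Iterable[str], common_locations: Set[str] = COMMON_LOCATIONS,
           threshold: int = THRESHOLD, window: int = WINDOW_SECONDS) -> List[Alarm]:
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> recent failure times
    flagged: Set[str] = set()                                   # ips already alarmed on
    alarms: List[Alarm] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an sshd authentication event
        ts, ip, user = datetime.fromisoformat(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > window:  # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alarms.append(("brute_force_attempt", ip, user, f"{len(recent)} failures within {window}s"))
            continue
        # Accepted login: the two checks are independent, so one login can raise both.
        if ip in flagged:
            alarms.append(("brute_force_success", ip, user, "login succeeded after brute-force attempts"))
        loc = location_of(ip)
        if loc not in common_locations:
            alarms.append(("abnormal_login", ip, user, f"login from {loc}, not a common login location"))
    return alarms


def demo() -> List[Alarm]:
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, ip, user, detail in demo():
        print(f"{kind:20} {ip:15} {user:8} {detail}")
```

On the sample, the root login from 203.0.113.7 raises brute_force_success and abnormal_login together, which is the combination a responder should treat as a likely compromise rather than two unrelated notices; the single publickey failure from the Singapore address never reaches the threshold and its successful login is silent. Tuning the threshold and window is the equivalent of the severity and masked-event settings in Table 1: too loose and real-time SMS alarms become noise, too strict and a slow attack hides under it.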