Help Center> Host Security Service (New)> User Guide> Accessing HSS> Enabling Protection
Updated on 2024-06-28 GMT+08:00
View PDF

Enabling Protection

To enable protection, allocate a quota to a server or a container. After protection is disabled or the protected server or container is removed, the quota can be allocated to another server or container.

Prerequisites

  • Server
    • Choose Asset Management > Servers & Quota. The Agent Status of a server is Online, and the Protection Status of the server is Unprotected.
    • You have purchased required edition quotas in your region.
  • Container
    • Choose Asset Management > Containers & Quota. The Agent Status of the node is Online and the Protection Status is Unprotected.
    • You have purchased required edition quotas in your region.

Constraints and Limitations

  • Server
    • On servers running the EulerOS with Arm, HSS does not block the IP addresses suspected of SSH brute-force attacks, but only generates alarms.
    • Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall while you use HSS. If the Windows firewall is disabled, HSS cannot block the source IP addresses of brute-force attacks. This problem may persist even if the Windows firewall is enabled after being disabled.
  • Container

    Currently, HSS can only protect Docker and Containerd running containers.

Enabling the Basic/Professional/Enterprise/Premium Edition

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. In the navigation pane on the left, choose Asset Management > Servers & Quota.

    The server list displays the protection status of only the following servers:

    • Huawei Cloud servers purchased in the selected region
    • Non-Huawei Cloud servers that have been added to the selected region

  4. Click Enable in the Operation column of a server.
  5. Confirm the server information and select a billing mode.

    You can buy HSS in the pay-per-use or yearly/monthly mode.
    • Yearly/Monthly
      • Billing Mode: Select Yearly/Monthly.
      • Edition: Select an edition.
      • Select Quota: Select a quota allocation mode.
        • Select a quota randomly: Let the system allocate the quota with the longest remaining validity to the server.
        • Select a quota ID and allocate it to a server.
    • Pay-per-use
      • Billing Mode: Select Pay-per-use.
      • Edition: Select an edition.
      • Tags: Select a tag if you want to use it to identify multiple types of cloud resources.
    • If the quota is insufficient when you select the yearly/monthly mode, you need to purchase HSS quotas.
    • If the version of the agent installed on the Linux server is 3.2.10 or later or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the premium edition. Deploy honeypot files on servers and automatically isolate suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in the case of a ransomware attack to minimize losses. For details, see Enabling Ransomware Backup.

  6. Read the Host Security Service Disclaimer and select I have read and agree to the Host Security Service Disclaimer.
  7. Click OK. If the Protection Status of the target server is Enabled, the basic, professional, enterprise or premium edition has been enabled.

    • Alternatively, on the Quotas tab of the Servers & Quota page, click Bind Server in the Operation column to bind a quota to a server. HSS will automatically enable protection for the server.
    • A quota can be bound to a server to protect it, on condition that the agent on the server is online.
    • After HSS is enabled, it will scan your servers for security issues. Check items vary according to the edition you enabled.

      For details about the differences between editions, see Editions.

Enabling Web Tamper Protection

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. In the navigation pane, choose Server Protection > Web Tamper Protection. On the Web Tamper Protection page, click Add Server.

    Figure 1 Adding protected servers

  4. On the Add Server page, click the Available Servers tab. Select the target server, select a quota from the drop-down list or retain the default value, and click Add and Enable Protection.
  5. You can check the server protection status on the Web Tamper Protection page.

    • Choose Server Protection > Web Tamper Protection. If the Protection Status of the server is Protected, WTP has been enabled.
    • Choose Asset Management > Servers & Quota and click the Servers tab. If the protection status of the target server is Enabled and the Edition/Expiration Date of it is Web Tamper Protection, the WTP edition is enabled.
    • To enable WTP protection for a server, you can also choose Asset Management > Servers & Quota, click the Quotas tab, and click Bind Server.
    • The web tamper protection provided by the HSS WTP edition takes effect only after you specify the directories to be protected. For more information, see Adding a Protected Directory.
    • If the version of the agent installed on the Linux server is 3.2.10 or later or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the WTP edition. Deploy bait files on servers and automatically isolate suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in the case of a ransomware attack to minimize losses. For details, see Enabling Ransomware Backup.
    • After WTP is enabled for a website, if you need to update the website, add a privileged process or temporarily disable WTP. Enable WTP after the update is complete. Otherwise, the website will fail to be updated. Your website is not protected while WTP is disabled. Enable it immediately after updating your website.

Enabling Container Protection

  1. Log in to the management console.
  2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > Host Security Service.
  3. In the navigation pane, choose Asset Management > Containers & Quota.
  4. In the row containing the desired server, click Enable Protection in the Operation column. The confirmation dialog box is displayed.

    Figure 2 Enabling container protection

  5. Confirm the node information and select a billing mode.

    You can buy quota in pay-per-use or yearly/monthly mode.

    • Yearly/Monthly
      • Billing Mode: Select Yearly/Monthly.
      • Select Quota: Select a quota allocation mode.
        • Select a quota randomly: Let the system allocate the quota with the longest remaining validity to the server.
        • Select a quota ID and allocate it to a server.
    • Pay-per-use
      • Billing Mode: Select Pay-per-use.
      • Tags: Select a tag if you want to use it to identify multiple types of cloud resources.
    • A container security quota protects one cluster node.
    • If the version of the agent installed on the Linux server is 3.2.10 or later or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the container edition. Deploy bait files on servers and automatically isolate suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in the case of a ransomware attack to minimize losses. For details, see Enabling Ransomware Backup.

  6. Read the Host Security Service Disclaimer and select I have read and agree to the Container Guard Service Disclaimer.
  7. Click OK. If the Protection Status of the node changes to Protected, protection has been enabled.

Viewing Detection Details

After server protection is enabled, HSS will immediately perform comprehensive detection on the server. The detection may take a long time.

  1. In the navigation tree on the left, choose Asset Management > Servers & Quota.
  2. On the left of the protection list, click Unsafe Servers.

    Figure 3 Viewing risky items

  1. Click a server name to go to the details page. On this page, you can quickly check the detected information and risks of the server.

    Figure 4 Viewing the detection result

Follow-up Procedure

HSS provides server and container defense functions for you to enable as needed. For more information, see Manual configurations.

Table 1 Manual configurations

Category

Function

Reference

Security Configurations
  • Common login location/IP address
  • SSH login IP address whitelist
  • Isolate and kill malicious programs

Common Security Configuration

Server Protection
  • Application protection
  • Ransomware prevention
  • Application process control
  • File Integrity Monitoring (FIM)
  • Virus scan
  • Dynamic port honeypot

Server Protection

Container Protection
  • Container firewall
  • Container cluster protection

Container Protection
Parent Topic: Accessing HSS