Enabling Web Tamper Protection
Scenarios
The HSS web tamper protection (WTP) edition can protect dynamic and static web pages from being tampered with, enhancing the security and integrity of website content. It also includes the server protection capabilities of the premium edition, such as asset management, vulnerability detection, baseline check, intrusion detection, and ransomware protection, to detect attacks on servers.
This section describes how to enable WTP.
Prerequisites
- HSS can be billed in yearly/monthly or pay-per-use mode. To use yearly/monthly billing, ensure you have purchased sufficient protection quotas. For details, see Purchasing an HSS Quota. If you use the pay-per-use billing mode, you do not need to purchase quotas in advance.
- Ensure that the agent has been installed on the server and is online. For details, see Installing the Agent on Huawei Cloud Servers and Installing the Agent on Third-party Servers.
Constraints
- After the Windows firewall is enabled, HSS automatically adds firewall rules hostguard_AllowAnyIn and hostguard_AllowAnyOut to allow all inbound and outbound traffic. This ensures that the firewall does not affect your services. If HSS detects a brute-force attack, it adds an inbound rule to the firewall to block the attack source IP address. This does not affect your servers.
- Do not disable the Windows firewall when using HSS, or HSS cannot block the source IP addresses of brute-force attacks. Once it is disabled, HSS may fail to block the attack source IP addresses even after you manually enable it again.
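The following PowerShell check is an added example, not part of the HSS documentation or tooling. It confirms that every Windows firewall profile is enabled and that the two rules named above exist, are enabled, and allow traffic in the expected direction. It assumes the rule names may be stored as either the rule's Name or its DisplayName, and it treats any disabled profile as a finding.

```powershell
# Added example: verify the Windows firewall state that HSS relies on.
# Assumption: the rule names from this page may appear as either the rule's
# Name or its DisplayName, so both properties are compared.
$expected = @{
    'hostguard_AllowAnyIn'  = 'Inbound'
    'hostguard_AllowAnyOut' = 'Outbound'
}
$problems = @()

# HSS can only add block rules for attack source IPs while the firewall is on,
# so any disabled profile is reported (assumption: all profiles should be on).
foreach ($fwProfile in Get-NetFirewallProfile) {
    if ($fwProfile.Enabled -ne 'True') {
        $problems += "Firewall profile '$($fwProfile.Name)' is disabled"
    }
}

# Check that each allow-all rule exists, is enabled, and has the expected
# action and direction.
$allRules = Get-NetFirewallRule
foreach ($ruleName in $expected.Keys) {
    $rule = $allRules |
        Where-Object { $_.Name -eq $ruleName -or $_.DisplayName -eq $ruleName } |
        Select-Object -First 1
    if (-not $rule) {
        $problems += "Rule '$ruleName' not found"
        continue
    }
    if ($rule.Enabled -ne 'True') {
        $problems += "Rule '$ruleName' exists but is disabled"
    }
    if ($rule.Action -ne 'Allow') {
        $problems += "Rule '$ruleName' has action '$($rule.Action)', expected Allow"
    }
    if ($rule.Direction -ne $expected[$ruleName]) {
        $problems += "Rule '$ruleName' is '$($rule.Direction)', expected $($expected[$ruleName])"
    }
}

if ($problems.Count -eq 0) {
    Write-Output 'OK: firewall profiles are enabled and both hostguard rules are in place.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it in an elevated PowerShell session on the protected Windows server; a non-zero exit code means at least one finding was reported.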
Enabling Web Tamper Protection
WTP can be enabled for one or multiple servers at a time. When you enable WTP for multiple servers at a time, the same protected directory settings will be applied to all of them, and cannot be customized for each server. If these servers have different directories to be protected, you can customize the protected directories or other settings for them separately after WTP is enabled. For details, see Modifying WTP Configuration.
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security & Compliance > Host Security Service to go to the HSS management console.
- In the navigation pane, choose Server Protection > Web Tamper Protection.
Figure 1 Web tamper protection
- On the Servers tab, click Add Server. The Add Server page is displayed.
- On the Add Server page, select servers and click Next. For more information, see Table 1.
Figure 2 Selecting servers
Table 1 Parameters for selecting protected servers
Parameter | Description | Example Value
---|---|---
OS | Select the OS type of the server to be protected by WTP: Linux or Windows. | Linux
Select Servers | Select servers. You can filter the servers by software type or other attributes. | -
Select Quota | The HSS WTP edition supports two billing modes, yearly/monthly and pay-per-use billing, to meet requirements in different scenarios. Yearly/Monthly billing is a prepaid mode in which you pay for the service before using it. Your bill is generated based on the required duration you specify in the order. The longer you use the service, the more discounts you get. Pay-per-use is a postpaid billing mode. You pay as you go and just pay for what you use. The HSS usage is calculated by the second but billed every hour. With the pay-per-use billing mode, you can easily adapt to resource requirement changes, reducing the risk of over-provisioning resources or lacking capacity. In this mode, there are no upfront commitments required. When selecting the yearly/monthly billing mode, you can select a quota or retain the default value Select a quota randomly. | Yearly/Monthly
Agreement | Before enabling WTP, ensure that you have read the Host Security Service Disclaimer. Select I have read and agree to the Host Security Service Disclaimer. | Selected
- On the Add Server page, configure policies. For more information, see Table 2.
Figure 3 Configuring policies
- After the policy is configured, click OK.
- On the Servers tab, check the static and dynamic WTP status of the server.
The Protected status indicates protection has been enabled. After dynamic WTP is enabled, restart Tomcat to apply the settings.
Follow-up Operations
HSS provides server protection functions for you to enable as needed. For details, see Table 3.
Type | Function | Reference
---|---|---
Security configuration | |
Server Protection | |
Policy management | Policy management includes asset management, baseline inspection, intrusion detection, and self-protection policies. The intrusion detection policy is disabled by default. You can enable it as needed. If the configuration of a policy does not meet your requirements, you can modify it as needed. |