Best Practices of Login Security Hardening

Prerequisites

You have purchased an ECS and enabled protection for it.

Login Security Hardening Functions

You can configure common login locations, common login IP addresses, SSH login IP address whitelist, two-factor authentication, weak password check, and login security check to protect login security.

To ensure high login security, you are advised to configure all of these functions.

Two-factor login authentication is supported by the HSS basic edition billed in yearly/monthly mode, by the enterprise or higher edition. Login security check is supported by the HSS enterprise edition or higher. Other protection functions are available in the HSS basic edition.

Figure 1 HSS login security hardening functions

Configuring Common Login Locations

After common login locations are configured, HSS will generate alarms for logins to ECSs in non-common login locations. You can add multiple common login locations for each ECS.

Constraints

An account can add up to 10 common login locations.

Procedure

1. Choose Installation & Configuration and click the Security Configuration tab. Click Common Login Locations and click Add Common Login Location.
   Figure 2 Adding a common login location
   

2. In the dialog box that is displayed, select a geographical location and select servers. Confirm the information and click OK.
3. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login Locations subtab.

Configuring Common Login IP Address

After you configure common login IP addresses, HSS will generate alarms on the logins from other login IP addresses.

Constraint

An account can add up to 20 common login IP addresses.

Procedure

1. Choose Installation & Configuration and click the Security Configuration tab. Click Common Login IP Addresses and click Add Common Login IP Address.
   Figure 3 Adding a common login IP address
   

2. In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.
   

   • A common login IP address must be a public IP address or IP address segment.
   • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.

3. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login IP Addresses subtab.

Configuring SSH Login IP Address Whitelist

The SSH login whitelist controls SSH access to servers, preventing account cracking.

• An account can have up to 10 SSH login IP addresses in the whitelist.
• The SSH IP address whitelist does not take effect for servers running Kunpeng EulerOS (EulerOS with Arm).
• After you configure an SSH login IP address whitelist, SSH logins will be allowed only from whitelisted IP addresses.
  • Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH.

    If your service needs to access a server, but not necessarily via SSH, you do not need to add its IP address to the whitelist.

  • Exercise caution when adding an IP address to the whitelist. This will make HSS no longer restrict access from this IP address to your servers.

1. Choose Installation & Configuration and click the Security Configuration tab. Click SSH IP Whitelist and click Add IP Address.
   Figure 4 Configuring an IP address whitelist
   

2. In the dialog box that is displayed, enter an IP address and select servers. Confirm the information and click OK.
   

   • A common login IP address must be a public IP address or IP address segment.
   • Only one IP address can be added at a time. To add multiple IP addresses, repeat the operations until all IP addresses are added.

3. Return to the Security Configuration tab of the Installation & Configuration page. Check whether the added locations are displayed on the Common Login IP Addresses subtab.

Configuring Two-Factor Authentication

2FA requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes.

You have to choose an SMN topic for servers where 2FA is enabled. The topic specifies the recipients of login verification codes, and HSS will authenticate login users accordingly.

Prerequisites

• You have created a message topic whose protocol is SMS or email.
• Server protection has been enabled.
• Linux servers require user passwords for login.
• On a Windows server, 2FA may conflict with G01 and 360 Guard (server edition). You are advised to stop them.

Procedure

1. Choose Installation & Configuration > Two-Factor Authentication.
   • Locate the target server and click Enable 2FA in the Operation column.
   • Select multiple target servers and click Enable 2FA to enable two-factor authentication for multiple servers in batches.

2. In the displayed dialog box, select a verification mode.
   • SMS/Email

     You need to select an SMN topic for SMS and email verification.

     • The drop-down list displays only notification topics that have been confirmed.
     • If there is no topic, click View to create one. For details, see Creating a Topic.
     • During authentication, all the mobile numbers and email addresses specified in the topic will receive a verification SMS or email. You can delete mobile numbers and email addresses that do not need to receive verification messages.
     Figure 5 SMS/Email verification
     
   • Verification code
     Use the verification code you receive in real time for verification.

     Figure 6 Verification code
     

3. Click OK.
4. Return to the Two-Factor Authentication tab of the Installation & Configuration page. Check whether the 2FA Status of the target server changes to Enabled.
   It takes about 5 minutes for the two-factor authentication function to take effect.

   

   When you log in to a remote Windows server from another Windows server where 2FA is enabled, you need to manually add credentials on the latter. Otherwise, the login will fail.

   To add credentials, choose Start > Control Panel, and click User Accounts. Click Manage your credentials and then click Add a Windows credential. Add the username and password of the remote server that you want to access.

Configuring Weak Password Detection

Weak passwords are not attributed to a certain type of vulnerabilities, but they bring no less security risks than any type of vulnerabilities.

Data and programs will become insecure if their passwords are cracked.

HSS proactively detects the accounts using weak passwords and generates alarms for the accounts. You can also add a password that may have been leaked to the weak password list to prevent server accounts from using the password.

1. Choose Security Operation > Policies.
   Figure 7 Accessing the policy group page
   

2. Click the name of the target policy group. The policy group page is displayed.
   You can determine the OS and protection version supported by the target policy based on its default Policy Group Name and Supported Version.

   

   If you need to create a policy group, perform this step after Creating a Policy Group.

3. In the policy group list, click the Weak password detection.
4. The Weak Password Detection dialog box is displayed. You can modify the parameters in the Policy Settings area or retain the default values (recommended). For details about the parameters, see Table 1.

   Table 1 Parameter description

   Parameter	Description
   Scan Time	Time point when detections are performed. It can be accurate to the minute.
   Random Deviation Time (s)	Random deviation time of the weak password based on Scan Time. The value range is 0 to 7200s.
   Scan Days	Days in a week when weak passwords are scanned. You can select one or more days.
   User-defined Weak Passwords	You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password. Enter only one weak password per line. Up to 300 weak passwords can be added.

5. Confirm the information and click OK.
6. Choose Asset Management > Servers & Quota, click Servers, select the target servers, and click Apply Policy above the server list.
   

   If you need to deploy the same policy for multiple servers at the same time, ensure that the OS and Edition of the selected servers are the same as those of the target policy.

7. In the policy deployment dialog box, select the target policy group and click OK.
8. After the deployment is complete, choose Security Operations > Policies. Locate the target policy, click the value in the Servers column, and check whether the servers you added are displayed.
   

   After the deployment is complete, wait for about 1 minute and then check whether the deployment is successful.

Configuring Login Security Check

After login security is configured, you can enable login security check for the target server. HSS will effectively detect brute force attacks, automatically block brute force IP addresses, and trigger and report alarms.

Only the enterprise edition and later support login security check. For enterprise edition, the login security check is performed based on the default parameters and custom parameter configuration is not supported.

1. Choose Security Operation > Policies.
   Figure 8 Accessing the policy group page
   

2. Click the name of the target policy group. The policy group page is displayed.
   You can determine the OS and protection version supported by the target policy based on its default Policy Group Name and Supported Version.

   

   If you need to create a policy group, perform this step after Creating a Policy Group.

3. Click Login Security Check from the policy list.
4. The Login Security Check dialog box is displayed. You can modify the parameters in the Policy Settings area or retain the default values. For details about the parameters, see Table 2.
   Figure 9 Modifying the security check policy
   

   Table 2 Parameter description

   Parameter	Description
   Lock Time (min)	This parameter is used to determine how many minutes the IP addresses that send attacks are locked. The value range is 1 to 43200. Login is not allowed in the lockout duration.
   Check Whether the Audit Login Is Successful	After this function is enabled, HSS reports login success logs. : enabled : disabled
   Block Non-whitelisted Attack IP Address	After this function is enabled, HSS blocks the login of brute force IP addresses (non-whitelisted IP addresses).
   Report Alarm on Brute-force Attack from Whitelisted IP Address	After this function is enabled, HSS generates alarms for brute force attacks from whitelisted IP addresses. : enabled : disabled
   Whitelist	After an IP address is added to the whitelist, HSS does not block brute force attacks from the IP address in the whitelist. A maximum of 50 IP addresses or network segments can be added to the whitelist. Both IPv4 and IPv6 addresses are supported.

5. Confirm the information and click OK.
6. Choose Asset Management > Servers & Quota, click Servers, select the target servers, and click Apply Policy above the server list.
   

   If you need to deploy the same policy for multiple servers at the same time, ensure that the OS and Edition of the selected servers are the same as those of the target policy.

7. In the policy deployment dialog box, select the target policy group and click OK.
8. After the deployment is complete, choose Security Operations > Policies. Locate the target policy, click the value in the Servers column, and check whether the servers you added are displayed.
   

   After the deployment is complete, wait for about 1 minute and then check whether the deployment is successful.