Purchasing and Enabling WTP

Scenario

HSS provides static and dynamic (Tomcat) Web Tamper Protection (WTP) functions. WTP monitors website directories in real time, backs up files, and restores tampered files. In addition, multiple server security protection functions are provided. For details, see Product Functions.

This document uses an ECS running EulerOS 2.9 as an example to describe how to purchase and enable WTP.

Step 1: Purchase HSS Quota

1. Log in to the management console.
2. Click in the upper left corner and select the region and project.
3. Click in the upper left corner of the page and choose Security & Compliance > HSS.
4. In the upper right corner of the Dashboard page, click Buy HSS.
5. Set the parameters for buying HSS as prompted.
   • Billing Mode: Select Yearly/Monthly. Only the yearly/monthly billing mode is supported.
   • Region: Select the region where the server is located. In this example, select CN-Hong Kong.
   • Edition: Select Web Tamper Protection.
   • Quantity: Set this parameter based on the number of servers. In this example, set the quantity to 1.
   • Specify other parameters as needed.

6. In the lower right corner of the page, click Next.
7. After confirming that the order, select I have read and agree to the Host Security Service Disclaimer.
8. Click Pay Now and complete the payment.
9. Click Back to Host Security Service Console.

Step 2: Install an Agent

1. In the navigation pane, choose Installation & Configuration > Server Install & Config.
2. Choose Agents > Servers Without Agents.
3. In the Operation column of the target server, click Install Agent. The Install Agent dialog box is displayed.
   Figure 1 Installing an agent
   

4. Select and set the server verification information.
   • Server authentication mode: Select a mode. In this example, select Account and password mode.
   • Allow direct connection with root permissions: Whether to allow root direct connection. In this example, select this option.
     • Server Root Password: Set this parameter based on the server information.
     • Server Login Port: Set this parameter based on the actual server login port. In this example, set 22 port.
   Figure 2 Enter the server verification information.
   

5. Click OK to start installation.
6. Choose Servers With Agents page and view the agent status of the target server.

   If the Agent Status is Online, the agent is successfully installed.

Step 3: Enable Protection

1. In the navigation pane, choose Server Protection > Web Tamper Protection.
2. On the Servers tab, click Add Server.
3. On the Add Server page, select the target server and click Add and Enable Protection.
   Figure 3 Adding a protected server
   

4. Read the message for adding a protected directory and click .
   Figure 4 Prompt information
   

5. Locate the row containing the target server and click Configure Protection in the Operation column.
   Figure 5 Protection settings
   

6. Add a protected directory.
   1. In the Protected Directory Settings area, click Settings.
   2. In the Protected Directory Settings dialog box, click Add Protected Directory.
      Figure 6 Adding a protected directory
      
   3. Add protected directories based on service requirements. For details about the parameters, see Table 1.

      Table 1 Parameters for adding a protected directory

      Parameter	Description	Example Value
      Protected Directory	Add directories to be protected. Do not add an OS directory as a protected directory. After a directory is added, the files and folders in the protected directory are read-only and cannot be modified directly.	/etc/lesuo
      Excluded Subdirectory	Subdirectories that do not need to be protected in the protected directory, such as temporary file directories. Separate subdirectories with semicolons (;). A maximum of 10 subdirectories can be added.	lesuo/test
      Excluded File Types	Types of files that do not need to be protected in the protected directory, such as log files. To record the running status of the server in real time, exclude the log files in the protected directory. You can grant high read and write permissions for log files to prevent attackers from viewing or tampering with the log files. Separate file types with semicolons (;).	log;pid;text
      Local Backup Path	Set this parameter if your server runs the Linux OS. Set a local backup path for files in protected directories. After WTP is enabled, files in the protected directory are automatically backed up to the local backup path. The backup rules are described as follows: The local backup path must be valid and cannot overlap with the protected directory path. Excluded subdirectories and types of files are not backed up. Generally, the backup completes within 10 minutes. The actual duration depends on the size of files in the protected directory. If WTP detects that a file in a protected directory is tampered with, it immediately uses the backup file on the local server to restore the file.	/etc/backup
      Excluded File Path	Exclude files that do not need to be protected from the protected directory. Separate multiple paths with semicolons (;). A maximum of 50 paths can be added. The maximum length of a path is 256 characters. A single path cannot start with a space or end with a slash (/).	lesuo/data;lesuo/list

   4. Click OK.
   5. In the protected directory list, if Protection Status is Protected, the directory is added successfully.

7. (Optional) Enable remote backup.
   Only Linux servers support the remote backup function. Skip this item for Windows servers.

   1. In the Protected Directory Settings dialog box, click Manage Remote Backup Servers.
      Figure 7 Managing remote backup servers
      
   2. Click Add Backup Server.
   3. Enter the information and click OK. For details about the parameters, see Table 2.

      Table 2 Backup server parameters

      Parameter	Description	Example Value
      Server Name	Name of the remote backup server.	test
      Address	Enter the private IP address of the Huawei Cloud server as the remote backup server.	192.168.1.1
      Port	Enter the server port number. Ensure that the port is not blocked by any security group or firewall or occupied.	8080
      Backup Path	Enter a backup path. The content of the protected directory will be backed up to this path. If the protected directories of multiple servers are backed up to the same remote backup server, the data will be stored in separate folders named after agent IDs. Assume the protected directories of the two servers are /hss01 and hss02, and the agent IDs of the two servers are f1fdbabc-6cdc-43af-acab-e4e6f086625f and f2ddbabc-6cdc-43af-abcd-e4e6f086626f, and the remote backup path is /hss01. The corresponding backup paths are /hss01/f1fdbabc-6cdc-43af-acab-e4e6f086625f and /hss01/f2ddbabc-6cdc-43af-abcd-e4e6f086626f. If WTP is enabled for the remote backup server, do not set the remote backup path to any directories protected by WTP. Otherwise, remote backup will fail.	/hss01

   4. In the Protected Directory Settings area, click Settings.
   5. In the Protected Directory Settings dialog box, click Enable Remote Backup.
   6. Select the added remote backup server and click OK.
   7. If Enabled is displayed, remote backup is started.

8. (Optional) Enable dynamic WTP.
   Runtime application self-protection (RASP) is provided for Tomcat applications of JDK 8 on a Linux server. If you do not require RASP of the Tomcat application or the server runs the Windows OS, skip this item.

   1. In the Dynamic WTP area, click .
      Figure 8 Enable dynamic WTP
      
   2. In the dialog box that is displayed, enter the Tomcat bin directory and click OK.

      Tomcat bin directory example: /usr/workspace/apache-tomcat-8.5.15/bin

   3. If is displayed, dynamic WTP is enabled.
   4. Restart Tomcat to make the dynamic WTP function take effect.

Follow-Up Procedure

• Modify a file or folder in a protected directory.
  If WTP is enabled, files or folders in the protected directory are read-only and cannot be modified. To modify files or folders in the protected directory, perform the following steps:

  • Adding a privileged process: A maximum of 10 privileged processes can be added. For details, see Adding a Privileged Process.
  • Enabling/Disabling scheduled static WTP: In addition to adding a privileged process, you can set periodic static WTP and modify files or folders when WTP is disabled, for details, see Enabling/Disabling Scheduled Static WTP.

• Enable active protection for servers.
  WTP provides some proactive functions for servers. These functions are not enabled or not completely enabled when WTP is enabled. You can determine whether to use these functions based on your requirements, the following table Table 3 describes the functions.

  Table 3 Proactive server protection functions

  Function	Description
  Ransomware Prevention	Ransomware is one of the biggest cybersecurity threats today. Ransomware can intrude a server, encrypt data, and ask for ransom, causing service interruption, data leakage, or data loss. Attackers may not unlock the data even after receiving the ransom. HSS provides static and dynamic ransomware prevention. You can periodically back up server data to reduce potential losses. Ransomware prevention is automatically enabled with the WTP edition. Honeypot files are deployed on your server and suspicious encryption programs are automatically isolated. You can modify the ransomware protection policy. You are also advised to enable backup so that you can restore data.
  Application Protection	To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.
  Application Process Control	HSS can learn the characteristics of application processes on servers and manage their running. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes.
  Virus scanning and removal	The function uses the virus detection engine to scan virus files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audio and video files. You can perform quick scan and full-disk scan on the server as required. You can also customize scan tasks and handle detected virus files in a timely manner to enhance the virus defense capability of the service system.