Function Overview

Host Security Service (HSS) is designed to protect server workloads in hybrid clouds and multi-cloud data centers. It provides host security functions, Container Guard Service (CGS), and Web Tamper Protection (WTP).

HSS can collect server asset fingerprints, including information about ports, processes, web applications, web services, web frameworks, and auto-started items. You can centrally check server asset information and detect risky assets in a timely manner based on the server fingerprints.

HSS can collect container asset fingerprints, including container clusters, services, workloads, accounts, ports, and processes. You can centrally check container asset information and detect risky assets in a timely manner based on the container fingerprints.

HSS proactively checks weak password complexity policies and other unsafe settings, and provides suggestions for fixing detected risks.

HSS detects Linux, Windows, Web-CMS, and application vulnerabilities and provides a vulnerability overview, including host vulnerability detection details, vulnerability statistics, vulnerability type distribution, top 5 vulnerabilities, and top 5 risky servers, helping you learn host vulnerabilities in real time.

HSS scans the images that are running or displayed in your image list, and provides suggestions on how to fix vulnerabilities and malicious files.

HSS protects running applications. You simply need to add probes to applications, without having to modify application files.

So far, only Java applications on Linux servers can be protected.

HSS reports alarms on 13 types of intrusions, including brute-force attacks, process exceptions, web shells, abnormal logins, and malicious processes. You can learn all these events on the HSS console and eliminate security risks in your assets in a timely manner.
HSS displays alarm and event statistics and their summary all on one page. You can have a quick overview of alarms, including the numbers of servers with alarms, handled alarms, unhandled alarms, blocked IP addresses, and isolated files.
The Events page displays the alarm events generated in the past 30 days. You can manually clear, ignore, whitelist, or isolate and kill alarmed items.

HSS provides free health check for ECSs that are not protected by HSS, and for the CCE clusters where free health check is enabled. HSS generates security reports on the risks in servers and containers.

HSS uses advanced AI and machine learning technologies and integrates a range of antivirus engines to detect and kill malicious programs on your servers.
If you enable Isolate and Kill Malicious Programs, HSS will automatically isolate and kill identified malicious programs, such as web shells, Trojans, and worms, removing security risks.
If you do not enable it, HSS will generate alarms on suspicious programs but will not handle them. You can choose Intrusions > Events, click Malicious program (cloud scan), and isolate and kill alarmed programs.

HSS can detect new files and running processes in real time, control risks in new files, dynamically generate bait files for proactive defense, accurately identify ransomware, and periodically back up servers based on user-defined policies.

HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them, and can recover isolated files anytime.

FIM checks the files in your OSs, applications, and other components for tampering, helping you meet PCI-DSS requirements. FIM compares files with their versions in the previous scan to check whether files have been modified, and whether the modifications are suspicious.
FIM checks the integrity of Linux files and manages operations on them, including:
- Create and delete files
- Modify files (changes in file size, ACLs, and content hashes)

HSS provides flexible policy management capabilities. Users can customize security detection rules as required to meet host security requirements in different application scenarios.

Static WTP monitors website directories in real time, backs up files, and restores tampered files using the backup, protecting websites from Trojans, malicious links, and tampering.
You can add the Windows and Linux processes you trust to the whitelist. Whitelisted processes will not be blocked by WTP functions.
Dynamic WTP protects your data while Tomcat is running, detecting dynamic data tampering in databases.

2FA requires users to provide verification codes before they log in. The codes will be sent to their mobile phones or email boxes.
You have to choose an SMN topic when you log in to an ECS where 2FA is enabled. The topic specifies the recipients of verification codes, and HSS will authenticate login users accordingly.

The SSH login whitelist controls SSH access to servers, effectively preventing account cracking.
After you configure an SSH login IP address whitelist, SSH logins will be allowed only from whitelisted IP addresses.
- Before enabling this function, ensure that all IP addresses that need to initiate SSH logins are added to the whitelist. Otherwise, you cannot remotely log in to your server using SSH. If your service needs to access a server, but not necessarily via SSH, you do not need to add its IP address to the whitelist.
- Exercise caution when adding an IP address to the whitelist. This will make HSS no longer restrict access from this IP address to your servers.

After you configure common login locations and IP addresses, HSS will generate alarms on the logins from other login locations or IP addresses. A server can be added to multiple login locations.

To reduce false alarms, import events to and export events from the whitelist. Whitelisted events will not trigger alarms.

After alarm notification is enabled, you can receive alarm notifications sent by HSS to learn about security risks in your servers and web pages. Without this function, you have to log in to the management console to view alarms.
Alarm notification settings are effective only for the current region. To receive notifications from another region, switch to that region and configure alarm notification.

You can create a server group and add servers to it. You can check the numbers of servers, unsafe servers, and unprotected servers in a group.

You can subscribe to daily, weekly, monthly, and custom reports, which are stored for six months. The reports show your server security trends and key security events and risks.

After creating a batch agent installation task, the system will install the agents automatically. You can enable protection for the target servers after the agents are installed successfully.

You can isolate, suspend, kill, and restore containers with medium or higher security risks to prevent them from affecting secure containers.

The HSS container firewall controls and intercepts network traffic inside and outside a container cluster to prevent malicious access and attacks.

HSS can control different types of application processes on servers. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes.

HSS can check for non-compliance baseline issues, vulnerabilities, and malicious files when a container image is started and report alarms on or block container startup that has not been unauthorized or may incur high risks. You can configure container cluster protection policies to block images with vulnerabilities, malicious files, non-compliant baselines, or other threats, hardening cluster security.

The function uses the virus detection engine to scan virus files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audio and video files. You can perform quick scan and full-disk scan on the server as required. You can also customize scan tasks and handle detected virus files in a timely manner to enhance the virus defense capability of the service system.

HSS can collect statistics on the servers and risks under your organization member accounts. If your account is managed by an organization, you can view the number of servers under all the member accounts in the organization, as well as the number of vulnerabilities, baselines, and alarms of the servers.

The dynamic port honeypot function is a deception trap. It uses a real port as a bait port to induce attackers to access the network. In the horizontal penetration scenario, the function can effectively detect attackers' scanning, identify faulty servers, and protect real resources of the user.

Keep track of the operations and activities in your container clusters, gaining insight into every phase of the container lifecycle, including creating, starting, stopping, and destroying containers; as well as the communication and transmission between containers. Find and handle security problems through audit and analysis in a timely manner, ensuring the security and stability of container clusters.

On the first day of each month, HSS generates a security operations summary report for last month. You can learn the asset security status and security configurations, analyze past security operations, and harden configurations and improve O&M efficiency accordingly.