Constraints and Limitations
Server Protection Restrictions
HSS can protect Huawei Cloud servers, third-party cloud servers, and IDCs. The following types of servers can be protected:
- Huawei Cloud
- Huawei Cloud Elastic Cloud Server (ECS)
- Huawei Cloud Bare Metal Server (BMS)
- Workspace
- Third parties
- Third-party cloud servers
- On-premises IDCs
Container Protection Restrictions
HSS can protect Huawei Cloud cluster containers, third-party cloud cluster containers, and on-premises IDC cluster containers. For details about the supported container types, see Table 1.
Category |
Supported Container Type |
Constraints and Limitations |
---|---|---|
Huawei Cloud |
|
|
Third parties |
|
|
Protection Quota Limit
A server or container node can be protected by HSS only after a quota is allocated to it. Each server or container needs a quota.
The restrictions on the quotas are as follows:
- Quotas cannot be used across regions.
Select a correct region during purchase. For details about how to select a region for different types of servers, see the following table.
Table 2 Region restrictions on protection quotas Category
Server
Region
Huawei Cloud
- ECS
- BMS
- Huawei Cloud Workspace
Regions where your ECSs/BMSs/Workspacesare deployed
HSS cannot be used across regions. If the server and your protection quota are in different regions, unsubscribe from the quota and purchase a quota in the region where the server is deployed.
Third parties
- Third-party cloud servers
- On-premises IDCs
The region of quotas for third-party servers varies depending on the HSS access mode.
- Internet access: The server can access HSS through the Internet. Currently, only certain regions allow servers to connect to HSS through the Internet. For details, see In What Regions Is HSS Available to Non-Huawei Cloud Servers? Select the region nearest to the region of the servers.
- Direct Connect proxy access: The server cannot access the Internet and need to access HSS through Direct Connect and a proxy. This mode has no restrictions on regions. Select the region that you want to connect your servers to.
- A protection quota can be bound to only one server or container node.
- A maximum of 50,000 protection quotas can be purchased in a region.
- After a protection quota is purchased, your server or container is not protected yet. You need to go to the HSS console and install an agent for the server or container and enable protection as prompted.
OS Restrictions
Currently, the HSS agent and system vulnerability scan functions are not supported in certain OSs.
For details about the OS restrictions of HSS, see:
- CentOS 6.x is no longer updated or maintained on the Linux official website, and HSS no longer supports CentOS 6.x or earlier.
- The meanings of the symbols in the table are as follows:
- √: supported
- ×: not supported
OS |
Agent |
System Vulnerability Scan |
---|---|---|
Windows 10 (64-bit) |
√
NOTE:
Only Huawei Cloud Workspace can use this OS. |
× |
Windows 11 (64-bit) |
√
NOTE:
Only Huawei Cloud Workspace can use this OS. |
× |
Windows Server 2012 R2 Standard 64-bit English (40 GB) |
√ |
√ |
Windows Server 2012 R2 Standard 64-bit Chinese (40 GB) |
√ |
√ |
Windows Server 2012 R2 Datacenter 64-bit English (40 GB) |
√ |
√ |
Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB) |
√ |
√ |
Windows Server 2016 Standard 64-bit English (40 GB) |
√ |
√ |
Windows Server 2016 Standard 64-bit Chinese (40 GB) |
√ |
√ |
Windows Server 2016 Datacenter 64-bit English (40 GB) |
√ |
√ |
Windows Server 2016 Datacenter 64-bit Chinese (40 GB) |
√ |
√ |
Windows Server 2019 Datacenter 64-bit English (40 GB) |
√ |
√ |
Windows Server 2019 Datacenter 64-bit Chinese (40 GB) |
√ |
√ |
Windows Server 2022 Datacenter 64-bit English (40 GB) |
√ |
× |
Windows Server 2022 Datacenter 64-bit Chinese (40 GB) |
√ |
× |
OS |
Agent |
System Vulnerability Scan |
---|---|---|
CentOS 7.4 (64-bit) |
√ |
√ |
CentOS 7.5 (64-bit) |
√ |
√ |
CentOS 7.6 (64-bit) |
√ |
√ |
CentOS 7.7 (64-bit) |
√ |
√ |
CentOS 7.8 (64-bit) |
√ |
√ |
CentOS 7.9 (64-bit) |
√ |
√ |
CentOS 8.1 (64-bit) |
√ |
× |
CentOS 8.2 (64-bit) |
√ |
× |
CentOS 8 (64-bit) |
√ |
× |
CentOS 9 (64-bit) |
√ |
× |
Debian 9 (64-bit) |
√ |
√ |
Debian 10 (64-bit) |
√ |
√ |
Debian 11.0.0 (64-bit) |
√ |
√ |
Debian 11.1.0 (64-bit) |
√ |
√ |
Debian 12.0.0 (64-bit) |
√ |
× |
EulerOS 2.2 (64-bit) |
√ |
√ |
EulerOS 2.3 (64-bit) |
√ |
√ |
EulerOS 2.5 (64-bit) |
√ |
√ |
EulerOS 2.7 (64-bit) |
√ |
× |
EulerOS 2.9 (64-bit) |
√ |
√ |
EulerOS 2.10 (64-bit) |
√ |
× |
EulerOS 2.12 (64-bit) |
√ |
× |
Fedora 28 (64-bit) |
√ |
× |
Fedora 31 (64-bit) |
√ |
× |
Fedora 32 (64-bit) |
√ |
× |
Fedora 33 (64-bit) |
√ |
× |
Fedora 34 (64-bit) |
√ |
× |
Ubuntu 16.04 (64-bit) |
√ |
√ |
Ubuntu 18.04 (64-bit) |
√ |
√ |
Ubuntu 20.04 (64-bit) |
√ |
√ |
Ubuntu 22.04 (64-bit) |
√ |
√ |
Ubuntu 24.04 (64-bit) |
√
NOTE:
Currently, brute-force attack detection is not supported. |
× |
Red Hat 7.4 (64-bit) |
√ |
× |
Red Hat 7.6 (64-bit) |
√ |
× |
Red Hat 8.0 (64-bit) |
√ |
× |
Red Hat 8.7 (64-bit) |
√ |
× |
OpenEuler 20.03 LTS (64-bit) |
√ |
√ |
OpenEuler 20.03 LTS SP4 (64-bit) |
√ |
× |
OpenEuler 22.03 LTS SP3 (64-bit) |
√ |
× |
OpenEuler 22.03 LTS (64-bit) |
√ |
× |
OpenEuler 22.03 LTS SP4 (64-bit) |
√ |
× |
AlmaLinux 8.4 (64-bit) |
√ |
√ |
AlmaLinux 9.0 (64-bit) |
√ |
× |
Rocky Linux 8.4 (64-bit) |
√ |
× |
Rocky Linux 8.5 (64-bit) |
√ |
× |
Rocky Linux 9.0 (64-bit) |
√ |
× |
HCE 1.1 (64-bit) |
√ |
√ |
HCE 2.0 (64-bit) |
√ |
√ |
SUSE 12 SP5 (64-bit) |
√ |
√ |
SUSE 15 (64-bit) |
√ |
× |
SUSE 15 SP1 (64-bit) |
√ |
√ |
SUSE 15 SP2 (64-bit) |
√ |
√ |
SUSE 15 SP3 (64-bit) |
√ |
× |
SUSE 15.5 (64-bit) |
√ |
× |
SUSE 15 SP6 (64-bit) |
√
NOTE:
Currently, brute-force attack detection is not supported. |
× |
Kylin V10 (64-bit) |
√ |
√ |
Kylin V10 SP3 (64-bit) |
√ |
× |
UnionTech OS 1050u2e |
√
NOTE:
Currently, file escape detection is not supported. |
√ |
OS |
Agent |
System Vulnerability Scan |
---|---|---|
CentOS 7.4 (64-bit) |
√ |
√ |
CentOS 7.5 (64-bit) |
√ |
√ |
CentOS 7.6 (64-bit) |
√ |
√ |
CentOS 7.7 (64-bit) |
√ |
√ |
CentOS 7.8 (64-bit) |
√ |
√ |
CentOS 7.9 (64-bit) |
√ |
√ |
CentOS 8.0 (64-bit) |
√ |
× |
CentOS 8.1 (64-bit) |
√ |
× |
CentOS 8.2 (64-bit) |
√ |
× |
CentOS 9 (64-bit) |
√ |
× |
EulerOS 2.8 (64-bit) |
√ |
√ |
EulerOS 2.9 (64-bit) |
√ |
√ |
Fedora 29 (64-bit) |
√ |
× |
Ubuntu 18.04 (64-bit) |
√ |
× |
Ubuntu 20.04 (64-bit) |
√ |
√ |
Ubuntu 22.04 (64-bit) |
√ |
√ |
Ubuntu 24.04 (64-bit) |
√
NOTE:
Currently, brute-force attack detection is not supported. |
× |
Kylin V7 (64-bit) |
√ |
× |
Kylin V10 (64-bit) |
√ |
√ |
Kylin V10 SP3 (64-bit) |
√ |
× |
HCE 2.0 (64-bit) |
√ |
√ |
UnionTech OS V20 (64-bit) |
√ |
√
NOTE:
Only UnionTech OS V20 server editions E and D support system vulnerability scan. |
UnionTech OS V20 1050e (64-bit) |
√ |
√ |
UnionTech OS V20 1060e (64-bit) |
√ |
√ |
OpenEuler 22.03 LTS (64-bit) |
√ |
× |
Agent Restrictions
- If third-party security software, such as 360 Total Security, Tencent Manager, and McAfee, is installed on the server, uninstall the software before installing the HSS agent. If the third-party security software is incompatible with the HSS agent, the HSS protection functions will be affected.
- After the agent is installed on the server or container node, the agent may modify the following system files or configurations:
- Linux system files:
- /etc/hosts.deny
- /etc/hosts.allow
- /etc/rc.local
- /etc/ssh/sshd_config
- /etc/pam.d/sshd
- /etc/docker/daemon.json
- /etc/sysctl.conf
- /sys/fs/cgroup/cpu/ (A subdirectory will be created for the HSS process in this directory.)
- /sys/kernel/debug/tracing/instances (A CSA instance will be created in this directory.)
- Linux system configurations: iptables rules
- Windows system configurations:
- Firewall rules
- System login event audit policy and the configuration of login security layer and authentication mode
- Windows Remote Management trusted server list
- Linux system files:
Restrictions on Brute-force Attack Defense
Authorize the Windows firewall when you enable protection for a Windows server. Do not disable the Windows firewall while you use HSS.
If the Windows firewall is disabled, HSS cannot block the source IP addresses of brute-force attacks. This problem may persist even if the Windows firewall is enabled after being disabled.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot