Updated on 2025-07-24 GMT+08:00

Purchasing and Enabling WTP

Scenario

HSS provides static and dynamic (Tomcat) Web Tamper Protection (WTP) functions. WTP monitors website directories in real time, backs up files, and restores tampered files. In addition, multiple server security protection functions are provided. For details, see Product Functions.

The following example describes how to buy HSS protection quota and enable WTP.

  • Server: EulerOS 2.9 Huawei Cloud ECS
  • Protection quotas
    • Billing mode: Yearly/Monthly
    • Edition: WTP
    • Quantity: 1

Process

  • Preparations: Grant permissions to IAM users, and prepare the cloud servers to be protected.
  • Step 1: Purchase HSS Quota. Set the billing mode and edition, and purchase protection quota for your server.
  • Step 2: Install an Agent. Install the agent on the target server.
  • Step 3: Enable Protection. Enable protection for the target server.

Preparations

  1. If you perform operations as an IAM user, ensure that the IAM user has been assigned the HSS FullAccess permission. For details, see Creating a User and Granting Permissions.

    When purchasing HSS protection quotas, you need to assign the BSS Administrator and Tenant Guest permissions to IAM users.

  2. A Huawei Cloud ECS for which WTP will be enabled is available.

Step 1: Purchase HSS Quota

  1. Log in to the management console.
  2. Click in the upper left corner and select the region and project.
  3. Click in the upper left corner of the page and choose Security & Compliance > HSS.
  4. In the upper right corner of the Dashboard page, click Buy HSS.
  5. Configure parameters.

    Region (example: CN-Hong Kong)

    Select the region of the server. After HSS is purchased, the region cannot be changed. Exercise caution when selecting a region.

    Billing Mode (example: Yearly/Monthly)

    WTP supports only the Yearly/Monthly billing mode.

    Yearly/Monthly is a prepaid billing mode. You pay in advance for a subscription term, and in exchange, you get a discounted rate. The longer the subscription term, the bigger the discount. For more information, see Pricing Details.

    Edition Specifications (example: WTP Edition)

    HSS provides basic, professional, premium, WTP, and container editions. Functions vary depending on editions. For details about functions supported by each edition, see Functions.

    Enterprise Project (example: default)

    This parameter is displayed only when you use an enterprise account to purchase protection quotas.

    It enables unified management of cloud resources by project.

    Tag (example: Not added)

    Tags are used to identify server security, facilitating cloud resource classification and management.

    Automatically assign (example: Not selected)

    When a server or container node is added and the agent is installed for the first time, it will be bound to an available yearly/monthly quota.

    Only unused quotas will be bound, and no new order or fee will be generated.

    Required Duration (example: 1 month)

    Select the required duration. The longer the subscription period, the higher the discount.

    Auto-Renewal (example: Not selected)

    The Auto-renew option enables the system to renew your service by the required duration when the service is about to expire.

    Quantity (example: 1)

    Set the value based on the actual number of servers.

  6. In the lower right corner of the page, click Next.
  7. After confirming the order, select I have read and agree to the Host Security Service Disclaimer.
  8. Click Pay Now and complete the payment.
  9. Click Back to Host Security Service Console to return to the HSS console.

Step 2: Install an Agent

  1. In the navigation pane, choose Installation & Configuration > Server Install & Config.
  2. In the upper right corner of the page, click Install HSS Agent.
  3. Select ECS and click Configure Now.
  4. Select an installation mode. For details about the parameters, see Table 1.

    Figure 1 Installing an agent
    Table 1 Parameters for installing the agent

    Installation Mode (example: CLI-based installation)

    • GUI: You need to provide the server account password or key for installing the agent. HSS does not save the password file you upload. To install the agent in this mode, ensure there is already an executor ECS, which is an ECS with an online agent in the same VPC as the target ECS.
    • CLI: You need to log in to the server and run commands or scripts. This method is used when you install the agent for the first time.

    Owner Account (example: Current account)

    • Current account installation: The server and the HSS quota you purchased are under the same account. You can log in to the account to obtain the installation commands or script and install the agent on the server.
    • Cross-account installation: The server and the HSS quota you purchased are not under the same account. You can log in to account A to obtain the installation command or script and install the agent on the target server under account B. After the agent is successfully installed, you can view the target server on the Asset Management > Servers & Quota page of account A.

    Server OS (example: Linux)

    Select an OS type based on the server OS.

    Scale (example: A single)

    Select the scale based on the number of servers on which the agent is to be installed.

  5. (Optional) Select the servers that need to be connected to the current HSS region and click Next.

    • Perform this operation only in the CN East2 and CN Southwest-Guiyang1 regions. HSS will automatically create a VPC endpoint, which occupies an IP address of your VPC subnet. Only one VPC endpoint will be created for each of your VPCs to ensure the communication between your servers and HSS.
    • In other regions, ensure the security groups of your servers allow outbound traffic through port 10180 of the 100.125.0.0/16 CIDR block. This port is used to communicate with HSS.

  6. Install the agent as prompted.

    For CN East2 and CN Southwest-Guiyang1 regions, wait until the network communication succeeds (that is, the VPC endpoint is created) before performing the following operations.

    1. On the console page, click in the Install HSS Agent dialog box to copy the installation command.
      Figure 2 Copying the installation command
    2. Log in to the server as the root user and paste the installation command.

      If the command output shown in Figure 3 is displayed, the agent has been installed.

      Figure 3 Agent installed

  7. Wait for 5 to 10 minutes and return to the HSS console. On the Server Install & Config page, click the Agents tab, and click Servers with Agents. Check the agent status of the target server.

    If the Agent Status is Online, the agent is successfully installed.

Step 3: Enable Protection

  1. In the navigation pane, choose Server Protection > Web Tamper Protection.
  2. On the Servers tab, click Add Server. The Add Server page is displayed.
  3. On the Add Server page, select servers and click Next. For more information, see Table 2.

    Figure 4 Selecting servers
    Table 2 Parameters for selecting protected servers

    OS (example: Linux)

    Select the OS type of the server to be protected by WTP.

    • Linux
    • Windows

    Select Servers

    Select servers.

    You can filter the servers by software type or other attributes.

    Select Quota (example: Yearly/Monthly)

    The HSS WTP edition supports two billing modes, yearly/monthly and pay-per-use billing, to meet requirements in different scenarios.

    • Yearly/Monthly billing is a prepaid mode in which you pay for the service before using it. Your bill is generated based on the required duration you specify in the order. The longer the subscription term, the bigger the discount.
    • Pay-per-use is a postpaid billing mode. You pay as you go and just pay for what you use. The HSS usage is calculated by the second but billed every hour. With the pay-per-use billing mode, you can easily adapt to resource requirement changes, reducing the risk of over-provisioning resources or lacking capacity. In this mode, there are no upfront commitments required.

    When selecting the yearly/monthly billing mode, you can select a quota or retain the default value Select a quota randomly.

    Agreement (example: selected)

    Before enabling WTP, ensure that you have read the Host Security Service Disclaimer.

    Select I have read and agree to the Host Security Service Disclaimer.

  4. On the Add Server page, configure policies. For more information, see Table 3.

    Figure 5 Configuring policies
    Table 3 Parameters for configuring rules

    Protected Directory (example: /etc/lesuo)

    WTP supports static and dynamic web page protection. Static WTP protects specified directories by locking files in the web file directory in the drive to prevent attackers from modifying the files.

    Therefore, when configuring a protection policy, you need to specify the directories to be protected.

    After a directory is protected, the files and folders in the directory will become read-only.

    The requirements for adding a protected directory are as follows:

    • For Linux,
      • It cannot start with a space, end with a slash (/), or contain semi-colons (;). Up to 256 characters are allowed.
      • A server can have up to 50 protected directories.
      • The folder levels of a protected directory cannot exceed 100.
      • The total folders in protected directories cannot exceed 900,000.
    • For Windows,
      • Up to 256 characters are allowed. The directory name cannot start with a space or end with a backslash (\). It cannot contain the following characters: ;/*?"<>|
      • A server can have up to 50 protected directories.

    Do not add network directories as protected directories. The reasons are as follows:

    • Inefficient detection

      A network directory usually contains a large number of files and may reach hundreds of terabytes, severely slowing down a scan.

    • Network bandwidth consumption

      Accessing a network directory consumes network bandwidth. A large-scale scan may fully occupy the network bandwidth and affect your workloads. For example, the access speed may slow down and the network latency may increase.

    Excluded Subdirectory (Optional) (example: cache)

    If a protected directory contains subdirectories that do not need to be protected, you can exclude the subdirectories.

    The requirements for adding a subdirectory are as follows:

    • Enter a subdirectory name or the relative subdirectory path under a protected directory. If you enter a subdirectory name, all subdirectories that match the name will be excluded, regardless of their levels.
    • A subdirectory name or path cannot start or end with a slash (/) and can contain up to 256 characters.
    • Up to 10 subdirectories can be added. Use semicolons (;) to separate multiple subdirectories.

    Excluded File Path (Optional) (example: ma.txt)

    This item is available only for Linux servers.

    If a protected directory contains files that do not need to be protected, exclude the files.

    The requirements for adding excluded file paths are as follows:

    • Enter a file name or the relative file path under a protected directory. If you enter a file name, all files that match the name will be excluded, regardless of their levels.
    • A file name or path cannot start or end with a slash (/), and can contain up to 256 characters.
    • Up to 50 files can be added. Use semicolons (;) to separate multiple files.

    Local Backup Path (example: /etc/backup)

    This item is available only for Linux servers.

    Set a local backup path for a protected directory. After WTP is enabled, files in the protected directory are automatically backed up to the local backup path. Once the system detects that a file in the protected directory is tampered with, it immediately uses the local backup to restore the tampered file.

    The requirements for adding local backup paths are as follows:

    • A local backup path cannot contain semicolons (;), start with a space, or end with a slash (/). Up to 256 characters are allowed.
    • Key system directories are a main attack target and cannot be used as backup paths, including but not limited to /etc/, /bin/, /usr/bin/, /var/spool/, /usr/sbin/, /sbin/, /usr/lib/, /lib/, /lib64/, /usr/lib64/, and their subdirectories.

    Local backup rule description:

    • The local backup path must be valid and cannot overlap with the protected directory path.
    • Excluded subdirectories and types of files are not backed up.
    • Generally, the backup completes within 10 minutes. The actual duration depends on the size of files in the protected directory.

    Excluded File Types (example: log)

    If a protected directory contains files of certain types that do not need to be protected, exclude these file types, for example, logs. You can exclude any type of files.

    To record the running status of servers in real time, exclude the log files in the protected directory. You can set high permission requirements for log read and write, so that attackers cannot view or tamper with log files.

    Type (example: Intercept)

    Action taken when file tampering is detected.

    • Alarm: Only alarms are reported.
    • Block: An alarm is reported, and the file is restored to the status before being tampered with.

    Scheduled Protection (Optional)

    You can schedule when to disable static WTP. In the unprotected period, you can modify, update, or release web pages.

    Click to enable scheduled protection and configure the following parameters:

    • Unprotected Time Range

      A time range when WTP is disabled within a day, for example, 10:05 to 15:35.

      Requirements:

      • A time range must be at least 5 minutes.
      • Time ranges (except for those starting at 00:00 or ending at 23:59) cannot overlap and must have at least a 5-minute interval.
      • All time ranges are subject to the system time of the server.
    • Unprotected Days of a Week

      Static WTP is automatically disabled on specified days of a week, for example, Wednesday and Thursday.

    Dynamic WTP (Optional) (example: /usr/workspace/apache-tomcat-8.5.15/bin)

    Dynamic WTP is mainly used to protect Tomcat applications on Linux. It can detect and prevent tampering with dynamic data, such as database data, in real time during application running.

    Currently, dynamic WTP can protect Tomcat applications using JDK 8, JDK 11, and JDK 17.

    To enable dynamic WTP, click and enter a complete Tomcat bin directory path, for example, /usr/workspace/apache-tomcat-8.5.15/bin. The system presets the setenv.sh script in the bin directory to configure the startup parameters of the anti-tamper program.

    Configure Privileged Processes (Optional)

    A privileged process is a process authorized to modify a protected directory.

    This feature is compatible with Linux and Windows. However, only Linux OSs using kernel versions 5.10 or later are supported.

    After WTP is enabled, all files in the protected directory will be set to read-only and cannot be modified. If anyone attempts to modify a file or website, the system will automatically restore it to the status before the modification.

    You can add privileged processes and use them to modify the files in protected directories or update websites. Ensure the specified privileged processes, which are authorized to access protected directories, are secure and reliable.

    Click to enable the privileged processes and configure the following parameters:

    • Process File Path

      The process file path is the complete path of the process executable. Enter each privileged process file path on a separate line. Up to 10 privileged processes are allowed.

    • Trust Subprocess

      If Trust Subprocess is enabled, HSS will trust all the subprocesses up to five levels deep in the subdirectories of the specified directories, and allow those subprocesses to modify protected directories.

  5. After the policy is configured, click OK.
  6. On the Servers tab, check the static and dynamic anti-tamper status of the target server.

    If the static WTP status is Protected and the dynamic WTP status icon shows enabled, static and dynamic WTP have been enabled successfully. After dynamic WTP is enabled, you need to restart Tomcat to apply the settings.
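The directory and path rules in Table 3 can be checked before a policy is submitted in the console. The validator below is an added example, not code from the HSS documentation or from Huawei Cloud; it encodes the Linux and Windows protected-directory rules, the excluded subdirectory and file limits, and the local backup path rules (key system directories, no overlap with a protected directory) exactly as stated above. All constant and function names are assumed for this example.

```python
import posixpath

MAX_LEN = 256  # every path or list entry in Table 3 is capped at 256 characters
WINDOWS_FORBIDDEN = set(';/*?"<>|')
# Key system directories the page rules out as local backup paths.
SYSTEM_DIRS = ("/etc/", "/bin/", "/usr/bin/", "/var/spool/", "/usr/sbin/",
               "/sbin/", "/usr/lib/", "/lib/", "/lib64/", "/usr/lib64/")


def check_protected_dir(path, os_type="Linux"):
    """Return the Table 3 rules that one protected directory breaks."""
    errors = []
    if len(path) > MAX_LEN:
        errors.append("longer than 256 characters")
    if path.startswith(" "):
        errors.append("starts with a space")
    if os_type == "Linux":
        if path.endswith("/"):
            errors.append("ends with a slash")
        if ";" in path:
            errors.append("contains a semicolon")
    else:  # Windows
        if path.endswith("\\"):
            errors.append("ends with a backslash")
        bad = "".join(sorted(WINDOWS_FORBIDDEN & set(path)))
        if bad:
            errors.append("contains forbidden characters " + bad)
    return errors


def check_exclusions(field, limit):
    """Validate a ';'-separated excluded subdirectory (limit 10) or excluded
    file (limit 50) list; entries are relative to the protected directory."""
    items = [i for i in field.split(";") if i]
    errors = [f"more than {limit} entries"] if len(items) > limit else []
    for item in items:
        if item.startswith("/") or item.endswith("/"):
            errors.append(f"{item!r} starts or ends with a slash")
        if len(item) > MAX_LEN:
            errors.append(f"{item!r} longer than 256 characters")
    return errors


def check_backup_path(backup, protected_dirs):
    """Linux local backup path: no ';', no leading space, no trailing '/',
    not under a key system directory, not nested with a protected directory."""
    errors = []
    if ";" in backup or backup.startswith(" ") or backup.endswith("/"):
        errors.append("contains ';', starts with a space or ends with '/'")
    if len(backup) > MAX_LEN:
        errors.append("longer than 256 characters")
    norm = posixpath.normpath(backup) + "/"
    if any(norm.startswith(d) for d in SYSTEM_DIRS):
        errors.append("inside a key system directory")
    for d in protected_dirs:
        pd = posixpath.normpath(d) + "/"
        if norm.startswith(pd) or pd.startswith(norm):  # either one nested in the other
            errors.append(f"overlaps protected directory {d}")
    return errors
```

Note that the page's own example backup path, /etc/backup, sits under /etc/, which the key-system-directory rule above excludes, so the validator reports it; choose a backup path outside those directories in practice.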

Follow-Up Procedure

  • Modify a file or folder in a protected directory.
    If WTP is enabled, files or folders in the protected directory are read-only and cannot be modified. To modify files or folders in the protected directory, use either of the following methods:
    • Add privileged processes: You can add a maximum of 10 privileged processes. For details, see Modifying a WTP Configuration.
    • Enable/Disable scheduled static WTP: In addition to adding a privileged process, you can set periodic static WTP and modify files or folders while WTP is disabled. For details, see Modifying a WTP Configuration.
  • Enable active protection for servers.
    WTP provides some proactive functions for servers. These functions are not enabled, or not completely enabled, when WTP is enabled. You can decide whether to use them based on your requirements. Table 4 describes the functions.
    Table 4 Proactive server protection functions

    Ransomware Prevention

    Ransomware is one of the biggest cybersecurity threats today. Ransomware can intrude into a server, encrypt data, and ask for ransom, causing service interruption, data leakage, or data loss. Attackers may not unlock the data even after receiving the ransom. HSS provides static and dynamic ransomware prevention. You can periodically back up server data to reduce potential losses.

    Ransomware prevention is automatically enabled with the container edition. HSS will deploy honeypot files on servers and automatically isolate suspicious encryption processes. You can modify the ransomware protection policy. You are also advised to enable backup so that you can restore data.

    Application Protection

    To protect your applications with RASP, you simply need to add probes to them, without having to modify application files.

    Application Process Control

    HSS can learn the characteristics of application processes on servers and manage their running. Suspicious and trusted processes are allowed to run, and alarms are generated for malicious processes.

    Virus Scanning and Removal

    The virus detection engine scans for virus-infected files on the server. The scanned file types include executable files, compressed files, script files, documents, images, and audiovisual files. You can perform quick scan and full-disk scan on the server as required. You can also customize scan tasks and handle detected virus files in a timely manner to enhance the virus defense capability of your service system.

    Policy Management

    HSS comes in multiple editions, including basic, professional, premium, WTP, and container editions. Except for the basic edition, they each have a default protection policy group. A policy group is a collection of policies. These policies can be applied to servers to centrally manage and configure the sensitivity, rules, and scope of HSS detection and protection. You can customize policies for asset management, baseline inspection, and intrusion detection as needed. Some policies in the policy group are not enabled by default. You can enable them as needed.