Updated on 2025-10-10 GMT+08:00

Constraints

Server Protection Restrictions

HSS can protect cloud servers. The following types of servers can be protected:
  • Elastic Cloud Server (ECS)
  • Bare Metal Server (BMS)
  • On-premises data center (IDC)

OS Restrictions

Currently, the HSS agent and system vulnerability scan functions are not supported in certain OSs.

For details about the OS restrictions of HSS, see:

  • CentOS 6.x is no longer updated or maintained on the Linux official website, and HSS no longer supports CentOS 6.x or earlier.
  • The meanings of the symbols in the table are as follows:
    • √: supported
    • ×: not supported
Table 1 HSS restrictions on Windows (x86)

OS

Agent

System Vulnerability Scan

Windows Server 2012 R2 Standard 64-bit English (40 GB)

Windows Server 2012 R2 Standard 64-bit Chinese (40 GB)

Windows Server 2012 R2 Datacenter 64-bit English (40 GB)

Windows Server 2012 R2 Datacenter 64-bit Chinese (40 GB)

Windows Server 2016 Standard 64-bit English (40 GB)

Windows Server 2016 Standard 64-bit Chinese (40 GB)

Windows Server 2016 Datacenter 64-bit English (40 GB)

Windows Server 2016 Datacenter 64-bit Chinese (40 GB)

Windows Server 2019 Datacenter 64-bit English (40 GB)

Windows Server 2019 Datacenter 64-bit Chinese (40 GB)

Windows Server 2022 Datacenter 64-bit English (40 GB)

×

Windows Server 2022 Datacenter 64-bit Chinese (40 GB)

×

Windows Server 2022 Standard 64-bit English (40 GB)

×

Windows Server 2022 Standard 64-bit Chinese (40 GB)

×

Table 2 HSS restrictions on Linux (x86)

OS

Agent

System Vulnerability Scan

CentOS 7.4 (64-bit)

CentOS 7.5 (64-bit)

CentOS 7.6 (64-bit)

CentOS 7.7 (64-bit)

CentOS 7.8 (64-bit)

CentOS 7.9 (64-bit)

CentOS 8.1 (64-bit)

×

CentOS 8.2 (64-bit)

×

CentOS 8 (64-bit)

×

Debian 9 (64-bit)

Debian 10 (64-bit)

Debian 11 (64-bit)

Debian 12 (64-bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

EulerOS 2.2 (64-bit)

EulerOS 2.3 (64-bit)

EulerOS 2.5 (64-bit)

EulerOS 2.7 (64-bit)

×

EulerOS 2.9 (64-bit)

EulerOS 2.10 (64-bit)

EulerOS 2.11 (64-bit)

EulerOS 2.12 (64-bit)

Fedora 28 (64-bit)

×

Fedora 31 (64-bit)

×

Fedora 32 (64-bit)

×

Fedora 33 (64-bit)

×

Fedora 34 (64-bit)

×

Ubuntu 16.04 (64-bit)

Ubuntu 18.04 (64-bit)

Ubuntu 20.04 (64-bit)

Ubuntu 22.04 (64-bit)

Ubuntu 24.04 (64-bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

AlmaLinux 8.4 (64-bit)

AlmaLinux 9.0 (64-bit)

×

AlmaLinux 9.2 (64-bit)

×

AlmaLinux 9.4 (64-bit)

×

Rocky Linux 8.4 (64-bit)

×

Rocky Linux 8.5 (64-bit)

×

RockyLinux 8.6 (64-bit)

RockyLinux 8.10 (64-bit)

Rocky Linux 9.0 (64-bit)

×

RockyLinux 9.4 (64-bit)

RockyLinux 9.5 (64-bit)

HCE 1.1 CentOS-compatible edition (64-bit)

HCE 2.0 standard edition (64-bit)

SUSE Linux Enterprise Server 12 SP5 (64 bit)

SUSE Linux Enterprise Server 15 (64 bit)

×

SUSE Linux Enterprise Server 15 SP1 (64 bit)

SUSE Linux Enterprise Server 15 SP2 (64 bit)

SUSE Linux Enterprise Server 15 SP3 (64 bit)

×

SUSE Linux Enterprise Server 15.5 (64 bit)

×

SUSE Linux Enterprise Server 15 SP6 (64 bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

Kylin V10 (64 bit)

Kylin V10 SP1 (64 bit)

Kylin V10 SP2 (64 bit)

Kylin V10 SP3 (64 bit)

×

UnionTech OS 1050u2e

NOTE:

Currently, file escape detection is not supported.

Table 3 HSS restrictions on Linux (Arm)

OS

Agent

System Vulnerability Scan

CentOS 7.4 (64-bit)

CentOS 7.5 (64-bit)

CentOS 7.6 (64-bit)

CentOS 7.7 (64-bit)

CentOS 7.8 (64-bit)

CentOS 7.9 (64-bit)

CentOS 8.0 (64-bit)

×

CentOS 8.1 (64-bit)

×

CentOS 8.2 (64-bit)

×

CentOS 9 (64-bit)

×

Debian 11 (64-bit)

Debian 12 (64-bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

EulerOS 2.8 (64-bit)

EulerOS 2.9 (64-bit)

EulerOS 2.10 (64-bit)

EulerOS 2.11 (64-bit)

EulerOS 2.12 (64-bit)

Fedora 29 (64-bit)

×

Ubuntu 18.04 (64-bit)

Ubuntu 20.04 (64-bit)

Ubuntu 22.04 (64-bit)

Ubuntu 24.04 (64-bit)

NOTE:

Currently, brute-force attack detection is not supported.

×

NeoKylin Linux Advanced Server Operating System V7 (64-bit)

×

Kylin V10 (64 bit)

Kylin V10 SP1 (64 bit)

Kylin V10 SP2 (64 bit)

Kylin V10 SP3 (64 bit)

×

HCE 2.0 standard edition (64-bit)

UnionTech OS V20 (64-bit)

NOTE:

Only UnionTech OS V20 server editions E and D support system vulnerability scan.

UnionTech OS V20 1050e (64-bit)

UnionTech OS V20 1060e (64-bit)

RockyLinux 9.5 (64-bit)

CTyunOS 3-23.01 (64-bit)

Agent Restrictions

  • If third-party security software is installed on the server, uninstall the software before installing the HSS agent. If the third-party security software is incompatible with the HSS agent, the HSS protection functions will be affected.
  • After the agent is installed on the server or container node, the agent may modify the following system files or configurations:
    • Linux system files:
      • /etc/hosts.deny
      • /etc/hosts.allow
      • /etc/rc.local
      • /etc/ssh/sshd_config
      • /etc/pam.d/sshd
      • /etc/docker/daemon.json
      • /etc/sysctl.conf
      • /sys/fs/cgroup/cpu/ (A subdirectory will be created for the HSS process in this directory.)
      • /sys/kernel/debug/tracing/instances (A CSA instance will be created in this directory.)
    • Linux system configurations: iptables rules
    • Windows system configurations:
      • Firewall rules
      • System login event audit policy and the configuration of login security layer and authentication mode
      • Windows Remote Management trusted server list

Restrictions on Brute-force Attack Defense

  • Before you enable protection for a Windows server, enable the Windows firewall to block the source IP addresses of brute-force attacks. If the Windows firewall is not enabled, HSS only generates alarms for detected brute-force attacks, but does not block them.
    • After the Windows firewall is enabled, HSS automatically adds firewall rules hostguard_AllowAnyIn and hostguard_AllowAnyOut to allow all inbound and outbound traffic, so that the firewall will not affect your services. If HSS detects a brute-force attack, it adds an inbound rule to the firewall to block the attack source IP address. This does not affect your servers.
    • Do not disable the Windows firewall when using HSS, or HSS cannot block the source IP addresses of brute-force attacks. Once it is disabled, HSS may fail to block the attack source IP addresses even after you manually enable it again.
  • Brute-force attack detection does not support Debian 12, Ubuntu 24.04, or SUSE Linux Enterprise Server 15 SP6.