Server Fingerprint Overview

What Is a Server Fingerprint?

A company may have hundreds, or even thousands of servers running in its IT environment. The information about the ports, accounts, software, and other assets on the servers often change due to O&M operations, making it difficult for O&M personnel to track them in real time. Unmonitored assets and security blind spots may be exploited by attackers and incur risks.

HSS server fingerprint management collects important asset information on servers, including its accounts, open ports, processes, software, auto-started items, web applications, web services, web frameworks, websites, middleware, kernel modules, and databases, to help you learn the asset status of each server, improve O&M efficiency, and eliminate security blind spots.

Server Fingerprint Collection Items

Asset types whose server fingerprints can be collected include accounts, open ports, processes, software, auto-started items, web applications, web services, web frameworks, websites, middleware, kernel modules, and databases. For details, see Server Fingerprint Collection Items.

**Table 1** Server fingerprint collection items
Asset Type	Collection Description	Collected Information	Supported OS
Accounts	Collect server system accounts to help you identify suspicious accounts.	Real-time account information: account name, number of associated servers, server name and IP address, login permission, root permission, user group, user directory, and user startup shell Historical account information: account name, number of associated servers, server name and IP address, change status, login permission, root permission, user group, user directory, and user startup shell	Linux and Windows
Open ports	Collect ports in the server system to help you identify risky ports. For details about the risky ports defined by HSS, see High-risk port list.	Port number, protocol type, number of associated servers, server name and IP address, listening IP address, status, process PID, and program file	Linux and Windows
Processes	Collect processes running in the server system to help you detect abnormal processes (such as hidden processes and unknown hash processes). If a process has been inactive for 30 consecutive days, it will be automatically removed from the process list.	Process path, number of associated servers, server name and IP address, startup parameter, startup time, running user, file permission, process PID, and file hash	Linux and Windows
Software	Collect software information in the server system to help you count software assets and identify insecure software versions. The following software types support data collection: Linux: information about the software installed by a package manager (such as rpm and dpkg) Windows: software information in the registry	Real-time software information: software name, number of associated servers, server name and IP address, and software version Software change history: software name, number of associated servers, server name and IP address, change status, and software version	Linux and Windows
Auto-started items	Collect auto-started services, startup folders, pre-loaded dynamic libraries, Run registry keys, and scheduled tasks in the server system, helping you detect abnormal auto-started items in time and quickly locate Trojans.	Real-time auto-started item information: auto-started item name, type, number of servers, server name and IP address, path, file hash, and the user who ran it Historical auto-started item information: server name and IP address, path, file hash, and the user who ran it	Linux and Windows
Websites	Collect information about web content directories and externally accessible websites, helping you comprehensively learn the website structure and access paths and preventing unauthorized access. Information about the following websites can be collected: Linux-based Apache, Nginx, and Tomcat.	Website name, number of servers, server name and IP address, external domain name, external port, URL, web directory, directory permission, directory UID, last directory modification time, SSL certificate, certificate issuer, certificate user, certificate issuing time, certificate expiration time, and associated PID	Linux
Web frameworks	Collect information about the development framework used by web pages to help you identify framework vulnerabilities. The following types of web frameworks run on Linux and support data collection: Java language framework: Struts, Struts 2, Spring, Hibernate, WebWork, Quartz, Velocity, Turbine, FreeMarker, fleXive, Stripes, Vaadin, Vert.x, Wicket, ZKoss, Jackson, Fastjson, Shiro, MyBatis, Jersey, and JFinal Python framework: Django, Flask, Tornado, web.py, and web2py PHP language framework: Webasyst, KYPHP, CodeIgniter, InitPHP, SpeedPHP, ThinkPHP, and OneThink Go framework: Gin, Beego, Fasthttp, Iris, and Echo	Web framework name, number of servers, server name and IP address, version, path, associated PID, and process path	Linux
Middleware	Collect all Python packages, npm packages, JAR packages loaded by the Java process, and their nested JAR packages in the server system, helping you learn service support components and identify abnormal components.	Middleware name, number of servers, server name and IP address, version number, path, associated PID, and process path	Linux and Windows
Kernel module	Collect program modules loaded to the kernel layer of the OS, helping you identify underlying running behaviors and prevent underlying intrusions.	Module name, number of servers, version number, source code version number, module description, driver file path, file size, file permission, file user ID, file creation time, last modification time, and file hash	Linux
Web services	Collect details about the software that provides web content access for external systems, helping you learn the website hosting service settings and prevent vulnerabilities and unsafe settings. The following types of web services support data collection: Linux: Apache, Nginx, Tomcat, Weblogic, WebSphere, JBoss, Wildfly, and Jetty Windows: Tomcat	Web service name, number of servers, server name and IP address, version, software directory, directory permission, directory UID, last modification time of a directory, configuration file, associated PID, and process path	Linux and Windows
Web applications	Collect details about the software that is used to push and publish web content, helping you learn the content transmission channels and prevent application vulnerabilities. The following types of web applications support data collection: Linux: PHPMailer, PHPMyadmin, DedeCMS, WordPress, ThinkPHP, BigTree, JPress, Jenkins, Zabbix, Discuz!, and ThinkCMF. Windows: Chanjet	Web application name, number of servers, server name and IP address, version, software directory, directory permission, directory UID, last modification time of a directory, configuration file, associated PID, and process path	Linux and Windows
Databases	Collect details about data storage software, helping you manage important data storage media and prevent database vulnerabilities and unsafe settings. The following types of databases support data collection: Linux: MySQL, Redis, Oracle, MongoDB, Memcache, PostgreSQL, HBase, DB2, Sybase, Dameng database management system, and KingbaseES database management system. Windows: MySQL	Database name, number of servers, server name and IP address, version, software directory, directory permission, directory UID, last modification time of a directory, configuration file, associated PID, and process path	Linux and Windows

Server Fingerprint Collection Methods

Server fingerprints can be collected automatically or manually. You can set the automatic collection period or manually collect fingerprints as required.

Automatic collection

After the HSS enterprise edition or higher is enabled on the server, HSS automatically collects the fingerprints of all assets. For details, see Table 2. The start time of the automatic collection period is the time when the agent is successfully installed or restarted.

If you are using the HSS premium edition or higher, you can customize the interval for automatically collecting data of middleware, web frameworks, kernel modules, web applications, websites, web services, and databases. For details, see Asset Discovery.

**Table 2** Asset types and frequencies of automatic collection
Asset Type	Automatic Collection Frequency
Accounts	Automatic collection every hour
Open ports	Automatic collection every 30 seconds
Processes	Automatic collection every hour
Software	Automatic collection every day
Auto-started items	Automatic collection every hour
Websites	Once a week, at 04:10 a.m. every Monday (with a random delay of up to 1 hour)
Web frameworks	Once a week, at 04:10 a.m. every Monday (with a random delay of up to 1 hour)
Middleware	Once a week, at 04:10 a.m. every Monday (with a random delay of up to 1 hour)
Kernel module	Once a week, at 04:10 a.m. every Monday (with a random delay of up to 1 hour)
Web services	Once a week, at 04:10 a.m. every Monday (with a random delay of up to 1 hour)
Web applications	Once a week, at 04:10 a.m. every Monday (with a random delay of up to 1 hour)
Databases	Once a week, at 04:10 a.m. every Monday (with a random delay of up to 1 hour)

Manual collection
To check the latest asset fingerprints, use the one-click collection function provided by HSS to collect server fingerprints.
- For details about how to manually collect the fingerprints of all servers, see Manually Collecting the Latest Asset Fingerprints of All Servers.
- For details about how to manually collect information about the web applications, web services, web frameworks, websites, middleware, kernel modules, or databases on a single server, see Manually Collecting the Latest Asset Fingerprints of a Single Server.

Notes and Constraints

The server fingerprint function is available in HSS enterprise, premium, WTP, and container editions. For details about how to purchase and upgrade HSS, see Purchasing an HSS Quota and Upgrading a Protection Quota.