Installing the Agent on an Independent Node

Scenarios

The HSS agent is a piece of software installed on servers to exchange data between the servers and HSS, implementing security detection and protection. You can use the HSS only after installing the agent.

Prerequisites

There is at least one node with an online agent in the VPC of the nodes where the agent is to be installed. Otherwise, install the agent using the command line provided in Installing the Agent on Servers.

Step 1: Prepare the Installation Environment

Ensure your server OS is supported by the agent. For more information, see the table in Supported OSs.

The agent cannot be installed on the OSs that are not in the list.
Ensure the server is running properly.

The agent cannot be installed if the server is not running.
Ensure the capacity of the disk where the agent is to be installed is greater than 300 MB.

If the available space is less than 300 MB, the agent will fail to be installed. The agent installation path cannot be customized. The following default paths are used:
- Linux: /usr/local/hostguard/
- Windows: C:\Program Files\HostGuard
Check whether mandatory ports are enabled in the server security group.
- Huawei Cloud servers
  For servers in regions other than CN East 2 and CN Southwest-Guiyang1, ensure the outbound rule of your security group allows access to the port 10180 on the 100.125.0.0/16 network segment. (This is the default setting.) This port is used to communicate with the HSS server. For details about how to view and modify an outbound ECS security group rule, see Modifying a Security Group.
- Third-party cloud servers
  Ensure the outbound rule of your security group allows access to port 10180 on the 100.125.0.0/16 CIDR block. (This is the default setting.) This port is used to communicate with the HSS server.
Ensure the DNS address of the server is a private DNS server address on the Huawei Cloud.

The agent cannot be downloaded to a private DNS server address outside Huawei Cloud.

For details about how to view and change the DNS server address, see Modifying the DNS (on the Server) or Modifying the DNS Server Address (on the Console).
Uninstall third-party security software.

Third-party security software will probably be incompatible with the HSS agent and affects HSS protection. If third-party security software is installed on your servers, uninstall it before installing the HSS agent.
(Optional) For a Linux server, disable the SELinux firewall.

The SELinux firewall may disrupt agent installation. You can enable it after the agent is successfully installed.

Step 2: Install the Agent on an Independent Node

Log in to the HSS console.
Click in the upper left corner and select a region or project.
In the navigation pane, choose Installation & Configuration > Container Install & Config.
Click the Independent Nodes tab.
Locate the node where the agent is in the Not installed state. Click Install Agent in the Operation column.
On the agent installation page, configure Server Authentication Mode.
- Account and password
  - If Allow direct connection with root permissions is selected:
    The root account can be used to log in to the server. Provide the root user password and login port. HSS will use your root account to install the agent for the server.
  - If Allow direct connection with root permissions is not selected:
    The root account cannot be used to log in to the server. Provide another username and password for login, and the root password for privilege escalation. HSS will use the provided account information to install the agent for the server.
- Key
  Only user-created keys are supported. Click Upload Key and upload a user-created key file in .pem format.
Confirm the information and click OK.

You can view the Agent Status column to check the agent installation status. If the Agent Status is Online, the agent has been installed.

Follow-up Operations

After installing the agent on an independent node, enable protection for the node.

Related Operations

During the environment preparation before the installation, you may need to modify the security group and DNS. The procedures are as follows.

Modifying a Security Group

For Huawei Cloud servers, in regions other than CN East 2 and CN Southwest-Guiyang1, ensure the outbound rule of your security group allows access to the port 10180 on the 100.125.0.0/16 network segment. (This is the default setting.) This port is used to communicate with the HSS server. This section describes how to view and modify ECS security group rules.

Log in to the management console and go to the Buy ECS page.
Click in the upper left corner and select a region or project.
In the ECS list, click the name of an ECS.
On the ECS details page, click the Security Groups tab and click Manage Rule.

Click the Outbound Rules tab and add a rule, as shown in Security group rules.

**Table 1** Security group rules
Priority	Action	Type	Protocol & Port		Destination	Description
1	Allow	IPv4	TCP	10180	100.125.0.0/16	Communicates with the HSS server.

Modifying the DNS (on the Server)

When installing the agent, ensure the DNS server address is the Huawei Cloud private DNS server address. This section describes how to view and change the DNS server address on the server.

Linux server
The following describes how to add the DNS server address to the resolv.conf file using Linux command lines.
1. Log in to the server as user root.
2. Run the following command to open the resolv.conf file:
  vi /etc/resolv.conf
3. Run the following commands to add the DNS address:
  nameserver Huawei_Cloud_Private_DNS_server_address
  
  The private DNS server addresses vary depending on regions. For details, see Private DNS Server Address of Huawei Cloud.
  
  Take CN North-Beijing1 as an example. The complete commands are nameserver 100.125.1.250 and nameserver 100.125.21.250.
  
  Figure 1 Adding the DNS server address
4. Press Esc, enter :wq, and press Enter to save the settings and exit.
Windows server
The following describes how to use the Windows GUI to add the DNS server address.
1. Log in to the server as the administrator.
2. Choose Control Panel > Network and Sharing Center, and click Change adapter settings.
3. Right-click the network in use and choose Properties from the shortcut menu.
4. Double-click Internet Protocol Version 4 (TCP/IPv4).
5. Select Use the following DNS server addresses and enter the Huawei Cloud private DNS server address.
  
  The private DNS server addresses vary depending on regions. For details, see Private DNS Server Address of Huawei Cloud.

Modifying the DNS Server Address (on the Console)

When installing the agent, ensure the DNS server address is the Huawei Cloud private DNS server address. This section uses an ECS as an example to describe how to log in to the console to view and modify DNS configurations.

Log in to the management console and go to the Buy ECS page.
Click in the upper left corner and select a region or project.
In the ECS list, click the name of an ECS.
On the Summary tab of the ECS details page, click the VPC name. The Virtual Private Cloud page is displayed.
Locate the VPC and click the number in the Subnets column.
Click the name of the subnet.

In the Gateway and DNS Information area, view the DNS server addresses used by the ECS.
In the Gateway and DNS Information area, click next to DNS Server Address.
Change the DNS server addresses to the Huawei Cloud private DNS server addresses.

The private DNS server addresses vary depending on regions. For details, see Private DNS Server Address of Huawei Cloud.