Enabling Server Protection

Scenarios

This section describes how to enable the basic, professional, or premium edition for a server.

For details about the related versions, see Features.

Prerequisites

HSS can be billed in yearly/monthly or pay-per-use mode. To use yearly/monthly billing, ensure you have purchased sufficient protection quotas. For details, see Purchasing an HSS Quota. If you use the pay-per-use billing mode, you do not need to purchase quotas in advance.
Ensure that the agent has been installed on the server and is online. For details, see Installing the Agent on Huawei Cloud Servers and Installing the Agent on Third-party Servers.

Constraints

Before you enable protection for a Windows server, enable the Windows firewall to block the source IP addresses of brute-force attacks. If the Windows firewall is not enabled, HSS only generates alarms for detected brute-force attacks, but does not block them.

After the Windows firewall is enabled, HSS automatically adds firewall rules hostguard_AllowAnyIn and hostguard_AllowAnyOut to allow all inbound and outbound traffic. This ensures that the firewall does not affect your services. If HSS detects a brute-force attack, it adds an inbound rule to the firewall to block the attack source IP address. This does not affect your servers.

Do not disable the Windows firewall when using HSS, or HSS cannot block the source IP addresses of brute-force attacks. Once it is disabled, HSS may fail to block the attack source IP addresses even after you manually enable it again.

Enabling the Basic/Professional/Enterprise/Premium Edition

Log in to the management console.
Click in the upper left corner of the page, select a region, and choose Security & Compliance > Host Security Service to go to the HSS management console.
In the navigation pane on the left, choose Asset Management > Servers & Quota.
The server list displays the protection status of only the following servers:
- Huawei Cloud servers purchased in the selected region
- Non-Huawei Cloud servers that have been added to the selected region
Locate a server whose agent status is Online.
Click Enable in the Operation column of a server.
Confirm the server information and select a billing mode.
You can buy HSS in the pay-per-use or yearly/monthly mode.
- Yearly/Monthly
  - Billing Mode: Select Yearly/Monthly.
  - Edition: Select an edition.
  - Select Quota: Select a quota allocation mode.
    - Select a quota randomly: Let the system allocate the quota with the longest remaining validity to the server.
    - Select a quota ID and allocate it to a server.
- Pay-per-use
  - Billing Mode: Select Pay-per-use.
  - Edition: Select an edition.
  - Tags: Select a tag if you want to use it to identify multiple types of cloud resources.
If the version of the agent installed on the Linux server is 3.2.10 or later or the version of the agent installed on the Windows server is 4.0.22 or later, ransomware prevention is automatically enabled with the premium edition. Deploy honeypot files on servers and automatically isolate suspicious encryption processes (there is a low probability that processes are incorrectly isolated). You are also advised to enable backup so that you can restore data in the case of a ransomware attack to minimize losses. For details, see Enabling Ransomware Backup.
Read the Host Security Service Disclaimer and select I have read and agree to the Host Security Service Disclaimer.
Click OK. If the Protection Status of the target server is Enabled, the basic, professional, enterprise or premium edition has been enabled.
- Alternatively, on the Quotas tab of the Servers & Quota page, click Bind Server in the Operation column to bind a quota to a server. HSS will automatically enable protection for the server.
- A quota can be bound to a server to protect it, on condition that the agent on the server is online.
- After HSS is enabled, it will scan your servers for security issues. Check items vary according to the edition you enabled.
  For details about the differences between the editions, see Features.

Viewing Scan Details

After server protection is enabled, HSS will immediately perform a comprehensive scan on the server. It may take a long time. After the scan is complete, you can check its details.

Choose Asset Management > Servers & Quota. Locate the server on the Servers tab page.

Check the Risk Level column of the server.

**Table 1** Risk status
Status	Description
Pending risk detection	The server is neither protected nor scanned.
Safe	No risks were found in the comprehensive scan on the server; or the protection has just been enabled, and no risks have been found yet.
Risky	The server has security risks.

Hover the cursor over the risk status to view the risk distribution.

You can click a value to go to the details page.

Follow-up Operations

HSS provides server protection functions for you to enable as needed. For more information, see Manual configuration.

**Table 2** Manual configuration
Category	Function	Reference
Security configuration	Common login location/IP address SSH login IP address whitelist Isolating and killing malicious programs	Common Security Configuration
Server Protection	Application protection Ransomware prevention Application process control File integrity management Antivirus Dynamic port honeypot	Server Protection
Policy management	Policy management includes asset management, baseline inspection, intrusion detection, and self-protection policies. The intrusion detection policy is disabled by default. You can enable it as needed. If the configuration of a policy does not meet your requirements, you can modify it as needed.	Policy Management