The server list on the Servers page displays the protection status of only the servers used in the selected region.
-Viewing Server Protection Status
- Log in to the management console.
- Click
in the upper left corner of the page, select a region, and choose Security > . The page is displayed. - In the navigation pane, choose Asset Management > Servers & Quota. On the Servers tab, view the protection status of the server. For more information, see Table 1.
If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.
+Viewing Server Protection Status
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > . The page is displayed.
- In the navigation pane, choose Asset Management > Servers & Quota. On the Servers tab, view the protection status of the server. For more information, see Table 1.-
If your servers are managed by enterprise projects, you can select the target enterprise project to view or operate the asset and detection information.
Figure 1 Server protection status-
+- To check the protection status of a server, enter a server name, server ID, or IP address in the search box above the server protection list.
- On the left of the server protection list, select a server protection edition or an asset importance category to view the protection status of each type of servers.
Figure 1 Server protection status+
- Searching for a server
To check the protection status of a server, enter a server name, server ID, or IP address in the search box above the server protection list.
+ - Viewing servers of a certain type
On the left of the server protection list, select a server protection edition or an asset importance category to view the protection status of each type of servers.
+ - Viewing server protection information
The Protection Status column indicates whether a server is protected. The protection status of a server is determined by Agent Status and Server Status. You can view the server risk detection status in the Risk Level column. For details about the preceding parameters, see Table 1.
-Table 1 Protection status description Parameter
++ -Table 1 Protection description Parameter
Description
+Description
Agent Status
+Server Status
- Not installed: The agent has not been installed or successfully started.
Click Install Agent and install the agent as prompted.
+HSS can only protect running servers. If the server is in the Stopped or other state, you cannot perform security checks or fix risks on the server.
+
Agent Status
+- Not installed: The agent has not been installed or successfully started.
Click Install Agent and install the agent as prompted.
- Online: The agent is running properly.
- Offline: The communication between the agent and the HSS server is abnormal, and HSS cannot protect your servers.
Protection Status
+Protection Status
- Enabled: The server is fully protected by HSS.
- Unprotected: HSS is disabled for the server. After the agent is installed, click Enable in the Operation column to enable protection.
- Enabled: The server is fully protected by HSS.
- Unprotected: HSS is disabled for the server. After the agent is installed, click Enable in the Operation column to enable protection.
- Protection interrupted: The server is shut down, the agent is offline, or the agent is uninstalled.
Scan Results
+Scan Results
- Risky: The host has risks.
- Safe: No risks are found.
- Pending risk detection: HSS is not enabled for the server.
- Risky: The server has risks.
- Safe: No risks are found.
- Pending risk detection: HSS is not enabled for the server.
Viewing the WTP Status
- Log in to the management console and go to the HSS page.
- Choose Prevention > Web Tamper Protection and click Servers to view the protection status of the servers.
To check the protection status of a target server, enter a server name, server ID, or IP address in the search box above the protection list, and click
+
.Viewing the WTP Status
- Log in to the management console and go to the HSS page.
- Choose Prevention > Web Tamper Protection and click Servers to view the protection status of the servers.
To check the protection status of a target server, enter a server name, server ID, or IP address in the search box above the protection list, and click
.Figure 2 Servers protected by WTP
Table 2 Statuses Parameter
@@ -71,15 +80,10 @@ -Exporting the Server List
- Log in to the management console and go to the HSS page.
- Choose . The Servers tab page is displayed.
- Click
in the upper right corner of the Server tab page to export the details of the server list.- The details of up to 1000 servers can be exported at a time.
-Figure 3 Exporting the server list-
diff --git a/docs/hss/umn/hss_01_0004.html b/docs/hss/umn/hss_01_0004.html index 88767879f..beaaf1c4e 100644 --- a/docs/hss/umn/hss_01_0004.html +++ b/docs/hss/umn/hss_01_0004.html @@ -3,6 +3,8 @@-Parent topic: Server Management+Parent topic: Server ManagementBasic Concepts
+Account Cracking
Account cracking refers to the intruder behavior of guessing or cracking the password of an account.
Baseline
A baseline specifies the minimum security configuration requirements that the OS and database configurations must meet in terms of account management, password policy configuration, authorization management, service management, configuration management, network configuration, and permission management. HSS provides the cloud security practice baseline and the general security standard baseline detection to meet diverse security compliance requirements.
+Weak Password
A weak password can be easily cracked.
+Malicious Program
A malicious program, such as a web shell, Trojan, worm, or virus, is developed with attack or illegal remote control intents.
@@ -13,6 +15,8 @@Ransomware often uses a range of algorithms to encrypt the victim's files and demand a ransom payment to get the decryption key. Digital currencies such as Bitcoin are typically used for the ransoms, making tracing and prosecuting the attackers difficult.
Ransomware interrupts businesses and can cause serious economic losses. We need to know how it works and how we can prevent it.
Two-Factor Authentication
Two-factor authentication (2FA) refers to the authentication of user login by the combination of the user password and a verification code.
+Web Tamper Protection
Web Tamper Protection (WTP) is an HSS edition that protects your files, such as web pages, documents, and images, in specific directories against tampering and sabotage from hackers and viruses.
Cluster
A cluster consists of one or more ECSs (also known as nodes) in the same subnet. It provides a computing resource pool for running containers.
@@ -23,6 +27,8 @@+Container
A container is the instance of an image and can be created, started, stopped, deleted, and suspended.
Container Runtime
Container runtime, one of the most important components of Kubernetes, manages the lifecycle of images and containers. kubelet interacts with a container runtime through the Container Runtime Interface (CRI) to manage images and containers.
+Security Policy
A security policy indicates the security rule that must be followed for a running container. If a container violates a security policy, a container exception is displayed on the Runtime Security page of the CGS management console.
Project
Projects are used to group and isolate OpenStack resources, including computing, storage, and network resources. A project can be a department or a project team.
diff --git a/docs/hss/umn/hss_01_0005.html b/docs/hss/umn/hss_01_0005.html index afaaa2247..f8803fb2e 100644 --- a/docs/hss/umn/hss_01_0005.html +++ b/docs/hss/umn/hss_01_0005.html @@ -55,7 +55,7 @@diff --git a/docs/hss/umn/hss_01_0006.html b/docs/hss/umn/hss_01_0006.html index 64cc8e320..8d5c1a3bb 100644 --- a/docs/hss/umn/hss_01_0006.html +++ b/docs/hss/umn/hss_01_0006.html @@ -525,7 +525,7 @@-Parent topic: Permissions Management+Parent topic: Using IAM to Grant Access to HSSdiff --git a/docs/hss/umn/hss_01_0007.html b/docs/hss/umn/hss_01_0007.html index a1b6efcdd..2cbc26e69 100644 --- a/docs/hss/umn/hss_01_0007.html +++ b/docs/hss/umn/hss_01_0007.html @@ -8,7 +8,7 @@-Parent topic: Permissions Management+Parent topic: Using IAM to Grant Access to HSSdiff --git a/docs/hss/umn/hss_01_0008.html b/docs/hss/umn/hss_01_0008.html index fdea4f164..f6653982e 100644 --- a/docs/hss/umn/hss_01_0008.html +++ b/docs/hss/umn/hss_01_0008.html @@ -2,20 +2,22 @@-Parent topic: Agent FAQs+Parent topic: AgentHow Does HSS Intercept Brute Force Attacks?
Types of Detectable Brute Force Attacks
HSS can detect the following types of brute force attacks:
-- Windows: SqlServer (automatic interception is not supported currently) and Rdp
- Linux: MySQL, vfstp, and SSH
If MySQL or VSFTP is installed on your server, after HSS is enabled, the agent will add rules to iptables to prevent MySQL and VSFTP brute force attacks. When detecting a brute-force attack, HSS will add the source IP address to the blocking list. The added rules are highlighted below.-Figure 1 Added rules+
- Windows: SQL Server (automated blocking is not supported) and RDP
- Linux: MySQL, vfstpd, and SSH
If MySQL, vfstpd, or SSH is installed on your server, after HSS is enabled, the agent will add rules to iptables to prevent brute force attacks. If a brute-force attack is detected, its source IP address will be added to the blocking list.
+- Added MySQL rule: IN_HIDS_MYSQLD_DENY_DROP
- Added vfstpd rule: IN_HIDS_VSFTPD_DENY_DROP
- Added SSH rule: If SSH on the server does not support the TCP Wrapper interception mode, the SSH uses iptables for interception. Therefore, the IN_HIDS_SSHD_DENY_DROP rule will be added to iptables. If you have configured an SSH login whitelist, the IN_HIDS_SSHD_DENY_DROP and IN_HIDS_SSHD_WHITE_LIST will be added to iptables.
Take the MySQL database as an example. Figure 1 shows the new rule.
Existing iptables rules are used for blocking brute-force attacks. You are advised to keep them. If they are deleted, HSS will not be able to protect MySQL or VSFTP from brute-force attacks.
+ Existing iptables rules are used for blocking brute-force attacks. You are advised to keep them. If they are deleted, HSS will not be able to protect MySQL, vfstpd, or SSH from brute-force attacks.
How Brute Force Attacks Are Intercepted
Brute-force attacks are a type of common intrusion attacks. Attackers submit many server passwords until eventually guessing correctly and gaining control over a server.
HSS uses brute-force detection algorithms and an IP address blacklist to effectively prevent brute-force attacks and block attacking IP addresses. The blocking duration is 12 hours. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.
- -If HSS detects account cracking attacks on servers using Kunpeng EulerOS (EulerOS with ARM), it does not block the source IP addresses and only generates alarms. The SSH login IP address whitelist does not take effect for such servers.
+ If HSS detects account cracking attacks on servers using Kunpeng EulerOS (EulerOS with Arm), it does not block the source IP addresses and only generates alarms. The SSH login IP address whitelist does not take effect for such servers.
Alarm Policies
- If a hacker successfully cracks the password and logs in to a server, a real-time alarm will be immediately sent to specified recipients.
- If a brute-force attack and risks of account hacking are detected, a real-time alarm will be immediately sent to specified recipients.
- If a brute-force attack is detected and failed, and no unsafe settings (such as weak passwords) are detected on the server, no real-time alarms will be sent. HSS will summarize all attacks in a day in its daily alarm report. You can also view blocked attacks on the Detection > Alarms page of the HSS console.
-Alarm Policies
- If a hacker successfully cracks the password and logs in to a server, a real-time alarm will be immediately sent to specified recipients.
- If a brute-force attack and risks of account hacking are detected, a real-time alarm will be immediately sent to specified recipients.
- If a brute-force attack is detected and failed, and no unsafe settings (such as weak passwords) are detected on the server, no real-time alarms will be sent. HSS will summarize all attacks in a day in its daily alarm report. You can also view blocked attacks on the Intrusion Detection > Alarms page of the HSS console.
Viewing Brute Force Cracking Detection Results
- Log in to the management console.
- In the navigation pane, choose .
- View the brute force cracking detection result of the server or container.
- View the brute force cracking detection result of the server.
- Click the Server Alarms tab.
- In the Alarm Types area, select Abnormal User Behavior > Brute-force attacks to view alarm event records on the protected server.
- Click View Details in the Blocked IP Addresses area to view the blocked attack source IP address, attack type, blocking status, blocking times, blocking start time, and latest blocking time.
- Blocked indicates the brute-force attack has been blocked by HSS.
- Canceled indicates you have unblocked the source IP address of the brute force attack.
The default blocking duration is 12 hours. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.
+Viewing Brute Force Cracking Detection Results
- Log in to the management console.
- In the navigation pane, choose .
- View the brute force cracking detection result of the server or container.
- View the brute force cracking detection result of the server.
- Click the Server Alarms tab.
- In the Alarm Types area, select Abnormal User Behavior > Brute-force attacks to view alarm event records on the protected server.
- Click View Details in the Blocked IP Addresses area to view the blocked attack source IP address, attack type, blocking status, blocking times, blocking start time, and latest blocking time.
- Blocked indicates the brute-force attack has been blocked by HSS.
- Canceled indicates you have unblocked the source IP address of the brute force attack.
The default blocking duration is 12 hours. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.
Can I Unblock an IP Address Blocked by HSS, and How?
Whether you can unblock an IP address depends on why it was blocked. An IP address will be blocked if it is regarded as the source of a brute-force attack, listed in the common IP blacklist, or not in the IP whitelist you set.
-Brute-force Attack IP Address
- If a brute force attack is detected, HSS blocks the attack source IP address for 12 hours by default. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.
- If you are sure that a source IP address can be trusted, you can manually unblock it. Choose Detection > Alarms, click View Details under Blocked IP Addresses, and unblock the IP address in the displayed slide-out panel.
If you manually unblocked an IP address, but incorrect password attempts from this IP address exceed the threshold again, this IP address will be blocked again.
+Brute-force Attack IP Address
- If a brute force attack is detected, HSS blocks the attack source IP address for 12 hours by default. If a blocked IP address does not perform brute-force attacks in the default blocking duration, it will be automatically unblocked.
- If you are sure that a source IP address can be trusted, you can manually unblock it. Choose Intrusion Detection > Alarms, click View Details under Blocked IP Addresses, and unblock the IP address in the displayed slide-out panel.
If you manually unblocked an IP address, but incorrect password attempts from this IP address exceed the threshold again, this IP address will be blocked again.
IP Address in the Common IP Blacklist
You cannot manually unblock such IP addresses.
@@ -10,7 +10,7 @@diff --git a/docs/hss/umn/hss_01_0014.html b/docs/hss/umn/hss_01_0014.html index 87637cd9b..ab5c1ba00 100644 --- a/docs/hss/umn/hss_01_0014.html +++ b/docs/hss/umn/hss_01_0014.html @@ -3,7 +3,7 @@-Parent topic: Intrusions+Parent topic: Intrusion DetectionWhat Can I Do If I Enabled Dynamic WTP But Its Status Is Enabled but not in effect?
diff --git a/docs/hss/umn/hss_01_0021.html b/docs/hss/umn/hss_01_0021.html deleted file mode 100644 index 8d645968f..000000000 --- a/docs/hss/umn/hss_01_0021.html +++ /dev/null @@ -1,53 +0,0 @@ - - -Dynamic WTP protects your Tomcat applications.
For this function to take effect, ensure that:
-- There are Tomcat applications running on your servers.
- Your servers run the Linux OS.
- The setenv.sh file has been automatically generated in the tomcat/bin directory (usually 20 minutes after you enable dynamic WTP). If the file exists, restart Tomcat to make dynamic WTP take effect.
- There are Tomcat applications running on your servers.
- Your servers run the Linux OS.
- The setenv.sh file has been automatically generated in the tomcat/bin directory (usually 20 minutes after you enable dynamic WTP). If the file exists, restart Tomcat to make dynamic WTP take effect.
If the status of dynamic WTP is Enabled but not in effect after you enable it, perform the following operations:
- Check whether the setenv.sh file has been generated in the tomcat/bin directory.
- If the setenv.sh file exists, check whether Tomcat has been restarted.
WTP Edition
--The WTP edition provides web tamper protection capabilities for your servers.
--Web Tamper Protection Principles
---Prerequisite
- The agent has been installed on the servers to be protected, the agent status is Online, and the protection status is Unprotected.
-Configuring Protected Directories
You can add up to 50 directories to be protected. For details, see Adding a Protected Directory.
-To record the running status of the server in real time, exclude the log files in the protected directory. You can grant high read and write permissions for log files to prevent attackers from viewing or tampering with the log files.
--Procedure
- Log in to the management console.
- Click
in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
- In the navigation pane, choose Protection > Web Tamper Protection. On the Web Tamper Protection page, click the Servers tab.Figure 1 Entering the page for protected directory settings-
- Click Add Server. In the displayed dialog box, select servers.-
Selected servers must be equal to or fewer than the available quotas.
-Figure 2 Adding protected servers-
- Click Add and Enable Protection and check the protection status. Choose Protection > Web Tamper Protection. On the Web Tamper Protection page, click the Servers tab. If the Protection Status of the server is Protected, WTP has been enabled.-
- After WTP is enabled, configure protected directories for WTP to take effect. For details, see Adding a Protected Directory.
- Dynamic WTP can only be enabled for Linux servers, and can only be used after Tomcat is restarted.
- You can check the server protection status on the Web Tamper Protection page.The premium edition will be enabled when you enable WTP. You can perform the following operations to check the protection status:-
- Choose Prevention > Web Tamper Protection. If the Protection Status of the server is Protected, WTP has been enabled.
-- diff --git a/docs/hss/umn/hss_01_0023.html b/docs/hss/umn/hss_01_0023.html index 77d3498f9..b33a201ab 100644 --- a/docs/hss/umn/hss_01_0023.html +++ b/docs/hss/umn/hss_01_0023.html @@ -4,7 +4,7 @@--Parent topic: Enabling Protection-To manage servers by group, you can create a server group and add servers to it.
You can check the numbers of servers, unsafe servers, and unprotected servers in a group.
Creating a Server Group
After creating a server group, you can add servers to the group for unified management.
-- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
- In the navigation pane, choose , click Server Groups in the Server list, and click Create Server Group.Figure 1 Accessing the page of server groups+
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
- In the navigation pane, choose , click Server Groups in the Server list, and click Create Server Group.Figure 1 Accessing the page of server groups
- In the Create Server Group dialog box, enter a server group name and select the servers to be added to the group.
- A server group name must be unique, or the group will fail to be created.
- A name cannot contain spaces. It contains only letters, digits, underscores (_), hyphens (-), dots (.), asterisks (*), and plus signs (+). The length cannot exceed 64 characters.
Figure 2 Creating a server group@@ -28,7 +28,7 @@
diff --git a/docs/hss/umn/hss_01_0024.html b/docs/hss/umn/hss_01_0024.html index 3ebffb4da..0f1602b31 100644 --- a/docs/hss/umn/hss_01_0024.html +++ b/docs/hss/umn/hss_01_0024.html @@ -1,11 +1,11 @@ --Parent topic: Server Management+Parent topic: Server ManagementDeploying a Policy
+Deploying a Protection Policy
You can quickly configure and start server scans by using policy groups. Simply create a group, add policies to it, and apply this group to servers. The agents deployed on your servers will scan everything specified in the policies.
-Precautions
- When you enable the enterprise edition, the policy group of this edition (including weak password and website shell detection policies) takes effect for all your servers by default.
- When you enable the premium edition alone or the premium edition included with the WTP edition, the policy group of this edition takes effect by default.
To create your own policy group, you can copy the policy group of premium edition and add or remove policies in the copy.
Creating a Policy Group
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
- In the navigation tree on the left, choose
- Copy a policy group.
- Select the tenant_linux_premium_default_policy_group policy group. Locate the row that this policy group resides, click Copy in the Operation column.Figure 1 Copying a Linux policy group+
Creating a Policy Group
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
- In the navigation tree on the left, choose
- Copy a policy group.
- Select the tenant_linux_premium_default_policy_group policy group. Locate the row that this policy group resides, click Copy in the Operation column.Figure 1 Copying a Linux policy group
- Select the tenant_windows_premium_default_policy_group policy group. Click Copy in the Operation column.Figure 2 Copying a Windows policy group
- Select the tenant_linux_premium_default_policy_group policy group. Locate the row that this policy group resides, click Copy in the Operation column.
- In the dialog box displayed, enter a policy group name and description, and click OK. -
- The name of a policy group must be unique, or the group will fail to be created.
- The policy group name and its description can contain only letters, digits, underscores (_), hyphens (-), and spaces, and cannot start or end with a space.
- Click OK.
- Click the name of the policy group you just created. The policies in the group will be displayed.
Figure 4 Policy group details
- Click a policy name and modify its settings as required. For details, see Configuring Policies.
- Enable or disable the policy by clicking the corresponding button in the Operation column. You can click
to refresh the page.Applying a Policy Group
- Log in to the management console and go to the HSS page.
- In the navigation pane, choose and click Servers.
- Select one or more servers for which you want to deploy a policy, and .Figure 5 Applying a policy+
Applying a Policy Group
- Log in to the management console and go to the HSS page.
- In the navigation pane, choose and click Servers.
- Select one or more servers for which you want to deploy a policy, and click .Figure 5 Applying a policy
- In the dialog box that is displayed, select a policy group and click OK.@@ -23,7 +23,7 @@
- Old policies applied to a server will become invalid if you apply new policies to the server.
- Policies are applied to the servers within 1 minute.
- Policies applied to offline servers will not take effect until the servers are online.
- In a deployed policy group, you can enable, disable, or modify policies.
- A policy group that has been deployed cannot be deleted.
diff --git a/docs/hss/umn/hss_01_0025.html b/docs/hss/umn/hss_01_0025.html index ca399c96b..d5e4afe52 100644 --- a/docs/hss/umn/hss_01_0025.html +++ b/docs/hss/umn/hss_01_0025.html @@ -1,6 +1,6 @@ --Parent topic: Server Management+Parent topic: Server ManagementRisk Prevention
+Prediction
-
diff --git a/docs/hss/umn/hss_01_0026.html b/docs/hss/umn/hss_01_0026.html
index 5b23a6c13..0737bb5a7 100644
--- a/docs/hss/umn/hss_01_0026.html
+++ b/docs/hss/umn/hss_01_0026.html
@@ -1,106 +1,81 @@
- To skip the checks on high-risk command execution, privilege escalations, reverse shells, abnormal shells, or web shells, manually disable the corresponding policies in the policy groups on the Policies page. HSS will not check the servers associated with disabled policies.
- Other detection items cannot be manually disabled.
- Servers that are not protected by HSS do not support operations related to alarms and events.
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
- In the navigation pane on the left, choose Detection > Alarms and click Server Alarms.
If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.
+Viewing Server Alarms
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
- In the navigation pane on the left, choose and click Server Alarms.
If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.
Figure 1 Server alarms+
- Viewing the container alarms of a certain type
In the Event Types area, select an alarm event type to view the corresponding alarm event list. In the alarm list, you can view the alarm name, alarm threat level, and affected servers.
+ - Viewing the alarms of a certain type or ATT&CK phase
In the Alarms to Be Handled area, you can select an alarm type and an ATT&CK phase to view the alarms of the selected type. For details, see ATT&CK attack phase description.
+- Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) is a framework that helps organizations understand the cyber adversary tactics and techniques used by threat actors across the entire attack lifecycle.
+Table 1 Alarm statistics Parameter
+-Table 1 ATT&CK phases ATT&CK Phase
Description
+Description
Enterprise Project
+Reconnaissance
Select an enterprise project and view alarm details by enterprise project.
+Attackers seek vulnerabilities in your system or network.
Time range
+Initial Access
You can select a fixed time period or customize a time period to filter alarms. Only alarms generated within 30 days can be queried.
-The options are as follows:
-- Last 24 hours
- Last 3 days
- Last 7 days
- Last 30 days
- Custom
Attacker try to enter your system or network.
Server Alarms
+Execution
Affected Servers
-Number of servers for which alarms are generated.
+Attackers try to run malicious code.
Alarms to be Handled
+Persistence
Number of alarms to be handled.
-By default, all alarms to be handled are displayed.
+Attackers try to maintain their foothold.
Handled Alarms
+Privilege Escalation
Number of handled alarms.
+Attackers try to obtain higher permissions.
Blocked IP Addresses
+Defense Evasion
Number of blocked IP addresses. You can click the number to check blocked IP address list.
-The blocked IP address list displays the server name, attack source IP address, login type, blocking status, number of blocks, blocking start time, and the latest blocking time.
-If a valid IP address is blocked by mistake (for example, after O&M personnel enter incorrect passwords for multiple times), you can manually unblock it. If a server is frequently attacked, you are advised to fix its vulnerabilities in a timely manner and eliminate risks.
-NOTICE:+- After a blocked IP address is unblocked, HSS will no longer block the operations performed by the IP address.
- A maximum of 10,000 IP addresses can be blocked for each type of software.
If your Linux server does not support ipset, a maximum of 50 IP addresses can be clocked for MySQL and vsftp.
-If your Linux server does not support ipset or hosts.deny, a maximum of 50 IP addresses can be blocked for SSH.
-
Attackers try to avoid being detected.
Isolated Files
+Credential Access
HSS can isolate detected threat files. Files that have been isolated are displayed on a slide-out panel on the Server Alarms page. You can click Isolated Files on the upper right corner to check them.
-You can recover isolated files. For details, see Managing Isolated Files.
+Attackers try to steal account names and passwords.
Container Alarms
+Command and Control
Affected Servers
-Number of servers for which alarms are generated.
+Attackers try to communicate with compromised machines to control them.
Alarms to be Handled
+Impact
Number of alarms to be handled.
-By default, all alarms to be handled are displayed.
-Handled Alarms
-Number of handled alarms
-Threats
-Displays the statistics on alarms by severity.
-- Critical
- High
- Medium
- Low
Top 5 Events
-Displays the top 5 alarm types and their quantities.
+Attackers try to manipulate, interrupt, or destroy your system or data.
- Click an alarm event in the list of event types to view the affected servers and occurrence time of the event. The following information is displayed:
- Total number of alarms
- Number of each type of alarms
- Click an alarm name to view its details.
+- Viewing the details of a server alarm
+You can click the alarm name of an event to view the alarm details.
+diff --git a/docs/hss/umn/hss_01_0028.html b/docs/hss/umn/hss_01_0028.html index 261d899b2..36f127a38 100644 --- a/docs/hss/umn/hss_01_0028.html +++ b/docs/hss/umn/hss_01_0028.html @@ -3,7 +3,7 @@-Parent topic: Intrusion Detection+Parent topic: HSS AlarmsManaging the Alarm Whitelist
You can configure the alarm whitelist to reduce false alarms. Events can be deleted from the whitelist.
Whitelisted events will not trigger alarms.
-On the Alarms page, you can add falsely reported alarms to the alarm whitelist. After an alarm is added to the whitelist, HSS will not generate alarms or collect statistics on it.
+On the Alarms page, you can add falsely reported alarms to the alarm whitelist. After an alarm is added to the whitelist, HSS will not generate alarms on it.
Adding Events to the Alarm Whitelist
Table 1 Configuring the alarm whitelist Method
Checking the Alarm Whitelist
Perform the following steps to check the alarm whitelist:
-- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
- In the navigation pane on the left, choose .
- Click Alarm Whitelist to view the added alarm whitelist. For more information, see Table 2.
+
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
- In the navigation pane on the left, choose Intrusion Detection > Whitelists.
- Click the Alarm Whitelist tab to view the whitelist. For more information, see Table 2.
Table 2 Parameter description Parameter Name
Description
@@ -35,9 +35,19 @@Name of the alarm whitelist type.
SHA256
+Whitelist Field
Hash value of the target file.
+Whitelisted file field
+Wildcard
+Logic used by a whitelisted rule, which can be Equals or Contains.
+Whitelist Rule
+Whitelisted rule ID
Description
@@ -60,9 +70,8 @@ -Related Operations
Removing alarms from the whitelist
-To remove an alarm from the whitelist, select it and click Delete.
- diff --git a/docs/hss/umn/hss_01_0029.html b/docs/hss/umn/hss_01_0029.html index ea4641f89..8c6bf16b1 100644 --- a/docs/hss/umn/hss_01_0029.html +++ b/docs/hss/umn/hss_01_0029.html @@ -2,13 +2,13 @@- Exercise caution when performing this operation. Whitelisted alarms cannot be restored after removal, and will be reported once triggered.
- After an alarm is deleted from the whitelist, the handling status of the events associated with the alarm is not updated. To change the status, choose Detection > Alarms, click Handle in the Operation column of an event, and select Remove from whitelist.
Removing an Alarm from the Whitelist
To remove an alarm from the whitelist, select it and click Delete.
+ - Exercise caution when performing this operation. Whitelisted alarms cannot be restored after removal, and will be reported once triggered.
- After an alarm is deleted from the whitelist, the handling status of the events associated with the alarm is not updated. To change the status, choose Intrusion Detection > Alarms, click Handle in the Operation column of an event, and select Remove from whitelist.
Managing Login Whitelist
You can configure the IP addresses of destination servers, login IP addresses, login usernames, and user behaviors in the Login Whitelist.
- - If the destination server IP address, login IP address, and username of a login are all whitelisted, this login will be allowed without checking.
- After an IP address is added to a whitelist by following the instructions in Adding Login Whitelist, the alarms (if any) that have been generated for the IP address will not be automatically cleared. Handle the alarms by referring to Viewing Server Alarms.
You can add Login Whitelist in either of the following ways:
- Add it to the Login Whitelist when handling false alarms of the Brute-force attack and Abnormal login types. For details, see Viewing Server Alarms.
- On the Login Whitelist page, add Login Whitelist.
Adding Login Whitelist
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
- Choose to access the Whitelists page, and click Add.Figure 1 Adding Login Whitelist+
+ - If the destination server IP address, login IP address, and username of a login are all whitelisted, this login will be allowed without checking.
- After an IP address is added to a whitelist by following the instructions in Adding Login Whitelist, the alarms (if any) that have been generated for the IP address will not be automatically cleared. Handle the alarms by referring to Viewing Server Alarms.
Adding Login Whitelist
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
- Choose Intrusion Detection > Whitelists. Click Login Whitelist and click Add.Figure 1 Adding Login Whitelist
- On the displayed page, enter the server IP address, login IP address, and login username.
-
Table 1 Login security whitelist parameters Parameter
+Table 1 Login Whitelist parameters Parameter
Description
- Click OK.
-Other Operations
Removing Login Whitelist
-To delete a Login Whitelist, select the Login Whitelist to you want to delete and click Delete, or click Delete in the Operation column of the server IP address you want to delete in the Login Whitelist.
+diff --git a/docs/hss/umn/hss_01_0030.html b/docs/hss/umn/hss_01_0030.html index 0ac8c1771..6dc2a9e5d 100644 --- a/docs/hss/umn/hss_01_0030.html +++ b/docs/hss/umn/hss_01_0030.html @@ -4,19 +4,9 @@Removing an Item from the Login Whitelist
To remove a server IP address from the Login Whitelist, select it and click Delete above the list, or click Delete in its Operation column.
Exercise caution when performing the deletion operation because it cannot be rolled back.
diff --git a/docs/hss/umn/hss_01_0042.html b/docs/hss/umn/hss_01_0042.html index 0f46088ec..d016100f4 100644 --- a/docs/hss/umn/hss_01_0042.html +++ b/docs/hss/umn/hss_01_0042.html @@ -10,11 +10,13 @@-
-
- Server Alarms
+ - HSS Alarms
- - Viewing Server Alarms
-
- - Handling Server Alarms
-
- - Managing Isolated Files
-
- - Container Alarm Events
-
- - Viewing Container Alarms
-
- - Handling Container Alarms
+ - Container Alarms
- Whitelist Management
diff --git a/docs/hss/umn/hss_01_0032.html b/docs/hss/umn/hss_01_0032.html
index 5926333f6..abe15d141 100644
--- a/docs/hss/umn/hss_01_0032.html
+++ b/docs/hss/umn/hss_01_0032.html
@@ -6,25 +6,23 @@
- About HSS
- - Agent FAQs
-
- - Brute-force Attack Defense
-
- - Weak Passwords and Unsafe Accounts
-
- - Intrusions
-
- - Abnormal Logins
-
- - Unsafe Settings
+ - Agent
- Vulnerability Management
+ - Intrusion Detection
+
+ - Abnormal Logins
+
+ - Brute-force Attack Defense
+
+ - Baseline Inspection
+ - Web Tamper Protection
- - Container Guard Service
+ - Container Security
- - Ransomware Protection
+ - Ransomware Prevention
- Security Configurations
diff --git a/docs/hss/umn/hss_01_0036.html b/docs/hss/umn/hss_01_0036.html
index 6f224fac1..441b29ec0 100644
--- a/docs/hss/umn/hss_01_0036.html
+++ b/docs/hss/umn/hss_01_0036.html
@@ -13,7 +13,7 @@
- Check whether the server network is normal.
- If yes, go to 4.
- If no, After the server can access the network, check the agent status.
- Restart the agent process.
- Windows
- Log in to the server as user administrator.
- Open the Task Manager.
- On the Services tab page, select HostGuard.
- Right-click the service and choose Restart.
- Linux
Run the following command in the CLI as user root to restart the agent:
-service hostguard restart
+service hostguard restart
If the following information is displayed, the restart is successful:root@HSS-Ubuntu32:~#service hostguard restart Stopping Hostguard... Hostguard stopped @@ -28,7 +28,7 @@ Hostguard is running
diff --git a/docs/hss/umn/hss_01_0037.html b/docs/hss/umn/hss_01_0037.html index cdd239063..2391a6217 100644 --- a/docs/hss/umn/hss_01_0037.html +++ b/docs/hss/umn/hss_01_0037.html @@ -2,7 +2,7 @@-Parent topic: Agent FAQs+Parent topic: AgentIs the Agent in Conflict with Any Other Security Software?
Yes, it may be in conflict with DenyHosts.
-- Symptom: The IP address of the login host is identified as an attack IP address but can not be unblocked.
- Cause: HSS and DenyHosts both block possible attack IP addresses, but HSS can not unblock the IP addresses that were blocked by DenyHosts.
- Handling method: Stop DenyHosts.
- Procedure
- Log in as user root to ECS.
- Run the following command to check whether DenyHosts has been installed:
+
- Symptom: The IP address of the login server is identified as an attack IP address and blocked by HSS. After the IP address is unblocked, it still cannot be used for login.
- Cause: HSS and DenyHosts both block possible attack IP addresses, but HSS can not unblock the IP addresses that were blocked by DenyHosts.
- Handling method: Stop DenyHosts.
- Procedure
- Log in to the server as the root user.
- Run the following command to check whether DenyHosts has been installed:
If information similar to the following is displayed, DenyHosts has been installed:
- Run the following command to stop DenyHosts: @@ -12,7 +12,7 @@
diff --git a/docs/hss/umn/hss_01_0038.html b/docs/hss/umn/hss_01_0038.html index c20218f32..71162bc8c 100644 --- a/docs/hss/umn/hss_01_0038.html +++ b/docs/hss/umn/hss_01_0038.html @@ -10,13 +10,11 @@-Parent topic: Agent FAQs+Parent topic: Agent - How Do I Defend Against Brute-force Attacks?
- - What Do I Do If the Account Cracking Prevention Function Does Not Take Effect on Some Accounts for Linux Servers?
- - How Do I Unblock an IP Address?
- What Do I Do If HSS Frequently Reports Brute-force Alarms?
- - What Do I Do If My Remote Server Port Is Not Updated in Brute-force Attack Records?
+ - What Do I Do If the Port in Brute-force Attack Records Is Not Updated?
- Windows
- Scenarios
-
- Editions and Features
+- Features
+
+- Provided Free of Charge
- HSS Permissions Management
-
- Constraints and Limitations
+- Constraints and Limitations
- Related Services
diff --git a/docs/hss/umn/hss_01_0043.html b/docs/hss/umn/hss_01_0043.html index ab9bc5b08..8403db6f7 100644 --- a/docs/hss/umn/hss_01_0043.html +++ b/docs/hss/umn/hss_01_0043.html @@ -1,7 +1,7 @@
How Do I Install a PAM and Set a Proper Password Complexity Policy in a Linux OS?
-Installing a PAM
Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running in your system.
+Installing a PAM
Your password complexity policy cannot be checked if no pluggable authentication module (PAM) is running on your servers. If PAM is not installed on a server, HSS will prompt you to install it on the Password Complexity Policy Detection tab of the Prediction > Baseline Checks page.
For Debian or Ubuntu, run the apt-get install libpam-cracklib command as the administrator to install a PAM.
@@ -76,7 +76,7 @@ A PAM is installed and running by default in CentOS, Fedora, and EulerOS.
- Debian and Ubuntu
@@ -84,7 +84,7 @@- Run the following command to edit the /etc/pam.d/common-password file:
vi /etc/pam.d/common-password
- Find the following information in the file: -
- Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
+ - Add the following parameters and their values: minlen, dcredit, ucredit, lcredit, and ocredit. If the file already has these parameters, change their values. For details, see Table 1.
Example:
password requisite pam_cracklib.so retry=3 minlen=8 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 difok=3
diff --git a/docs/hss/umn/hss_01_0044.html b/docs/hss/umn/hss_01_0044.html index b0dce4189..ce6306913 100644 --- a/docs/hss/umn/hss_01_0044.html +++ b/docs/hss/umn/hss_01_0044.html @@ -4,7 +4,7 @@-Parent topic: Unsafe Settings+Parent topic: Baseline InspectionAfter HSS is enabled, you can configure HSS policies based on your service requirements.
-Constraints
- The enterprise, premium, WTP, or container edition is enabled.
- For the default policy groups, you are advised to retain their default configurations.
- Modifications on a policy take effect only in the group it belongs to.
Accessing the Policies Page
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > HSS. The HSS page is displayed.
- In the navigation tree on the left, choose Security Operation > Policies. On the displayed page, Policy group parameters describes the fields.
If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.
+Accessing the Policies Page
- Log in to the management console.
- Click in the upper left corner of the page, select a region, and choose Security > Host Security Service. The HSS page is displayed.
- In the navigation tree on the left, choose Security Operation > Policies. On the displayed page, Policy group parameters describes the fields.
If your servers are managed by enterprise projects, you can select an enterprise project to view or operate the asset and scan information.
@@ -104,12 +100,6 @@Table 1 Policy group parameters Parameter
@@ -16,7 +16,7 @@Policy Group
Name of a policy group The preset policy group names are as follows:
-- tenant_linux_container_default_policy_group: preset Linux policy of the container edition. You can copy this policy group and create a new one based on it.
- tenant_linux_enterprise_default_policy_group is the default Linux policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
- tenant_windows_enterprise_default_policy_group: preset Windows policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
- tenant_linux_premium_default_policy_group: preset Linux policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
- tenant_windows_premium_default_policy_group: preset Windows policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
- tenant_linux_container_default_policy_group: preset Linux policy of the container edition. You can copy this policy group and create a new one based on it.
- tenant_linux_enterprise_default_policy_group is the default Linux policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
- tenant_windows_enterprise_default_policy_group: preset Windows policy of the enterprise edition. This policy group can only be viewed, and cannot be copied or deleted.
- tenant_linux_premium_default_policy_group: preset Linux policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
- tenant_windows_premium_default_policy_group: preset Windows policy of the premium edition. You can create a policy group by copying this default group and modify the copy.
- wtp_ServerName is a WTP edition policy group. It is generated by default when WTP is enabled for a server.
ID
@@ -34,6 +34,11 @@HSS edition supported by a policy group.
Supported OS
+OS supported by the policy.
+Associated Servers
To view details about the servers associated with a policy group, click the number in the Servers column of the group.
@@ -44,7 +49,7 @@- Click the name of the policy group to access the policy detail list.
- You can click Enable or Disable in the Operation column of a policy. After a policy is disabled, the detection of the policy is not performed.
- You can modify the policy by clicking its name.
+- Click the name of a policy to modify it. The following sections describe the policies.
Asset Discovery
- Click Asset Discovery.
- On the displayed page, modify the settings as required. For more information, see Table 2.Figure 1 Modifying the asset discovery policy@@ -54,14 +59,10 @@
Software Scanned
+Scan Time
- Software name. A name can contain a maximum of 5,000 characters without any space. Use commas (,) to separate software names.
- If this parameter is not specified, information about all installed software will be retrieved as its value.
Software Search Path
-Path for software search. This parameter is not required for Windows servers.
+Fixed time for automatic assets scan.
+- Accounts: Linux accounts are automatically checked every hour, and Windows accounts are checked in real time.
- Open ports are automatically checked every 30 seconds.
- Processes are automatically checked every hour.
- Installed software is automatically checked once a day.
- Auto-startup items are automatically checked every hour.
Scanned Web Directories
@@ -69,11 +70,6 @@Specifies a web directory to be scanned.
Scanned Web Directory Depth
-Specifies the level depth for web directory scanning.
-Days in a week when weak passwords are scanned. You can select one or more days.
Detection Break Time (ms)
-Interval between the checks of two accounts. The value range is 0 to 2,000.
-For example, if this parameter is set to 50, the system checks /bin/ls every 50 milliseconds.
-User-defined Weak Passwords
You can add a password that may have been leaked to this weak password text box to prevent server accounts from using the password.
@@ -147,8 +137,6 @@System Default Baseline Library
The detection baseline has been configured in the system. You only need to select the baseline you want to scan. All parameters are in their default values and cannot be modified.
-The parameters are as follows:
-- Scan: You can select this check box to execute the corresponding baseline policy. By default, this check box is not selected.
- Baseline Name
- Type
- Baseline Library Hash
- Keyword
- OS Type
- OS Name: name of the OS to be checked. This parameter is left empty by default.
- Allowed Executable Item ID: executable items allowed during baseline detection. This parameter is left empty by default.
- Select the baseline to be detected or customize a baseline.
- Confirm the information and click OK.
-Web Shell Detection
If User-defined Scan Paths is not specified, the website paths in your assets are scanned by default. If User-defined Scan Paths is specified, only the specified paths are scanned.
+-Web Shell Detection
If User-defined Scan Paths is not specified, the website paths in your assets are scanned by default. If User-defined Scan Paths is specified, website paths and the specified paths are scanned.
- Click Web Shell Detection.
- On the Web Shell Detection page, modify the settings as required. For more information, see Table 5.Figure 4 Modifying the web shell detection policy
- Confirm the information and click OK.
File Protection
- Click File Protection.
- On the File Protection page, modify the policy. For more information, see Table 6.Figure 5 Modifying the file protection policy+
File Protection
- Click File Protection.
- On the File Protection page, modify the policy. For more information, see Table 6.Figure 5 Modifying the file protection policy-
Table 6 Parameter description Parameter
++Table 6 Parameter description Parameter
Description
+Description
File Privilege Escalation
+File Privilege Escalation
- Detects privilege escalation.
: enabled
: disabled
- Detects privilege escalation.
- : enabled
- : disabled
- Ignored File Path: Files to be ignored. Start the path with a slash (/) and do not end it with a slash (/). Each path occupies a line. No spaces are allowed between path names.
File Integrity
+File Integrity
- Detects the integrity of key files.
: enabled
: disabled
- Detects the integrity of key files.
- : enabled
- : disabled
- File Paths: Configure the file paths.
Important File Directory Change
+Important File Directory Change
- Detects the directory change of key files.
: enabled
: disabled
- Detects the directory change of key files.
- : enabled
- : disabled
- Enable Audit: enables the audit detection function. If the function is enabled and inotify usage exceeds the limit, some file directory changes cannot be detected.
: enabled
: disabled
- Session IP Whitelist: If the file process belongs to the sessions of the listed IP addresses, no audit applies.
- Unmonitored File Types: File types that do not need to be monitored.
- Unmonitored File Paths: File paths that do not need to be monitored.
- Monitoring Login Keys: enables the function of monitoring login keys.
: enabled
: disabled
Directory Monitoring Mode
+Directory Monitoring Mode
- Directory monitoring mode.
- File or Directory Path: Some file or directory monitoring paths are preset in the system. You can modify the file change type to be detected and add the file or directory paths to be monitored.
- Directory monitoring mode.
- Some file or directory monitoring paths are preset in the system. You can modify the file change type to be detected and add the file or directory paths to be monitored.
- File or Directory Path: path of the file or directory to be monitored. Up to 50 paths can be added. Ensure the specified paths are valid.
- Alias: alias of a file or directory path. You can enter a name that is easy to distinguish.
- Monitor Subdirectory: If this option is selected, all files in the corresponding subdirectories are monitored. If it is not selected, subdirectories are not monitored.
- Monitor Creation, Monitor Deletion, Monitor Movement, and Monitor Modification: Select them as needed.
- Confirm the information and click OK.
-Login Security Check
- Click Login Security Check.
- In the displayed Login Security Check page, modify the policy content. describes the parameters.Figure 6 Modifying the security check policy- -
Table 7 Parameter description Parameter
+-HIPS Detection
- Click HIPS Detection.
- Modify the policy content. For more information, see Table 7.
+
-Table 7 HIPS detection policy parameters Parameter
Description
+Description
Block Attacking IP Address
+Auto Blocking
After the function of blocking attacking IP addresses is enabled, HSS blocks the brute-force IP address logins.
-The agent modifies system configurations to block the source IP addresses of account cracking attacks.
-
: enabled
: disabled
If this function is enabled, abnormal changes on registries, files, and processes will be automatically blocked to prevent reverse shells and high-risk commands.- : enabled
: disabled
Lock Time (Min.)
+Trusted Processes
This parameter is used to determine how many minutes the brute-force attacks are locked. The value range is 1 to 43,200 min. (Login is not allowed in the lockout duration.)
-Cracking Behavior Determination Threshold (s)
-This parameter is used together with Cracking Behavior Determination Threshold (Login Attempts). The value range is 5 to 3,600.
-For example, if this parameter is set to 30 and Cracking Behavior Determination Threshold (Login Attempts) is set to 5, the system determines that an account is cracked when the same IP address fails to log in to the system for five times within 30 seconds.
-Cracking Behavior Determination Threshold (Login Attempts)
-This parameter is used together with Cracking Behavior Determination Threshold. The value range is 1 to 36,000.
-Threshold for slow brute force attack (second)
-This parameter is used together with Threshold for slow brute force attack (failed login attempt). The value range is 600 to 86,400s.
-For example, if this parameter is set to 3600 and Threshold for slow brute force attack (failed login attempt) is set to 15, the system determines that an account is cracked when the same IP address fails to log in to the system for fifteen times within 3,600 seconds.
-Threshold for slow brute-force attack (failed login attempt)
-This parameter is used together with Threshold for slow brute force attack (second). The value range is 6 to 100.
-Cracking Behavior Determination Release Time (s)
-Interval for clearing login failure records generated due to cracking. The value range is 60 to 86,400s.
-The unblocked IP addresses are those that triggered brute-force alarms.
-Check Whether the Audit Login Is Successful
-- After this function is enabled, HSS reports login success logs.
: enabled
: disabled
Paths of trusted processes. You can click Add to add a path and click Delete to delete it.
- Confirm the information and click OK.
- Confirm the information and click OK.
Malicious File Detection
- Click Malicious File Detection.
- On the displayed page, modify the policy. For more information, see Table 8.Figure 7 Modifying the malicious file detection policy+
Login Security Check
- Click Login Security Check.
- On the displayed Login Security Check page, modify the policy content. Table 8 describes the parameters.Figure 6 Modifying the security check policy-
Table 8 Parameter description Parameter
++
+Table 8 Parameter description Parameter
Description
+Description
Whitelist Paths in Reverse Shell Check
+Lock Time (min)
Process file path to be ignored in reverse shell detection
+This parameter is used to determine how many minutes the IP addresses that send attacks are locked. The value range is 1 to 43200. Login is not allowed in the lockout duration.
+Check Whether the Audit Login Is Successful
+- After this function is enabled, HSS reports login success logs.
: enabled
: disabled
Block Non-whitelisted Attack IP Address
+After this function is enabled, HSS blocks the login of brute force IP addresses (non-whitelisted IP addresses).
+ +Report Alarm on Brute-force Attack from Whitelisted IP Address
+- After this function is enabled, HSS generates alarms for brute force attacks from whitelisted IP addresses.
: enabled
: disabled
Whitelist
+After an IP address is added to the whitelist, HSS does not block brute force attacks from the IP address in the whitelist. A maximum of 50 IP addresses or network segments can be added to the whitelist. Both IPv4 and IPv6 addresses are supported.
+- Confirm the information and click OK.
+ +-Malicious File Detection
- Click Malicious File Detection.
- On the displayed page, modify the policy. For more information, see Table 9.Figure 7 Modifying the malicious file detection policy+ +-
Table 9 Parameter description Parameter
+Description
+Whitelist Paths in Reverse Shell Check
+Process file path to be ignored in reverse shell detection
Start with a slash (/) and end with no slashes (/). Occupy a separate line and cannot contain spaces.
Reverse Shell Scanning Interval (s):
+Ignored Reverse Shell Local Port
Reverse shell scanning period. The value range is 30 to 86,400.
+Local ports that do not need to be scanned for reverse shells.
Audit detection enhancement
+Ignored Reverse Shell Remote Address
- Whether to enhance audit detection. You are advised to enable this function.
: enabled
: disabled
Remote addresses that do not need to be scanned for reverse shells.
+
Detect Reverse Shells
+- Detects reverse shells. You are advised to enable it.
: enabled
: disabled
Max. open files per process
+Auto-block Reverse Shells
Maximum number of files that can be opened by a process. The value range is 10 to 300,000.
-Detect Reverse Shells
-- Detects reverse shells. You are advised to enable it.
- : enabled
- : disabled
Auto-block Reverse Shells
-Specifies whether to enable automatic blocking of reverse shells. You are advised to enable this function. +Specifies whether to enable automatic blocking of reverse shells. You are advised to enable this function.Abnormal Shell Detection
+Abnormal Shell Detection
- Detects abnormal shells. You are advised to enable it.
: enabled
: disabled
- Detects abnormal shells. You are advised to enable it.
- : enabled
- : disabled
- Whether to enhance audit detection. You are advised to enable this function.
- Confirm the information and click OK.
- Confirm the information and click OK.
Abnormal Process Behavior
- Click Abnormal process behaviors.
- In the displayed area, modify the settings as required. For more information, see Table 9.Figure 8 Modifying the abnormal process behavior policy+
Abnormal Process Behavior
- Click Abnormal process behaviors.
- In the displayed area, modify the settings as required. For more information, see Table 10.Figure 8 Modifying the abnormal process behavior policy-
Table 9 Parameter description Parameter
+-Table 10 Parameter description Parameter
Description
+Description
Example Value
+Example Value
Detection and Scanning Cycle (Seconds)
+Detection Mode
Interval for checking the running programs on the host. The value range is 30 to 1,800.
-1800
-Detection Mode
-Select the method for abnormal process behavior detection.
+Select the method for abnormal process behavior detection.
- Sensitive: In-depth and full detection and scanning are performed on all processes, which may cause false positives. Suitable for cyber protection drills and key event assurance drills.
- Balanced: All processes are detected and scanned. The detection result accuracy and the abnormal process detection rate are balanced. Suitable for routine protection.
- Conservative: All processes are detected and scanned. This mode provides high detection result accuracy and low false positives. Suitable for scenarios with a large number of false positives.
Balanced
+Balanced
Threshold for Score Reporting
+Threshold for Score Reporting
Score reporting threshold. The value range is 1 to 100.
+Score reporting threshold. The value range is 1 to 100.
3
+3
- Confirm the information and click OK.
+- Confirm the information and click OK.
-Root Privilege Escalation Detection
- Click Root privilege escalation.
- In the displayed area, modify the settings as required. For more information, see Table 10.Figure 9 Modifying the root privilege escalation policy+
Root Privilege Escalation Detection
- Click Root privilege escalation.
- In the displayed area, modify the settings as required. For more information, see Table 11.Figure 9 Modifying the root privilege escalation policy-
Table 10 Parameter description Parameter
+-Table 11 Parameter description Parameter
Description
+Description
Ignored Process File Path
+Ignored Process File Path
Ignored process file path
+Ignored process file path
Start with a slash (/) and end with no slashes (/). Occupy a separate line and cannot contain spaces.
Scanning Interval (s)
-Interval for checking process files. The value range is 5 to 3,600.
-- Confirm the information and click OK.
+- Confirm the information and click OK.
-Real-time Process
- Click Real-time Process.
- On the displayed page, modify the settings as required. For more information, see Table 11.Figure 10 Modifying the real-time process policy+
Real-time Process
- Click Real-time Process.
- On the displayed page, modify the settings as required. For more information, see Table 12.Figure 10 Modifying the real-time process policy-
Table 11 Parameters for real-time process policy settings Parameter
+-Table 12 Parameters for real-time process policy settings Parameter
Description
+Description
Full Process Report Interval (s)
+High-Risk Commands
Interval for reporting the full process. The value range is 3,600 to 86,400.
+High-risk commands that contain keywords during detection.
High-Risk Commands
+Whitelist (Do Not Record Logs)
High-risk commands that contain keywords during detection.
-Whitelist (Do Not Record Logs)
-Paths or programs that are allowed or ignored during detection. You can enter the regular expression of the command to be added to the whitelist. The command regular expression is optional.
+Paths or programs that are allowed or ignored during detection. You can enter the regular expression of the command to be added to the whitelist. The command regular expression is optional.
- Confirm the information and click OK.
+- Confirm the information and click OK.
Rootkit Detection
- Click Rootkit Detection.
- On the rootkit detection page, modify the policy content.Figure 11 Modifying the rootkit detection policy-
Table 12 Parameter description Parameter
+-Table 13 Parameter description Parameter
Description
+Description
Example Value
+Example Value
Scanning Interval (s)
+Kernel Module Whitelist
Interval for executing the check policy. The value ranges from 60 to 86,400.
-86400
-Check Library
-Check files and folders in the existing libraries. You are advised to enable this function.
-
: enabled
: disabled
-
: enabledCheck Kernel Space
-Perform the check by kernel modules. All kernel modules will be checked. You are advised to enable this function.
- -
: enabled
: disabled
-
: enabledKernel Module Whitelist
-Add the kernel modules that can be ignored during the detection.
+Add the kernel modules that can be ignored during the detection.
Up to 10 kernel modules can be added. Each module occupies a line.
xt_conntrack
+xt_conntrack
virtio_scsi
tun
- Confirm the information and click OK.
+- Confirm the information and click OK.
-AV Detection
- Click AV Detection.
- On the AV Detection slide pane that is displayed, modify the settings as required. For details, see Table 13.Figure 12 Modifying an AV detection policy+
AV Detection
- Click AV Detection.
- On the AV Detection slide pane that is displayed, modify the settings as required. For details, see Table 14.Figure 12 Modifying an AV detection policy-
Table 13 AV detection policy parameters Parameter
+-Table 14 AV detection policy parameters Parameter
Description
+Description
Example Value
+Example Value
Real-Time Protection
+Real-Time Protection
After this function is enabled, AV detection is performed in real time when the current policy is executed. You are advised to enable this function.
+After this function is enabled, AV detection is performed in real time when the current policy is executed. You are advised to enable this function.
: enabled
: disabled
+
: enabled: enabledProtected File Type
+Protected File Type
Type of the files to be checked in real time.
+Type of the files to be checked in real time.
- All: Select all file types.
- Executable: Executable file types such as EXE, DLL, and SYS.
- Compressed: Compressed file types such as ZIP, RAR, and JAR.
- Text: Text file types such as PHP, JSP, HTML, and Bash.
- OLE: Composite file types such as Microsoft Office files (PPT and DOC) and saved email files (MSG).
- Other: File types except the preceding types.
All
+All
Action
+Action
Handling method for the object detection alarms.
+Handling method for the object detection alarms.
- Automated handling:Isolate high-risk virus files bu default. Report other virus files but do not isolate them.
- Manual handling: Report all the detected virus files but do not isolate them. You need to handle them manually.
Automatic handling
+Automatic handling
- Confirm the information and click OK.
+- Confirm the information and click OK.
-Container Information Collection
- Click Container Information Collection.
- On the Container Information Collection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 14.Figure 13 Modifying the container information collection policy+
Container Information Collection
- Click Container Information Collection.
- On the Container Information Collection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 15.Figure 13 Modifying the container information collection policy-
The whitelist has a higher priority than blacklist. If a directory is specified in both the whitelist and blacklist, it is regarded as a whitelisted item.
Table 14 Container information collection policy parameters Parameter
+-Table 15 Container information collection policy parameters Parameter
Description
+Description
Example Value
+Example Value
Mount Path Whitelist
+Mount Path Whitelist
Enter the directory that can be mounted.
+Enter the directory that can be mounted.
/test/docker or /root/*
+/test/docker or /root/*
Note: If a directory ends with an asterisk (*), it indicates all the sub-directories under the directory (excluding the main directory).
For example, if /var/test/* is specified in the whitelist, all sub-directories in /var/test/ are whitelisted, excluding the test directory.
Mount Path Blacklist
+Mount Path Blacklist
Enter the directories that cannot be mounted. For example, user and bin, the directories of key host information files, are not advised being mounted. Otherwise, important information may be exposed.
+Enter the directories that cannot be mounted. For example, user and bin, the directories of key host information files, are not advised being mounted. Otherwise, important information may be exposed.
- Confirm the information and click OK.
+- Confirm the information and click OK.
-Cluster Intrusion Detection
- Click Cluster Intrusion Detection.
- On the Cluster Intrusion Detection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 15.Figure 14 Modifying the cluster intrusion detection policy+
Cluster Intrusion Detection
- Click Cluster Intrusion Detection.
- On the Cluster Intrusion Detection slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 16.Figure 14 Modifying the cluster intrusion detection policy-
Table 15 Cluster intrusion detection policy parameters Parameter
+Table 16 Cluster intrusion detection policy parameters Parameter
Description
+Description
Example Value
+Example Value
Basic Detection Cases
+Basic Detection Cases
Select basic check items as required.
+Select basic check items as required.
Select all
+Select all
Whitelist
+Whitelist
You can customize the types and values that need to be ignored during the detection. You can add and delete types and values as required.
+You can customize the types and values that need to be ignored during the detection. You can add and delete types and values as required.
The following types are supported:
- IP address filter
- Pod name filter
- Image name filter
- User filter
- Pod tag filter
- Namespace filterNOTE:
Each type can be used only once.
Type: IP address filtering
+Type: IP address filtering
Value: 192.168.x.x
- After this policy is configured, you need to enable the log audit function and deploy the HSS agent on the management node (node where the APIServer is located) of the cluster to make the policy take effect.
- Confirm the information and click OK.
+- Confirm the information and click OK.
+ +Container Escape Detection
- Click Container Escape. The container escape policy details page is displayed.
- On the container escape page that is displayed, edit the policy content. For details about the parameters, see Table 17.If no image, process, or POD needs to be added to the whitelist, leave the whitelist blank. +++
+Table 17 Container escape detection policy parameters Parameter
+Description
+Image Whitelist
+Enter the names of the images that do not need to perform container escape behavior detection. An image name can contain only letters, numbers, underscores (_), and hyphens (-), and each name needs to be on a separate line. Up to 100 image names are allowed.
+Process Whitelist
+Enter the full paths of processes that do not need to perform container escape behavior detection. A process path can contain only letters, numbers, underscores (_), and hyphens (-), and each path needs to be on a separate line. Up to 100 process paths are allowed.
+Pod Whitelist
+Enter the names of pods that do not need to perform container escape behavior detection. A pod name can contain only letters, numbers, underscores (_), and hyphens (-), and each name needs to be on a separate line. Up to 100 pod names are allowed.
+ - Confirm the information and click OK.
Container File Monitoring
- If a monitored file path is under the mount path rather than the writable layer of the container on the server, changes on the file cannot trigger container file modification alarms. To protect such files, configure a file protection policy.
- Click Container File Monitoring.
- On the Container File Monitoring slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 16.Figure 15 Modifying the container file monitoring policy+
- Click Container File Monitoring.
- On the Container File Monitoring slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 18.Figure 15 Modifying the container file monitoring policy-
Table 16 Container file monitoring policy parameters Parameter
+-Table 18 Container file monitoring policy parameters Parameter
Description
+Description
Example Value
+Example Value
Fuzzy match
+Fuzzy match
Indicates whether to enable fuzzy match for the target file. You are advised to select this option.
+Indicates whether to enable fuzzy match for the target file. You are advised to select this option.
Selected
+Selected
Block New Executable
+Image Name
Monitor the behavior of the adding executable files. If this option is selected, adding executable files is prohibited. You are advised to select this option.
+Name of the target image to be checked
Selected
+test_bj4
Image Name
+Image ID
Name of the target image to be checked
+ID of the target image to be checked
test_bj4
+-
Image ID
+File
ID of the target image to be checked
+Name of the file in the target image to be checked
-
-File
-Name of the file in the target image to be checked
-/tmp/testw.txt
+/tmp/testw.txt
- Confirm the information and click OK.
+- Confirm the information and click OK.
-Container Process Whitelist
- Click Container Process Whitelist.
- On the Container Process Whitelist slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 17.Figure 16 Container process whitelist policy+
Container Process Whitelist
- Click Container Process Whitelist.
- On the Container Process Whitelist slide pane that is displayed, modify the Policy Settings. For details about the parameters, see Table 19.Figure 16 Container process whitelist policy-
- After this function is enabled, HSS reports login success logs.
- Detects privilege escalation.
- Viewing the container alarms of a certain type
Viewing Server Alarms
-The Events page displays the alarm events generated in the last 30 days. You can manually handle the alarmed items.
+HSS displays alarm and event statistics and their summary all on one page. You can have a quick overview of alarms, including the numbers of urgent alarms, total alarms, servers with alarms, blocked IP addresses, and isolated files.
+The Events page displays the alarm events generated in the last 30 days. You can manually handle the alarmed items.
The status of a handled event changes from Unhandled to Handled.
-Constraints and Limitations
Procedure
- Select the tenant_linux_premium_default_policy_group policy group. Locate the row that this policy group resides, click Copy in the Operation column.
- View the brute force cracking detection result of the server.
- View the brute force cracking detection result of the server.
- Not installed: The agent has not been installed or successfully started.
