
Host Intrusion Detection

User Guide

Issue 03

Date 2017-03-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2017. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 03 (2017-03-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.


Contents

1 Overview
  1.1 Host Intrusion Detection
  1.2 Functions
  1.3 Application Scenarios
  1.4 Charging Standards
  1.5 Accessing and Using HID
    1.5.1 How to Access HID
    1.5.2 How to Use HID
    1.5.3 Related Services

2 Management
  2.1 Installing an HID Client
  2.2 Enabling HID
  2.3 Enabling Alarm Notification
  2.4 Configuring Detection Rules
  2.5 Performing a Manual Scan
  2.6 Viewing Reports
  2.7 Disabling HID
  2.8 Uninstalling an HID Client

3 FAQs
  3.1 Does HID Charge Fees?
  3.2 How Do I Enable HID?
  3.3 What Should I Do When the Client Running Status Is Abnormal?
  3.4 How Do I Start a Manual Scan?
  3.5 How Should I Handle an Intrusion Alarm?

A Change History


1 Overview

1.1 Host Intrusion Detection

Host Intrusion Detection (HID) provides you with a basic security detection platform for Elastic Cloud Servers (ECSs). It monitors ECSs for brute force attacks and remote logins and detects ECS weaknesses. You can log in to the management console to configure HID, start a manual scan, or view detection reports. Based on the ECS weaknesses detected by HID, you can harden your ECSs accordingly to improve system security and reduce the risk of your ECSs being intruded.

1.2 Functions

HID provides the following functions:

• Detecting brute force attacks: HID detects brute force attacks targeted at remote login, FTP, and database (MySQL) applications on your ECS.

• Warning about remote logins: HID monitors and displays remote logins to your system.

• Checking for weak passwords: HID checks for weak passwords in your system or database (MySQL). If any are discovered, HID promptly reminds you to change them to prevent cracking.

• Checking permissions on the database process: HID checks whether a system administrator account is running your database (MySQL). If so, HID reminds you to change the running account so that its high-level permissions cannot be used by a hacker.

• Detecting web backdoors: HID detects web backdoors and promptly notifies you to handle them. This prevents a hacker from using them to control your ECS.

• Starting a manual scan: HID allows you to start a manual scan for weak passwords, permissions on the database process, and web backdoors.

• Generating detection reports: HID provides detection reports and scan results, including alarm records and warning statistics.


1.3 Application Scenarios

To use HID, you need to configure an elastic IP address (EIP) for your ECS; otherwise, you cannot upload the client installation program to the ECS. Therefore, HID is applicable only to ECSs with EIPs.

• For Windows:

Table 1-1 HID application scenarios in Windows

No.  Supported OS
1    Windows Server Enterprise 2008 Service Pack 2
2    Windows Web Server 2008 R2
3    Windows Server Standard 2008 R2
4    Windows Server Enterprise 2008 R2
5    Windows Server Datacenter 2008 R2
6    Windows 2012 R2 Standard
7    Windows 2012 R2 Datacenter

Restriction:

• The web backdoor detection function works only on ECSs where IIS has been installed. It does not work on Tomcat servers. HID supports IIS 6.0 mode currently. If the IIS to be installed is later than 6.0, such as IIS 7.0, select the IIS 6.0 compatible mode during the installation.

• If McAfee has been installed, stop the protection function provided by McAfee first.

• Database protection currently supports MySQL only.

• For Linux:

Table 1-2 HID application scenarios in Linux

No.  Supported OS
1    CentOS 5.11 32bit
2    CentOS 5.11 64bit
3    CentOS Linux 5.5 64bit
4    CentOS Linux 5.8 64bit
5    CentOS Linux 6.3 64bit
6    CentOS Linux 6.5 64bit
7    CentOS Linux 7.0 64bit
8    CentOS Linux 7.1 64bit
9    Debian 7.5 32bit
10   Debian 7.5 64bit
11   Debian 8.2 64bit
12   Ubuntu Server 10.04 64bit
13   Ubuntu Server 12.04 64bit
14   Ubuntu Server 12.04.2 32bit
15   Ubuntu Server 14.04 64bit
16   Ubuntu Server 14.04 32bit

Restriction:

• The web backdoor detection function works only on ECSs where Apache httpd has been installed. Currently, HID supports Apache httpd 2.2 and earlier. RHEL5.0 is also supported.

• Database protection currently supports MySQL only.

1.4 Charging Standards

HID is free of charge currently.

1.5 Accessing and Using HID

1.5.1 How to Access HID

You can access HID using the management console. If you have registered a public cloud account, log in to the management console, and choose Security > Product Center of Partners > Host Intrusion Detection from the home page.

1.5.2 How to Use HID

You can enable HID for ECSs. Based on scan reports provided by HID, you can learn about defects on your ECSs in a timely manner and harden the security of ECSs accordingly.

After configuring alarm notification for HID, you will receive a notification SMS or email when HID detects an ECS abnormality.

1.5.3 Related Services

ECS

HID provides detection services for ECSs on which HID clients are installed.

VPC

HID associates ECSs and HID clients through Virtual Private Cloud (VPC).


SIS

Security Index Service (SIS) can directly obtain HID status as security assessment metrics. Through SIS, you can view HID security views and navigate to the HID management console to configure security detection policies.


2 Management

2.1 Installing an HID Client

Downloading an HID Client

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection. The ECS list page is displayed.

Step 2 Check the ECS detection status of the ECS. If the ECS detection status is Not installed, you must download and install an HID client.

Figure 2-1 ECS detection status

Step 3 Click download clients in the service introduction in the upper part of the page and select the client version that corresponds to the OS of the ECS. After reading the SafeDog application scenarios, select I have read and know about the SafeDog Use scenario, and click OK.


Figure 2-2 Downloading an HID client

Step 4 In the Confirm Download dialog box, click OK to start downloading the client.

Step 5 After the client installation package is downloaded, upload it to the ECS. An elastic IP address (EIP) must have already been bound to this ECS.

----End

Installing an HID Client on an ECS Running Linux

NOTE

The following uses an ECS running a 32-bit OS as an example.

Step 1 Log in to the ECS, navigate to the directory containing the installation package, and run the following command to decompress the package:

tar -zxvf name of the installation package

For example, if the name of the installation package is linux_32_cn-north-1.tar.gz, run the following command:

tar -zxvf linux_32_cn-north-1.tar.gz

Step 2 Run the following command to switch to the directory containing decompressed files:

cd HwCloudAgent_linux32

Step 3 Run the following command to run the installation script:

./install.py

If information similar to the following is displayed, the client has been successfully installed:

[root@ecs-bef4 HwCloudAgent_linux64]# ./install.py
1.1 Start install HwCloudAgent..
1.2 Install common file
1.3 Start the application
1.4 Install Completely!


Step 4 Run the following command to confirm that the client processes exist:

ps -ef | grep HwCloud

If the following processes are displayed, the client is running properly:

[root@ecs-bef4 HwCloudAgent_linux64.bak]# ps -ef|grep HwCloud
root 9169 9148 5 17:00 ? 00:00:00 HwCloudAgent -d
root 9172 9148 0 17:00 ? 00:00:00 HwCloudUpdate -d
root 9646 8289 0 17:00 pts/0 00:00:00 grep HwCloud

----End
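
As a scripted form of the Step 4 check, the following added example (not part of the HID client or of the original guide) parses ps -ef output and reports whether both client processes are present. It matches on the executable name, so the grep line itself is not counted; the function names and the sample output are constructed for illustration.

```python
# Added example, not part of the HID client: scripted version of the Step 4 check.
import subprocess

# Process names taken from the ps output shown in the guide.
EXPECTED_PROCESSES = ("HwCloudAgent", "HwCloudUpdate")

# Constructed sample modelled on the guide's `ps -ef | grep HwCloud` output.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root      9169  9148  5 17:00 ?        00:00:00 HwCloudAgent -d
root      9172  9148  0 17:00 ?        00:00:00 HwCloudUpdate -d
root      9646  8289  0 17:00 pts/0    00:00:00 grep HwCloud
root      9700  8289  0 17:01 pts/0    00:00:00 vi /tmp/HwCloudAgent.log
"""


def find_client_processes(ps_output):
    """Return {process name: [(pid, uid), ...]} for the HID client processes.

    Only the executable name (first word of CMD, directory stripped) is
    compared, so `grep HwCloud` or an editor opened on a client log file
    does not count as a running client.
    """
    found = {}
    for line in ps_output.splitlines():
        fields = line.split(None, 7)   # UID PID PPID C STIME TTY TIME CMD
        if len(fields) < 8 or not fields[1].isdigit():
            continue                   # header or malformed line
        executable = fields[7].split()[0].rsplit("/", 1)[-1]
        if executable in EXPECTED_PROCESSES:
            found.setdefault(executable, []).append((int(fields[1]), fields[0]))
    return found


def client_health(ps_output):
    """Summarise whether every expected client process is present."""
    found = find_client_processes(ps_output)
    missing = [name for name in EXPECTED_PROCESSES if name not in found]
    return {"healthy": not missing, "missing": missing, "found": found}


if __name__ == "__main__":
    # Live check on the ECS itself (requires the ps command).
    live = subprocess.run(["ps", "-ef"], capture_output=True, text=True,
                          check=True).stdout
    print(client_health(live))
```
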

Installing an HID Client on an ECS Running Windows

Step 1 Navigate to the directory containing the installation package and double-click the installation file. On the installation wizard that is displayed, click Next.

Step 2 After reading License Agreement, click I Agree.

Step 3 In Destination Folder, select an installation directory and click Next.

Step 4 Click Install to start installing the client.

Step 5 Click Finish.

Step 6 Check for the client processes in Task Manager. If the client processes are displayed, the client has been successfully installed.

----End

2.2 Enabling HID

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection.

Step 2 On the ECS list page, find the ECS for which you want to enable HID. Confirm that ECS detection status of the ECS is Not enabled.

Figure 2-3 ECS detection status

Table 2-1 ECS detection statuses

Status         Description
Normal         The HID client is running correctly and the HID service has been enabled.
Not installed  The HID client has not been installed or successfully started.
Not enabled    The client is running correctly but the HID service has not been enabled. In this case, the client is not performing any intrusion detection function.
Abnormal       The client has been installed and the HID service has been enabled, but the client is not communicating properly with the server.
Stop           The ECS has been shut down.

Step 3 In the row containing the ECS, click Enable detection to enable HID.

----End

2.3 Enabling Alarm Notification

After you enable alarm notification for HID, you will be promptly notified (by SMS messages or emails) when an abnormality is detected. If you do not enable alarm notification, you have to log in to the management console to view alarms.

Step 1 Log in to the management console and choose Security > Product Center of Partners.

Step 2 Click Alarm Notification in the navigation tree and enable alarm notification for the desired service. You can enable alarm notification for:

• Brute force cracking
• Non-local login
• Weak password
• Unnecessary database process privilege
• Website backdoor

Step 3 In Reminder frequency setting, set the reminder frequency.

Attack alarms are collected and reminders are sent once a day or every half an hour. No reminders are sent if no attack alarms are collected.

Step 4 Select a group to send notifications to.

If you need to create a group, click Create Group and set information about the group, as shown in Figure 2-4. On the Create Group page, click Add in Send To to add email addresses or mobile phone numbers to receive notifications.

NOTE

You can click to go to the group management page. On the group management page, you can click:

• Create Group in the upper left corner to create groups
• Modify of a group to modify its information
• Delete of a group to delete it


• Name: Enter a name for the group. The name length ranges from 1 to 256 characters. It can contain only letters, digits, underscores (_), and hyphens (-) and must start with a letter or digit.

• Email address: Enter email addresses that you want to send notifications to.

• Phone number: Enter phone numbers that you want to send notifications to.

Figure 2-4 Creating a group

Step 5 Click OK to enable alarm notification.

----End

2.4 Configuring Detection Rules

After HID is enabled, the client automatically detects intrusions according to default rules. You can view the detection rules of each ECS on the management console and modify parameter settings based on your needs.

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection.

Step 2 On the ECS list page, find the ECS for which you want to configure HID parameters. Confirm that ECS detection status of the ECS is Normal.

Step 3 In the row containing the ECS, choose More > Modify. The Detection rule settings page is displayed, as shown in Figure 2-5.


Figure 2-5 Detection rule settings

Parameters are as follows:

• Remote account login detection: detects brute force attacks performed by means of remote login based on SSH or mstsc.
  – Interval: indicates the detection interval of login attempts. The default value is 600 seconds.
  – Number of login attempts: indicates the threshold of brute force attack within the interval. If the number of detected login attempts reaches this value, a brute force attack is recorded.

• FTP brute-force attack detection: detects brute force attacks performed by means of FTP client or FTP access.
  – Interval: indicates the detection interval of login attempts. The default value is 600 seconds.
  – Number of login attempts: indicates the threshold of brute force attack within the interval. If the number of detected login attempts reaches this value, a brute force attack is recorded.
  – Protected port: indicates the FTP service port opened by the system. The default value is 21. If you need to protect multiple ports, enter the port IDs separated with commas (,). The maximum length of a character string is 100.

• Database brute-force attack detection: detects brute force attacks performed by means of database client or database access.
  – Interval: indicates the detection interval of login attempts. The default value is 600 seconds.
  – Number of login attempts: indicates the threshold of brute force attack within the interval. If the number of detected login attempts reaches this value, a brute force attack is recorded.
  – Protected port: indicates the database service port opened by the system. The default value is 3306 for MySQL. If you need to protect multiple ports, enter the port IDs separated with commas (,). The maximum length of a character string is 100.

• Different-location account login prompt: detects login attempts performed in irregular locations. You can set two locations as regular login locations.
  – Regular account login location: indicates the regular login locations. For a location in China, you can specify it to the city level. For a location outside China, you can specify it to the nation level.

• Routine security scan and detection: performs day-to-day system security scans based on ECSs' performance. Scan results as well as necessary alarms are displayed on the Host Intrusion Detection interface.

Step 4 Click OK after configuring the required parameters.

----End
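
The Interval and Number of login attempts parameters above describe a threshold-within-a-window rule. The following added example (not HID client code, and not taken from the original guide) applies that rule to constructed sshd log lines and also validates a Protected port string. The threshold of 5, the per-source sliding window, counting only failed logins, and all function names are assumptions, because the guide does not say how HID counts attempts.

```python
# Added example, not HID code: threshold-within-interval brute force detection.
import re
from collections import defaultdict, deque
from datetime import datetime

INTERVAL_SECONDS = 600   # default "Interval" stated in the guide
LOGIN_ATTEMPTS = 5       # hypothetical threshold; the guide states no default

# Constructed sample of sshd syslog lines (documentation IP ranges).
SAMPLE_LOG = """\
Mar 30 16:00:00 ecs-demo sshd[3001]: Failed password for root from 192.0.2.44 port 50001 ssh2
Mar 30 16:11:00 ecs-demo sshd[3002]: Failed password for root from 192.0.2.44 port 50002 ssh2
Mar 30 16:22:00 ecs-demo sshd[3003]: Failed password for root from 192.0.2.44 port 50003 ssh2
Mar 30 16:33:00 ecs-demo sshd[3004]: Failed password for root from 192.0.2.44 port 50004 ssh2
Mar 30 16:44:00 ecs-demo sshd[3005]: Failed password for root from 192.0.2.44 port 50005 ssh2
Mar 30 17:00:01 ecs-demo sshd[4101]: Failed password for root from 203.0.113.7 port 40001 ssh2
Mar 30 17:00:09 ecs-demo sshd[4102]: Failed password for root from 203.0.113.7 port 40002 ssh2
Mar 30 17:00:15 ecs-demo sshd[4103]: Failed password for invalid user admin from 203.0.113.7 port 40003 ssh2
Mar 30 17:01:40 ecs-demo sshd[4104]: Failed password for root from 203.0.113.7 port 40004 ssh2
Mar 30 17:02:05 ecs-demo sshd[4105]: Failed password for invalid user test from 203.0.113.7 port 40005 ssh2
Mar 30 17:03:00 ecs-demo sshd[4106]: Accepted password for alice from 198.51.100.20 port 51000 ssh2
Mar 30 17:05:00 ecs-demo sshd[4107]: Failed password for alice from 198.51.100.20 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_failed_logins(lines, year=2017):
    """Return (timestamp, source_ip, user) for every failed SSH login line.

    Syslog timestamps carry no year, so the caller supplies one.
    """
    events = []
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"]))
    return events


def detect_brute_force(events, interval=INTERVAL_SECONDS,
                       threshold=LOGIN_ATTEMPTS):
    """Record an alarm when one source reaches `threshold` failures
    within `interval` seconds (sliding window per source IP)."""
    windows = defaultdict(deque)
    alarms = []
    for ts, ip, _user in sorted(events):
        window = windows[ip]
        window.append(ts)
        # Drop attempts that have fallen out of the interval.
        while (ts - window[0]).total_seconds() > interval:
            window.popleft()
        if len(window) >= threshold:
            alarms.append({"ip": ip, "first": window[0], "last": ts,
                           "attempts": len(window)})
            window.clear()  # start counting again after the alarm
    return alarms


def parse_protected_ports(value):
    """Validate a "Protected port" string: comma-separated ports, at most
    100 characters (limits from the guide). Rejecting whitespace and
    out-of-range numbers is an assumption of this example."""
    if not value or len(value) > 100:
        raise ValueError("port list must be 1-100 characters long")
    ports = []
    for item in value.split(","):
        if not re.fullmatch(r"[0-9]{1,5}", item) or not 1 <= int(item) <= 65535:
            raise ValueError(f"invalid port: {item!r}")
        ports.append(int(item))
    return ports


if __name__ == "__main__":
    for alarm in detect_brute_force(parse_failed_logins(SAMPLE_LOG.splitlines())):
        print(alarm)
    print(parse_protected_ports("21,2121"))
```

In the sample, the source that spreads five failures 11 minutes apart never triggers with the 600-second interval, which shows why the interval and the threshold have to be tuned together.
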

2.5 Performing a Manual Scan

HID provides the manual scan function. You can perform a manual scan to detect weak passwords, database process permissions, and website backdoor files.

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection.

Step 2 In the row containing the ECS you want to scan, click Manual scan, as shown in Figure 2-6.

Figure 2-6 Starting a manual scan

Step 3 In the dialog box that is displayed, click OK to start the scan.

If Scan status of the ECS becomes Scan completed, the scan is completed and you can choose more > Scan details to view the scan report.

----End

2.6 Viewing Reports

Viewing the Detection Report About One ECS

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection.

Step 2 On the ECS list page, find the ECS the report of which you want to view. In the row containing the ECS, click View reports. The report page is displayed, as shown in Figure 2-7.


Figure 2-7 Report about one ECS

----End

Viewing the Detection Report About All ECSs

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection. On the displayed page, click Detection report.

Step 2 Check detection statistics on the displayed page. The page displays detection statistics in the last seven days about all your ECSs for which HID has been enabled, as shown in Figure 2-8.

Figure 2-8 Report about all ECSs

Step 3 Click at the upper right corner to view the list of detection statistics in the last seven days about all your ECSs, as shown in Figure 2-9.


Figure 2-9 List of detection statistics about all ECSs

----End

Viewing a Manual Scan Report

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection.

Step 2 On the ECS list page, find the ECS the Scan status of which is Scan completed. In the row containing the ECS, choose More > Scan details, as shown in Figure 2-10.

Figure 2-10 Scan details

----End

2.7 Disabling HID

You can disable HID if you do not need it.

Step 1 Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection.

Step 2 On the ECS list page, find the ECS for which you want to disable HID. Confirm that ECS detection status of the ECS is Normal.

Step 3 Choose more > Disable detection. Then click OK to disable HID.

Figure 2-11 Disabling HID

----End


2.8 Uninstalling an HID Client

Uninstalling an HID Client from an ECS Running Linux

Step 1 Log in to the ECS from which you want to uninstall the HID client.

Step 2 Run the following command to switch to the installation directory:

cd client installation directory

For example, if the client installation directory is /etc/HwCloudAgent_linux32, run the following command:

cd /etc/HwCloudAgent_linux32

Step 3 Run the following command to uninstall the client:

./uninstall.py

If the following information is displayed, the client has been uninstalled:

[root@ecs-bef4 HwCloudAgent_linux64]# ./uninstall.py
Start uninstall..
Stop the application..
Uninstall file..
Uninstall completely!

----End

Uninstalling an HID Client from an ECS Running Windows

Step 1 Log in to the ECS from which you want to uninstall the HID client.

Step 2 Go to the client installation directory and double-click uninst.exe to uninstall the client.

Step 3 In the dialog box asking you to confirm, click Yes.

Step 4 Click Close after the client is completely uninstalled.

----End


3 FAQs

3.1 Does HID Charge Fees?

No, HID is free of charge.

3.2 How Do I Enable HID?

You can enable HID in the following three steps:

1. Download the HID client and upload it to your ECS.

2. Log in to your ECS and install the client.

  – In Linux: Install the client as user root. After the installation, the client runs automatically.

  – In Windows: Install the client as user Administrator. After the installation, the client runs automatically.

3. Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection. On the ECS list page, click Enable detection in the row containing the desired ECS.

3.3 What Should I Do When the Client Running Status Is Abnormal?

Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection. On the ECS list page, check the running status of the HID client. If ECS detection status is Abnormal, the client has been successfully installed and HID has been enabled, but the client is not communicating properly with the server.

Possible causes: The network is faulty or the client process is abnormal.

Handling methods:

• If the network is faulty, ECS detection status will automatically change to Normal after the network recovers. No operation is required.


• If ECS detection status remains Abnormal for a long period of time, log in to the ECS and restart/re-install the HID client.

3.4 How Do I Start a Manual Scan?

1. Log in to the management console and choose Security > Product Center of Partners > Host Intrusion Detection. The ECS list page is displayed.

2. In the row containing the ECS for which you want to start a manual scan, click Manual scan.

3. If Scan status of an ECS is Scan completed, choose More > Scan details to view the scan report.

3.5 How Should I Handle an Intrusion Alarm?

Currently, HID provides only basic detection and alarm services. It is not capable of automatically repairing vulnerabilities. Therefore, for an alarm generated from a detection or scan, you need to modify the corresponding configuration of your ECS, for example, change a detected weak password to a strong one.


A Change History

Released On   Description
2017-03-30    This is the third official release.
              • Added section Accessing and Using HID.
              • Modified the description about the HID navigation path change in section Management.
2016-09-30    This is the second official release.
              Added section Enabling Alarm Notification.
2016-08-25    This is the first official release.
