
          Hosteye Security Agent

          Login Management

          The hosteye security agent of Baidu AI Cloud is the first to apply Baidu AI Cloud's advanced AI algorithms. It automatically analyzes users' normal host login habits in the cloud by collecting their daily login logs. When a brute force attack or abnormal login occurs, the security agent can quickly identify and deny the source IP of the attack. When it detects that a cloud server has been successfully cracked by brute force, or that a login comes from an abnormal address, a security alarm is triggered immediately. To set alarm notifications, see Alarm Setting.

          Preconditions

          The login management function relies on the Baidu host security components. As shown in the following figure, if "Offline" is displayed for a cloud server's security components, the security components inside that cloud server are not working properly. For specific operations, see Installation Guide for Security Components.

          image.png

          Operation steps

          1. Log in to Baidu AI Cloud Console.
          2. Select "Product Services > Security and Management > Hosteye Security Agent" to enter the login management page.
          3. Click "Setting" in the navigation bar on the left, and select the "Login Management Setting" tab.

            image.png

          4. Click "Add to Whitelist" to complete the following two things:

            • Fill in the IP address.
            • Select the cloud server to which the entered IP address applies.

            image.png

          5. Return to the "Login Management" page, where you can view the following for each cloud server over the last 7 days:

            • Number of brute force interceptions
            • Number of remote logins detected
            • View Details

            image.png

          Details of login events

          1. On the Login Management page, click "View Details" for the cloud server instance to be inspected.

            image.png

          2. On the Login Details page, view the trend and the details of the login events.

          image.png

          3. Operations on login events:

            • For brute force source IPs that were automatically denied by the cloud policy, you can click the "Unblock" button to unblock them.
            • For an ordinary login or a remote login, you can add the source IP to the whitelist with one click.

          image.png

          Website Backdoor

          The security agent of Baidu AI Cloud uses a Webshell detection and removal engine developed in-house by Baidu. Combined with the massive security data analysis capability of Baidu AI Cloud, it forms a cloud + endpoint detection and removal system and supports detection for multiple web services, including Apache, IIS, Nginx and Tomcat.

          Preconditions

          This function relies on the Baidu host security components. For specific operations, see Installation Guide for Security Components.

          Operation steps

          1. Log in to Baidu AI Cloud Console.
          2. Select "Product Services > Security and Management > Hosteye Security Agent" to enter the hosteye security agent service.
          3. Click "Setting" in the navigation bar on the left, and select the "Website Backdoor Setting" tab.

            image.png

          4. Click "Edit" to complete the following two things:

            • Add a web path. Currently, web paths can be identified automatically by the system and can also be added manually by the user.
            • Turn on the cloud detection and removal function, which is disabled by default.

            image.png

          5. After editing, click "OK".
          6. Return to the "Website Backdoor" page, and check the information on the website backdoors detected.
          7. The following operations are available for detected backdoor files:

            • Ignore: The security agent of Baidu AI Cloud will no longer report this backdoor file.
            • Quarantine: Move this backdoor file to the quarantine region (note: the backdoor file is not deleted).
            • Restore: If a file was quarantined by mistake, you can restore it through this operation.

          Security Baseline

          The security baseline check of Baidu AI Cloud checks the cloud server for risks in system configuration, Web service configuration, database configuration and account password configuration, and provides repair suggestions for the risks detected. Check tasks can be issued manually for immediate execution or configured as scheduled scanning tasks. The system provides default check rules, and users can also configure custom check rules based on the type of cloud server, which makes the checks accurate, flexible and controllable.

          Preconditions

          This function relies on the Baidu host security components. For specific operations, see Installation Guide for Security Components.

          Operation steps

          1. Log in to Baidu AI Cloud Console.
          2. Select "Product Services > Security and Management > Hosteye Security Agent" to enter the hosteye security agent service.
          3. Click "Setting" in the navigation bar on the left, and select the "Baseline Check Setting" tab.

            Note:

            The security baseline function comes with default check rules and a default check time, and users can also configure custom check rules and check times.

            • Default check rules in the system: can be viewed and edited, but not deleted.
            • Custom check rules: can be viewed, edited and deleted.

            image.png

          4. Click the "Create Check Rules" button and configure the following:

            • Custom rule name
            • Check items
            • Effective server

            Note: One cloud server can have only one baseline check rule. In the initial state, the default check rules are in effect on all cloud servers. To bind a cloud server to a custom check rule, you must first unbind it from the default check rule.

            image.png

            After editing, click "confirm".

            image.png

          5. On the "Baseline Check Setting" tab, you can view the check rules created.

          Trigger detection

          The system enables baseline checking by default. Detection can be triggered in two ways: periodic detection and manually issued detection.

          The check results include: risk description, number of servers affected, risk level, rule type and the time the risk was last discovered.

          Note: The check result list displays only the most recent check result, which is replaced by the next check result.

          • Periodic detection: On the Baseline Check Setting page, click the "Check Time Setting" button to configure the periodic check.

            image.png

          • Manually issued detection: Click "Security Baseline" in the navigation bar on the left to enter the security baseline page, and click the "Check Now" button to issue the check task.

            image.png

          Risk details

          1. On the Security Baseline page, click the risk item in the risk description list.
          2. On the details page, you can view the following information about the risk:

            • Basic details: rule description, risk level, the time the risk was last discovered, and repair suggestions for this risk item
            • List of servers associated with the risk