Using Features

2023-11-13 06:17:22

After the agent is installed, you can use the features of Server Security Defender.

(1) On the Asset Inventory page, you can view the asset inventory information about your server, including the account, process, port, web service, and database information.

(2) On the Risk Discovery > Overview page, you can obtain an overview of risks on your server, including the risk item statistics, risk distribution, and risk trends.

(3) In the Risk Discovery module, you can use features such as security patches, vulnerability detection, weak password check, application risk detection, system risk detection, and account risk detection. You can view the risk information by risk dimension or by host.

  • Security patches: performs regular automated checks on security patches, and provides detailed patch descriptions and remediation plans.

  • Vulnerability detection: performs accurate local analysis of vulnerabilities, including proof of concept (POC) verification and version-based vulnerability detection. It provides detailed vulnerability information such as Common Vulnerability Scoring System (CVSS) scores, and supports checking the impact of vulnerability remediation. It also suggests the commands to use to remediate vulnerabilities.

  • Weak password check: performs automated checks that identify weak passwords by matching account passwords against a dictionary of easily guessable passwords. You can customize the weak password dictionary.

  • Application risk detection: detects configuration risks of commonly used applications on the critical attack paths in Linux.

  • System risk detection: detects security risks caused by system configurations in Linux.

  • Account risk detection: detects security risks caused by account configurations in Linux.

(4) In the Intrusion Detection module, you can detect the following types of intrusions: brute force attack, abnormal login, reverse shell, local privilege escalation, backdoor detection, web backdoor, suspicious operations, and web command execution.

  • Brute force attack: monitors brute force attack behaviors on the host in real time, and allows you to block the source IP address from which the brute force attack is launched. Both automatic blocking and manual blocking are supported. You can also set a trustlist.

  • Abnormal login: monitors abnormal login behaviors in real time by identifying abnormal IP addresses, regions, and login time. Before using this feature, you must set rules for normal logins. Otherwise, the abnormal login detection feature does not work as expected and cannot monitor abnormal login behaviors. Both blocking and unblocking are supported.

  • Reverse shell: monitors reverse connections to the host in real time and provides detailed records of attacks. You can set trustlist rules and block reverse shell attack behaviors.

  • Local privilege escalation: monitors privilege escalation in processes in real time and offers detailed records.

  • Backdoor detection: accurately detects backdoor programs in the system, and provides detailed analysis reports on the backdoor programs and remediation suggestions.

  • Web backdoor: supports real-time monitoring and identifies web backdoors from multiple dimensions. Multiple detection mechanisms are supported, including rule matching, similarity matching, sandbox detection, and pattern analysis engine detection.

  • Suspicious operations: audits Bash commands in real time to detect suspicious hacker operations. You can create custom audit rules.

  • Web command execution: detects web remote code execution (RCE) attacks and abnormal process execution events.
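To make the brute force item above concrete, here is an added example (not the product's own code, whose rule format and thresholds the page does not show) that runs a threshold-within-window check over constructed sshd log lines and exempts trustlisted networks, the same way automatic blocking with a trustlist works in principle; the threshold, window, year and sample addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample sshd log lines (not real data): two noisy sources and one quiet one.
SAMPLE_LOG = """\
Nov 13 06:10:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50110 ssh2
Nov 13 06:10:03 web01 sshd[2102]: Failed password for root from 203.0.113.7 port 50112 ssh2
Nov 13 06:10:05 web01 sshd[2103]: Failed password for admin from 203.0.113.7 port 50114 ssh2
Nov 13 06:11:00 web01 sshd[2110]: Failed password for ops from 198.51.100.5 port 40001 ssh2
Nov 13 06:11:02 web01 sshd[2111]: Failed password for ops from 198.51.100.5 port 40002 ssh2
Nov 13 06:11:04 web01 sshd[2112]: Failed password for ops from 198.51.100.5 port 40003 ssh2
Nov 13 06:12:00 web01 sshd[2120]: Failed password for dev from 192.0.2.9 port 30001 ssh2
"""

FAILED_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                       r"Failed password for (?:invalid user )?(\S+) from (\S+) port")

def parse_failures(log_text, year=2023):
    """Yield (timestamp, user, source_ip) per failed-password line; syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def is_trusted(ip, trustlist):
    """True if ip lies inside any trustlisted network (CIDR or single address)."""
    addr = ip_address(ip)
    return any(addr in ip_network(net, strict=False) for net in trustlist)

def brute_force_sources(log_text, threshold=3, window_seconds=60, trustlist=()):
    """Return {source_ip: total_failures} for sources with >= threshold failures inside window_seconds."""
    by_ip = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        if not is_trusted(ip, trustlist):  # trustlisted sources are never block candidates
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        # Sliding window: compare each failure with the one threshold-1 events earlier.
        for i in range(threshold - 1, len(times)):
            if (times[i] - times[i - threshold + 1]).total_seconds() <= window_seconds:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG, trustlist=("198.51.100.0/24",)))
```

The returned addresses are block candidates; with the trustlist applied, only 203.0.113.7 remains, and lowering the window below the spacing of the failures flags nothing.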

(5) In the Anti-virus module, you can set the anti-virus engine and the processing method. Both automatic and manual processing of viruses detected on one or more servers are supported.

(6) In the Compliance Baseline module, you can set baseline check tasks according to the baseline requirements of Classified Protection of Cybersecurity of China and the Center for Internet Security (CIS). You can also perform scheduled baseline check tasks and export the check results.
