CN113065161A - Security control method and device for Redis database - Google Patents


Info

Publication number
CN113065161A
Authority
CN
China
Prior art keywords
client
information
access
redis database
redis
Prior art date
Legal status
Pending
Application number
CN202110430327.2A
Other languages
Chinese (zh)
Inventor
赵云鹏
于海龙
陈龙
郎耀亮
Current Assignee
Hunan Happly Sunshine Interactive Entertainment Media Co Ltd
Original Assignee
Hunan Happly Sunshine Interactive Entertainment Media Co Ltd
Priority date
2021-04-21
Filing date
2021-04-21
Publication date
2021-07-02

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/44 Program or device authentication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a security control method and device for a Redis database. In response to a received connection establishment request initiated by a client, the IP information of the client is acquired; based on the client's IP information it is judged whether the client belongs to the clients allowed access, and if so, the client is allowed to access the Redis database; if not, the client's connection establishment request is intercepted so that the client cannot access the Redis database. The invention restricts client access to the Redis database by configured IP information, performs the authentication check before the client's user name and password are obtained, needs no support from other proxy servers or software and hardware, performs access control directly through the relevant components of the Redis database server, and improves the security of the Redis database without affecting its performance.

Description

Security control method and device for Redis database
Technical Field
The invention relates to the technical field of databases, in particular to a security control method and device for a Redis database.
Background
Redis is a commonly used in-memory database. When the address, port and other related information of the Redis database are known, any user has the authority to operate the database, which leads to the problem of low security of the Redis database.
To improve the security of the Redis database, a password is currently generally set on the database, or firewalls, proxy services and the like are used to protect or authenticate access. However, the existing methods suffer from passwords that are easily stolen and from a negative effect on the performance of the Redis database, so the performance requirement for improving the security of the Redis database cannot be met.
Disclosure of Invention
In view of the above problems, the present invention provides a method and an apparatus for security control of a Redis database, which improve the security of the Redis database without affecting its performance.
In order to achieve the purpose, the invention provides the following technical scheme:
a security control method for a Redis database, applied to a server of the Redis database, comprising the following steps:
in response to a received connection establishment request initiated by a client, acquiring the IP information of the client;
judging, based on the client's IP information, whether the client belongs to the clients allowed access, and if so, allowing the client to access the Redis database;
if not, intercepting the client's connection establishment request so that the client cannot access the Redis database.
Optionally, the method further comprises:
acquiring the IP information and port information of the client and constructing a client information structure;
wherein judging whether the client belongs to the clients allowed access based on the client's IP information comprises:
judging whether the client belongs to the clients allowed access based on the client information structure.
Optionally, judging whether the client belongs to the clients allowed access based on the client's IP information comprises:
querying the client's IP information against pre-created file information to obtain a query result;
and judging whether the client belongs to the clients allowed access based on the query result.
Optionally, the method further comprises:
creating the file information, wherein the file information records the client IP information allowed to access the Redis database and the client information denied access to the Redis database.
Optionally, the method further comprises:
when the client is allowed to access the Redis database, acquiring identity information of the client;
determining the access rights of the client based on the identity information;
determining the data accessible to the client in the Redis database based on the client's access rights;
and controlling the client to access the accessible data of the Redis database.
A security control device for a Redis database, applied to a server of the Redis database, comprising:
a first acquisition unit, configured to acquire the IP information of a client in response to a received connection establishment request initiated by the client;
a judging unit, configured to judge, based on the client's IP information, whether the client belongs to the clients allowed access, and if so, allow the client to access the Redis database; if not, intercept the client's connection establishment request so that the client cannot access the Redis database.
Optionally, the apparatus further comprises:
a second acquisition unit, configured to acquire the IP information and port information of the client and construct the client information structure;
wherein the judging unit comprises:
a first judging subunit, configured to judge whether the client belongs to the clients allowed access based on the client information structure.
Optionally, the judging unit comprises:
a query subunit, configured to query the client's IP information against pre-created file information to obtain a query result;
and a second judging subunit, configured to judge whether the client belongs to the clients allowed access based on the query result.
Optionally, the apparatus further comprises:
a creating unit, configured to create the file information, wherein the file information records the client IP information allowed to access the Redis database and the client information denied access to the Redis database.
Optionally, the apparatus further comprises:
a third acquisition unit, configured to acquire the identity information of the client when the client is allowed to access the Redis database;
a first determining unit, configured to determine the access rights of the client based on the identity information;
a second determining unit, configured to determine, based on the client's access rights, the data accessible to the client in the Redis database;
and a control unit, configured to control the client to access the accessible data of the Redis database.
Compared with the prior art, the security control method and device for a Redis database provided by the invention acquire the IP information of a client in response to a received connection establishment request initiated by the client; judge, based on the client's IP information, whether the client belongs to the clients allowed access, and if so, allow the client to access the Redis database; if not, intercept the client's connection establishment request so that the client cannot access the Redis database. The invention restricts client access to the Redis database by configured IP information, performs the authentication check before the client's user name and password are obtained, needs no support from other proxy servers or software and hardware, performs access control directly through the relevant components of the Redis database server, and improves the security of the Redis database without affecting its performance.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the provided drawings without creative efforts.
Fig. 1 is a schematic flowchart of a security control method for a Redis database according to an embodiment of the present invention;
fig. 2 is a schematic diagram of the Redis connection-establishment code analysis provided in an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a security control device for a Redis database according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The terms "first", "second" and the like in the description, claims and drawings of the present invention are used to distinguish between different objects and not to describe a particular order. Furthermore, the terms "comprising" and "having", and any variations thereof, are intended to cover non-exclusive inclusion. For example, a process, method, system, article or apparatus that comprises a list of steps or elements is not limited to the listed steps or elements but may include steps or elements not listed.
The embodiment of the invention provides a security control method for a Redis database. By analyzing the Redis source code, the relevant function with which the server processes a client request is located, and the IP address of the client is acquired there. A self-developed component for client IP authentication is written, and the Redis code is modified so that the extension component determines whether the client IP is allowed access. Concretely, the part of network.c in the Redis source code that controls the establishment of client connections is modified, an independent module is added for that part, and the function of the self-developed extension component is called from it. In this process the invention is designed mainly to authenticate client access according to the IP address: the source IP address is checked before the user name, password and the like are exchanged, which improves security.
Referring to fig. 1, a flowchart of a security control method for a Redis database according to an embodiment of the present invention is shown. The method is applied to a server of the Redis database, so that preliminary authentication can be implemented without relying on a third-party proxy service, and specifically includes the following steps:
S101, in response to a received connection establishment request initiated by a client, acquiring the IP information of the client;
S102, judging, based on the client's IP information, whether the client belongs to the clients allowed access; if so, executing S103, and if not, executing S104;
S103, allowing the client to access the Redis database;
S104, intercepting the client's connection establishment request so that the client cannot access the Redis database.
Correspondingly, a client information structure may also be constructed: the IP information and port information of the client are acquired and the client information structure is built from them. It is then judged, based on the client information structure, whether the client belongs to the clients allowed access.
To facilitate authentication of the client's IP information, in one possible implementation of the invention the IP information may be analyzed directly to determine whether there are signs of spoofing, or pre-created file information may be used for comparison: the client's IP information is queried against the pre-created file information to obtain a query result, and whether the client belongs to the clients allowed access is judged based on the query result.
Correspondingly, an embodiment of the present application further provides a method for creating the file information, including:
creating the file information, wherein the file information records the client IP information allowed to access the Redis database and the client information denied access to the Redis database.
To further ensure the security of the database, after the IP has been authenticated the identity information of the client can also be authenticated; this process includes:
when the client is allowed to access the Redis database, acquiring the identity information of the client;
determining the access rights of the client based on the identity information;
determining the data accessible to the client in the Redis database based on the client's access rights;
and controlling the client to access the accessible data of the Redis database.
The identity information of the client may include an identifier that uniquely represents the client, or an identifier that uniquely represents the user using the client, such as a number or an ID; the command information of a command may include an identifier that uniquely represents the command, such as the command's name or number.
Referring to fig. 2, a schematic diagram of the Redis connection-establishment code analysis provided by an embodiment of the present invention is shown. The specific process includes:
(1) The Redis client initiates a request to establish a connection.
(2) After receiving the connection establishment request, the Redis server calls network.c to process the client's connection establishment and at the same time acquires the client's IP.
(3) network.c calls the self-developed extension component and passes it the client IP and port, from which a client information structure is constructed; the client information structure comprises the client IP address and port number.
(4) The self-developed extension component constructs the client information structure from the parameters passed in by Redis's network.c.
(5) A function inside the self-developed component reads the contents of the "/etc/hosts.allow" and "/etc/hosts.deny" files.
(6) The component judges whether access is allowed and returns the result to Redis.
(7) Redis controls whether the client is allowed access according to the result returned by the self-developed component.
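The decision logic of steps (2) to (7), written out in C (the language of Redis's network.c) as an added illustration that is not code from the patent or from the Redis project. The service tag "redis", the hook function on_client_connect, the embedded sample hosts.allow/hosts.deny contents, the CIDR "a.b.c.d/n" rule form and the hosts_access-style precedence (an allow match permits, otherwise a deny match rejects, otherwise access is permitted) are all assumptions of the example; the patent does not specify the file format or precedence its component uses.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical service tag used in "daemon: client" rule lines; an
 * assumption of this example, not the patent's or Redis's naming. */
#define SERVICE_NAME "redis"

/* Constructed sample contents standing in for /etc/hosts.allow and
 * /etc/hosts.deny (step (5)); embedded so the example runs offline. */
static const char *SAMPLE_ALLOW =
    "# application network and one admin host (constructed sample)\n"
    "redis: 10.0.0.0/8\n"
    "redis: 192.168.1.5\n";
static const char *SAMPLE_DENY =
    "redis: ALL\n";

/* Client information structure of steps (3)/(4): IP address and port. */
typedef struct {
    char ip[INET_ADDRSTRLEN];
    int port;
} client_info_t;

/* Parse "a.b.c.d" or "a.b.c.d/n" into a network (host byte order) and a
 * prefix length. Returns 1 on success, 0 if the rule is malformed. */
static int parse_rule(const char *s, uint32_t *net, int *prefix) {
    char buf[64], *slash;
    struct in_addr a;
    size_t n = strlen(s);
    if (n == 0 || n >= sizeof(buf)) return 0;
    memcpy(buf, s, n + 1);
    *prefix = 32;
    slash = strchr(buf, '/');
    if (slash) {
        *slash = '\0';
        if (sscanf(slash + 1, "%d", prefix) != 1 || *prefix < 0 || *prefix > 32) return 0;
    }
    if (inet_pton(AF_INET, buf, &a) != 1) return 0;
    *net = ntohl(a.s_addr);
    return 1;
}

/* Does the rule's client field cover address ip? "ALL" matches everything;
 * a malformed rule matches nothing, so a typo in a file never opens access. */
static int rule_matches(const char *client, uint32_t ip) {
    uint32_t net, mask;
    int prefix;
    if (strcmp(client, "ALL") == 0) return 1;
    if (!parse_rule(client, &net, &prefix)) return 0;
    mask = (prefix == 0) ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (ip & mask) == (net & mask);
}

/* Scan one file's contents for a "SERVICE_NAME: client" line covering ip.
 * Comment lines ('#') and lines for other services are ignored. */
static int file_matches(const char *contents, uint32_t ip) {
    const char *p = contents;
    while (*p) {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[128], svc[32], client[64];
        if (len < sizeof(line)) {
            memcpy(line, p, len);
            line[len] = '\0';
            if (line[0] != '#' &&
                sscanf(line, "%31[^:]: %63s", svc, client) == 2 &&
                strcmp(svc, SERVICE_NAME) == 0 && rule_matches(client, ip))
                return 1;
        }
        if (!eol) break;
        p = eol + 1;
    }
    return 0;
}

/* Steps (5)-(6): allow match permits, else deny match rejects, else permit.
 * An address that cannot be parsed is rejected. Returns 1 = allow, 0 = deny. */
int client_allowed(const char *allow_contents, const char *deny_contents,
                   const client_info_t *info) {
    struct in_addr a;
    uint32_t ip;
    if (inet_pton(AF_INET, info->ip, &a) != 1) return 0;
    ip = ntohl(a.s_addr);
    if (file_matches(allow_contents, ip)) return 1;
    if (file_matches(deny_contents, ip)) return 0;
    return 1;
}

/* Stand-in for the hook network.c would call at connection establishment
 * (steps (2)-(7)), before any AUTH exchange: build the structure, decide. */
int on_client_connect(const char *client_ip, int client_port) {
    client_info_t info;
    snprintf(info.ip, sizeof(info.ip), "%s", client_ip);
    info.port = client_port;
    return client_allowed(SAMPLE_ALLOW, SAMPLE_DENY, &info);
}

int main(void) {
    const char *probes[] = {"10.1.2.3", "192.168.1.5", "192.168.1.6", "8.8.8.8", "not-an-ip"};
    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++)
        printf("%-12s -> %s\n", probes[i], on_client_connect(probes[i], 54321) ? "allow" : "deny");
    return 0;
}
```

Two properties worth checking in any real implementation of this scheme: a malformed rule or an unparsable client address must fail closed (here both lead to a deny), and the check must sit at connection acceptance so that a rejected source never reaches the user name and password exchange the patent describes. The example also shows the IP range ("IP section") support the description mentions through the /n prefix form. Note that stock Redis already offers the bind and protected-mode settings for limiting which interfaces accept connections; the patent's component adds a per-source-address decision on top of that.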
The embodiment of the invention provides a security control method and device for a Redis database, which acquire the IP information of a client in response to a received connection establishment request initiated by the client; judge, based on the client's IP information, whether the client belongs to the clients allowed access, and if so, allow the client to access the Redis database; if not, intercept the client's connection establishment request so that the client cannot access the Redis database. The method supports restricting access to the Redis host by configured IPs and IP ranges, allows entries to be added to and deleted from the preset client IP file information dynamically, and does not affect database efficiency under high concurrency. Compared with other existing Redis security control techniques, the security enhancement based on the source IP is more prominent: the authentication check is already performed before the user name and password are exchanged with Redis. Native Redis can be used directly without any proxy or other software or hardware, and from the user's perspective it is no different from the original Redis.
An embodiment of the present invention further provides a security control device for a Redis database, applied to a server of the Redis database as shown in fig. 3, which includes:
a first acquisition unit 10, configured to acquire the IP information of a client in response to a received connection establishment request initiated by the client;
a judging unit 20, configured to judge, based on the client's IP information, whether the client belongs to the clients allowed access, and if so, allow the client to access the Redis database; if not, intercept the client's connection establishment request so that the client cannot access the Redis database.
On the basis of the above embodiment, the apparatus further includes:
a second acquisition unit, configured to acquire the IP information and port information of the client and construct the client information structure;
wherein the judging unit includes:
a first judging subunit, configured to judge whether the client belongs to the clients allowed access based on the client information structure.
On the basis of the above embodiment, the judging unit includes:
a query subunit, configured to query the client's IP information against pre-created file information to obtain a query result;
and a second judging subunit, configured to judge whether the client belongs to the clients allowed access based on the query result.
On the basis of the above embodiment, the apparatus further includes:
a creating unit, configured to create the file information, wherein the file information records the client IP information allowed to access the Redis database and the client information denied access to the Redis database.
On the basis of the above embodiment, the apparatus further includes:
a third acquisition unit, configured to acquire the identity information of the client when the client is allowed to access the Redis database;
a first determining unit, configured to determine the access rights of the client based on the identity information;
a second determining unit, configured to determine, based on the client's access rights, the data accessible to the client in the Redis database;
and a control unit, configured to control the client to access the accessible data of the Redis database.
The invention provides a security control device for a Redis database, in which the first acquisition unit acquires the IP information of a client in response to a received connection establishment request initiated by the client, and the judging unit judges, based on the client's IP information, whether the client belongs to the clients allowed access; if so, it allows the client to access the Redis database, and if not, it intercepts the client's connection establishment request so that the client cannot access the Redis database. The invention restricts client access to the Redis database by configured IP information, performs the authentication check before the client's user name and password are obtained, needs no support from other proxy servers or software and hardware, performs access control directly through the relevant components of the Redis database server, and improves the security of the Redis database without affecting its performance.
The embodiments in the present description are described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments are referred to each other. The device disclosed by the embodiment corresponds to the method disclosed by the embodiment, so that the description is simple, and the relevant points can be referred to the method part for description.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the invention. Thus, the present invention is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A security control method for a Redis database, characterized in that it is applied to a server of the Redis database and comprises the following steps:
in response to a received connection establishment request initiated by a client, acquiring the IP information of the client;
judging, based on the client's IP information, whether the client belongs to the clients allowed access, and if so, allowing the client to access the Redis database;
if not, intercepting the client's connection establishment request so that the client cannot access the Redis database.
2. The method of claim 1, further comprising:
acquiring the IP information and port information of the client and constructing a client information structure;
wherein judging whether the client belongs to the clients allowed access based on the client's IP information comprises:
judging whether the client belongs to the clients allowed access based on the client information structure.
3. The method of claim 1, wherein judging whether the client belongs to the clients allowed access based on the client's IP information comprises:
querying the client's IP information against pre-created file information to obtain a query result;
and judging whether the client belongs to the clients allowed access based on the query result.
4. The method of claim 3, further comprising:
creating the file information, wherein the file information records the client IP information allowed to access the Redis database and the client information denied access to the Redis database.
5. The method of claim 1, further comprising:
when the client is allowed to access the Redis database, acquiring identity information of the client;
determining the access rights of the client based on the identity information;
determining the data accessible to the client in the Redis database based on the client's access rights;
and controlling the client to access the accessible data of the Redis database.
6. A security control device for a Redis database, characterized in that it is applied to a server of the Redis database and comprises:
a first acquisition unit, configured to acquire the IP information of a client in response to a received connection establishment request initiated by the client;
a judging unit, configured to judge, based on the client's IP information, whether the client belongs to the clients allowed access, and if so, allow the client to access the Redis database; if not, intercept the client's connection establishment request so that the client cannot access the Redis database.
7. The apparatus of claim 6, further comprising:
a second acquisition unit, configured to acquire the IP information and port information of the client and construct a client information structure;
wherein the judging unit comprises:
a first judging subunit, configured to judge whether the client belongs to the clients allowed access based on the client information structure.
8. The apparatus of claim 6, wherein the judging unit comprises:
a query subunit, configured to query the client's IP information against pre-created file information to obtain a query result;
and a second judging subunit, configured to judge whether the client belongs to the clients allowed access based on the query result.
9. The apparatus of claim 8, further comprising:
a creating unit, configured to create the file information, wherein the file information records the client IP information allowed to access the Redis database and the client information denied access to the Redis database.
10. The apparatus of claim 6, further comprising:
a third acquisition unit, configured to acquire the identity information of the client when the client is allowed to access the Redis database;
a first determining unit, configured to determine the access rights of the client based on the identity information;
a second determining unit, configured to determine, based on the client's access rights, the data accessible to the client in the Redis database;
and a control unit, configured to control the client to access the accessible data of the Redis database.
Application CN202110430327.2A, priority date 2021-04-21, filing date 2021-04-21, "Security control method and device for Redis database", status Pending, published as CN113065161A (en)


Publications (1)

Publication Number Publication Date
CN113065161A true CN113065161A (en) 2021-07-02

Family

ID=76567277


Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114564739A (en) * 2022-02-14 2022-05-31 浙江惠瀜网络科技有限公司 Method and device for preventing illegal acquisition of index source code of coded file

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102722667A (en) * 2012-03-07 2012-10-10 甘肃省电力公司信息通信公司 Database security protection system and method based on virtual databases and virtual patches
CN103310161A (en) * 2012-03-14 2013-09-18 北京海泰方圆科技有限公司 Protection method and system for database system
CN103425940A (en) * 2013-08-16 2013-12-04 广东电网公司中山供电局 Database safety reinforcing method and device
CN109088875A (en) * 2018-08-24 2018-12-25 郑州云海信息技术有限公司 A kind of access authority method of calibration and device
CN110489996A (en) * 2019-07-31 2019-11-22 山东三未信安信息科技有限公司 A kind of database data method for managing security and system
CN111090882A (en) * 2019-12-18 2020-05-01 北京浪潮数据技术有限公司 Operation control method, device and equipment for redis database
CN112351015A (en) * 2020-10-28 2021-02-09 广州助蜂网络科技有限公司 Gateway control method based on API



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (application publication date: 20210702)