CN114124558B - Operation response method, device, electronic equipment and computer readable storage medium - Google Patents
Operation response method, device, electronic equipment and computer readable storage medium Download PDFInfo
- Publication number
- CN114124558B CN114124558B CN202111443278.2A CN202111443278A CN114124558B CN 114124558 B CN114124558 B CN 114124558B CN 202111443278 A CN202111443278 A CN 202111443278A CN 114124558 B CN114124558 B CN 114124558B
- Authority
- CN
- China
- Prior art keywords
- port
- operation request
- host
- host machine
- preset
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 230000004044 response Effects 0.000 title claims abstract description 67
- 238000000034 method Methods 0.000 title claims abstract description 56
- 244000035744 Hura crepitans Species 0.000 claims abstract description 105
- 238000001914 filtration Methods 0.000 claims abstract description 53
- 241000700605 Viruses Species 0.000 claims description 13
- 238000013507 mapping Methods 0.000 claims description 10
- 238000004590 computer program Methods 0.000 claims description 8
- 238000001514 detection method Methods 0.000 claims description 7
- 238000012545 processing Methods 0.000 description 11
- 238000010586 diagram Methods 0.000 description 8
- 238000004891 communication Methods 0.000 description 5
- 230000006870 function Effects 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 3
- 235000012907 honey Nutrition 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 238000012423 maintenance Methods 0.000 description 2
- 230000008569 process Effects 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 230000009286 beneficial effect Effects 0.000 description 1
- 239000003795 chemical substances by application Substances 0.000 description 1
- 230000001419 dependent effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000006872 improvement Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000009191 jumping Effects 0.000 description 1
- 230000002787 reinforcement Effects 0.000 description 1
- 230000008439 repair process Effects 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1433—Vulnerability analysis
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/16—Obfuscation or hiding, e.g. involving white box
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Computer And Data Communications (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The application provides an operation response method, an operation response device, electronic equipment and a computer readable storage medium. The method comprises the following steps: receiving an operation request of a user terminal to a host machine through a first port in a preset sand box in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance; filtering and authenticating the operation request through a first packet filtering firewall and a first authentication strategy in a preset sandbox; and after the operation request passes the filtering authentication of the preset sandbox, receiving the operation request through a second port corresponding to the first port in the host machine, and responding to the operation request through the host machine. Therefore, the second port of the host machine, which actually receives the operation request, is not exposed, and the safety of the operation response can be improved. In addition, the preset sandbox is integrated with the host machine, so that the response efficiency is improved.
Description
Technical Field
The present invention relates to the field of computer information security technologies, and in particular, to an operation response method, an operation response device, an electronic device, and a computer readable storage medium.
Background
Along with the development of virtualization technology and cloud computing technology, the avoidance and repair of vulnerabilities of a host and a business machine are gradually emphasized by clients. In general, aiming at host loopholes, part of the slight loopholes can be repaired and avoided by patching and modifying the form of system parameters. In the face of numerous kernel vulnerabilities, upgrades to kernel versions are typically required. The upgrade of the kernel version of the system is not allowed in most cases, because upgrading the kernel version is time-consuming and labor-consuming, has a large influence on running business, and has a large influence on existing business data. At present, a honey system is deployed to protect a host, but when the honey is deployed, a corresponding virtual machine needs to be deployed separately, and in addition, interaction between the honey system and the host usually has a certain delay, so that the efficiency of operation response is affected.
Disclosure of Invention
An object of an embodiment of the present invention is to provide an operation response method, apparatus, electronic device, and computer readable storage medium, which can improve the problem of low response efficiency while improving the security of operation response.
In order to achieve the above object, embodiments of the present application are realized by:
in a first aspect, an embodiment of the present application provides an operation response method, where the method includes: receiving an operation request of a user terminal to a host machine through a first port in a preset sand box in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance; filtering and authenticating the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox; and after the operation request passes the filtering authentication of the preset sandbox, receiving the operation request through a second port corresponding to the first port in the host machine, and responding to the operation request through the host machine.
In the above embodiment, the operation request for the host is filtered and authenticated by the preset sandbox in the host, and the operation request is input into the host through the second port of the host after the filtering and authentication are completed, so that the second port of the host that actually receives the operation request is not exposed, and the security of the operation response can be improved. In addition, the preset sandbox is integrated with the host machine, so that the response efficiency is improved.
With reference to the first aspect, in one possible implementation manner, before receiving, through a first port in a preset sandbox in a host, an operation request from a user terminal to the host, the method further includes: and filtering and authenticating the operation request through a second packet filtering firewall and a second authentication policy in the host.
With reference to the first aspect, in a possible implementation manner, before receiving the operation request through a second port in the host corresponding to the first port, the method further includes: detecting the operation request through a virus searching and killing database in the preset sandbox, wherein the receiving the operation request through a second port corresponding to the first port in the host machine comprises the following steps: and when the operation request passes the detection and the detection is passed, receiving the operation request through a second port corresponding to the first port in the host.
With reference to the first aspect, in one possible implementation manner, before receiving, through a first port in a preset sandbox in a host, an operation request from a user terminal to the host, the method includes:
mapping the second port corresponding to the type of the request in the host machine to the first port; creating a sandbox mirror image corresponding to the host machine in the host machine as the preset sandbox based on a preset container engine, wherein the preset sandbox comprises a service corresponding to the first port, and the service comprises an SSH service; and establishing the connection between the preset sandbox and a response system of the host machine so that the host machine jumps the received operation request into the preset sandbox.
With reference to the first aspect, in a possible implementation manner, the method further includes: and shielding the second port of the host.
With reference to the first aspect, in a possible implementation manner, the method further includes: and configuring the management authority for the host machine for the preset sandbox, wherein the management authority comprises an IP address range which is allowed to be accessed.
With reference to the first aspect, in a possible implementation manner, the method further includes: and deleting a command for acquiring the specified information of the system of the host machine in the preset sandbox.
In a second aspect, the present application also provides an operation response device, the device comprising:
the first receiving unit is used for receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance;
the filtering authentication unit is used for filtering and authenticating the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox;
and the second receiving unit is used for receiving the operation request through a second port corresponding to the first port in the host machine after the operation request passes the filtering authentication of the preset sandbox, and responding to the operation request through the host machine.
In a third aspect, the present application further provides an electronic device, including a processor and a memory coupled to each other, where the memory stores a computer program, which when executed by the processor, causes the electronic device to perform the above-mentioned method.
In a fourth aspect, the present application also provides a computer readable storage medium having a computer program stored therein, which when run on a computer causes the computer to perform the above-described method.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and should not be considered as limiting the scope, and other related drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Fig. 2 is a flow chart of an operation response method provided in an embodiment of the present application.
Fig. 3 is a schematic path diagram of a response request in an electronic device according to an embodiment of the present application.
Fig. 4 is a block diagram of an operation response device according to an embodiment of the present application.
Icon: 10-an electronic device; 11-a processing module; 12-a memory module; 13-a communication module; 200-operation response means; 210-a first receiving unit; 220-a filter authentication unit; 230-a second receiving unit.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application. It should be noted that the terms "first," "second," and the like are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance. The following embodiments and features of the embodiments may be combined with each other without conflict.
Referring to fig. 1, the present application provides an electronic device 10, which can improve the security of the electronic device 10 responding to an operation request and reduce the possibility of hacking the electronic device 10.
The electronic device 10 may include a processing module 11 and a memory module 12. The memory module 12 stores a computer program which, when executed by the processing module 11, enables the electronic device 10 to perform the steps of the operation response method described below. It should be noted that the electronic device 10 may further include other modules, for example, the electronic device 10 may further include a communication module 13 for establishing communication with other devices.
In the present embodiment, the electronic device 10 may be, but is not limited to, a host device, a server, a virtual host, and the like. The virtual host is a host deployed in a cloud server, and is well known to those skilled in the art.
Referring to fig. 2, the present application further provides an operation response method, which may be applied to the electronic device 10, and the electronic device 10 executes or implements each step in the method. The electronic device 10 is a host in the following method, and the method may include the following steps:
step S110, receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance;
step S120, performing filtering authentication on the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox;
step S130, after the operation request passes the filtering authentication of the preset sandbox, the operation request is received through a second port corresponding to the first port in the host machine, and the operation request is responded through the host machine.
In the above embodiment, the operation request for the host is filtered and authenticated by the preset sandbox in the host, and the operation request is input into the host through the second port of the host after the filtering and authentication are completed, so that the second port of the host that actually receives the operation request is not exposed, and the security of the operation response can be improved. In addition, the preset sandbox is integrated with the host machine, so that the response efficiency is improved.
The steps in the method will be described in detail as follows:
prior to step S110, the method may further comprise the step of creating and configuring a preset sandbox on the host machine. For example, before step S110, the method may include:
step S101, mapping the second port corresponding to the type of the request in the host machine to the first port;
step S102, creating a sand box mirror image corresponding to the host machine in the host machine based on a preset container engine to serve as the preset sand box, wherein the preset sand box comprises services corresponding to the first port, and the services comprise SSH services;
step S103, establishing connection between the preset sandbox and a response system of the host machine so that the host machine jumps the received operation request into the preset sandbox.
In step S101, the type of the request may be flexibly determined according to the actual situation. For example, the types include management type, service type. In addition, in the management type and the service type, the subdivision may be performed according to a specific management type and service type, which is not particularly limited herein.
In the host, the first port may be understood as a "port" for the external device that the host receives the request. The second port may be understood as a port where the host actually receives the request, and the second port may be understood as a mapped port of the first port.
Illustratively, in the host, the management port "22" based on SSH (Secure Shell protocol) service in the host is modified to the port "22222". That is, in the host, the management class request is actually received by the port "22", and the operation request of the management class is modified to be actually received by the port "22222" now, but the management request is still received by the port "22" for the external device. Namely, the port "22222" is a second port, which is a port that the host actually receives the management request; the port with the port number of 22 is used as an external management port of the host machine and is a first port. The '22222' port is a mapping port of the '22' port, and the '22222' port and the '22' port have association or mapping relation. When the external device sends a management request to the host, the perceived port is the port of "22", and the port of "22222" is not known.
For another example, in the host, the service port based service in the host may be modified. For example, the original service class request actually received by the "80" port in the host is modified to the current actual port "888" to receive the operation request of the service class, but the "80" port receiving management request is still presented to the external device. That is, when the external device sends a service operation request to the host, the perceived port is the port of "80", and the port of "888" is not known.
In this embodiment, the port numbers of the first port and the second port are different, and the first port may be flexibly set according to the actual situation of the second port, which is not specifically limited herein. When the port mapping or disconnect modification of the host is completed, the port may be restarted to validate the port configuration. For example, the SSH service is restarted to validate the modified port. At this point, the service port of the SSH has been changed to "22222", and the original established SSH link is not affected. If a connection is to be newly established, port parameters are added to perform port mapping.
In step S102, the preset container engine may flexibly determine according to the actual situation. For example, the preset container engine may be a Docker. Dock is an open-source application container engine, and developers can package dock's applications and dependent packages into a portable mirror, which is then published in a host based on Linux or Windows operating systems.
Illustratively, a developer may use the minimal security image (or other image) of the host and create an out-box image containing the SSH service with the Docker. In the sandbox image, services corresponding to other service ports may be further included, and the service content is not specifically limited herein. The created sandbox image may be used as a preset sandbox.
In addition, in the sandbox, the service corresponding to the first port can be flexibly determined according to the actual situation, so that the response flow of the response system in the host machine to the operation request can be simulated in the sandbox. If the operation request threatens or attacks the response system, at this time, after the operation request is received based on the sandbox, the service in the sandbox can simulate responding to the request and expose the threat or attack of the response request in the sandbox, without threatening the actual response system in the host.
In step S103, the response system of the host is a system for responding to the operation request, and may be flexibly set according to actual situations, which is not particularly limited herein. For example, the response system stores corresponding network resources, and the user can upload, download or query specific network resources to the response system by using the user terminal and in a mode that the user terminal initiates a request.
In this embodiment, the preset sandbox is connected to the response system, so that the host machine can jump the received operation request into the preset sandbox. In addition, after the filtering authentication of the operation request is completed in the preset sandbox, the operation request can be input into the response system, so that the response system responds to the operation.
In this embodiment, through the above steps S101 to S103, a corresponding sandbox may be created on the host machine as a preset sandbox. After the preset sandbox is deployed on the host, the operation request received by the host can be safely detected by utilizing the preset sandbox, so that the safety of operation response is improved.
As an alternative embodiment, the method may also include other configuration operations during deployment of the sandboxes. For example, before step S110, the method may further include:
and shielding the second port of the host.
In this embodiment, the second port of the host may be shielded by using the first packet filtering firewall in the preset sandbox. The second port can be set according to actual conditions. The first packet of filter protection wall can set up according to actual conditions. For example, the first packet filtering firewall may be iptables.
In this embodiment, iptables can be understood as a client agent, through which a user can execute security settings of the user to a corresponding netfilter. Netfilter is the security framework (frame) of a firewall, netfilter being located in kernel space. The Iptables is used as a command line tool and is located in the user space, and the preset sandbox can use the security framework operated by the tool, so that security detection of the request data is realized.
For example, the preset sandbox may mask the actual SSH port (for example, port 22222) of the host through the iptables of the sandbox, so that the actual SSH port of the host is not exposed, thereby being beneficial to improving the network security of the host.
As an alternative embodiment, before step S110, the method may further include: and configuring the management authority for the host machine for the preset sandbox, wherein the management authority comprises an IP address range which is allowed to be accessed.
The management authority and the allowed access IP address range can be flexibly set according to actual conditions. For example, the management authority may further include a response system that permits operation to the host machine through the interior of the preset sandbox to facilitate management of the host machine. For example, the preset sandbox is permitted to establish SSH connection with the response system through an SSH port of an actual management port of the host machine, so that an administrator can use the preset sandbox to manage and operate the host machine, and management and maintenance are convenient.
As an alternative embodiment, before step S110, the method may further include: and deleting a command for acquiring the specified information of the system of the host machine in the preset sandbox.
Understandably, in the preset sandbox, there is a command capable of acquiring the specification information of the system of the host computer. The appointed information is sensitive information in the host machine, and can be flexibly determined according to actual conditions. For example, the commands can acquire the kernel version and basic information of the system, which easily causes information leakage of the system and affects the safety of the host. In this embodiment, by deleting such a command, the manner of obtaining the host vulnerability can be further hidden, so that the security of the host can be improved.
As an alternative embodiment, before step S110, the host may use the own packet filtering firewall and authentication policy of the host to filter and authenticate the operation request. For example, the method may further comprise:
and filtering and authenticating the operation request through a second packet filtering firewall and a second authentication policy in the host.
In this embodiment, the second packet filtering firewall may be iptables that is native to the host. The function of the second packet filtering firewall is similar to that of the first packet filtering firewall, and the filtering reliability and the operation safety are improved through double-layer filtering.
The second authentication policy can be flexibly set according to actual conditions, and can be a policy for authentication aiming at user and password login of a response system of a login host. For example, in the second authentication policy, a user and a login password that have undergone security authentication are recorded in advance. When the user logs in the response system or executes the business operation, the user needs to input a user name and a login password, and the current login password is the same as the login password of the user recorded in the second authentication policy, the authentication is confirmed to pass. If the current login password is different from the login password of the user recorded in advance, the authentication is confirmed not to pass.
In step S110, an operation request initiated by an external device (such as a user terminal) to the host may be received by a first port external to the host. Wherein the operation request is generally required to be sent to the response system of the host by using the second port in the host, so that the response system responds to the operation request. The second port is a port in the host pair that is not exposed. That is, the external device can only acquire information of the first port, but cannot acquire information of the second port.
In this embodiment, the number of the first ports of the host may be plural, each first port is associated with a corresponding type of operation request, and different types of operation requests may correspond to different first ports.
Illustratively, port "22" in the host corresponds to a management port of the SSH service, associated with an operation request of the management class, for receiving the operation request of the management class. The port 80 in the host is a service port, and is associated with an operation request of a service class, and is used for receiving the operation request of the service class.
In step S120, the first packet filtering firewall may be iptables, which may filter the operation request. For example, the preset sandbox may use iptables to perform security detection on the operation request, so as to determine whether the operation request has a potential safety hazard or an attack. If the operation request has potential safety hazard or has attack, the operation request is directly intercepted to stop responding to the operation request. If the operation request is secure, the operation request can be authenticated by a first authentication policy.
Among them, the manner of security detection is well known to those skilled in the art. The manner in which the operation request is authenticated using the first authentication policy is similar to that described above in which the operation request is authenticated using the second authentication policy. The difference is that the first authentication policy is used for authenticating the user and the login password entering the preset sandbox, and the second authentication policy is used for authenticating the user and the login password of the response system of the login host. In the operation request, the user account and the login password may be carried, or when the operation request is received, a login interface is displayed on the user terminal, and then the user inputs the user account and the login password. The user and the login password for logging in the preset sandbox are different from the user and the login password for logging in the host.
When the preset sandbox completes authentication of the operation request by using the first authentication policy, it indicates that the operation request is generally a secure request, and at this time, step S130 may be entered. If the authentication of the operation request is not completed, namely the authentication is not passed, the operation request is unsafe and needs to be intercepted.
In step S130, when the operation request is filtered and authenticated by the preset sandbox, the operation request is indicated to be safe, and at this time, the operation request may be input to the response system in the host through the second port in the host, so that the response system responds to the operation request. The manner of responding to the operation request may be flexibly determined according to practical situations, which is not limited herein.
Between step S120 to step S130, the method may further include:
and detecting the operation request through a virus searching and killing database in the preset sandbox.
It will be appreciated that in the virus challenge database, the characteristics of the various types of network viruses present may be recorded and used for comparison with the characteristics of the operation request. If the characteristics in the database are checked and killed by viruses in the operation request, the operation request is threatened or has attack, and interception is needed. If the feature corresponding to the operation request does not exist in the virus killing database, it indicates that the operation request is safe without interception, and then step S130 may be performed.
When the host is configured with the preset sandbox, the response path of the operation request may be as shown in fig. 3, where the port shown in fig. 3 is an exemplary port, and the port may be flexibly set according to the actual situation, and is not limited to the mapping relationship shown in fig. 3.
For example, referring to fig. 3, assume that the actual management port 22222 of the electronic device 10 is 22 to the external device. After the host is configured with the preset sandbox based on the Docker, if the host receives the operation request and the operation request is a management request, the operation request needs to be filtered and detected through a second iptables of the host. If the operation request is safe, authenticating the user and the password of the operation request. If the authentication is successful, jumping to the sandbox, and performing simulation response and virus searching and killing on the operation request by a virtualization system formed by the sandbox. For example, the first iptables in the sandbox is utilized to filter and detect the operation request again, virus searching and killing are performed on the operation request through virus killing software pre-installed in the sandbox, if the operation request is still safe, the user and the password of the login sandbox corresponding to the operation request are authenticated, and after the authentication is passed again, the operation request is sent to the actual system of the host machine to respond through the management port 22222, so that the security reinforcement of the host machine can be realized, and the security of the response operation of the host machine is improved.
Based on the design, the sand box characteristics of the Docker are utilized to provide a new layer of protection for the user host, so that the safety of the host is greatly improved, and the attack action by utilizing the loopholes can be effectively avoided. In addition, under the condition of not additionally carrying out kernel upgrading and patch repairing, the system vulnerability of the bottom layer can be effectively avoided, the implementation is convenient and quick, the applicability is strong, and the operation and maintenance cost is low.
Referring to fig. 4, an operation response device 200 is further provided in the embodiment of the present application, which can be applied to the above-mentioned electronic device 10, and is used for executing each step in the method. The operation response means 200 comprises at least one software function module which may be stored in the memory module 12 in the form of software or Firmware (Firmware) or cured in an Operating System (OS) of the electronic device 10. The processing module 11 is configured to execute executable modules stored in the storage module 12, such as software functional modules and computer programs included in the operation response device 200.
In this embodiment, the operation response device 200 may include a first receiving unit 210, a filtering authentication unit 220, and a second receiving unit 220, where the functional roles of the units may be as follows:
a first receiving unit 210, configured to receive an operation request from a user terminal to a host through a first port in a preset sandbox in the host, where the first port is a port associated with a type of the operation request in advance;
a filtering authentication unit 220 (or called a first filtering authentication unit) for performing filtering authentication on the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox;
and a second receiving unit 220, configured to receive the operation request through a second port corresponding to the first port in the host after the operation request passes the filtering authentication of the preset sandbox, and respond to the operation request through the host.
Optionally, the operation response device 200 may further include a second filtering authentication unit. Before the first receiving unit 210 receives an operation request from a user terminal to a host through a first port in a preset sandbox in the host, the second filtering authentication unit is configured to perform filtering authentication on the operation request through a second packet filtering firewall and a second authentication policy in the host.
Optionally, the operation response device 200 may further include a virus killing unit. Before the first receiving unit 210 receives an operation request from a user terminal to a host through a first port in a preset sandbox in the host, the virus killing unit is configured to detect the operation request through a virus killing database in the preset sandbox.
Optionally, the operation response device 200 may further include a port mapping unit, a creation unit, and a connection establishment unit. Before the first receiving unit 210 receives an operation request of a user terminal to a host through a first port in a preset sandbox in the host, a port mapping unit is configured to map the second port corresponding to a type of the request in the host to the first port; the creation unit is used for creating a sand box mirror image corresponding to the host machine in the host machine based on a preset container engine to serve as the preset sand box, wherein the preset sand box comprises a service corresponding to the first port, and the service comprises an SSH service; the connection establishment unit is used for establishing connection between the preset sandbox and a response system of the host machine so that the host machine jumps the received operation request into the preset sandbox.
Optionally, the operation response device 200 may further include a port shielding unit for shielding the second port of the host.
Optionally, the operation response device 200 may further include a rights configuration unit configured to configure the preset sandbox with a management right for the host, where the management right includes an IP address range that allows access.
Optionally, the operation response device 200 may further include a deleting unit configured to delete, in the preset sandbox, a command for acquiring the specification information of the system of the host.
In this embodiment, the processing module 11 may be an integrated circuit chip with signal processing capability. The processing module 11 may be a general purpose processor. For example, the processor may be a central processing unit (Central Processing Unit, CPU), digital signal processor (Digital Signal Processing, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application.
The memory module 12 may be, but is not limited to, random access memory, read only memory, programmable read only memory, erasable programmable read only memory, electrically erasable programmable read only memory, and the like. In this embodiment, the storage module 12 may be used to store packet filtering firewalls, authentication policies, and the like. Of course, the storage module 12 may also be used to store a program, which is executed by the processing module 11 upon receiving an execution instruction.
The communication module 13 is configured to establish a communication connection between the electronic device 10 and other devices (e.g., user terminals) through a network, and transmit and receive data through the network.
It is to be understood that the configuration shown in fig. 1 is merely a schematic diagram of one configuration of the electronic device 10, and that the electronic device 10 may include more components than those shown in fig. 1. The components shown in fig. 1 may be implemented in hardware, software, or a combination thereof.
It should be noted that, for convenience and brevity, the specific working process of the electronic device 10 described above may refer to the corresponding process of each step in the foregoing method, and will not be described in detail herein.
Embodiments of the present application also provide a computer-readable storage medium. The computer-readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to perform the operation response method as described in the above embodiments.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented in hardware, or by means of software plus a necessary general hardware platform, and based on this understanding, the technical solution of the present application may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (may be a CD-ROM, a U-disc, a mobile hard disk, etc.), and includes several instructions to cause a computer device (may be a personal computer, a server, or a network device, etc.) to perform the methods described in the respective implementation scenarios of the present application.
In summary, in the scheme, the operation request for the host is filtered and authenticated by the preset sandbox in the host, and the operation request is input into the host through the second port of the host after the filtering and authentication are completed, so that the second port of the host which actually receives the operation request is not exposed, and the safety of the operation response can be improved. In addition, the preset sandbox is integrated with the host machine, so that the response efficiency is improved.
In the embodiments provided in the present application, it should be understood that the disclosed apparatus, system, and method may be implemented in other manners as well. The above-described apparatus, systems, and method embodiments are merely illustrative, for example, flow charts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. In addition, the functional modules in the embodiments of the present application may be integrated together to form a single part, or each module may exist alone, or two or more modules may be integrated to form a single part.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.
Claims (9)
1. A method of operational response, the method comprising:
receiving an operation request of a user terminal to a host machine through a first port in a preset sand box in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance;
filtering and authenticating the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox;
after the operation request passes the filtering authentication of the preset sandbox, receiving the operation request through a second port corresponding to the first port in the host machine, and responding to the operation request through the host machine;
before receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, the method further comprises: and filtering and authenticating the operation request through a second packet filtering firewall and a second authentication policy in the host.
2. The method of claim 1, wherein prior to receiving the operation request through a second port of the hosts corresponding to the first port, the method further comprises:
detecting the operation request through a virus searching and killing database in the preset sandbox, wherein the receiving the operation request through a second port corresponding to the first port in the host machine comprises the following steps:
and when the operation request passes the detection and the detection is passed, receiving the operation request through a second port corresponding to the first port in the host.
3. The method of claim 1, wherein prior to receiving a request for operation of a user terminal to a host through a first port in a preset sandbox in the host, the method comprises:
mapping the second port corresponding to the type of the request in the host machine to the first port;
creating a sandbox mirror image corresponding to the host machine in the host machine as the preset sandbox based on a preset container engine, wherein the preset sandbox comprises a service corresponding to the first port, and the service comprises an SSH service;
and establishing the connection between the preset sandbox and a response system of the host machine so that the host machine jumps the received operation request into the preset sandbox.
4. A method according to claim 3, characterized in that the method further comprises:
and shielding the second port of the host.
5. A method according to claim 3, characterized in that the method further comprises:
and configuring the management authority for the host machine for the preset sandbox, wherein the management authority comprises an IP address range which is allowed to be accessed.
6. A method according to claim 3, characterized in that the method further comprises:
and deleting a command for acquiring the specified information of the system of the host machine in the preset sandbox.
7. An operation response device, the device comprising:
the first receiving unit is used for receiving an operation request of a user terminal to a host machine through a first port in a preset sandbox in the host machine, wherein the first port is a port which is associated with the type of the operation request in advance;
the filtering authentication unit is used for filtering and authenticating the operation request through a first packet filtering firewall and a first authentication policy in the preset sandbox;
the second receiving unit is used for receiving the operation request through a second port corresponding to the first port in the host after the operation request passes the filtering authentication of the preset sandbox, and responding to the operation request through the host;
and the second filtering authentication unit is used for filtering and authenticating the operation request through a second packet filtering firewall and a second authentication policy in the host.
8. An electronic device comprising a processor and a memory coupled to each other, the memory storing a computer program that, when executed by the processor, causes the electronic device to perform the method of any of claims 1-6.
9. A computer readable storage medium, characterized in that the computer readable storage medium has stored therein a computer program which, when run on a computer, causes the computer to perform the method according to any of claims 1-6.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111443278.2A CN114124558B (en) | 2021-11-30 | 2021-11-30 | Operation response method, device, electronic equipment and computer readable storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202111443278.2A CN114124558B (en) | 2021-11-30 | 2021-11-30 | Operation response method, device, electronic equipment and computer readable storage medium |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN114124558A CN114124558A (en) | 2022-03-01 |
| CN114124558B true CN114124558B (en) | 2024-02-06 |
Family
ID=80368830
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202111443278.2A Active CN114124558B (en) | 2021-11-30 | 2021-11-30 | Operation response method, device, electronic equipment and computer readable storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN114124558B (en) |
Citations (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101075188A (en) * | 2006-05-17 | 2007-11-21 | 联想(北京)有限公司 | Safety inputting method based on virtual machine |
| CN102254120A (en) * | 2011-08-09 | 2011-11-23 | 成都市华为赛门铁克科技有限公司 | Method, system and relevant device for detecting malicious codes |
| CN103810429A (en) * | 2014-02-28 | 2014-05-21 | 成都长天信息技术有限公司 | Computer virus searching and killing method based on desktop cloud virtualization technology |
| CN105653938A (en) * | 2015-12-31 | 2016-06-08 | 中国电子科技网络信息安全有限公司 | Sandbox protection system and method for virtual machine |
| WO2017031954A1 (en) * | 2015-08-25 | 2017-03-02 | 华为技术有限公司 | Data communication method, user equipment, and server |
| CN106845213A (en) * | 2016-12-26 | 2017-06-13 | 沈阳通用软件有限公司 | A kind of application security system based on Sandboxing |
| CN107122224A (en) * | 2016-02-25 | 2017-09-01 | 中兴通讯股份有限公司 | A kind of data transmission method, virtual machine and host |
| CN107395650A (en) * | 2017-09-07 | 2017-11-24 | 杭州安恒信息技术有限公司 | Even method and device is returned based on sandbox detection file identification wooden horse |
| CN107609396A (en) * | 2017-09-22 | 2018-01-19 | 杭州安恒信息技术有限公司 | A kind of escape detection method based on sandbox virtual machine |
| CN107682333A (en) * | 2017-09-30 | 2018-02-09 | 北京奇虎科技有限公司 | Virtualization safety defense system and method based on cloud computing environment |
| CN107992743A (en) * | 2017-12-04 | 2018-05-04 | 山东渔翁信息技术股份有限公司 | A kind of identity authentication method based on sandbox, device, equipment and storage medium |
| CN109165506A (en) * | 2018-07-05 | 2019-01-08 | 河南中烟工业有限责任公司 | A kind of method of industry control fault-tolerant server online checking and killing virus and antivirus protection |
| CN110022294A (en) * | 2019-02-27 | 2019-07-16 | 广州虎牙信息科技有限公司 | A kind of proxy server, Docker system and its right management method, storage medium |
| CN110516437A (en) * | 2019-08-27 | 2019-11-29 | 中国信息安全测评中心 | Security sweep method and device based on virtualized environment |
| CN111274570A (en) * | 2019-06-25 | 2020-06-12 | 宁波奥克斯电气股份有限公司 | Encryption authentication method and device, server, readable storage medium and air conditioner |
| CN112866244A (en) * | 2021-01-15 | 2021-05-28 | 中国电子科技集团公司第十五研究所 | Network flow sandbox detection method based on virtual network environment |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20210200859A1 (en) * | 2019-12-31 | 2021-07-01 | Fortinet, Inc. | Malware detection by a sandbox service by utilizing contextual information |
-
2021
- 2021-11-30 CN CN202111443278.2A patent/CN114124558B/en active Active
Patent Citations (16)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101075188A (en) * | 2006-05-17 | 2007-11-21 | 联想(北京)有限公司 | Safety inputting method based on virtual machine |
| CN102254120A (en) * | 2011-08-09 | 2011-11-23 | 成都市华为赛门铁克科技有限公司 | Method, system and relevant device for detecting malicious codes |
| CN103810429A (en) * | 2014-02-28 | 2014-05-21 | 成都长天信息技术有限公司 | Computer virus searching and killing method based on desktop cloud virtualization technology |
| WO2017031954A1 (en) * | 2015-08-25 | 2017-03-02 | 华为技术有限公司 | Data communication method, user equipment, and server |
| CN105653938A (en) * | 2015-12-31 | 2016-06-08 | 中国电子科技网络信息安全有限公司 | Sandbox protection system and method for virtual machine |
| CN107122224A (en) * | 2016-02-25 | 2017-09-01 | 中兴通讯股份有限公司 | A kind of data transmission method, virtual machine and host |
| CN106845213A (en) * | 2016-12-26 | 2017-06-13 | 沈阳通用软件有限公司 | A kind of application security system based on Sandboxing |
| CN107395650A (en) * | 2017-09-07 | 2017-11-24 | 杭州安恒信息技术有限公司 | Even method and device is returned based on sandbox detection file identification wooden horse |
| CN107609396A (en) * | 2017-09-22 | 2018-01-19 | 杭州安恒信息技术有限公司 | A kind of escape detection method based on sandbox virtual machine |
| CN107682333A (en) * | 2017-09-30 | 2018-02-09 | 北京奇虎科技有限公司 | Virtualization safety defense system and method based on cloud computing environment |
| CN107992743A (en) * | 2017-12-04 | 2018-05-04 | 山东渔翁信息技术股份有限公司 | A kind of identity authentication method based on sandbox, device, equipment and storage medium |
| CN109165506A (en) * | 2018-07-05 | 2019-01-08 | 河南中烟工业有限责任公司 | A kind of method of industry control fault-tolerant server online checking and killing virus and antivirus protection |
| CN110022294A (en) * | 2019-02-27 | 2019-07-16 | 广州虎牙信息科技有限公司 | A kind of proxy server, Docker system and its right management method, storage medium |
| CN111274570A (en) * | 2019-06-25 | 2020-06-12 | 宁波奥克斯电气股份有限公司 | Encryption authentication method and device, server, readable storage medium and air conditioner |
| CN110516437A (en) * | 2019-08-27 | 2019-11-29 | 中国信息安全测评中心 | Security sweep method and device based on virtualized environment |
| CN112866244A (en) * | 2021-01-15 | 2021-05-28 | 中国电子科技集团公司第十五研究所 | Network flow sandbox detection method based on virtual network environment |
Also Published As
| Publication number | Publication date |
|---|---|
| CN114124558A (en) | 2022-03-01 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| KR102301721B1 (en) | Dual memory introspection to protect multiple network endpoints | |
| CN111819544B (en) | Pre-deployment security analyzer service for virtual computing resources | |
| US11625489B2 (en) | Techniques for securing execution environments by quarantining software containers | |
| US10242186B2 (en) | System and method for detecting malicious code in address space of a process | |
| US10148693B2 (en) | Exploit detection system | |
| US11222123B2 (en) | Securing privileged virtualized execution instances from penetrating a virtual host environment | |
| US9973531B1 (en) | Shellcode detection | |
| US8954897B2 (en) | Protecting a virtual guest machine from attacks by an infected host | |
| US8281363B1 (en) | Methods and systems for enforcing network access control in a virtual environment | |
| Angel et al. | Defending against malicious peripherals with Cinch | |
| KR101153073B1 (en) | Isolating software deployment over a network from external malicious intrusion | |
| CN109379347B (en) | Safety protection method and equipment | |
| US20220391506A1 (en) | Automated Interpreted Application Control For Workloads | |
| Sun et al. | A scalable high fidelity decoy framework against sophisticated cyber attacks | |
| US11392700B1 (en) | System and method for supporting cross-platform data verification | |
| CN114124558B (en) | Operation response method, device, electronic equipment and computer readable storage medium | |
| US8640242B2 (en) | Preventing and detecting print-provider startup malware | |
| US20230319112A1 (en) | Admission control in a containerized computing environment | |
| CN110809004A (en) | Safety protection method and device, electronic equipment and storage medium | |
| CN114329444A (en) | System safety improving method and device | |
| GB2618884A (en) | Admission control in a containerised computing environment | |
| Ramachandran et al. | Rapid and proactive approach on exploration of vulnerabilities in cloud based operating systems | |
| Xu | Security enhancement of secure USB debugging in Android system | |
| CN116566633A (en) | Attack behavior defending method, device, equipment and storage medium | |
| Rose | LAB 1–NMAP AND NESSUS |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |