CN114531303B - Server port hiding method and system - Google Patents


Info

Publication number: CN114531303B
Application number: CN202210432579.3A
Other versions: CN114531303A (en)
Authority: CN (China)
Prior art keywords: port, access, service, service port, client
Legal status: Active (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Inventors: 陈睿彧, 宋长友
Current assignee: Beijing Tianwei Communication Technology Co ltd (the assignee list may be inaccurate)
Original assignee: Beijing Tianwei Communication Technology Co ltd
Events: application filed by Beijing Tianwei Communication Technology Co ltd; priority to CN202210432579.3A; publication of CN114531303A; application granted; publication of CN114531303B; legal status active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
    • H04L63/0414 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden during transmission, i.e. the party's identity is protected against eavesdropping, e.g. by using temporary identifiers, but is known to the other party or parties involved in the communication
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application relates to a method and system for hiding a server port and belongs to the technical field of network security. The method comprises: receiving an access data packet sent by a client, the packet carrying the service port being accessed this time; calling preset service port type information and port verification matching information, the service port type information comprising an entry service port, a conventional service port and a special service port; matching the service port in the access data packet against the service port types in the port verification matching information to obtain the port verification process information corresponding to that port; and authenticating according to the access data packet and the port verification process information, sending a port closing message to the client when authentication fails. The method and system improve the access security of service ports.

Description

Server port hiding method and system
Technical Field
The present application relates to the field of network security technology, and in particular to a method and system for hiding a server port.
Background
With the development of computer network technology, physical interfaces alone could no longer meet the needs of network communication; the service ports provided by the TCP/IP protocol suite solved this problem. A service port is the port a program requests when it initiates a connection to a server, and different services listen on different ports to provide different functions. On the server side, every service must be reached through its port. When the accessing end has a trusted IP address, conventional black- and white-list controls are sufficient protection, but black and white lists offer little effective protection when a large number of unknown IP addresses need access.
Disclosure of Invention
To solve the above technical problem, the present application provides a server port hiding method and system.
A first object of the application is to provide a server port hiding method.
This object is achieved by the following technical solution:
A server port hiding method, comprising:
receiving an access data packet sent by a client, the access data packet comprising the service port accessed this time;
calling preset service port type information and port verification matching information, the service port type information comprising an entry service port, a conventional service port and a special service port;
the port verification matching information comprising the service port types and the port verification process information corresponding to each service port, where the port verification process information is the verification steps a client must complete before it can access the port;
matching the service port in the access data packet against the service port types in the port verification matching information to obtain the port verification process information corresponding to that service port;
and authenticating according to the access data packet and the port verification process information, and sending a port closing message to the client when authentication fails.
With this scheme the server receives the client's access data packet, determines from it which service port the client wants to access and the type of that port, selects the verification process that matches the port type, and then authenticates the client using the access data packet and that process to decide whether it may access the port. Each port is guarded by its own verification process, which improves the access security of the service port.
In a preferred example, the access data packet further includes a user name, a fixed key and an encrypted ciphertext. When the service port in the access data packet is an entry service port, the port verification process information for the entry service port includes:
calling a pre-stored local key;
comparing the local key with the fixed key;
if the fixed key is the same as the local key, allowing the client to access the entry service port;
and if the fixed key differs from the local key, sending a port closing message to the client.
In a preferred example, when the service port in the access data packet is a conventional service port, the port verification process information for the conventional service port includes:
when the fixed key is the same as the local key, reading the user name;
obtaining the public key corresponding to the user name, decrypting the encrypted ciphertext with that public key to obtain authentication information, and sending the authentication information to the client;
receiving feedback information returned by the client in response to the authentication information, and authenticating according to the authentication information and the feedback information;
if authentication succeeds, allowing the client to access the conventional service port;
and if authentication fails, sending a port closing message to the client.
In a preferred example, receiving the feedback information returned by the client in response to the authentication information and authenticating according to the authentication information and the feedback information may further include:
on receiving the feedback information, generating a random character string;
encrypting the random character string with the public key to obtain a first authentication ciphertext;
encrypting the authentication information with the public key to obtain a second authentication ciphertext;
sending the first and second authentication ciphertexts to the client, and receiving the authentication character string the client returns in response to them;
decrypting the authentication character string with the public key to obtain a third authentication ciphertext;
and comparing the third authentication ciphertext with the random character string to obtain the authentication result.
In standard cryptographic terms, the steps this document describes as encrypting with the private key and decrypting with the public key are a signature and its verification, and the random character string is a challenge whose correct return proves that the client holds the private key registered for that user name.
In a preferred example, when the service port in the access data packet is a special service port, the port verification process information for the special service port includes:
first executing the port verification process of the conventional service port and, only when that authentication succeeds, executing the following steps;
acquiring a pre-stored verification instruction message and sending it to the client;
receiving the instruction ciphertext the client returns in response to the verification instruction message;
decrypting the instruction ciphertext with the public key to obtain an instruction plaintext;
comparing the instruction plaintext with a locally pre-stored special plaintext;
if the instruction plaintext is the same as the special plaintext, allowing the client to access the special service port;
and if the instruction plaintext differs from the special plaintext, sending a port closing message to the client.
In a preferred example, the method further includes:
acquiring the service record big data of the server, and obtaining historical access times and historical access IPs from it;
obtaining a service limit time period from the historical access times;
obtaining, for each historical access IP, the historical access geographical position corresponding to that IP;
the access data packet further comprising an access time and an access IP;
when access data packets are received from a plurality of clients:
acquiring the access IP from each access data packet and obtaining the access geographical position corresponding to that IP;
comparing the access geographical position with the historical access geographical position for that IP;
comparing the access time with the service limit time period;
when the access geographical position differs from the historical access geographical position and the access time falls within the service limit time period, obtaining the service port types in the access data packets sent by the plurality of clients;
if the service port type is an entry service port, sending a port closing message to the corresponding client;
and if the service port type is a conventional service port, changing the port verification process information for the corresponding client to the port verification process of the special service port.
In a preferred example, when access data packets are received from a plurality of clients, determining whether the server is suffering abnormal access at that moment may further be configured as follows:
acquiring the access amount of the service on the server within a preset time;
calculating the ratio of the access amount to the preset time, i.e. the access rate over that period, to obtain an access increase ratio value;
comparing the access increase ratio value with a preset ratio threshold; if the access increase ratio value is not less than the ratio threshold, determining that the server is suffering abnormal access at that moment, and executing the steps of claim 6;
after executing the steps of claim 6:
acquiring the number of new service users within the preset time;
calculating the ratio of the number of new service users to the preset time to obtain a user increase ratio value;
and comparing the user increase ratio value with a preset increase ratio threshold, and executing a preset callback policy if the user increase ratio value is smaller than the increase ratio threshold.
A second object of the application is to provide a server port hiding system.
This object is achieved by the following technical solution:
A server port hiding system, comprising:
a receiving module for receiving the access data packet sent by the client;
a calling module for calling preset service port type information and port verification matching information;
a matching module for matching the service port in the access data packet against the service port types in the port verification matching information to obtain the port verification process information corresponding to the service port;
and an authentication module for authenticating according to the access data packet and the port verification process information, and sending a port closing message to the client when authentication fails.
A third object of the application is to provide an intelligent terminal.
This object is achieved by the following technical solution:
An intelligent terminal comprising a memory and a processor, the memory storing computer program instructions of the server port hiding method that can be loaded and executed by the processor.
A fourth object of the application is to provide a computer medium capable of storing the corresponding program.
This object is achieved by the following technical solution:
A computer readable storage medium storing a computer program that can be loaded by a processor and executed to perform any of the server port hiding methods described above.
Drawings
Fig. 1 is a schematic flowchart of a server port hiding method in an embodiment of the present application.
Fig. 2 is a schematic structural diagram of a server port hiding system in an embodiment of the present application.
Description of reference numerals: 1. receiving module; 2. calling module; 3. matching module; 4. authentication module.
Detailed Description
The embodiments are only for explaining the present application and do not limit it; after reading this specification, those skilled in the art can modify the embodiments as needed without making an inventive contribution, and such modifications are protected by patent law within the scope of the claims of the present application.
To make the objects, technical solutions and advantages of the embodiments clearer, the technical solutions in the embodiments are described below clearly and completely with reference to the drawings. The described embodiments are some, not all, of the embodiments of the application. All other embodiments that a person skilled in the art can derive from these embodiments without creative effort fall within the protection scope of the application.
The embodiments of the present application will be described in further detail with reference to the drawings attached to the specification.
The application provides a server port hiding method whose main flow, shown in Fig. 1, is as follows.
Step S101: receive the access data packet sent by the client.
Step S102: call the preset service port type information and port verification matching information.
Step S103: match the service port in the access data packet against the service port types in the port verification matching information to obtain the port verification process information corresponding to the service port.
Step S104: authenticate according to the access data packet and the port verification process information, and send a port closing message to the client when authentication fails.
The server in the embodiments is a cloud server, i.e. a virtual rather than a physical server. It hosts a plurality of services, and each service contains a plurality of sub-services. A service itself has an external port; each of its sub-services also has a port; and a sub-service may in turn contain further sub-services, each with its own port. When the server receives a client request it therefore receives an access data packet that carries the service port being accessed this time: the client may be accessing the external port of a service, the port of a sub-service within a service, or the port of a sub-service within a sub-service.
On receiving an access data packet from a client, the server calls the preset service port type information and port verification matching information, then matches the service port in the packet against the service port types in the port verification matching information to obtain the port verification process information for that port. In the embodiments the type and authority of each service differ: services whose port type carries higher authority require the client to pass a more complicated verification process, while services whose port type carries lower authority require a simpler one. For example, the outermost layer of a service may be something like a public advertisement that everyone can see; the external port of the service is therefore hidden only shallowly and is reachable by most clients. The second-layer port, such as the port of a sub-service within the service, is hidden more deeply and can be accessed only after some verification operations; and the third-layer port, such as the port of a sub-service within a sub-service, is hidden deeper still and can be accessed only after a series of verification operations.
The example above shows that different service port types correspond to different port verification processes. In the embodiments the service port type information comprises an entry service port, a conventional service port and a special service port: the entry service port can be understood as the external port of a service, the conventional service port as a sub-service within the service, and the special service port as a sub-service within a sub-service. The port verification matching information comprises the service port types and the port verification process information corresponding to each service port, where the port verification process information is the verification steps a client performs before it successfully accesses the port. Given this information and the service port named in the access data packet, the port verification process the client must complete can be determined.
In the embodiments the access data packet further comprises a user name, a fixed key and an encrypted ciphertext. Every client holds a preset account; a key pair is generated in advance for each account, the server storing the public key and the client the private key. The client randomly generates a character string as its original plaintext and encrypts it with its private key to produce the encrypted ciphertext. The first preset number of bytes of the access data packet are set to a fixed value, and that value is the fixed key. The client then sends the fixed key, the encrypted ciphertext and its user name to the server.
After receiving the access data packet, the server reads the service port being accessed this time from the packet and matches it against the service port types in the port verification matching information.
If the service port is the entry service port, the server calls the port verification process information for the entry service port: it calls the pre-stored local key and compares it with the fixed key; if the fixed key is the same as the local key the client is allowed to access the entry service port, and if it differs a port closing message is sent to the client. In other words, the server holds a local key; a client whose fixed key matches it is treated as a trusted user and admitted to the entry service port, and a client whose fixed key does not match is treated as untrusted and sent a port closing message. Note that this first check only establishes knowledge of the fixed value that every client places at the start of its packet; it does not identify an individual client, which is what the user name and key pair in the following flows are for.
If the service port is a conventional service port, the server calls the port verification process information for the conventional service port. It calls the pre-stored local key and compares it with the fixed key; if the fixed key matches the local key, it reads the user name, looks up the locally stored public key for that user name, decrypts the encrypted ciphertext with the public key to obtain the authentication information, and sends the authentication information to the client. It then receives the feedback information the client returns in response and authenticates using the authentication information and the feedback information. Specifically, on receiving the feedback information the server generates a random character string, encrypts it with the public key to obtain a first authentication ciphertext, encrypts the authentication information with the public key to obtain a second authentication ciphertext, and sends both to the client. The client decrypts the second authentication ciphertext with its private key to obtain plaintext information and compares it with its original plaintext; if they match, the client decrypts the first authentication ciphertext with its private key to obtain the authentication plaintext, encrypts that plaintext with its private key to obtain the authentication character string, and sends the authentication character string to the server. The server decrypts the authentication character string with the public key to obtain a third authentication ciphertext and compares it with the random character string to obtain the authentication result: if authentication succeeds the client is allowed to access the conventional service port, and if it fails a port closing message is sent to the client. In standard cryptographic terms the client's private-key operations are signatures and the server's public-key decryptions are signature verifications; the second ciphertext lets the client check that the server holds its registered public key, and the random string is a challenge that proves the client holds the matching private key.
If the service port is a special service port, the server calls the port verification process information for the special service port. It first runs the port verification process of the conventional service port and, only when that authentication succeeds, continues: it acquires the pre-stored verification instruction message and sends it to the client; receives the instruction ciphertext the client returns in response; decrypts the instruction ciphertext with the public key to obtain the instruction plaintext; and compares the instruction plaintext with the locally pre-stored special plaintext. If they are the same the client is allowed to access the special service port; if they differ a port closing message is sent to the client.
In the embodiments the access flows of the entry service port, the conventional service port and the special service port grow progressively more complex: access to the entry service port requires only that the fixed key match the local key; access to the conventional service port additionally requires verification based on the user name and the authentication information; and access to the special service port further requires the verification instruction message and the instruction plaintext to be checked on top of the previous two.
Specifically, when a client wants to access a special service port and the port verification process of the conventional service port has succeeded, the server sends the pre-stored verification instruction message to the client, telling it that it is being verified for access to a special port. The client returns an instruction ciphertext; the server decrypts it into an instruction plaintext and compares that with the pre-stored special plaintext. If the two agree, the instruction ciphertext returned by the client is correct and the client may access the special port; if they do not, the instruction ciphertext is wrong and the server sends a port closing message. In this way the service ports are managed, each service port has its own verification process, the ports that should be hidden are hidden, and the access security of the ports is improved.
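The three verification flows above (entry, conventional and special, in the claims and in this description) acted out end to end, as an added example that is not the patent's own code. The port numbers, user names, the fixed-key value, the special plaintext, the verification instruction message and the byte layout of the access data packet (fixed key, then port, then user name, then ciphertext) are all constructed assumptions. The RSA is textbook RSA with small fixed primes and no padding; it is not secure and is used only so the "encrypt with the private key / decrypt with the public key" steps can be shown literally.

```python
"""Tiered port verification (entry / conventional / special) as the patent describes
it, acted out between a client and a server in one process.  Added example, not the
patent's code.  Constructed assumptions: port numbers, user names, the fixed-key
value, the special plaintext, the verification instruction message and the packet
layout fixed key | port | user name | ciphertext.  The RSA is textbook RSA with
small fixed primes and no padding: NOT secure, present only so the "encrypt with the
private key / decrypt with the public key" steps can be shown literally (in standard
terms: a raw signature and its verification)."""
import hmac
import secrets
import struct


def keygen(p, q, e=65537):
    """Toy RSA key pair from two small primes: ((e, n), (d, n))."""
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def rsa(key, m):
    """One modular exponentiation serves for encrypt, decrypt, sign and verify in raw RSA."""
    exp, n = key
    return pow(m, exp, n)


FIXED_KEY = bytes.fromhex("1337c0de")                                # constructed; first 4 bytes of every packet
PORT_TYPES = {8080: "entry", 8081: "conventional", 8082: "special"}  # constructed port -> type table
SPECIAL_PLAINTEXT = 0x5EC7                                           # constructed pre-stored special plaintext
VERIFY_INSTRUCTION = b"SPECIAL-PORT-VERIFY"                          # constructed verification instruction


def pack(fixed_key, port, username, ciphertext):
    """fixed key (4) | port (2) | name length (1) | user name | ciphertext (4), big-endian."""
    name = username.encode()
    return fixed_key + struct.pack(">HB", port, len(name)) + name + struct.pack(">I", ciphertext)


def unpack(blob):
    port, nlen = struct.unpack(">HB", blob[4:7])
    (ct,) = struct.unpack(">I", blob[7 + nlen:11 + nlen])
    return {"fixed_key": blob[:4], "port": port, "username": blob[7:7 + nlen].decode(), "ciphertext": ct}


class Client:
    def __init__(self, username, private_key, knows_special=False):
        self.username, self.priv = username, private_key
        self.special = SPECIAL_PLAINTEXT if knows_special else 0
        self.original = secrets.randbelow(1 << 24)   # random original plaintext, kept < n as an int

    def access_packet(self, port, fixed_key=FIXED_KEY):
        return pack(fixed_key, port, self.username, rsa(self.priv, self.original))

    def feedback(self, auth_info):
        return auth_info == self.original            # confirms the server decrypted to the original plaintext

    def answer_challenge(self, c1, c2):
        if rsa(self.priv, c2) != self.original:      # second ciphertext must decrypt to the original plaintext
            return None
        return rsa(self.priv, rsa(self.priv, c1))    # decrypt the first ciphertext, then sign the recovered string

    def answer_instruction(self, message):
        return rsa(self.priv, self.special) if message == VERIFY_INSTRUCTION else None


class Server:
    def __init__(self, public_keys):
        self.public_keys = public_keys                # user name -> public key, registered in advance

    def handle(self, blob, client):
        """Return "allow", or "close" (the port-closing message)."""
        pkt = unpack(blob)
        ptype = PORT_TYPES.get(pkt["port"])
        if ptype is None or not hmac.compare_digest(pkt["fixed_key"], FIXED_KEY):
            return "close"                            # fixed key differs from the local key
        if ptype == "entry":
            return "allow"
        pub = self.public_keys.get(pkt["username"])
        if pub is None or not self._challenge(pub, pkt["ciphertext"], client):
            return "close"
        if ptype == "conventional":
            return "allow"
        inst = client.answer_instruction(VERIFY_INSTRUCTION)
        return "allow" if inst is not None and rsa(pub, inst) == SPECIAL_PLAINTEXT else "close"

    def _challenge(self, pub, ciphertext, client):
        auth_info = rsa(pub, ciphertext)              # decrypt with the public key -> authentication information
        if not client.feedback(auth_info):
            return False
        rnd = secrets.randbelow(1 << 24)              # the random character string, as an int
        c1, c2 = rsa(pub, rnd), rsa(pub, auth_info)   # first and second authentication ciphertexts
        answer = client.answer_challenge(c1, c2)
        return answer is not None and rsa(pub, answer) == rnd   # third ciphertext must equal the random string


if __name__ == "__main__":
    alice_pub, alice_priv = keygen(10007, 10009)
    server = Server({"alice": alice_pub})
    alice = Client("alice", alice_priv, knows_special=True)
    for port in (8080, 8081, 8082):
        print(port, server.handle(alice.access_packet(port), alice))
    _, other_priv = keygen(10037, 10039)
    impostor = Client("alice", other_priv)            # knows the fixed key and the user name, not the private key
    print("impostor, entry port:", server.handle(impostor.access_packet(8080), impostor))
    print("impostor, conventional port:", server.handle(impostor.access_packet(8081), impostor))
```

The impostor run shows what the tiering means in practice: the entry tier checks only the fixed key, a value that is identical for every client and travels at the start of every packet, so anyone who has that value reaches the entry port, while the conventional and special tiers fail without the private key registered for the user name. The fixed-key comparison uses a constant-time compare; a plain `==` on secrets leaks timing.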
The following situation may arise while ports are hidden in this way: when many clients at one location generate large-scale access at one point in time, the server analyses the time, the location and the access amount, judges whether the access is abnormal, and intercepts it if so.
Specifically, the service record big data of the server is acquired and the historical access times and historical access IPs are obtained from it; a service limit time period is then derived from the historical access times, and the historical access geographical position corresponding to each IP is obtained from the historical access IP. The historical access time is the time at which a client accessed the server in the past; from these times the periods in which the client accessed little or not at all can be found, and those periods are marked as the service limit time period. The service limit time period thus represents times at which the client's accesses are few or absent. The historical access IP is the client's IP, from which the historical access geographical position, i.e. the real-world location the client was at when it accessed the server, is obtained; for example, a client may regularly access service A on the server from home or a coffee shop between eight and nine in the morning.
Then, when access data packets are received from a plurality of clients, it is judged whether they are abnormal accesses. First the access time and access IP are taken from each client's access data packet; the access geographical position for that IP is obtained and compared with the historical access geographical position for the same IP, and the access time is compared with the service limit time period. When the access geographical position differs from the historical one and the access time falls within the service limit time period, the client is sending its request to the server at an abnormal time from an abnormal place, and the access is abnormal.
Specifically, the access amount of the service on the server within a preset time is obtained, the preset time being the period in which the plurality of clients generate the large amount of access. The access amount is divided by the preset time to obtain an access increase ratio value (the access rate over that period), which is compared with a preset ratio threshold; if the access increase ratio value is not less than the ratio threshold, the server is judged to be under abnormal access at that moment, and the access time and access geographical position are then examined as described above.
If abnormal access is confirmed, the service port types in the access data packets sent by the plurality of clients are obtained: if the type is an entry service port, a port closing message is sent to the corresponding client; if the type is a conventional service port, the port verification process information for the corresponding client is changed to the port verification process of the special service port. That is, once a client's access is judged abnormal, requests for the entry service port are intercepted outright and requests for the conventional service port face the harder verification process, which intercepts the abnormal access and protects port access.
After the abnormal access has been intercepted, the number of new service users within the preset time is obtained, divided by the preset time to obtain a user increase ratio value, and compared with a preset increase ratio threshold; if the user increase ratio value is smaller than the threshold, a preset callback policy is executed. The reasoning is that intercepting abnormal access also affects clients accessing normally, so the size of that effect has to be judged: if growth in service users over the period has dropped noticeably and falls below the increase ratio threshold, the interception has had a large effect on user growth and must be partially rolled back, which is what the preset callback policy does.
specifically, the callback policy includes adjusting the service restriction period, and reducing the amount of time of the service restriction period; for example, the service restriction time period indicates that the access performed by the client in the time period belongs to an abnormal time, and then a part of the restriction time is reduced, for example, the original time is eight to nine points, and now becomes eight to half to nine points, and in this way, the callback of the interception operation is realized; the callback strategy also comprises that when the reduction degree of the increment is very high, even the condition of negative increment occurs, the interception operation can be selected to be cancelled, and the callback is carried out to the original state.
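The burst check, the time-and-location anomaly test, the per-port interception and the callback adjustment described in the preceding paragraphs, as one runnable model. This is an added example and not code from the patent or its applicant; it assumes the user name carried in the access packet is the stable client identity, uses a constructed in-memory table in place of an ip geolocation service, reduces access time to the hour of day, and shrinks the limit period by dropping its earliest hour as a coarse analogue of the "eight to nine becomes half past eight to nine" adjustment. The history records, ips and thresholds are constructed.

```python
"""Added example (not the patent's code): anomaly detection, interception and
callback steps of the description, run over constructed history records."""
from collections import defaultdict
from dataclasses import dataclass

ENTRANCE, CONVENTIONAL, SPECIAL = "entrance", "conventional", "special"
PORT_TYPES = {2222: ENTRANCE, 8080: CONVENTIONAL, 9443: SPECIAL}  # constructed

# Constructed stand-in for an ip geolocation lookup (documentation-range ips).
GEO_TABLE = {"203.0.113.10": "Beijing", "198.51.100.7": "Shanghai"}


def geolocate(ip: str) -> str:
    return GEO_TABLE.get(ip, "unknown")


@dataclass(frozen=True)
class AccessPacket:
    user: str   # user name in the packet, assumed to identify the client
    ip: str     # access ip
    port: int   # service port accessed this time
    hour: int   # access time reduced to the hour of day


# Constructed "service record big data": (user, ip, hour of access).
HISTORY = [
    ("alice", "203.0.113.10", 8), ("alice", "203.0.113.10", 9),
    ("alice", "203.0.113.10", 14), ("bob", "198.51.100.7", 9),
    ("bob", "198.51.100.7", 10),
]


def build_profile(history, quiet_threshold=1):
    """Service limit period = hours with fewer than quiet_threshold accesses;
    historical access positions = per-user set of geolocated source ips."""
    hits = defaultdict(int)
    hist_geo = defaultdict(set)
    for user, ip, hour in history:
        hits[hour] += 1
        hist_geo[user].add(geolocate(ip))
    limit_hours = {h for h in range(24) if hits[h] < quiet_threshold}
    return limit_hours, dict(hist_geo)


def burst_detected(access_count, window_seconds, ratio_threshold):
    """Access increase ratio = accesses per second over the preset window."""
    return access_count / window_seconds >= ratio_threshold


def is_abnormal(pkt, limit_hours, hist_geo):
    """Abnormal = unfamiliar position for this user AND inside the limit period."""
    known = hist_geo.get(pkt.user, set())
    return geolocate(pkt.ip) not in known and pkt.hour in limit_hours


def intercept(pkt, client_flows):
    """Entrance port: close it. Conventional port: raise the client's flow to
    the special-port verification. Special port: already the strictest flow."""
    kind = PORT_TYPES.get(pkt.port)
    if kind == ENTRANCE:
        return "port_closed"
    if kind == CONVENTIONAL:
        client_flows[pkt.user] = SPECIAL
        return "escalated"
    return "unchanged"


def callback_policy(new_users, window_seconds, growth_threshold, limit_hours):
    """User increase ratio below the threshold: trim the limit period; negative
    growth: cancel the interception by emptying the limit period."""
    if new_users / window_seconds >= growth_threshold:
        return "keep", set(limit_hours)
    if new_users < 0:
        return "cancel", set()
    trimmed = set(sorted(limit_hours)[1:])  # shrink by the earliest hour
    return "trim", trimmed


def run_demo():
    """Run the whole procedure on constructed packets; returns the decisions."""
    limit_hours, hist_geo = build_profile(HISTORY)
    client_flows, actions = {}, {}
    if burst_detected(access_count=600, window_seconds=60, ratio_threshold=5.0):
        packets = [
            AccessPacket("alice", "198.51.100.7", 2222, 3),  # new place, quiet hour
            AccessPacket("alice", "203.0.113.10", 2222, 3),  # known place
            AccessPacket("bob", "203.0.113.10", 8080, 2),    # new place, quiet hour
            AccessPacket("bob", "203.0.113.10", 8080, 9),    # busy hour
        ]
        for pkt in packets:
            key = (pkt.user, pkt.ip, pkt.hour)
            if is_abnormal(pkt, limit_hours, hist_geo):
                actions[key] = intercept(pkt, client_flows)
            else:
                actions[key] = "normal"
    decision, _ = callback_policy(new_users=3, window_seconds=60,
                                  growth_threshold=0.1, limit_hours=limit_hours)
    return actions, client_flows, decision
```

In the demo, alice's packet from an unfamiliar position during a quiet hour closes the entrance port, bob's conventional-port request from an unfamiliar position is escalated to the special-port flow, and the low user growth afterwards trims the limit period rather than cancelling the interception.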
As shown in fig. 2, the server port hiding system includes a receiving module 1 for receiving an access data packet sent by a client; a calling module 2 for calling preset service port type information and port verification matching information; a matching module 3 for matching the service port in the access data packet with the service port type in the port verification matching information to obtain the port verification process information corresponding to the service port; and an authentication module 4 for performing authentication according to the access data packet and the port verification process information and sending a port closing message to the client when authentication fails.
To better execute the program of the method, the application also provides an intelligent terminal comprising a memory and a processor.
The memory may store an instruction, a program, code, a set of codes, or a set of instructions. The memory may include a program storage area and a data storage area: the program storage area may store instructions for implementing an operating system, instructions for at least one function, instructions for implementing the server port hiding method described above, and the like; the data storage area may store the data involved in the server port hiding method described above.
The processor may include one or more processing cores. The processor runs the instructions, programs, code sets, or instruction sets stored in the memory, calls the data stored in the memory, performs the various functions of the present application, and processes the data. The processor may be at least one of an application specific integrated circuit, a digital signal processor, a digital signal processing device, a programmable logic device, a field programmable gate array, a central processing unit, a controller, a microcontroller, and a microprocessor. It is understood that the electronic device implementing the above processor functions may be another device; the embodiments of the present application are not particularly limited in this respect.
The present application also provides a computer-readable storage medium, for example, comprising: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk. The computer readable storage medium stores a computer program that can be loaded by a processor and executes the above-described server port hiding method.
The foregoing description is only exemplary of the preferred embodiments of the invention and is provided for the purpose of illustrating the general principles of the technology. It will be appreciated by those skilled in the art that the scope of the disclosure herein is not limited to the particular combination of features described above, but also encompasses other arrangements formed by any combination of the above features or their equivalents without departing from the spirit of the disclosure. For example, the above features may be replaced with (but not limited to) features having similar functions disclosed in the present application.

Claims (8)

1. A server port hiding method is characterized by comprising the following steps:
receiving an access data packet sent by a client; the access data packet comprises a service port accessed at this time;
calling preset service port type information and port verification matching information; the service port type information comprises an entrance service port, a conventional service port and a special service port;
the port verification matching information comprises service port types and port verification process information corresponding to the service ports; the port verification process information refers to a verification step which is required to be carried out before the client accesses the port successfully;
matching the service port in the access data packet with the service port type in the port verification matching information to obtain port verification process information corresponding to the service port;
authenticating according to the access data packet and the port verification process information, and sending a port closing message to the client when authentication fails;
when receiving access data packets sent by a plurality of clients, judging whether the server is abnormally accessed at the moment comprises the following steps:
acquiring the access amount of the service in the server within preset time;
calculating the ratio of the access amount to the preset time to obtain an access increase ratio value;
comparing the access increase proportion value with a preset proportion threshold value, and if the access increase proportion value is not less than the proportion threshold value, determining that the server is abnormally accessed;
acquiring service record big data of a server, and acquiring historical access time and historical access ip from the service record big data;
obtaining a service limit time period according to historical access time;
obtaining a historical access geographical position corresponding to the ip according to the historical access ip;
the access data packet comprises access time and an access ip;
when receiving access data packets sent by a plurality of clients;
acquiring an access ip in an access data packet, and obtaining an access geographical position corresponding to the ip according to the access ip;
comparing the access geographic position with the historical access geographic position corresponding to the ip;
comparing the access time with the service limit time period;
when the access geographic position is different from the historical access geographic position and the access time is within the service limit time period;
obtaining service port types in access data packets sent by a plurality of clients;
if the service port type is an entrance service port, sending a port closing message to a corresponding client;
if the service port type is a conventional service port, changing the port verification process information of the corresponding client into a port verification process corresponding to the special service port;
acquiring the increased number of service users within preset time;
calculating the ratio of the number of the service users to the preset time to obtain a user increase ratio value;
and comparing the user increase proportion value with a preset increase proportion threshold, and executing a preset callback strategy if the user increase proportion value is smaller than the increase proportion threshold.
2. The server port hiding method according to claim 1, wherein the access packet further comprises a user name, a fixed key and an encrypted ciphertext; when the service port in the access data packet is an entry service port, the port verification process information corresponding to the entry service port includes:
calling a pre-stored local key;
comparing the local key with the fixed key;
if the fixed key is the same as the local key, allowing the client to access the entrance service port;
and if the fixed key is different from the local key, sending a port closing message to the client.
3. The server port hiding method according to claim 2, wherein when the service port in the access data packet is a conventional service port, the port verification process information corresponding to the conventional service port includes:
when the fixed key is the same as the local key, reading the user name;
obtaining a public key corresponding to the user name according to the user name, decrypting the encrypted ciphertext by using the public key to obtain authentication information, and sending the authentication information to the client;
receiving feedback information returned by the client in response to the authentication information, and authenticating according to the authentication information and the feedback information;
if the authentication is successful, allowing the client to access the conventional service port;
and if the authentication fails, sending a port closing message to the client.
4. The server port hiding method according to claim 3, wherein the step of receiving the feedback information returned by the client in response to the authentication information and performing authentication according to the authentication information and the feedback information comprises:
when receiving the feedback information, generating a random character string;
encrypting the random character string by using a public key to obtain a first authentication ciphertext;
encrypting the authentication information by using the public key to obtain a second authentication ciphertext;
sending the first authentication ciphertext and the second authentication ciphertext to the client, and receiving an authentication character string returned by the client in response to the first authentication ciphertext and the second authentication ciphertext;
decrypting the authentication character string by using the public key to obtain a third authentication ciphertext;
and comparing the third authentication ciphertext with the random character string to obtain an authentication result.
5. The server port hiding method according to claim 4, wherein when the service port in the access data packet is a special service port, the port verification process information corresponding to the special service port includes:
if the service port in the access data packet is a special service port, first executing the port verification process of the conventional service port, and, when that authentication succeeds, executing the following steps:
acquiring a prestored verification instruction message, and sending the verification instruction message to a client;
receiving an instruction ciphertext returned by the client in response to the verification instruction message;
decrypting the instruction ciphertext by using the public key to obtain an instruction plaintext;
comparing the instruction plaintext with a locally pre-stored special plaintext;
if the instruction plaintext is the same as the special plaintext, allowing the client to access the special service port;
and if the instruction plaintext is different from the special plaintext, sending a port closing message to the client.
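The tiered verification of claims 2 to 5 as one runnable exchange between a client and a server: the fixed-key comparison for the entrance service port, the public-key recovery of the authentication information plus the random-string challenge for the conventional service port, and the additional instruction ciphertext check for the special service port. This is an added example and not the patent's or the applicant's code. The claims do not name a cipher; the example models "encrypt/decrypt with the public key" and the client's private-key operation with textbook RSA on two fixed Mersenne primes, which illustrates the message flow only and is not a secure implementation (no padding, tiny modulus, one key pair). The assumption that the server holds each user's registered authentication information for comparison, the port numbers, keys and message strings are all constructed.

```python
"""Added example (not the patent's code): the three-tier port verification of
claims 2-5 modelled with toy textbook RSA so the exchange can run offline."""
import hmac
import secrets

ENTRANCE, CONVENTIONAL, SPECIAL = "entrance", "conventional", "special"
PORT_TYPES = {2222: ENTRANCE, 8080: CONVENTIONAL, 9443: SPECIAL}  # constructed

# Toy RSA on two Mersenne primes: message flow only, no padding, tiny modulus.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the client only


def to_int(s: str) -> int:
    return int.from_bytes(s.encode(), "big")  # short strings only: must stay below N


def to_str(x: int) -> str:
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode(errors="replace")


def public_op(x: int) -> int:
    return pow(x, E, N)  # the claims' "encrypt / decrypt with the public key"


class Client:
    """Holds the fixed key, its auth info, the special plaintext and a private exponent."""

    def __init__(self, user, fixed_key, auth_info, special_plain, d=D):
        self.user, self.fixed_key, self.d = user, fixed_key, d
        self.auth_info, self.special_plain = auth_info, special_plain

    def private_op(self, x):
        return pow(x, self.d, N)

    def packet(self, port):
        # Claim 2: user name, fixed key, and auth info under the private key
        return {"port": port, "user": self.user, "fixed_key": self.fixed_key,
                "ciphertext": self.private_op(to_int(self.auth_info))}

    def feedback(self, auth_info):
        # Claim 3: feedback returned in response to the auth info
        return "ack" if auth_info == self.auth_info else "nak"

    def answer_challenge(self, c1, c2):
        # Claim 4: recover the random string, return it under the private key
        r = self.private_op(c1)
        self.private_op(c2)  # second ciphertext carries the auth info back
        return self.private_op(r)

    def answer_instruction(self, _instruction):
        # Claim 5: instruction ciphertext = special plaintext under the private key
        return self.private_op(to_int(self.special_plain))


class Server:
    def __init__(self, local_key, users, special_plain):
        self.local_key, self.users, self.special_plain = local_key, users, special_plain

    def entrance_check(self, pkt):
        return hmac.compare_digest(pkt["fixed_key"].encode(), self.local_key.encode())

    def conventional_check(self, pkt, client):
        expected = self.users.get(pkt["user"])  # assumption: registered auth info
        if expected is None:
            return False
        auth_int = public_op(pkt["ciphertext"])  # open the ciphertext with the public key
        if to_str(auth_int) != expected or client.feedback(expected) != "ack":
            return False
        r = secrets.randbelow(N - 2) + 2  # random string as an integer below N
        answer = client.answer_challenge(public_op(r), public_op(auth_int))
        return public_op(answer) == r  # third ciphertext must equal the random string

    def special_check(self, client):
        ct = client.answer_instruction("verify-instruction")  # constructed message
        return to_str(public_op(ct)) == self.special_plain

    def verify(self, pkt, client):
        kind = PORT_TYPES.get(pkt["port"])
        if kind is None or not self.entrance_check(pkt):
            return "port_closed"  # unknown port or wrong fixed key: close it
        if kind == ENTRANCE:
            return "allowed"
        if not self.conventional_check(pkt, client):
            return "port_closed"
        if kind == CONVENTIONAL:
            return "allowed"
        return "allowed" if self.special_check(client) else "port_closed"


def run_demo():
    """Exercise all three tiers plus a wrong fixed key and a wrong private key."""
    server = Server("constructed-local-key", {"alice": "auth-ok"}, "sp-cmd-7")
    alice = Client("alice", "constructed-local-key", "auth-ok", "sp-cmd-7")
    wrong_key = Client("alice", "guess", "auth-ok", "sp-cmd-7")
    impostor = Client("alice", "constructed-local-key", "auth-ok", "sp-cmd-7", d=3)
    return {
        "alice_entrance": server.verify(alice.packet(2222), alice),
        "alice_conventional": server.verify(alice.packet(8080), alice),
        "alice_special": server.verify(alice.packet(9443), alice),
        "wrong_fixed_key": server.verify(wrong_key.packet(8080), wrong_key),
        "impostor": server.verify(impostor.packet(8080), impostor),
        "unknown_port": server.verify(alice.packet(31337), alice),
    }
```

The ordering in `verify` mirrors the claims: the special-port flow runs the conventional-port flow first, which in turn starts with the entrance fixed-key comparison, and every failure ends in the same port closing message rather than a tier-specific error.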
6. A server port hiding system, comprising:
a receiving module (1) for receiving an access data packet sent by a client, the access data packet comprising the service port accessed at this time;
an invoking module (2) for invoking preset service port type information and port verification matching information, wherein the service port type information comprises an entrance service port, a conventional service port and a special service port, and the port verification matching information comprises a service port type and port verification process information corresponding to the service port; the port verification process information refers to a verification step which is required to be carried out before the client accesses the port successfully;
the matching module (3) is used for matching the service port in the access data packet with the service port type in the port verification matching information to obtain port verification process information corresponding to the service port;
the authentication module (4) is used for authenticating according to the access data packet and the port verification process information and sending a port closing message to the client when the authentication fails;
the server port hiding system is further configured to:
when receiving access data packets sent by a plurality of clients, judging whether the server is abnormally accessed at the moment comprises the following steps:
acquiring the access amount of the service in the server within preset time;
calculating the ratio of the access amount to the preset time to obtain an access increase ratio value;
comparing the access increase proportion value with a preset proportion threshold value, and if the access increase proportion value is not less than the proportion threshold value, determining that the server is abnormally accessed;
acquiring service record big data of a server, and acquiring historical access time and historical access ip from the service record big data;
obtaining a service limit time period according to historical access time;
obtaining a historical access geographical position corresponding to the ip according to the historical access ip;
the access data packet comprises access time and an access ip;
when receiving access data packets sent by a plurality of clients;
acquiring an access ip in an access data packet, and obtaining an access geographical position corresponding to the ip according to the access ip;
comparing the access geographic position with the historical access geographic position corresponding to the ip;
comparing the access time with the service limit time period;
when the access geographic position is different from the historical access geographic position and the access time is within the service limit time period;
obtaining service port types in access data packets sent by a plurality of clients;
if the service port type is an entrance service port, sending a port closing message to a corresponding client;
if the service port type is a conventional service port, changing the port verification process information of the corresponding client into a port verification process corresponding to the special service port;
acquiring the increased number of service users within preset time;
calculating the ratio of the number of the service users to the preset time to obtain a user increase ratio value;
and comparing the user increase proportion value with a preset increase proportion threshold, and executing a preset callback strategy if the user increase proportion value is smaller than the increase proportion threshold.
7. An intelligent terminal, comprising a memory and a processor, the memory having stored thereon computer program instructions which are loadable by the processor and adapted to carry out the method according to any of claims 1-5.
8. A computer-readable storage medium, in which a computer program is stored which can be loaded by a processor and which executes the method according to any one of claims 1-5.
CN202210432579.3A 2022-04-24 2022-04-24 Server port hiding method and system Active CN114531303B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210432579.3A CN114531303B (en) 2022-04-24 2022-04-24 Server port hiding method and system

Publications (2)

Publication Number Publication Date
CN114531303A CN114531303A (en) 2022-05-24
CN114531303B true CN114531303B (en) 2022-07-12

Family

ID=81627885

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210432579.3A Active CN114531303B (en) 2022-04-24 2022-04-24 Server port hiding method and system

Country Status (1)

Country Link
CN (1) CN114531303B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106790194A (en) * 2016-12-30 2017-05-31 中国银联股份有限公司 A kind of access control method and device based on ssl protocol
CN112839062A (en) * 2021-04-20 2021-05-25 北京天维信通科技有限公司 Port hiding method, device and equipment with mixed authentication signals

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109495431B (en) * 2017-09-13 2021-04-20 华为技术有限公司 Access control method, device and system and switch
CN112165536B (en) * 2020-09-11 2022-11-11 中国银联股份有限公司 Network terminal authentication method and device
CN113949528A (en) * 2021-09-09 2022-01-18 中云网安科技有限公司 Access control method and device based on flow data, storage medium and equipment
CN113992354A (en) * 2021-09-28 2022-01-28 新华三信息安全技术有限公司 Identity authentication method, device, equipment and machine readable storage medium

Also Published As

Publication number Publication date
CN114531303A (en) 2022-05-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant