CN109688104A - It is a kind of to realize the system and method for the hiding host in network - Google Patents
- Publication number: CN109688104A (application number CN201811360364.5A)
- Authority: CN (China)
- Prior art keywords: client modules, kernel security modules, request, security modules
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H: ELECTRICITY > H04: ELECTRIC COMMUNICATION TECHNIQUE > H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00: Network architectures or network communication protocols for network security
- H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/02 > H04L63/0227 (Filtering policies) > H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/02 > H04L63/0227 (Filtering policies) > H04L63/0245: Filtering by information in the payload
- H04L63/08 (authentication of entities) > H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L2101/00 (Indexing scheme associated with group H04L61/00) > H04L2101/60 (Types of network addresses) > H04L2101/618 (Details of network addresses) > H04L2101/663: Transport layer addresses, e.g. aspects of transmission control protocol [TCP] or user datagram protocol [UDP] ports
Abstract
The application belongs to the field of information technology protocols, and in particular to a system and method for hiding a host in a network. The system includes a client module, which sends an encrypted IP access authentication request to the kernel security module; a kernel security module, which performs security authentication on the content of the client module's request; and a configuration module, which configures the kernel security module. The kernel security module and the configuration module are deployed on the server and the client module is deployed on the client; the kernel security module is connected to the configuration module and to the client module respectively. The invention performs access control at the IP layer, so it is suitable for protecting any application host: the server responds only to TCP connection requests initiated from trusted IPs and makes no response whatsoever to TCP connection requests from untrusted IPs, so the host cannot be discovered by port scanning, and no additional authentication server is required.
Description
Technical field
The application belongs to the field of information technology protocols, and in particular to a system and method for hiding a host in a network.
Background technique
Any client can initiate network access to a server exposed to the public network, so such a server is at risk of network attack. The traditional security solution is either to deploy a firewall or IDS device in front of the server, so that packets reach the host only after being filtered by the firewall or IDS, or to harden the server host and apply access control to the host's resources. These solutions are effective only against known attacks: because no IP access control is applied to open ports, any external IP can scan the open ports and discover security vulnerabilities, and since new attack methods emerge one after another, attacks from the network are difficult to prevent.
Related existing applications include the invention patent application 201010291551.X, entitled "Method and device for preventing CC attacks", and the invention patent application 201410409718.6, entitled "Portal authentication method based on an APP application and device therefor". These patents perform access control at the application layer and are limited to protecting WEB servers: the server still responds to every TCP connection request initiated by a client, so they do not solve the problem of resisting port scanning, and they require a dedicated authentication server to perform the authentication.
Summary of the invention
To solve the problem that, once a host on the public network opens network ports, IP access control cannot be applied to those ports, the present application proposes a system and method for hiding a host in a network, which hides the server host so as to reduce or even prevent attacks from the network.
To achieve the above object, the specific scheme of the application is as follows:
A system for hiding a host in a network, characterized in that it includes:
Client module: for sending an encrypted IP access authentication request to the kernel security module;
Kernel security module: for performing security authentication on the content of the client module's request;
Configuration module: for configuring the kernel security module;
The kernel security module and the configuration module are deployed on the server and the client module is deployed on the client; the kernel security module is connected to the configuration module and to the client module respectively.
A method for hiding a host in a network, comprising the following steps:
(1) The kernel security module is configured through the configuration module, for example the IP white list, the decryption key parameters, the timeout parameters and the port of the security module. The kernel security module allows only trusted IPs to communicate with the server; packets from all other IPs are dropped without exception;
(2) The client module sends an encrypted IP access authentication request to the kernel security module;
(3) After the kernel security module receives the IP access authentication request, it decrypts the request message and extracts the information in the request. If all fields of the authentication request are legal, authentication passes: the client's IP is added to the trusted IP list, its UUID and sequence number ID are recorded, and timing starts;
(4) The client module initiates normal IP communication with the server. When an IP packet reaches the kernel security module it is not filtered, because the client's IP is in the trusted IP list; the kernel security module hands the IP packet to the protocol stack and the application for processing.
(5) If the client and the server exchange no data within the timeout period, the kernel security module removes the client IP from the trusted IP list.
The IP authentication request message in step (2) contains the client's timestamp, UUID and sequence number ID; the sequence number ID is incremented by 1 on every send.
In step (3), if the authentication request is illegal, the packet is dropped.
The advantages of the application are:
1. The present invention performs access control at the IP layer and is suitable for protecting any application host. The server responds only to TCP connection requests initiated from trusted IPs and makes no response whatsoever to TCP connection requests from untrusted IPs, so the host cannot be discovered by port scanning, and no additional authentication server is required.
2. A traditional firewall can add a source IP to the server's white list only through configuration, whereas the present invention adds the client's IP to the server's trusted IP list through an authentication request sent by the client. The server completes authentication of the client's request in kernel mode, and the host's firewall need not open the port used by the authentication request.
3. The present invention uses a trusted-IP mechanism: only hosts on the IP white list configured on the server and hosts with the client module installed can communicate with the server over IP, which prevents the server from being discovered by attackers. A new client host must first install software that integrates the client module before it can communicate with the server.
4. The server host can be seen only from the IPs it trusts; whether the host is on an intranet or on the public network, untrusted clients cannot find it through network means such as ping or port scanning.
5. Even if an attacker knows the server's IP and its open ports, the attacker cannot communicate with the server and therefore cannot attack it through network means.
6. An attacker cannot forge an authentication request packet by modifying an original authentication request packet; each authentication request can be used only once.
Detailed description of the invention
Fig. 1 is the system structure diagram of the invention.
Fig. 2 is the schematic flow chart of the method of the invention.
Specific embodiment
Embodiment 1
A system for hiding a host in a network, characterized in that it includes:
Client module: for sending an encrypted IP access authentication request to the kernel security module;
Kernel security module: for performing security authentication on the content of the client module's request;
Configuration module: for configuring the kernel security module;
The kernel security module and the configuration module are deployed on the server and the client module is deployed on the client; the kernel security module is connected to the configuration module and to the client module respectively.
Embodiment 2
A method for hiding a host in a network, comprising the following steps:
(1) The kernel security module is configured through the configuration module, for example the IP white list, the decryption key parameters, the timeout parameters and the port of the security module. The kernel security module allows only trusted IPs to communicate with the server; packets from all other IPs are dropped without exception;
(2) The client module sends an encrypted IP access authentication request to the kernel security module;
(3) After the kernel security module receives the IP access authentication request, it decrypts the request message and extracts the information in the request. If all fields of the authentication request are legal, authentication passes: the client's IP is added to the trusted IP list, its UUID and sequence number ID are recorded, and timing starts;
(4) The client module initiates normal IP communication with the server. When an IP packet reaches the kernel security module it is not filtered, because the client's IP is in the trusted IP list; the kernel security module hands the IP packet to the protocol stack and the application for processing.
(5) If the client and the server exchange no data within the timeout period, the kernel security module removes the client IP from the trusted IP list.
The IP authentication request message in step (2) contains the client's timestamp, UUID and sequence number ID; the sequence number ID is incremented by 1 on every send.
In step (3), if the authentication request is illegal, the packet is dropped.
The present invention performs access control at the IP layer and is suitable for protecting any application host: the server responds only to TCP connection requests initiated from trusted IPs and makes no response whatsoever to TCP connection requests from untrusted IPs, so the host cannot be discovered by port scanning, and no additional authentication server is required. A traditional firewall can add a source IP to the server's white list only through configuration, whereas the present invention adds the client's IP to the server's trusted IP list through an authentication request sent by the client; the server completes authentication of the client's request in kernel mode, and the host's firewall need not open the port used by the authentication request.
The present invention uses a trusted-IP mechanism: only hosts on the IP white list configured on the server and hosts with the client module installed can communicate with the server over IP, which prevents the server from being discovered by attackers. A new client host must first install software that integrates the client module before it can communicate with the server. The server host can be seen only from the IPs it trusts; whether the host is on an intranet or on the public network, untrusted clients cannot find it through network means such as ping or port scanning. Even if an attacker knows the server's IP and its open ports, the attacker cannot communicate with the server and therefore cannot attack it through network means. An attacker cannot forge an authentication request packet by modifying an original authentication request packet, and each authentication request can be used only once.
Embodiment 3
The specific implementation process, taking a Linux system as an example:
(1) On initialization the kernel security module reads parameters such as the decryption key for authentication requests, the port number, the white list and the (optional) kernel security module password, and registers NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT hook functions through netfilter.
(2) The configuration module communicates with the kernel security module over a Netlink socket to distribute configuration and collect state information: mainly updating the decryption key, port number, white list and (optional) password, and retrieving information such as the trusted IPs, the white list and the state of the kernel security module.
(3) The client module sends a UDP authentication request packet to the port configured on the kernel security module. The authentication request packet contains a UUID string associated with the server IP, a sequence number ID and the (optional) kernel security module password, and is encrypted with an asymmetric cipher such as RSA. The client module can be integrated into client software and browsers.
(4) The firewall on the server host does not need to open the UDP port used by the authentication request. The NF_IP_PRE_ROUTING hook function registered by the kernel security module processes the packets received by the network card: non-IP packets and broadcast packets are handed to the protocol stack. If the packet is an authentication request, it is decrypted and the information it carries is checked for legality, mainly whether the client's timestamp is within the error range of the server's timestamp, whether the sequence number ID has been incremented, and whether the password is legal; if decryption fails or a field is illegal the packet is dropped, and if everything is legal the IP is added to the trusted IP list. Any other IP packet is handed to the protocol stack if its source IP is in the trusted IP list, and dropped otherwise.
(5) The NF_IP_LOCAL_OUT hook function registered by the kernel security module adds the IPs that the server actively accesses to a temporary trust list, so that the server host's outbound IP communication is not restricted.
(6) Optionally, when the kernel security module finds that some IP is frequently sending illegal authentication request packets (for example with a fixed timestamp or sequence number ID), that IP can be added to a blacklist; packets received from a blacklisted IP are dropped directly.
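As an added example (not the patent's code, and not a kernel module), the following user-space C model shows the decision logic that steps (1) to (5) above and the method of Embodiment 2 describe: a trusted-IP list with an idle timeout, validation of a decrypted authentication request (timestamp within the allowed error, a strictly increasing sequence number per UUID, optional password), the verdict of the PRE_ROUTING hook, and the temporary trust added by the LOCAL_OUT hook. RSA decryption of the UDP payload, the netfilter registration itself and the optional blacklist of step (6) are left out; a packet arriving on the authentication port carries either its already-decrypted fields or NULL when decryption failed. All struct and function names, the field names `auth_port` and `clock_skew_s`, and the sample addresses are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_ENTRIES 16
#define UUID_LEN 40

enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* Parameters distributed by the configuration module (steps 1 and 2); names assumed. */
struct config {
    uint16_t auth_port;             /* UDP port the client sends authentication requests to */
    uint32_t timeout_s;             /* idle seconds after which a trusted IP is removed */
    uint32_t clock_skew_s;          /* allowed error between client and server timestamps */
    const char *password;           /* optional module password; NULL disables the check */
    uint32_t whitelist[MAX_ENTRIES];
    size_t n_whitelist;
};

/* Fields carried inside the (already decrypted) authentication request (step 3). */
struct auth_request {
    const char *uuid;
    uint32_t seq_id;
    uint32_t timestamp;
    const char *password;
};

/* The parts of a received packet that the PRE_ROUTING hook looks at. */
struct packet {
    bool is_ip, is_broadcast, is_udp;
    uint32_t src_ip;
    uint16_t dst_port;
    const struct auth_request *auth; /* decrypted fields, or NULL if decryption failed */
};

struct trusted { uint32_t ip; uint32_t last_seen; };
struct seq_record { char uuid[UUID_LEN]; uint32_t last_seq; }; /* kept after trust expires */

struct module_state {
    struct config cfg;
    struct trusted trusted[MAX_ENTRIES]; size_t n_trusted;
    struct seq_record seqs[MAX_ENTRIES]; size_t n_seqs;
};

static int find_trusted(const struct module_state *st, uint32_t ip) {
    for (size_t i = 0; i < st->n_trusted; i++)
        if (st->trusted[i].ip == ip) return (int)i;
    return -1;
}

static bool is_whitelisted(const struct module_state *st, uint32_t ip) {
    for (size_t i = 0; i < st->cfg.n_whitelist; i++)
        if (st->cfg.whitelist[i] == ip) return true;
    return false;
}

/* Add an IP to the trust list or refresh its timer; false if the list is full. */
static bool trust_ip(struct module_state *st, uint32_t ip, uint32_t now) {
    int i = find_trusted(st, ip);
    if (i < 0) {
        if (st->n_trusted == MAX_ENTRIES) return false;
        i = (int)st->n_trusted++;
        st->trusted[i].ip = ip;
    }
    st->trusted[i].last_seen = now;
    return true;
}

/* Step (3): every field must be legal. The last sequence number is tracked per UUID
 * so that a captured request cannot be replayed, even after its trust entry expired. */
bool validate_auth(struct module_state *st, const struct auth_request *req, uint32_t now) {
    uint32_t skew = req->timestamp > now ? req->timestamp - now : now - req->timestamp;
    if (skew > st->cfg.clock_skew_s) return false;
    if (st->cfg.password && (!req->password || strcmp(req->password, st->cfg.password) != 0))
        return false;
    for (size_t i = 0; i < st->n_seqs; i++) {
        if (strcmp(st->seqs[i].uuid, req->uuid) == 0) {
            if (req->seq_id <= st->seqs[i].last_seq) return false; /* replayed or stale */
            st->seqs[i].last_seq = req->seq_id;
            return true;
        }
    }
    if (st->n_seqs == MAX_ENTRIES) return false;
    snprintf(st->seqs[st->n_seqs].uuid, UUID_LEN, "%s", req->uuid);
    st->seqs[st->n_seqs++].last_seq = req->seq_id;
    return true;
}

/* Embodiment 3 step (4): verdict of the NF_IP_PRE_ROUTING hook. */
enum verdict hook_pre_routing(struct module_state *st, const struct packet *pkt, uint32_t now) {
    if (!pkt->is_ip || pkt->is_broadcast) return VERDICT_ACCEPT;       /* left to the stack */
    if (pkt->is_udp && pkt->dst_port == st->cfg.auth_port) {
        if (pkt->auth && validate_auth(st, pkt->auth, now)) trust_ip(st, pkt->src_ip, now);
        return VERDICT_DROP;  /* consumed here: it never reaches the stack, so nothing answers it */
    }
    int i = find_trusted(st, pkt->src_ip);
    if (i >= 0) { st->trusted[i].last_seen = now; return VERDICT_ACCEPT; }
    return is_whitelisted(st, pkt->src_ip) ? VERDICT_ACCEPT : VERDICT_DROP;
}

/* Embodiment 3 step (5): NF_IP_LOCAL_OUT adds the peer of outbound traffic to the
 * temporary trust list so the server's own connections are not restricted. */
void hook_local_out(struct module_state *st, uint32_t dst_ip, uint32_t now) {
    if (find_trusted(st, dst_ip) < 0) trust_ip(st, dst_ip, now);
}

/* Method step (5): remove entries idle longer than the timeout; returns how many went. */
size_t expire_idle(struct module_state *st, uint32_t now) {
    size_t kept = 0;
    for (size_t i = 0; i < st->n_trusted; i++)
        if (now - st->trusted[i].last_seen <= st->cfg.timeout_s) st->trusted[kept++] = st->trusted[i];
    size_t removed = st->n_trusted - kept;
    st->n_trusted = kept;
    return removed;
}
```

Driving these functions in order shows the property the patent relies on: before a valid request, a TCP packet from the client to port 22 is dropped without any reply; after it, the same packet is handed to the stack; and once the idle timeout has removed the entry, a replay of the captured request is rejected because its sequence number is no longer greater than the recorded one, so the sequence record has to outlive the trust entry.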
Claims (4)
1. A system for hiding a host in a network, characterized in that it includes:
Client module: for sending an encrypted IP access authentication request to the kernel security module;
Kernel security module: for performing security authentication on the content of the client module's request;
Configuration module: for configuring the kernel security module;
the kernel security module and the configuration module are deployed on the server and the client module is deployed on the client, and the kernel security module is connected to the configuration module and to the client module respectively.
2. A method for hiding a host in a network, characterized in that it comprises the following steps:
(1) The kernel security module is configured through the configuration module, for example the IP white list, the decryption key parameters, the timeout parameters and the port of the security module;
the kernel security module allows only trusted IPs to communicate with the server, and packets from all other IPs are dropped without exception;
(2) The client module sends an encrypted IP access authentication request to the kernel security module;
(3) After the kernel security module receives the IP access authentication request, it decrypts the request message and extracts the information in the request; if all fields of the authentication request are legal, authentication passes, the client's IP is added to the trusted IP list, its UUID and sequence number ID are recorded, and timing starts;
(4) The client module initiates normal IP communication with the server; when an IP packet reaches the kernel security module it is not filtered, because the client's IP is in the trusted IP list, and the kernel security module hands the IP packet to the protocol stack and the application for processing;
(5) If the client and the server exchange no data within the timeout period, the kernel security module removes the client IP from the trusted IP list.
3. The method for hiding a host in a network according to claim 2, characterized in that the IP authentication request message in step (2) contains the client's timestamp, UUID and sequence number ID, and the sequence number ID is incremented by 1 on every send.
4. The method for hiding a host in a network according to claim 2, characterized in that in step (3), if the authentication request is illegal, the packet is dropped.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811360364.5A CN109688104A (en) | 2018-11-15 | 2018-11-15 | It is a kind of to realize the system and method for the hiding host in network |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109688104A true CN109688104A (en) | 2019-04-26 |
Family
ID=66185740
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201811360364.5A Pending CN109688104A (en) | 2018-11-15 | 2018-11-15 | It is a kind of to realize the system and method for the hiding host in network |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN109688104A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111371748A (en) * | 2020-02-21 | 2020-07-03 | 浙江德迅网络安全技术有限公司 | Method for realizing WEB firewall on cloud platform |
CN112839062A (en) * | 2021-04-20 | 2021-05-25 | 北京天维信通科技有限公司 | Port hiding method, device and equipment with mixed authentication signals |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101436958A (en) * | 2007-11-16 | 2009-05-20 | 太极计算机股份有限公司 | Method for resisting abnegation service aggression |
CN101789947A (en) * | 2010-02-21 | 2010-07-28 | 成都市华为赛门铁克科技有限公司 | Method and firewall for preventing HTTP POST flooding attacks |
CN102984153A (en) * | 2012-11-29 | 2013-03-20 | 华为技术有限公司 | Hacker preventing method, equipment and system |
CN104917779A (en) * | 2015-06-26 | 2015-09-16 | 北京奇虎科技有限公司 | Protection method of CC attack based on cloud, device thereof and system thereof |
CN106230861A (en) * | 2016-09-07 | 2016-12-14 | 上海斐讯数据通信技术有限公司 | A kind of router fire wall lower network access method and router |
CN108471432A (en) * | 2018-07-11 | 2018-08-31 | 北京智芯微电子科技有限公司 | Prevent web application interface by the method for malicious attack |
Events
- 2018-11-15: CN CN201811360364.5A patent/CN109688104A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | Application publication date: 20190426 |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | |