CN109688104A - System and method for hiding a host in a network - Google Patents

It is a kind of to realize the system and method for the hiding host in network Download PDF

Info

Publication number
CN109688104A
CN109688104A
Authority
CN
China
Prior art keywords
client
modules
kernel security
request
security modules
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811360364.5A
Other languages
Chinese (zh)
Inventor
林康
罗鹰
谭春海
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CHENGDU COLASOFT Co Ltd
Original Assignee
CHENGDU COLASOFT Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CHENGDU COLASOFT Co Ltd
Priority to CN201811360364.5A
Publication of CN109688104A
Legal status: Pending

Classifications

    • H04L 63/00 (H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION): Network architectures or network communication protocols for network security
    • H04L 63/10: for controlling access to devices or network resources
    • H04L 63/02: for separating internal from external traffic, e.g. firewalls; H04L 63/0227: Filtering policies; H04L 63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H04L 63/02: for separating internal from external traffic, e.g. firewalls; H04L 63/0227: Filtering policies; H04L 63/0245: Filtering by information in the payload
    • H04L 63/08: for authentication of entities; H04L 63/0876: based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L 2101/00 (Indexing scheme associated with group H04L 61/00); H04L 2101/60: Types of network addresses; H04L 2101/618: Details of network addresses; H04L 2101/663: Transport layer addresses, e.g. aspects of transmission control protocol [TCP] or user datagram protocol [UDP] ports

Abstract

The application belongs to the field of information technology protocols and in particular to a system and method for hiding a host in a network. The system includes a client module, which sends an encrypted IP access authentication request to the kernel security module; a kernel security module, which performs security authentication on the content of the client module's request; and a configuration module, which configures the kernel security module. The kernel security module and the configuration module are deployed on the server, the client module is deployed on the client, and the kernel security module is signal-connected to the configuration module and to the client module respectively. The invention performs access control at the IP layer and is suitable for protecting any application host: the server responds only to TCP connection requests initiated from trusted IPs and makes no response of any kind to TCP connection requests initiated from untrusted IPs, so the host cannot be found by port scanning, and no additional authentication server is needed.

Description

It is a kind of to realize the system and method for the hiding host in network
Technical field
The application belongs to the field of information technology protocols, and in particular to a system and method for hiding a host in a network.
Background technique
For a network server exposed to the public network, any client can initiate network access to it, so there is a risk of attack via the network. Traditional security solutions deploy a firewall or IDS device in front of the server so that packets reach the host only after being filtered by the firewall or IDS device, or harden the server host and apply access control to the host's resources. These solutions are only effective against known attacks: because no IP access control is applied to the open ports, any external IP can scan the open ports and discover security vulnerabilities, and since new attack methods emerge one after another, attacks from the network are difficult to prevent.
Existing related applications include patent application No. 201010291551.X, entitled "Method and device for preventing CC attacks", and patent application No. 201410409718.6, entitled "APP-application-based Portal authentication method and device". Both perform access control at the application layer and are limited to protecting WEB servers; the server still responds to every TCP connection request initiated by a client, so the problem of resisting port scanning is not solved, and a dedicated authentication server is needed for authentication.
Summary of the invention
To solve the problem that, once a host on the public network has opened network ports, IP access control cannot be applied to those ports, a system and method for hiding a host in a network is proposed that hides the server host in order to reduce or even prevent attacks from the network.
To achieve the above object, the specific scheme of the application is:
A system for hiding a host in a network, characterized in that it includes:
Client module: sends an encrypted IP access authentication request to the kernel security module;
Kernel security module: performs security authentication on the content of the client module's request;
Configuration module: configures the kernel security module;
The kernel security module and the configuration module are deployed on the server, the client module is deployed on the client, and the kernel security module is signal-connected to the configuration module and to the client module respectively.
A method for hiding a host in a network, characterized in that it comprises the following steps:
(1) The kernel security module is configured through the configuration module, for example the IP white list, the decryption key parameters, the timeout parameter and the port of the security module. The kernel security module allows only trusted IPs to communicate with the server; packets from any other IP are all dropped;
(2) The client module sends an encrypted IP access authentication request to the kernel security module;
(3) After the kernel security module receives the IP access authentication request, it decrypts the request message and extracts the request's information. If all fields of the authentication request are legal, authentication passes: the client's IP is added to the trusted IP list, its UUID and sequence number ID are recorded, and timing starts;
(4) The client module initiates normal IP communication with the server. When the IP packets reach the kernel security module they are not filtered by the security module, because the client IP is in the trusted IP list, and the kernel security module hands the IP packets to the protocol stack for application processing.
(5) If there is no data communication between the client and the server within the timeout period, the kernel security module removes the client IP from the trusted IP list.
The IP authentication request message in step (2) contains a timestamp, the client's UUID and a sequence number ID; the sequence number ID is incremented by 1 on every send.
In step (3), if the authentication request is illegal, the packet is dropped.
The advantages of the application are:
1. The invention performs access control at the IP layer and is suitable for protecting any application host. The server responds only to TCP connection requests initiated from trusted IPs and makes no response to TCP connection requests initiated from untrusted IPs, so the host cannot be found by port scanning, and no additional authentication server is needed.
2. A traditional firewall can only add a source IP to the server's white list by configuration, whereas the invention adds the client's IP to the server's trusted IP list through an authentication request sent by the client. The server completes the authentication of the client's request in kernel mode, without the host's firewall having to open the port used for authentication requests.
3. The invention uses a trusted-IP mechanism: only hosts on the server's IP white list or hosts with the client module installed can communicate with the server over IP, which prevents the server from being discovered by attackers. A new client host must first install software that integrates the client module before it can communicate with the server.
4. The server host can be seen only by the IPs it trusts. Whether the host is on an intranet or on the public network, untrusted clients cannot discover it by network means such as ping or port scanning.
5. Even if an attacker knows the server's IP and its open ports, it still cannot communicate with the server, so the attacker cannot attack it by network means.
6. An attacker cannot forge an authentication request packet by modifying an original authentication request packet; an authentication request can be used only once.
Detailed description of the invention
Fig. 1 is the system structure diagram of the invention.
Fig. 2 is the schematic flow diagram of the method of the invention.
Specific embodiment
Embodiment 1
It is a kind of to realize the system of the hiding host in network, it is characterised in that: including
Client modules: for sending the IP access registrar request of encryption to kernel security modules;
Kernel security modules: safety certification is carried out for the request content to client modules;
Configuration module: for being configured to kernel security modules;
The kernel security modules and configuration module are deployed in server, and client modules are deployed in client, the kernel peace Full module is connected respectively at configuration module with client modules signal.
Embodiment 2
A method of it realizes the hiding host in network, which comprises the steps of:
(1) The kernel security module is configured through the configuration module, for example the IP white list, the decryption key parameters, the timeout parameter and the port of the security module. The kernel security module allows only trusted IPs to communicate with the server; packets from any other IP are all dropped;
(2) The client module sends an encrypted IP access authentication request to the kernel security module;
(3) After the kernel security module receives the IP access authentication request, it decrypts the request message and extracts the request's information. If all fields of the authentication request are legal, authentication passes: the client's IP is added to the trusted IP list, its UUID and sequence number ID are recorded, and timing starts;
(4) The client module initiates normal IP communication with the server. When the IP packets reach the kernel security module they are not filtered by the security module, because the client IP is in the trusted IP list, and the kernel security module hands the IP packets to the protocol stack for application processing.
(5) If there is no data communication between the client and the server within the timeout period, the kernel security module removes the client IP from the trusted IP list.
The IP authentication request message in step (2) contains a timestamp, the client's UUID and a sequence number ID; the sequence number ID is incremented by 1 on every send.
In step (3), if the authentication request is illegal, the packet is dropped.
The invention performs access control at the IP layer and is suitable for protecting any application host. The server responds only to TCP connection requests initiated from trusted IPs and makes no response to TCP connection requests initiated from untrusted IPs, so the host cannot be found by port scanning, and no additional authentication server is needed. A traditional firewall can only add a source IP to the server's white list by configuration, whereas the invention adds the client's IP to the server's trusted IP list through an authentication request sent by the client; the server completes the authentication of the client's request in kernel mode, without the host's firewall having to open the port used for authentication requests.
The invention uses a trusted-IP mechanism: only hosts on the server's IP white list or hosts with the client module installed can communicate with the server over IP, which prevents the server from being discovered by attackers. A new client host must first install software that integrates the client module before it can communicate with the server. The server host can be seen only by the IPs it trusts; whether the host is on an intranet or on the public network, untrusted clients cannot discover it by network means such as ping or port scanning.
Even if an attacker knows the server's IP and its open ports, it still cannot communicate with the server, so the attacker cannot attack it by network means. An attacker cannot forge an authentication request packet by modifying an original authentication request packet; an authentication request is used only once.
Embodiment 3
The specific implementation process is described taking a Linux system as an example:
(1) At initialization the kernel security module reads parameters such as the authentication-request decryption key, the port number, the white list and the (optional) password of the kernel security module, and registers NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT hook functions through netfilter.
(2) The configuration module communicates with the kernel security module over a Netlink socket to deliver configuration and collect state: mainly updating the decryption key, port number, white list and (optional) password, and collecting information such as the trusted IPs, the white list and the state of the kernel security module.
(3) The client module sends a UDP authentication request packet to the port configured on the kernel security module. The packet contains a UUID string associated with the server IP, the sequence number ID and the (optional) password of the kernel security module, and is encrypted with asymmetric encryption (such as RSA). The client module can be integrated into client software and browsers.
(4) The firewall on the server host does not need to open the UDP port used for authentication requests. The NF_IP_PRE_ROUTING hook function registered by the kernel security module processes the packets received by the network card; non-IP packets and broadcast packets are handed to the protocol stack. If the packet is an authentication request packet, it is decrypted and the carried information is checked for legality, mainly whether the client's timestamp is within the error range of the server's timestamp, whether the sequence number ID has been incremented, and whether the password is legal; if decryption fails or a field is illegal the packet is dropped, and if everything is legal the IP is added to the trusted IP list. Any other IP packet is handed to the protocol stack if its source IP is in the trusted IP list, and dropped otherwise.
(5) The NF_IP_LOCAL_OUT hook function registered by the kernel security module adds the IPs that the server itself actively accesses to a temporary trust list, so that the server host's outbound IP communication is not restricted.
(6) Optionally, when the kernel security module finds that some IP keeps sending illegal authentication request packets (for example with a fixed timestamp or sequence number ID), it can add that IP to a blacklist. Packets received from a blacklisted IP are dropped directly.
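The verdict logic of method steps (1) to (5) and of Embodiment 3 steps (4) and (5), as an added user-space C model; this is illustration code, not code from the patent or from its assignee. A real implementation would run the same decisions inside the NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT hooks; here the hook dispatch is replaced by two plain functions. The RSA decryption of the UDP authentication packet is assumed to have happened already (auth_request holds the plaintext fields), the optional password, the UUID bookkeeping and the optional blacklist of step (6) are left out, and the table size, timeout, clock-error window and all 10.0.0.x addresses are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Added example, not code from the patent: user-space model of the verdict logic
 * that Embodiment 3 puts in the NF_IP_PRE_ROUTING and NF_IP_LOCAL_OUT hooks.
 * Decryption of the UDP auth packet is assumed done, so auth_request is plaintext;
 * the optional password, UUID bookkeeping and blacklist are omitted. Table size,
 * timeout, clock window and all addresses below are constructed. */
#define MAX_ENTRIES 32
enum verdict { VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };
struct auth_request { uint32_t src_ip, seq_id; int64_t timestamp; }; /* seq_id: +1 per request sent */
struct trust_entry {
    uint32_t ip, last_seq;  /* highest sequence number accepted from this IP */
    int64_t  last_seen;     /* idle timer, refreshed by every accepted packet */
    bool     permanent;     /* configured white-list entries never expire */
    bool     in_use;
};
struct security_module {
    struct trust_entry trusted[MAX_ENTRIES];
    int64_t timeout;        /* idle timeout from the configuration module, seconds */
    int64_t max_skew;       /* tolerated client/server clock error, seconds */
};
void ksm_init(struct security_module *m, int64_t timeout, int64_t max_skew)
{
    memset(m, 0, sizeof *m);
    m->timeout = timeout;
    m->max_skew = max_skew;
}
static struct trust_entry *ksm_find(struct security_module *m, uint32_t ip)
{
    for (int i = 0; i < MAX_ENTRIES; i++)
        if (m->trusted[i].in_use && m->trusted[i].ip == ip) return &m->trusted[i];
    return NULL;
}
static struct trust_entry *ksm_add(struct security_module *m, uint32_t ip, bool permanent, int64_t now)
{
    struct trust_entry *e = ksm_find(m, ip);
    for (int i = 0; !e && i < MAX_ENTRIES; i++)
        if (!m->trusted[i].in_use) { e = &m->trusted[i]; memset(e, 0, sizeof *e); e->ip = ip; e->in_use = true; }
    if (!e) return NULL;                      /* table full: fail closed rather than trust */
    e->permanent = e->permanent || permanent;
    e->last_seen = now;
    return e;
}
/* Step (1): static white-list entry pushed down by the configuration module. */
bool ksm_whitelist_add(struct security_module *m, uint32_t ip) { return ksm_add(m, ip, true, 0) != NULL; }
/* Step (3): verify a decrypted auth request that arrived on the configured UDP port. */
enum verdict ksm_handle_auth(struct security_module *m, const struct auth_request *r, int64_t now)
{
    struct trust_entry *e = ksm_find(m, r->src_ip);
    int64_t skew = r->timestamp - now;
    if (skew < -m->max_skew || skew > m->max_skew) return VERDICT_DROP;  /* timestamp outside the window */
    if (e && r->seq_id <= e->last_seq) return VERDICT_DROP;             /* replayed or reordered request */
    if (!(e = ksm_add(m, r->src_ip, false, now))) return VERDICT_DROP;
    e->last_seq = r->seq_id;                                            /* record the ID, start timing */
    return VERDICT_ACCEPT;
}
/* Steps (4) and (5): NF_IP_PRE_ROUTING verdict for an ordinary inbound IP packet. */
enum verdict ksm_filter_inbound(struct security_module *m, uint32_t src_ip, int64_t now)
{
    struct trust_entry *e = ksm_find(m, src_ip);
    if (!e) return VERDICT_DROP;                               /* untrusted IP: silent drop, no reply */
    if (!e->permanent && now - e->last_seen > m->timeout) {    /* idle past the timeout: forget the IP */
        e->in_use = false;
        return VERDICT_DROP;
    }
    e->last_seen = now;
    return VERDICT_ACCEPT;
}
/* Embodiment 3 step (5): NF_IP_LOCAL_OUT gives the peer of server-initiated traffic a temporary entry. */
void ksm_local_out(struct security_module *m, uint32_t dst_ip, int64_t now) { ksm_add(m, dst_ip, false, now); }
/* Walks the method on constructed inputs: 0 if every verdict matches the text, else the failing check. */
int ksm_scenario(void)
{
    struct security_module m;
    ksm_init(&m, 60, 30);
    const uint32_t client = 0x0A000005, peer = 0x0A000001, listed = 0x0A000002;  /* constructed 10.0.0.x */
    struct auth_request r = { client, 1, 1000 };
    ksm_whitelist_add(&m, listed);
    if (ksm_filter_inbound(&m, listed, 999999) != VERDICT_ACCEPT) return 1;   /* white list never expires */
    if (ksm_filter_inbound(&m, client, 1000) != VERDICT_DROP) return 2;       /* not yet authenticated */
    if (ksm_handle_auth(&m, &r, 1000) != VERDICT_ACCEPT) return 3;
    if (ksm_filter_inbound(&m, client, 1010) != VERDICT_ACCEPT) return 4;     /* trusted: passed to the stack */
    if (ksm_handle_auth(&m, &r, 1020) != VERDICT_DROP) return 5;              /* same request replayed */
    r.seq_id = 2; r.timestamp = 1500;
    if (ksm_handle_auth(&m, &r, 1020) != VERDICT_DROP) return 6;              /* timestamp outside the window */
    if (ksm_filter_inbound(&m, client, 1100) != VERDICT_DROP) return 7;       /* idle 90 s > 60 s timeout */
    ksm_local_out(&m, peer, 2000);
    if (ksm_filter_inbound(&m, peer, 2005) != VERDICT_ACCEPT) return 8;       /* reply to server-initiated flow */
    return 0;
}
int main(void) { int rc = ksm_scenario(); printf("ksm_scenario -> %d\n", rc); return rc; }
```

Two design points worth noting. The untrusted-IP branch of ksm_filter_inbound drops without generating any reply, which is what makes the host invisible to a scanner: a RST or ICMP unreachable would reveal that something is listening. The replay check compares only against the highest sequence number already accepted, so it depends on the timestamp window to bound how long an intercepted packet stays usable; in the patent's design the asymmetric encryption is what prevents an observer from re-encoding a captured request with a fresh sequence number. In current Linux kernels the hook constants are named NF_INET_PRE_ROUTING and NF_INET_LOCAL_OUT; the NF_IP_ names used in the text are the older spelling.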

Claims (4)

1. A system for hiding a host in a network, characterized in that it includes:
Client module: sends an encrypted IP access authentication request to the kernel security module;
Kernel security module: performs security authentication on the content of the client module's request;
Configuration module: configures the kernel security module;
The kernel security module and the configuration module are deployed on the server, the client module is deployed on the client, and the kernel security module is signal-connected to the configuration module and to the client module respectively.
2. A method for hiding a host in a network, characterized in that it comprises the following steps:
(1) The kernel security module is configured through the configuration module, for example the IP white list, the decryption key parameters, the timeout parameter and the port of the security module;
The kernel security module allows only trusted IPs to communicate with the server, and packets from any other IP are dropped without exception;
(2) The client module sends an encrypted IP access authentication request to the kernel security module;
(3) After the kernel security module receives the IP access authentication request, it decrypts the request message and extracts the request's information. If all fields of the authentication request are legal, authentication passes: the client's IP is added to the trusted IP list, its UUID and sequence number ID are recorded, and timing starts;
(4) The client module initiates normal IP communication with the server. When the IP packets reach the kernel security module they are not filtered by the security module, because the client IP is in the trusted IP list, and the kernel security module hands the IP packets to the protocol stack for application processing;
(5) If there is no data communication between the client and the server within the timeout period, the kernel security module removes the client IP from the trusted IP list.
3. The method for hiding a host in a network according to claim 2, characterized in that the IP authentication request message in step (2) contains a timestamp, the client's UUID and a sequence number ID, and the sequence number ID is incremented by 1 on every send.
4. The method for hiding a host in a network according to claim 2, characterized in that in step (3), if the authentication request is illegal, the packet is dropped.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811360364.5A CN109688104A (en) 2018-11-15 2018-11-15 System and method for hiding a host in a network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811360364.5A CN109688104A (en) 2018-11-15 2018-11-15 System and method for hiding a host in a network

Publications (1)

Publication Number Publication Date
CN109688104A true CN109688104A (en) 2019-04-26

Family

ID=66185740

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811360364.5A Pending CN109688104A (en) 2018-11-15 2018-11-15 System and method for hiding a host in a network

Country Status (1)

Country Link
CN (1) CN109688104A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111371748A (en) * 2020-02-21 2020-07-03 浙江德迅网络安全技术有限公司 Method for realizing WEB firewall on cloud platform
CN112839062A (en) * 2021-04-20 2021-05-25 北京天维信通科技有限公司 Port hiding method, device and equipment with mixed authentication signals

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101436958A (en) * 2007-11-16 2009-05-20 太极计算机股份有限公司 Method for resisting abnegation service aggression
CN101789947A (en) * 2010-02-21 2010-07-28 成都市华为赛门铁克科技有限公司 Method and firewall for preventing HTTP POST flooding attacks
CN102984153A (en) * 2012-11-29 2013-03-20 华为技术有限公司 Hacker preventing method, equipment and system
CN104917779A (en) * 2015-06-26 2015-09-16 北京奇虎科技有限公司 Protection method of CC attack based on cloud, device thereof and system thereof
CN106230861A (en) * 2016-09-07 2016-12-14 上海斐讯数据通信技术有限公司 A kind of router fire wall lower network access method and router
CN108471432A (en) * 2018-07-11 2018-08-31 北京智芯微电子科技有限公司 Prevent web application interface by the method for malicious attack

Similar Documents

Publication Publication Date Title
US7716331B2 (en) Method of gaining secure access to intranet resources
US8886934B2 (en) Authorizing physical access-links for secure network connections
Aboba et al. RADIUS (remote authentication dial in user service) support for extensible authentication protocol (EAP)
TWI362859B (en)
US9210126B2 (en) Method for secure single-packet authorization within cloud computing networks
US7207061B2 (en) State machine for accessing a stealth firewall
JP2005503047A (en) Apparatus and method for providing a secure network
JP2002314549A (en) User authentication system and user authentication method used for the same
WO2005020041A1 (en) System and method for secure remote access
WO2015174100A1 (en) Packet transfer device, packet transfer system, and packet transfer method
US20020178356A1 (en) Method for setting up secure connections
CN103944716A (en) User authentication method and device
JP2005099980A (en) Service provision method, service provision program, host device, and service provision device
CN109688104A (en) System and method for hiding a host in a network
CN114726513A (en) Data transmission method, apparatus, medium, and product
KR100856918B1 (en) Method for IP address authentication in IPv6 network, and IPv6 network system
Sathyadevan et al. Portguard-an authentication tool for securing ports in an IoT gateway
CN111416824A (en) Network access authentication control system
EP1530343A1 (en) Method and system for creating authentication stacks in communication networks
Cisco Security Command Reference Cisco IOS Release 12.0
Cisco Release Notes for the Cisco Secure PIX Firewall Version 5.2(4)
JP4768547B2 (en) Authentication system for communication devices
Cisco Release Notes for the Cisco Secure PIX Firewall Version 5.2(5)
WO2021229749A1 (en) Authentication method and authentication system in ip communication
CN116938603B (en) Traffic transmission method, device, equipment and storage medium based on stealth gateway

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190426