CN110602092A - Method for only allowing designated IP to update website based on process forwarding - Google Patents


Info

Publication number
CN110602092A
Authority
CN (China)
Prior art keywords
website
administrator
forwarding
directory
authority
Legal status
Granted (currently active)
Application number
CN201910861591.4A
Other languages
Chinese (zh)
Other versions
CN110602092B (en)
Inventor
陈道恭
Current Assignee
Fujian Deep Space Information Technology Co Ltd
Original Assignee
Fujian Deep Space Information Technology Co Ltd
Priority date
2019-09-12
Filing date
2019-09-12
Publication date
2019-12-20

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic

Abstract

The invention relates to a method, based on process forwarding, for allowing only a specified IP to update a website. Requests from the administrator IP and from non-administrator IPs are separated by an arbitration system: a request from the administrator IP is forwarded to a high-authority website process, and a request from a non-administrator IP is forwarded to a low-authority website process. Thus, when an illegal user tries to update the website by any method, the low-authority process P2 handling the request lacks the authority to write to the website directory, and the illegal update cannot be performed. When the administrator tries to update the website, the high-authority process P3 or P4 handling the request has sufficient authority to write to the website directory or the backup directory, and the website is updated. The invention ensures that an illegal user cannot update or tamper with the website content, and improves the security of website updating.

Description

Method for only allowing designated IP to update website based on process forwarding
Technical Field
The invention belongs to the field of information security software, and in particular relates to a method, based on process forwarding, for allowing only a designated IP to update a website.
Background
After a website goes live, it still has to be updated to maintain its traffic, for SEO optimization, and so on.
Generally, a website has a management back end protected by a user name and password, and anyone who obtains the user name and password of the management back end can update the website.
If the user name and password of the management back end are leaked for any reason, the website can be illegally updated, and the situation of "the website has been hacked" arises.
Moreover, a hacker can implant a backdoor (webshell) in the website directory through an attack such as SQL injection, thereby bypassing the management back end, and then illegally update the website through the webshell.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method, based on process forwarding, for allowing only a specified IP to update a website.
To achieve this purpose, the technical scheme of the invention is as follows. A method for allowing only a specified IP to update a website based on process forwarding comprises the following steps:
step S1, setting up an arbitration system, which has the functions of listening on network port w and forwarding the network data packets received on listening port w to other ports;
step S2, configuring the arbitration system: setting the administrator IP and the forwarding destination for the administrator IP, and setting the forwarding destination for non-administrator IPs;
step S3, when an illegal user or an administrator tries to update the site, a request is sent to listening port w;
step S4, when listening port w receives a network data packet: if the source IP of the packet is the same as the administrator IP configured in step S2, the packet is forwarded to the forwarding destination of the administrator IP, so that the website can be updated; otherwise, the packet is forwarded to the non-administrator IP forwarding destination, and the website cannot be updated; the packet returned in reply to the request is returned along the original path through the arbitration system;
the forwarding destination of the administrator IP is a port of a high-authority website process with write permission, and the forwarding destination of a non-administrator IP is a port of a low-authority website process without write permission.
In an embodiment of the present invention, in step S2, the forwarding destination includes a forwarding destination IP and a forwarding destination port.
In an embodiment of the present invention, the high-authority website processes with write permission are process P3 and process P4, and the low-authority website process without write permission is process P2. Processes P2, P3 and P4 are all website systems; initially, the contents and data of P2, P3 and P4 are completely consistent. Processes P2 and P3 correspond to the same website directory; process P4 corresponds to the backup directory, which is copied from the website directory. The process user of P2 is U1, which has only read permission and cannot write to the website directory; the process user of P3 is U2, which has read and write permission on the website directory; the process user of P4 is U3, which has read and write permission on the backup directory. Process P4 writes website updates to the backup directory, and the changes are then synchronized to the website directory by file synchronization.
In one embodiment of the invention, at least one of process P3 and process P4 exists.
Compared with the prior art, the invention has the following beneficial effects. The method separates the requests of the administrator IP and of non-administrator IPs by means of an arbitration system: a request from the administrator IP is forwarded to the high-authority website process, and a request from a non-administrator IP is forwarded to the low-authority website process. Thus, when an illegal user tries to update the website in any way, the low-authority process handling the request lacks the authority to write to the website directory, and the illegal update cannot be executed. When the administrator tries to update the website, the high-authority process handling the request has sufficient authority to write to the website directory or the backup directory, and the website is updated. Therefore, even if the user name and password of the management back end are leaked, an illegal user cannot forge the administrator's IP, the related request is forwarded to the low-authority process, and the illegal user still cannot update or tamper with the website content, so the security of website updating is improved.
Drawings
Fig. 1 is a flowchart illustrating a method for allowing only a specific IP to update a website based on process forwarding according to the present invention.
Detailed Description
The technical scheme of the invention is explained in detail below with reference to the accompanying drawing.
As shown in fig. 1, the present invention provides a method for allowing only a specific IP to update a website based on process forwarding, which is implemented as follows:
(1) Establishing an arbitration system, which has the functions of listening on a certain network port w and forwarding the network data packets received on port w to other ports.
(2) Configuring the arbitration system of step (1): setting the administrator IP and its forwarding destination (including but not limited to a forwarding destination IP and a forwarding destination port), and setting the forwarding destination for non-administrator IPs (likewise including but not limited to a forwarding destination IP and a forwarding destination port).
(3) At some moment, an illegal user or an administrator tries to update the site, and a request is sent to port w of the arbitration system of step (1).
(4) When port w of the arbitration system of step (1) receives a network data packet: if the source IP of the packet is the same as the administrator IP configured in step (2), the packet is forwarded to the corresponding destination (such as port y of process P3 or port z of process P4); otherwise, it is uniformly forwarded to the non-administrator IP forwarding destination (such as port x of process P2). The packet returned in reply to the request is returned along the original path through the arbitration system.
(5) Processes P2, P3 and P4 are all website systems; the content and data of the three website systems are completely consistent initially, and the backup directory is copied from the website directory. Specifically: process P2 and process P3 correspond to the same website directory; process P4 corresponds to the backup directory; the process user of P2 is U1, which has only read permission and cannot write to the website directory; the process user of P3 is U2, which has read and write permission on the website directory; the process user of P4 is U3, which has read and write permission on the backup directory; process P4 writes website updates to the backup directory, and the changes are then synchronized to the website directory by file synchronization. Processes P3 and P4 may exist simultaneously, or only one of them may exist.
In the invention, the requests of the administrator IP and of non-administrator IPs are separated by the arbitration system: a request from the administrator IP is forwarded to the high-authority website process (such as process P3 or P4 in fig. 1), and a request from a non-administrator IP is forwarded to the low-authority website process (such as process P2 in fig. 1). Thus, when an illegal user attempts to update the website by any means (including but not limited to a webshell), the low-authority process P2 (fig. 1) handling the request lacks the authority to write to the website directory, and the illegal update cannot be performed. When the administrator tries to update the website, the high-authority process P3 or P4 handling the request has sufficient authority to write to the website directory or the backup directory, and the website is updated.
Therefore, even if the user name and password of the management back end are leaked, an illegal user cannot forge the administrator's IP, the related request is forwarded to the low-authority process, and the illegal user still cannot update or tamper with the website content, so the security of website updating is improved.
The above are preferred embodiments of the present invention; all changes made according to the technical scheme of the present invention that produce the same functional effects, without exceeding the scope of that technical scheme, fall within the protection scope of the present invention.
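As an added illustration of steps (1) to (5) above and of steps S1 to S4 in the disclosure (example code, not the patent's or the applicant's own implementation), the following Python script realises the arbitration system as a TCP forwarder: it listens on port w, routes each connection on the transport-layer peer address alone to port y of P3 (administrator IP) or port x of P2 (everyone else), and relays the reply over the same client connection. The IP address and port numbers are constructed placeholders, since the patent names ports w, x, y and z without assigning numbers.

```python
import asyncio
import logging
from dataclasses import dataclass
from ipaddress import ip_address, IPv6Address


@dataclass(frozen=True)
class ArbiterConfig:
    """Step (2): administrator IP(s) and the two forwarding destinations."""
    listen_port: int          # port w
    admin_ips: frozenset      # configured administrator IP address(es)
    admin_dest: tuple         # (ip, port): port y of P3 (user U2, rw on site dir)
    other_dest: tuple         # (ip, port): port x of P2 (user U1, read-only)


# Constructed placeholder values; the patent gives ports w, x, y no numbers.
CONFIG = ArbiterConfig(
    listen_port=8080,
    admin_ips=frozenset({ip_address("10.0.0.5")}),
    admin_dest=("127.0.0.1", 8083),
    other_dest=("127.0.0.1", 8082),
)


def choose_destination(peer_ip: str, cfg: ArbiterConfig = CONFIG) -> tuple:
    """Step (4): pick the backend from the transport-layer source address only.
    Request contents such as an X-Forwarded-For header are never consulted."""
    addr = ip_address(peer_ip)
    # A dual-stack listener reports IPv4 peers as ::ffff:a.b.c.d; normalise so
    # the administrator is still recognised and nobody else is mis-routed.
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return cfg.admin_dest if addr in cfg.admin_ips else cfg.other_dest


async def _pipe(reader: asyncio.StreamReader, writer: asyncio.StreamWriter) -> None:
    # Copy bytes one way until EOF, then close the far side.
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()


async def handle_client(client_r: asyncio.StreamReader, client_w: asyncio.StreamWriter,
                        cfg: ArbiterConfig = CONFIG) -> None:
    peer_ip = client_w.get_extra_info("peername")[0]
    host, port = choose_destination(peer_ip, cfg)
    logging.info("peer %s -> %s:%d", peer_ip, host, port)  # audit trail of routing
    try:
        backend_r, backend_w = await asyncio.open_connection(host, port)
    except OSError:
        client_w.close()
        return
    # The request goes to the chosen process; its reply comes back over the same
    # client connection, i.e. "along the original path through the arbitration system".
    await asyncio.gather(_pipe(client_r, backend_w), _pipe(backend_r, client_w))


async def serve(cfg: ArbiterConfig = CONFIG) -> None:
    # Step (1): listen on port w and forward every accepted connection.
    server = await asyncio.start_server(
        lambda r, w: handle_client(r, w, cfg), "0.0.0.0", cfg.listen_port)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    asyncio.run(serve())
```

Because the decision is taken from the socket peer address, the arbiter must be the component that terminates the client's TCP connection; if it sits behind another proxy or NAT, every client, the administrator included, is seen under that device's address and the separation no longer holds.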

Claims (4)

1. A method, based on process forwarding, for allowing only a specified IP to update a website, characterized by comprising the following steps:
step S1, setting up an arbitration system, which has the functions of listening on network port w and forwarding the network data packets received on listening port w to other ports;
step S2, configuring the arbitration system: setting the administrator IP and the forwarding destination for the administrator IP, and setting the forwarding destination for non-administrator IPs;
step S3, when an illegal user or an administrator tries to update the site, a request is sent to listening port w;
step S4, when listening port w receives a network data packet: if the source IP of the packet is the same as the administrator IP configured in step S2, the packet is forwarded to the forwarding destination of the administrator IP, so that the website can be updated; otherwise, the packet is forwarded to the non-administrator IP forwarding destination, and the website cannot be updated; the packet returned in reply to the request is returned along the original path through the arbitration system;
the forwarding destination of the administrator IP is a port of a high-authority website process with write permission, and the forwarding destination of a non-administrator IP is a port of a low-authority website process without write permission.
2. The method of claim 1, wherein in step S2 the forwarding destination includes a forwarding destination IP and a forwarding destination port.
3. The method of claim 1, wherein the high-authority website processes with write permission are process P3 and process P4, and the low-authority website process without write permission is process P2; processes P2, P3 and P4 are all website systems, and initially the contents and data of processes P2, P3 and P4 are completely consistent; processes P2 and P3 correspond to the same website directory; process P4 corresponds to the backup directory, which is copied from the website directory; the process user of process P2 is U1, which has only read permission and cannot write to the website directory; the process user of process P3 is U2, which has read and write permission on the website directory; the process user of process P4 is U3, which has read and write permission on the backup directory; process P4 writes website updates to the backup directory, and the changes are then synchronized to the website directory by file synchronization.
4. The method of claim 3, wherein at least one of process P3 and process P4 exists.

Priority Application (1)

Application Number Priority Date Filing Date Title
CN201910861591.4A (granted as CN110602092B) 2019-09-12 2019-09-12 Method for only allowing designated IP to update website based on process forwarding

Publications (2)

Publication Number Publication Date
CN110602092A 2019-12-20
CN110602092B 2022-03-04

Family ID: 68858981

Country Status (1)

Country Link
CN (1) CN110602092B (en)
Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111931108A (en) * 2020-07-31 2020-11-13 福建深空信息技术有限公司 Secure website updating method and system

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9477648B1 (en) * 2014-02-28 2016-10-25 Intuit Inc. Optimized web application user experience
CN104348914A (en) * 2014-10-31 2015-02-11 福建六壬网安股份有限公司 Tamper-proofing system file synchronizing system and tamper-proofing system file synchronizing method
CN104468543A (en) * 2014-11-26 2015-03-25 普联技术有限公司 Method and device for accessing devices in a local area network
WO2017049045A1 (en) * 2015-09-16 2017-03-23 RiskIQ, Inc. Using hash signatures of DOM objects to identify website similarity
CN106209889A (en) * 2016-07-25 2016-12-07 北京小米移动软件有限公司 Method and device for detecting webpage hijacking information
CN109284636A (en) * 2018-09-27 2019-01-29 福建深空信息技术有限公司 Webpage tamper-resistant system and method
CN109873811A (en) * 2019-01-16 2019-06-11 光通天下网络科技股份有限公司 Network security protection method and system based on attacker IP profiling

Also Published As

Publication number Publication date
CN110602092B (en) 2022-03-04

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant