CN110753039B - Method and device for remote login safety protection - Google Patents
Publication number: CN110753039B (application CN201910936520.6A)
Authority: CN (China)
Prior art keywords: client, abnormal, clients, remote login, network topology
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/08: Network architectures or network communication protocols for network security; authentication of entities (under H04L63/00, network security)
- H04L63/20: Network architectures or network communication protocols for network security; managing network security, network security policies in general (under H04L63/00)
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] (under H04L67/00, network arrangements or protocols for supporting network services or applications, and H04L67/01, protocols)
Abstract
The invention relates to a method and device for remote login security protection. The method includes: generating a network topology from the clients' network information; in response to a client issuing a network abnormality alarm, marking the abnormality level of the abnormal client in the network topology; radiating a specified protection range outward from the abnormal client along the network topology according to the abnormality level; and causing all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, so as to restrict all remote login behaviour for a specified time. The method provides unified, centralized management and protection for the remote logins of a large number of clients in a complex network environment, so that the defense strategy can be actively adjusted according to situational awareness of the real-time security state of the whole network, achieving effective protection.
Description
Technical field
The invention relates to the technical field of network security, and in particular to a method and device for remote login security protection.
Background
As the network environments of organizations grow more complex, incidents in which attackers log in remotely to an operating system by stealing system accounts, brute-force cracking and similar means, and then carry out malicious activity, are becoming more serious. The login means include, but are not limited to, SSH and remote desktop connections.
Protection of logins, especially remote logins, is therefore increasingly important. A typical login protection function only covers the single action of logging in; it cannot be correlated with the security state of the whole network and can only provide passive defense. Alternatively, brute-force attacks are identified by inspecting login failure logs and the like, after which network administrators are notified to take remedial action.
Given the above, there is a need for a security protection strategy, especially for logins by a large number of clients, that retains passive defense while automatically adjusting the defense strategy according to situational awareness of the real-time security state of the whole network, so as to achieve effective protection.
Summary of the invention
In one aspect, based on the above objects, the invention proposes a method for remote login security protection, the method including:
generating a network topology from the clients' network information;
in response to a client issuing a network abnormality alarm, marking the abnormality level of the abnormal client in the network topology;
radiating a specified protection range outward from the abnormal client along the network topology according to the abnormality level;
causing all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, so as to restrict all remote login behaviour for a specified time.
According to an embodiment of the remote login security protection method of the invention, the method further includes:
in response to a client receiving a control-release instruction, turning off the temporary control to allow remote login behaviour.
According to an embodiment of the remote login security protection method of the invention, turning off the temporary control to allow remote login behaviour in response to the client receiving a control-release instruction further includes:
in response to the abnormal client turning off its temporary control, cancelling the abnormal client's radiation protection range.
According to an embodiment of the remote login security protection method of the invention, causing all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, so as to restrict all remote login behaviour for a specified time, further includes:
in response to a client being within the radiation protection range of at least one abnormal client, setting a lock identifier for the client according to the abnormality level of the at least one abnormal client, and starting or releasing the temporary control according to the state of the lock identifier.
According to an embodiment of the remote login security protection method of the invention, the method further includes:
setting a whitelist for clients in the network topology to allow remote logins initiated from specified IP addresses and/or IP address ranges; and/or
setting a blacklist for clients in the network topology to restrict remote logins initiated from specified IP addresses and/or IP address ranges.
In another aspect, the invention also proposes a device for remote login security protection, the device including:
at least one processor; and
a memory storing program instructions executable by the processor, which when run by the processor perform the following steps:
generating a network topology from the clients' network information;
in response to a client issuing a network abnormality alarm, marking the abnormality level of the abnormal client in the network topology;
radiating a specified protection range outward from the abnormal client along the network topology according to the abnormality level;
causing all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, so as to restrict all remote login behaviour for a specified time.
According to an embodiment of the remote login security protection device of the invention, the method further includes:
in response to a client receiving a control-release instruction, turning off the temporary control to allow remote login behaviour.
According to an embodiment of the remote login security protection device of the invention, turning off the temporary control to allow remote login behaviour in response to the client receiving a control-release instruction further includes:
in response to the abnormal client turning off its temporary control, cancelling the abnormal client's radiation protection range.
According to an embodiment of the remote login security protection device of the invention, causing all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, so as to restrict all remote login behaviour for a specified time, further includes:
in response to a client being within the radiation protection range of at least one abnormal client, setting a lock identifier for the client according to the abnormality level of the at least one abnormal client, and starting or releasing the temporary control according to the state of the lock identifier.
According to an embodiment of the remote login security protection device of the invention, the method further includes:
setting a whitelist for clients in the network topology to allow remote logins initiated from specified IP addresses and/or IP address ranges; and/or
setting a blacklist for clients in the network topology to restrict remote logins initiated from specified IP addresses and/or IP address ranges.
By adopting the above technical scheme, the invention has at least the following beneficial effects: it realizes a security protection strategy for logins by a large number of clients, providing unified, centralized management and protection for the remote logins of a large number of clients in a complex network environment; login protection is carried out according to the configured policy; and by monitoring the security state of the whole network it self-adjusts according to situational awareness of security risk and flags risks, so that the defense strategy can be actively adjusted according to situational awareness of the real-time security state of the whole network, achieving effective protection.
The invention provides aspects of embodiments, which should not be used to limit the scope of protection of the invention. Other embodiments are conceivable in light of the techniques described herein, as will be apparent to those of ordinary skill in the art upon studying the following drawings and detailed description, and such embodiments are intended to fall within the scope of this application.
Embodiments of the invention are explained and described in more detail below with reference to the accompanying drawings, but they should not be construed as limiting the invention.
Description of the drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the description of the prior art and the embodiments are briefly introduced below. Components in the drawings are not necessarily drawn to scale; related elements may be omitted, or in some cases proportions may have been exaggerated, in order to emphasize and clearly show the novel features described herein. In addition, as is known in the art, the structural order may be arranged differently.
FIG. 1 shows a schematic block diagram of an embodiment of the remote login security protection method according to the invention.
Detailed description
While the invention may be embodied in various forms, some exemplary and non-limiting embodiments are shown in the drawings and described below, it being understood that this disclosure is to be considered as an example of the invention and is not intended to limit the invention to the specific embodiments described.
FIG. 1 shows a schematic block diagram of an embodiment of the remote login security protection method according to the invention. In the embodiment shown in the figure, the method includes at least the following steps:
S1: generate a network topology from the clients' network information;
S2: in response to a client issuing a network abnormality alarm, mark the abnormality level of the abnormal client in the network topology;
S3: radiate a specified protection range outward from the abnormal client along the network topology according to the abnormality level;
S4: cause all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, restricting all remote login behaviour for a specified time.
Specifically, step S1 first generates the network topology from the network information reported by the clients (IP addresses and so on); each node in the topology represents one client. Then, when a client's network produces an abnormality alarm, step S2 marks the abnormality level of the abnormal client in the network topology. For example, preferably but not exclusively, different levels are assigned according to the high, medium or low severity of the alarm, such as high risk -> red level, medium risk -> yellow level, low risk -> orange level. Step S3 then radiates a specified protection range outward from the abnormal client along the network topology according to the abnormality level. For example, once a client is marked abnormal in the topology, that is, once an abnormal node is marked, its radiation range is determined by the abnormality level (risk level) of that node; preferably, a red-level node radiates 3 layers outward along the topology, a yellow-level node 2 layers and an orange-level node 1 layer. Finally, in step S4, all clients within the abnormal client's radiation protection range start the corresponding temporary control according to the abnormality level, restricting all remote login behaviour for a specified time.
For example, temporary control of the clients within the radiation protection range is started on the topology according to the abnormality level (risk level), and the temporary policy remains in effect for 12 hours, 6 hours or 2 hours for the levels from high to low. The temporary control proposed here turns on the remote login protection function so as to restrict all remote login behaviour, thereby temporarily enforcing protection of the clients in the network when no operations staff handle the abnormality promptly, when it is inconvenient to handle it promptly, and/or when the network environment cannot be repaired immediately. Steps S1 to S4 thus provide unified, centralized management and protection for the remote logins of a large number of clients in a complex network environment; the measure reaches every client of the whole group, achieving batch management, so that the defense strategy can be actively adjusted according to situational awareness of the real-time security state of the whole network to achieve effective protection.
Further embodiments of the invention are described below. Note that, unless stated otherwise, the step numbers used are only a convenient and unambiguous way of referring to a step and do not limit the order of the steps.
In some embodiments of the remote login security protection method of the invention, the method further includes:
S5: in response to a client receiving a control-release instruction, turn off the temporary control to allow remote login behaviour.
Normally, once a client issues a network abnormality alarm, operations staff handle it as soon as possible. After handling is complete, they can manually revoke the temporary control function. For example, in step S5 a control-release instruction is sent to the client to notify it to turn off the temporary control and allow remote login behaviour.
In a further embodiment of the remote login security protection method of the invention, step S5 (turning off the temporary control to allow remote login behaviour in response to the client receiving a control-release instruction) further includes: in response to the abnormal client turning off its temporary control, cancelling the abnormal client's radiation protection range. In these embodiments, once operations staff have dealt with the abnormality and turned off the abnormal client's temporary control, they do not need to turn off, one by one, the temporary control of the other clients within its radiation protection range; instead, the abnormal client's radiation protection range can be cancelled directly, for example by an instruction, and each client within that range adjusts its protection strategy according to its own situation, for example by turning off the temporary control; and/or, if it is itself abnormal, by applying only the temporary control corresponding to its own abnormality level; and/or, if it also lies within the radiation protection range of other abnormal clients, by applying the temporary control corresponding to those clients' abnormality levels, and so on.
In several embodiments of the remote login security protection method of the invention, step S4 (causing all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, so as to restrict all remote login behaviour for a specified time) further includes: in response to a client being within the radiation protection range of at least one abnormal client, setting a lock identifier for the client according to the abnormality level of the at least one abnormal client, and starting or releasing the temporary control according to the state of the lock identifier. Specifically, when a client lies within the radiation protection range of at least one abnormal client, the temporary control is started or released according to the state of the lock identifier, which is determined from the abnormality levels of all of the at least one abnormal clients; for example, the lock identifier is E = SUM(n), where n is the abnormality level of each radiation source (that is, each abnormal client). When several abnormal clients radiate onto the same client at the same time and one of them turns off its abnormality control, for instance because the abnormal state has disappeared or the temporary control has timed out, the lock identifier E decreases accordingly. While E > 0, temporary control is applied to the client and all remote logins are restricted; when E reaches 0, the temporary control on the client is cancelled and remote logins are allowed.
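The following Python model is an added example and not the patent's own code; it puts steps S1 to S5 together in one runnable sketch using the parameters the description gives (red/yellow/orange radiate 3/2/1 layers, temporary policies last 12/6/2 hours, lock identifier E = SUM(n)). The numeric weight n per level (3/2/1), the client names, and a single central controller that tracks policy expiry are assumptions made for the example, not details from the page.

```python
"""Added example, not the patent's own code: a minimal in-memory model of
steps S1-S5 with the page's parameters (red/yellow/orange radiate 3/2/1
hops; temporary policies last 12/6/2 hours; lock identifier E = SUM(n)).
Assumptions made here: the numeric weight n per level (3/2/1), the client
names, and a single central controller that tracks expiry."""
from collections import deque
from datetime import datetime, timedelta

# Radiation radius (topology hops) and policy lifetime per level: values from the page.
RADIUS = {"red": 3, "yellow": 2, "orange": 1}
LIFETIME = {"red": timedelta(hours=12),
            "yellow": timedelta(hours=6),
            "orange": timedelta(hours=2)}
# Numeric level n used in E = SUM(n): assumed mapping, the page does not fix one.
WEIGHT = {"red": 3, "yellow": 2, "orange": 1}


def build_topology(links):
    """S1: undirected adjacency map built from (client_a, client_b) links."""
    topo = {}
    for a, b in links:
        topo.setdefault(a, set()).add(b)
        topo.setdefault(b, set()).add(a)
    return topo


def protection_range(topo, source, level):
    """S3: every client within RADIUS[level] hops of the abnormal client (BFS).
    The source itself is included, since it is under control as well."""
    depth = {source: 0}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if depth[node] >= RADIUS[level]:
            continue                      # do not radiate past the last layer
        for nxt in topo.get(node, ()):
            if nxt not in depth:
                depth[nxt] = depth[node] + 1
                queue.append(nxt)
    return set(depth)


class LoginGuard:
    """Central controller: records active alarms and derives each client's E."""

    def __init__(self, topo):
        self.topo = topo
        self.alarms = {}  # abnormal client -> (level, expiry time)

    def raise_alarm(self, client, level, now):
        """S2: mark the abnormal client; its control lapses after LIFETIME[level]."""
        self.alarms[client] = (level, now + LIFETIME[level])

    def release(self, client):
        """S5: control-release instruction; the client's radiation range is withdrawn."""
        self.alarms.pop(client, None)

    def expire(self, now):
        """Withdraw temporary controls whose lifetime has elapsed."""
        for client, (_, expiry) in list(self.alarms.items()):
            if now >= expiry:
                del self.alarms[client]

    def lock_flag(self, client):
        """E = SUM(n) over every active abnormal client whose range covers this client."""
        return sum(WEIGHT[level]
                   for src, (level, _) in self.alarms.items()
                   if client in protection_range(self.topo, src, level))

    def remote_login_blocked(self, client):
        """S4: temporary control is on while E > 0 and off once E == 0."""
        return self.lock_flag(client) > 0


def demo():
    """Constructed scenario: a chain h1-h2-h3-h4-h5 with a branch h2-h6."""
    topo = build_topology([("h1", "h2"), ("h2", "h3"), ("h3", "h4"),
                           ("h4", "h5"), ("h2", "h6")])
    guard = LoginGuard(topo)
    t0 = datetime(2024, 1, 1, 8, 0)
    guard.raise_alarm("h1", "red", t0)        # reaches h2, h3, h6, h4 (3 hops), not h5
    after_red = guard.lock_flag("h4")         # E = 3
    guard.raise_alarm("h5", "orange", t0)     # reaches h4 only; h4 now has E = 3 + 1
    stacked = guard.lock_flag("h4")
    guard.release("h1")                       # operator clears h1: h4 keeps E = 1
    after_release = guard.lock_flag("h4")
    guard.expire(t0 + timedelta(hours=3))     # the 2-hour orange policy has lapsed
    after_expiry = guard.remote_login_blocked("h4")
    return {"after_red": after_red, "stacked": stacked,
            "after_release": after_release, "after_expiry": after_expiry}


if __name__ == "__main__":
    print(demo())
```

The point the scenario makes is the one in the paragraph above: a client covered by two radiation sources stays locked when only one of them is released, because E only drops to 0 once every source covering it has been released or has timed out.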
In one or more embodiments of the remote login security protection method of the invention, the method further includes:
S6: set a whitelist for clients in the network topology to allow remote logins initiated from specified IP addresses and/or IP address ranges; and/or
S7: set a blacklist for clients in the network topology to restrict remote logins initiated from specified IP addresses and/or IP address ranges.
To retain a passive defense strategy, to impose long-term control on extremely high-risk remote logins, and to reduce unnecessary triggering of active protection, these embodiments of the invention introduce whitelist rules and/or blacklist rules. When the whitelist rule is enabled, the rule takes effect as follows: only remote logins initiated from the IP addresses and/or IP address ranges specified in the rule are allowed. When the blacklist rule is enabled, the rule takes effect as follows: remote logins initiated from the IP addresses and/or IP address ranges specified in the blacklist rule are not allowed, while remote logins from other IP addresses and/or IP address ranges are allowed. In this way, unnecessary active-protection processes can be reduced by placing IP addresses and/or IP address ranges that have long been a risk on the blacklist. Alternatively, when the overall network environment is very hostile and extremely insecure, the relevant designated IP addresses and/or IP address ranges can be placed on the whitelist to keep the few necessary remote logins working normally.
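As an added example that is not part of the patent, the following Python function evaluates the S6 whitelist and S7 blacklist rules for the source address of a remote login with exactly the semantics stated above. One point the description leaves open is what happens when both lists are enabled; the example assumes a source must then pass both checks (not blacklisted, and whitelisted). The addresses and ranges in the sample policy are constructed.

```python
"""Added example, not the patent's own code: evaluating the S6 whitelist and
S7 blacklist rules for the source address of a remote login (whitelist on:
only listed sources pass; blacklist on: listed sources are refused, all
others pass). Assumed here: when both lists are enabled a source must pass
both checks. The addresses and ranges below are constructed samples."""
import ipaddress


def parse_rules(entries):
    """Rule entries may be single addresses ('10.0.1.7') or ranges ('10.0.1.0/24')."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def matches(addr, networks):
    """True if the source address falls inside any listed address or range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def login_allowed(addr, whitelist=(), blacklist=()):
    """Decide a remote login from addr; returns (allowed, reason).
    An empty list means that rule is not enabled."""
    if blacklist and matches(addr, blacklist):
        return False, "source is blacklisted"
    if whitelist:
        if matches(addr, whitelist):
            return True, "source is whitelisted"
        return False, "whitelist enabled and source not listed"
    return True, "no list rule applies"


# Constructed sample policy for one client in the topology.
WHITELIST = parse_rules(["10.0.1.0/24", "192.168.5.7"])
BLACKLIST = parse_rules(["10.0.1.99", "203.0.113.0/24"])

if __name__ == "__main__":
    for src in ("10.0.1.10", "10.0.1.99", "203.0.113.4", "192.168.5.7"):
        print(src, login_allowed(src, WHITELIST, BLACKLIST))
```

Using `ipaddress.ip_network` for both single addresses and ranges keeps one code path for "IP address and/or IP address range", which is the form the rules take on the page.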
In another aspect, the invention also proposes a device for remote login security protection, the device including: at least one processor; and a memory storing program instructions executable by the processor, which when run by the processor perform the following steps:
S1: generate a network topology from the clients' network information;
S2: in response to a client issuing a network abnormality alarm, mark the abnormality level of the abnormal client in the network topology;
S3: radiate a specified protection range outward from the abnormal client along the network topology according to the abnormality level;
S4: cause all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, restricting all remote login behaviour for a specified time.
In some embodiments of the remote login security protection device of the invention, the method further includes:
S5: in response to a client receiving a control-release instruction, turn off the temporary control to allow remote login behaviour.
In a further embodiment of the remote login security protection device of the invention, step S5 (turning off the temporary control to allow remote login behaviour in response to the client receiving a control-release instruction) further includes: in response to the abnormal client turning off its temporary control, cancelling the abnormal client's radiation protection range.
In several embodiments of the remote login security protection device of the invention, step S4 (causing all clients within the abnormal client's radiation protection range to start the corresponding temporary control according to the abnormality level, so as to restrict all remote login behaviour for a specified time) further includes: in response to a client being within the radiation protection range of at least one abnormal client, setting a lock identifier for the client according to the abnormality level of the at least one abnormal client, and starting or releasing the temporary control according to the state of the lock identifier.
In one or more embodiments of the remote login security protection device of the invention, the method further includes:
S6: set a whitelist for clients in the network topology to allow remote logins initiated from specified IP addresses and/or IP address ranges; and/or
S7: set a blacklist for clients in the network topology to restrict remote logins initiated from specified IP addresses and/or IP address ranges.
本发明实施例公开所述的装置、设备等可为各种电子终端设备,例如手机、个人数字助理(PDA)、平板电脑(PAD)、智能电视等,也可以是大型终端设备,如服务器等,因此本发明实施例公开的保护范围不应限定为某种特定类型的装置、设备。本发明实施例公开所述的客户端可以是以电子硬件、计算机软件或两者的组合形式应用于上述任意一种电子终端设备中。The apparatuses, devices, etc. disclosed in the embodiments of the present invention may be various electronic terminal devices, such as mobile phones, personal digital assistants (PDAs), tablet computers (PADs), smart TVs, etc., or large-scale terminal devices, such as servers, etc. Therefore, the protection scope disclosed by the embodiments of the present invention should not be limited to a certain type of apparatus or equipment. The clients disclosed in the embodiments of the present invention may be applied to any of the foregoing electronic terminal devices in the form of electronic hardware, computer software, or a combination of the two.
本文所述的计算机可读存储介质(例如存储器)可以是易失性存储器或非易失性存储器,或者可以包括易失性存储器和非易失性存储器两者。作为例子而非限制性的,非易失性存储器可以包括只读存储器(ROM)、可编程ROM(PROM)、电可编程ROM(EPROM)、电可擦写可编程ROM(EEPROM)或快闪存储器。易失性存储器可以包括随机存取存储器(RAM),该RAM可以充当外部高速缓存存储器。作为例子而非限制性的,RAM可以以多种形式获得,比如同步RAM(DRAM)、动态RAM(DRAM)、同步DRAM(SDRAM)、双数据速率SDRAM(DDR SDRAM)、增强SDRAM(ESDRAM)、同步链路DRAM(SLDRAM)、以及直接Rambus RAM(DRRAM)。所公开的方面的存储设备意在包括但不限于这些和其它合适类型的存储器。Computer-readable storage media (eg, memory) described herein can be volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. By way of example and not limitation, nonvolatile memory may include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory memory. Volatile memory may include random access memory (RAM), which may act as external cache memory. By way of example and not limitation, RAM is available in various forms such as Synchronous RAM (DRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DRRAM). The storage devices of the disclosed aspects are intended to include, but not be limited to, these and other suitable types of memory.
By adopting the above technical scheme, the present invention has at least the following beneficial effects: it implements a security protection policy for the logins of a large number of clients, providing unified, centralized management and protection for remote login by many clients in a complex network environment; it performs login protection according to the configured policy; and, by detecting the security state of the entire network, it self-adjusts according to situational awareness of security risk and raises risk alerts, so that the defense policy can be adjusted proactively according to real-time situational awareness of the whole network's security state, achieving effective protection.
It should be understood that, where technically feasible, the technical features listed above for different embodiments may be combined with one another to form further embodiments within the scope of the present invention. Furthermore, the specific examples and embodiments described herein are non-limiting, and corresponding modifications may be made to the structures, steps and sequences set out above without departing from the protection scope of the present invention.
In this application, the use of a disjunctive conjunction is intended to include the conjunctive. The use of definite or indefinite articles is not intended to indicate cardinality. Specifically, a reference to "the" object or to "a" or "an" object is intended to denote one of possibly several such objects. However, although elements disclosed in the embodiments of the present invention may be described or claimed in the singular, unless expressly limited to the singular they may also be understood to mean at least one. Furthermore, the conjunction "or" may be used to convey features that are present at the same time rather than mutually exclusive alternatives; in other words, the conjunction "or" should be understood to include "and/or". The term "including" is inclusive and has the same scope as "comprising".
The above embodiments, particularly any "preferred" embodiments, are possible examples of implementation and are presented merely for a clear understanding of the principles of the invention. Many variations and modifications may be made to the above embodiments without substantially departing from the spirit and principles of the technology described herein. All such modifications are intended to be included within the scope of this disclosure.
Claims (10)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910936520.6A CN110753039B (en) | 2019-09-29 | 2019-09-29 | Method and device for remote login safety protection |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910936520.6A CN110753039B (en) | 2019-09-29 | 2019-09-29 | Method and device for remote login safety protection |
Publications (2)
Publication Number | Publication Date |
---|---|
CN110753039A CN110753039A (en) | 2020-02-04 |
CN110753039B true CN110753039B (en) | 2022-04-22 |
Family
ID=69277413
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201910936520.6A Active CN110753039B (en) | 2019-09-29 | 2019-09-29 | Method and device for remote login safety protection |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN110753039B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN111859376A (en) * | 2020-07-21 | 2020-10-30 | 广州锦行网络科技有限公司 | Method for discovering intranet attacker based on windows login information |
CN114339489B (en) * | 2021-12-28 | 2023-11-21 | 深圳创维数字技术有限公司 | Methods, equipment and media for terminals to complete server authentication in PON systems |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN106254153A (en) * | 2016-09-19 | 2016-12-21 | 腾讯科技(深圳)有限公司 | A kind of Network Abnormal monitoring method and apparatus |
CN109873811A (en) * | 2019-01-16 | 2019-06-11 | 光通天下网络科技股份有限公司 | Network safety protection method and its network security protection system based on attack IP portrait |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101415017A (en) * | 2007-10-16 | 2009-04-22 | 中兴通讯股份有限公司 | Method for transmitting embedded system document based on telnet protocol |
CN101493779A (en) * | 2009-02-27 | 2009-07-29 | 中国工商银行股份有限公司 | Remote terminal control method |
CN101764709B (en) * | 2009-12-29 | 2012-02-22 | 福建星网锐捷网络有限公司 | Network physical topology discovering method and network management server based on SNMP |
US8982726B2 (en) * | 2011-01-17 | 2015-03-17 | Shahram Davari | Network device |
CN103078938B (en) * | 2012-12-31 | 2015-04-29 | 中国工商银行股份有限公司 | Remote access control system and method |
CN104135459A (en) * | 2013-05-03 | 2014-11-05 | 北京优联实科信息科技有限公司 | Access control system and access control method thereof |
CN106803037A (en) * | 2016-11-28 | 2017-06-06 | 全球能源互联网研究院 | A kind of software security means of defence and device |
CN108156537B (en) * | 2017-12-15 | 2020-01-07 | 维沃移动通信有限公司 | A kind of remote operation method of mobile terminal and mobile terminal |
CN108111342B (en) * | 2017-12-15 | 2021-08-27 | 北京华创网安科技股份有限公司 | Visualization-based threat alarm display method |
CN109218077A (en) * | 2018-08-14 | 2019-01-15 | 阿里巴巴集团控股有限公司 | Prediction technique, device, electronic equipment and the storage medium of target device |
CN109510725B (en) * | 2018-11-28 | 2022-05-17 | 迈普通信技术股份有限公司 | Communication equipment fault detection system and method |
- 2019-09-29 CN CN201910936520.6A (CN110753039B): Active
Also Published As
Publication number | Publication date |
---|---|
CN110753039A (en) | 2020-02-04 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
Xenofontos et al. | Consumer, commercial, and industrial iot (in) security: Attack taxonomy and case studies | |
Wang et al. | Security issues and challenges for cyber physical system | |
Fu et al. | Safety, security, and privacy threats posed by accelerating trends in the internet of things | |
US20200110870A1 (en) | Risk assessment for account authorization | |
CN110753039B (en) | Method and device for remote login safety protection | |
EP3270318B1 (en) | Dynamic security module terminal device and method for operating same | |
US20160014077A1 (en) | System, Method and Process for Mitigating Advanced and Targeted Attacks with Authentication Error Injection | |
CN103441926A (en) | Security gateway system of numerically-controlled machine tool network | |
US9984217B2 (en) | Electronic authentication of an account in an unsecure environment | |
EP3149882A1 (en) | Secure mobile framework with operating system integrity checking | |
US10572675B2 (en) | Protecting and monitoring internal bus transactions | |
US11265340B2 (en) | Exception remediation acceptable use logic platform | |
CN105100268A (en) | Security control method and system of Internet-of-things device as well as application server | |
CN105631344B (en) | The access control method and system of secure data, terminal | |
Mandru | Endpoint Security in Remote Work Environments: Addressing the unique challenges of securing endpoints in remote work scenarios | |
US11811762B2 (en) | Sponsor delegation for multi-factor authentication | |
Kim et al. | A study on authentication mechanism in SEaaS for SDN | |
WO2020038106A1 (en) | Bmc management method and system and related device | |
CN106909401A (en) | A kind of control method and device of application program | |
CN107819787B (en) | A system and method for preventing illegal external connection of local area network computers | |
Baker | The ironic state of cybersecurity in medical devices | |
US20160248591A1 (en) | Firmware watermarking method, firmware based on the same, and apparatus for performing firmware watermarking | |
CN117648100B (en) | Application deployment method, device, equipment and storage medium | |
ES2945060T3 (en) | Technique for processing messages sent by a communicating device | |
Lee et al. | Challenges in Certificate Management Over Open RAN Fronthaul Interface |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |