CN111031067A - Monitoring data transmission method and device of distributed system and electronic equipment - Google Patents


Info

Publication number
CN111031067A
Authority
CN
China
Prior art keywords
monitoring
client
distributed system
legal
host
Legal status (assumed, not a legal conclusion)
Pending
Application number
CN201911364926.8A
Other languages
Chinese (zh)
Inventor
张曙华
杨安荣
李仡
徐丽
李刚
Current Assignee
Shanghai Zhongxin Information Development Co ltd
Original Assignee
Shanghai Zhongxin Information Development Co ltd
Events
Application filed by Shanghai Zhongxin Information Development Co ltd
Priority to CN201911364926.8A
Publication of CN111031067A
Legal status: Pending

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
                        • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
                    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
                        • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
                        • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
                    • H04L63/12 Applying verification of the received information
                • H04L67/00 Network arrangements or protocols for supporting network services or applications
                    • H04L67/01 Protocols
                        • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                            • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
                        • H04L67/10 Protocols in which an application is distributed across nodes in the network
                    • H04L67/50 Network services
                        • H04L67/56 Provisioning of proxy services
                • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
                    • H04L9/06 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
                        • H04L9/0643 Hash functions, e.g. MD5, SHA, HMAC or f9 MAC

Abstract

The invention provides a monitoring data transmission method, a monitoring data transmission device and electronic equipment for a distributed system. After monitoring data of the distributed system is acquired, a monitoring result is generated from preset basic information of the client and the monitoring data; the monitoring result is sent to the host monitoring server according to pre-stored address information of the host monitoring server, so that the host monitoring server determines whether the monitoring result is legal according to the basic information and a preset first white list; if it is legal, the monitoring data of the distributed system is stored. The invention ensures the security of monitoring data transmission in the distributed system, reduces transmission cost and improves stability.

Description

Monitoring data transmission method and device of distributed system and electronic equipment
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for transmitting monitoring data of a distributed system, and an electronic device.
Background
In the related art, a dedicated line and Virtual Private Network (VPN) technology are usually adopted to secure the transmission of monitoring data in a distributed system. Specifically, the host monitoring server and the client are connected through an SSL (Secure Sockets Layer) VPN, and the client is forced to start and connect to the VPN automatically; however, this approach is costly and the stability of the transmission process is low.
Disclosure of Invention
In view of the above, an object of the present invention is to provide a method and an apparatus for transmitting monitoring data of a distributed system, and an electronic device, so as to ensure security of transmission of the monitoring data of the distributed system, reduce transmission cost, and improve stability.
In a first aspect, an embodiment of the present invention provides a method for transmitting monitoring data of a distributed system, where the method is applied to a client that is in communication connection with the host monitoring server. The method comprises the following steps: acquiring monitoring data of the distributed system; generating a monitoring result according to preset basic information of the client and the monitoring data; sending the monitoring result to the host monitoring server according to pre-stored address information of the host monitoring server, so that the host monitoring server determines whether the monitoring result is legal according to the basic information and a preset first white list; and if it is legal, storing the monitoring data of the distributed system.
With reference to the first aspect, an embodiment of the present invention provides a first possible implementation manner of the first aspect, where the method further includes: receiving, through a preset first transmission control protocol port, a monitoring instruction sent by the host monitoring server; judging whether the monitoring instruction is legal according to a preset second white list; and if it is legal, executing the monitoring instruction.
With reference to the first possible implementation manner of the first aspect, an embodiment of the present invention provides a second possible implementation manner of the first aspect, where the monitoring instruction includes the IP address of the host monitoring server, and judging whether the monitoring instruction is legal according to the preset second white list comprises: searching for the IP address of the host monitoring server in the preset second white list; and if it is found, determining that the monitoring instruction is legal.
In a second aspect, an embodiment of the present invention provides a method for transmitting monitoring data of a distributed system, where the method is applied to a host monitoring server that is in communication connection with the client. The method comprises the following steps: receiving a monitoring result of the distributed system sent by the client, the monitoring result comprising monitoring data and basic information of the client; determining whether the monitoring result is legal according to the basic information and a preset first white list; and if it is legal, storing the monitoring data of the distributed system.
With reference to the second aspect, an embodiment of the present invention provides a first possible implementation manner of the second aspect, where the basic information of the client includes the IP address and an identity identifier of the client, and determining whether the monitoring result is legal according to the basic information and the preset first white list comprises: searching for the IP address of the client in the preset first white list; if it is found, judging whether the identity identifier is consistent with a pre-stored identifier of the client; and if they are consistent, determining that the monitoring result is legal.
With reference to the second aspect, an embodiment of the present invention provides a second possible implementation manner of the second aspect, where the method further includes: sending a monitoring instruction to the client according to pre-stored address information of the client, so that the client judges whether the monitoring instruction is legal according to a preset second white list and, if it is legal, executes the monitoring instruction; the monitoring instruction comprises the IP address of the host monitoring server; the address information of the client comprises the IP address of the client and a first transmission control protocol port.
In a third aspect, an embodiment of the present invention provides a monitoring data transmission device for a distributed system, where the device is disposed at a client that is in communication connection with the host monitoring server. The device includes: a data acquisition module for acquiring monitoring data of the distributed system; a result generation module for generating a monitoring result according to preset basic information of the client and the monitoring data; and a result sending module for sending the monitoring result to the host monitoring server according to pre-stored address information of the host monitoring server, so that the host monitoring server can determine whether the monitoring result is legal according to the basic information and a preset first white list and, if it is legal, store the monitoring data of the distributed system.
In a fourth aspect, an embodiment of the present invention provides a monitoring data transmission device for a distributed system, where the device is disposed in a host monitoring server that is in communication connection with the client. The device includes: a result receiving module for receiving the monitoring result of the distributed system sent by the client, the monitoring result comprising monitoring data and basic information of the client; a legality determining module for determining whether the monitoring result is legal according to the basic information and a preset first white list; and a data storage module for storing the monitoring data of the distributed system if the monitoring result is legal.
In a fifth aspect, embodiments of the present invention provide an electronic device, which includes a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor executes the machine executable instructions to implement the above method applied to a client.
In a sixth aspect, an embodiment of the present invention provides a host monitoring server, which includes a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor executes the machine executable instructions to implement the above method applied to the host monitoring server.
The embodiments of the invention have the following beneficial effects:
The embodiments of the invention provide a monitoring data transmission method, a monitoring data transmission device and electronic equipment for a distributed system. After monitoring data of the distributed system is obtained, a monitoring result is generated from preset basic information of the client and the monitoring data; the monitoring result is sent to the host monitoring server according to pre-stored address information of the host monitoring server, so that the host monitoring server determines whether the monitoring result is legal according to the basic information and a preset first white list; if it is legal, the monitoring data of the distributed system is stored. The method ensures the security of monitoring data transmission in the distributed system, reduces transmission cost and improves stability.
Additional features and advantages of the invention will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the invention as set forth above.
In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a flowchart of a monitoring data transmission method for a distributed system according to an embodiment of the present invention;
Fig. 2 is a flowchart of another monitoring data transmission method for a distributed system according to an embodiment of the present invention;
Fig. 3 is a flowchart of another monitoring data transmission method for a distributed system according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of information interaction between a central main monitoring end and an agent server end according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of distributed resource monitoring according to an embodiment of the present invention;
Fig. 6 is a schematic diagram of a Token authentication process according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a monitoring data transmission apparatus for a distributed system according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a monitoring data transmission apparatus of another distributed system according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions of the present invention will be described clearly and completely with reference to the following embodiments, and it should be understood that the described embodiments are some, but not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
With the rapid development of the economy, the scale and number of machine rooms of enterprises and public institutions have greatly increased, and the construction of information data centres has developed from a single machine room to multiple machine rooms in different places. How to carry out information interaction and data exchange among multiple remote machine rooms, and how managers can supervise the resources of each machine room, has become a common demand. At present, remote multi-machine-room supervision is mainly carried out through private lines or Virtual Private Networks (VPN), which brings the problems of high construction cost, the inability to monitor resources that share the same IP address, and high pressure on the main monitoring server.
In the related art, the security of transmitting monitoring data is ensured by adopting a dedicated line and VPN technology. Specifically, a whole-network management and monitoring system based on VPN technology comprises a host monitoring server, at least one console and clients; the server is connected with each client and the console through a Secure Sockets Layer (SSL) VPN, the clients are forced to start and automatically establish the VPN connection, and hosts outside the local area network are forcibly brought into the management and monitoring range through the VPN, realizing centralized monitoring and management across the whole network.
This mode extends the monitoring range to a certain extent, breaking away from the local area network to realize supervision across the whole network. But it also has certain limitations and drawbacks in actual use. Firstly, a VPN server needs to be deployed at the main monitoring end and the remote machine rooms dial in to it through the VPN, which adds extra cost. Secondly, once the VPN service is interrupted during operation, the transmission of remote monitoring data is directly affected. In addition, resources sharing the same IP address cannot be monitored using VPN technology, and the pressure on the main monitoring server end is also increased.
Based on the above technical problem, embodiments of the present invention provide a method and an apparatus for transmitting monitoring data of a distributed system, and an electronic device, which can be applied to various distributed systems.
To facilitate understanding of the embodiment, first, a detailed description is given to a monitoring data transmission method of a distributed system disclosed in the embodiment of the present invention.
The embodiment of the invention provides a monitoring data transmission method of a distributed system, which is applied to a client; the client is in communication connection with the host monitoring server; as shown in fig. 1, the method comprises the steps of:
Step S100: acquiring monitoring data of the distributed system.
The distributed system has sub-equipment in multiple places, such as a machine room consisting of computers. A first client at a given place can acquire the monitoring data of the sub-equipment at that place; the monitoring data can be obtained by the sub-equipment monitoring itself, or by an external device monitoring the sub-equipment. The client can acquire the monitoring data at a certain frequency.
Step S102: generating a monitoring result according to preset basic information of the client and the monitoring data.
The basic information of the client may include the IP address and an identity identifier of the client. The identity identifier can be stored in both the client and the host monitoring server, and can be distributed to the client by the host monitoring server when the client communicates with it for the first time. The monitoring result comprises not only the monitoring data but also the basic information of the client; the basic information and the monitoring data are assembled into the monitoring result in a preset format.
Step S104: sending the monitoring result of the distributed system to the host monitoring server according to pre-stored address information of the host monitoring server, so that the host monitoring server determines whether the monitoring result is legal according to the basic information and a preset first white list; if it is legal, the monitoring data of the distributed system is stored.
The address information of the host monitoring server may include the IP address and a TCP (Transmission Control Protocol) port of the host monitoring server. The host monitoring server and the client may communicate through an ISP (Internet Service Provider) operator line, commonly referred to as the Internet. When the IP address and TCP port of the host monitoring server are known in advance, the monitoring result of the distributed system can be sent to the host monitoring server, which receives it through that TCP port.
When the host monitoring server receives the monitoring result, it needs to judge the legality of the monitoring result: first, whether the IP address of the client that sent the monitoring result is in the first white list; if so, whether the identity identifier of the client is consistent with the identifier of that client pre-stored by the host monitoring server; if so, the monitoring result is determined to be legal and the host monitoring server stores it.
The embodiment of the invention provides a monitoring data transmission method for a distributed system, which comprises obtaining monitoring data of the distributed system and generating a monitoring result according to preset basic information of the client and the monitoring data; sending the monitoring result to the host monitoring server according to pre-stored address information of the host monitoring server, so that the host monitoring server determines whether the monitoring result is legal according to the basic information and a preset first white list; and if it is legal, storing the monitoring data of the distributed system. The method ensures the security of monitoring data transmission in the distributed system, reduces transmission cost and improves stability.
The embodiment of the invention also provides another monitoring data transmission method of the distributed system, which is realized on the basis of the method of the embodiment; the method mainly describes a process that a client receives a monitoring instruction sent by a host monitoring server, and as shown in fig. 2, the method comprises the following steps:
Step S200: receiving, through a preset first transmission control protocol port, a monitoring instruction sent by the host monitoring server. Because the host monitoring server and the client communicate through the Internet, the client receives the monitoring instruction sent by the host monitoring server through the transmission control protocol port.
Step S202: judging whether the monitoring instruction is legal according to a preset second white list; if it is legal, executing step S204; if not, the method ends.
Specifically, the second white list stores the IP address of each host monitoring server that may act as a remote control end; the monitoring instruction generally includes the IP address of the host monitoring server; therefore, the IP address of the host monitoring server can be searched for in the preset second white list: if it is found, the monitoring instruction is determined to be legal; if it is not found, the monitoring instruction is determined to be illegal.
Step S204: executing the monitoring instruction; specifically, the corresponding monitoring task is executed according to the content of the monitoring instruction.
In this method, a monitoring instruction sent by the host monitoring server is received through a preset first transmission control protocol port, and whether the monitoring instruction is legal is judged according to a preset second white list; if it is legal, the monitoring instruction is executed. This mode reduces transmission cost and improves stability while ensuring the secure transmission of monitoring data of the distributed system.
Corresponding to the embodiment, the embodiment of the invention also provides another monitoring data transmission method of the distributed system, which is applied to a host monitoring server; the host monitoring server is in communication connection with the client; as shown in fig. 3, the method comprises the steps of:
Step S300: receiving a monitoring result of the distributed system sent by the client; the monitoring result comprises monitoring data and basic information of the client.
Step S302: determining whether the monitoring result is legal according to the basic information and a preset first white list.
In actual implementation, the basic information of the client comprises the IP address and an identity identifier of the client, and step S302 can be implemented by the following steps:
(1) Search for the IP address of the client in the preset first white list.
(2) If it is found, judge whether the identity identifier is consistent with the pre-stored identifier of the client.
(3) If they are consistent, determine that the monitoring result is legal.
Step S304: if the monitoring result is legal, storing the monitoring data of the distributed system.
In some cases, the host monitoring server further needs to send a monitoring instruction to the client, which is implemented as follows:
sending a monitoring instruction to the client according to pre-stored address information of the client, so that the client judges whether the monitoring instruction is legal according to a preset second white list and, if it is legal, executes the monitoring instruction; the monitoring instruction comprises the IP address of the host monitoring server; the address information of the client comprises the IP address of the client and a first transmission control protocol port.
The embodiment of the invention provides a monitoring data transmission method for a distributed system in which, after a monitoring result of the distributed system sent by the client is received, whether the monitoring result is legal is determined according to the basic information and a preset first white list; if it is legal, the monitoring data of the distributed system is stored. The method ensures the security of monitoring data transmission in the distributed system, reduces transmission cost and improves stability.
The embodiment of the invention also provides another monitoring data transmission method for a distributed system, which is based entirely on the ISP operator line and solves the problem of centralized, effective monitoring and unified management of the off-site information environment of enterprises and public institutions through the dual security authentication of an IP white list and Token encryption and decryption. The method can ensure the security of transmitting monitoring data over the Internet, and has the advantages of convenient deployment and strong expandability.
The method mainly comprises the steps that a central main monitoring terminal (equivalent to a host monitoring server in the embodiment) is deployed in a central machine room, and a proxy server (equivalent to a client in the embodiment, also called a remote proxy server) is deployed in a remote machine room; the main monitoring terminal sends a monitoring task (equivalent to a monitoring instruction in the embodiment) to the proxy server terminal of the remote machine room through the internet, and after receiving the monitoring task, the remote proxy server terminal collects the running state information of the information equipment and the network of the remote machine room and pushes the monitoring data of each remote machine room to the central main monitoring terminal through the internet in real time, so that the monitoring of the distributed information resources is realized.
Based on the above method, a schematic diagram of information interaction between the central main monitoring terminal and the agent server terminal is shown in fig. 4, and the implementation process of each step pointed by an arrow in fig. 4 is as follows:
1. The main monitoring server publishes on the Internet the independent Internet IP address and TCP port through which it communicates with the remote proxy server. When the main monitoring server communicates with other devices, it relies on the Simple Network Management Protocol (SNMP) and the operating system's process agent (OS agent).
2. The remote proxy server tests the availability of the Internet IP address and TCP port of the main monitoring end and writes them into its configuration file; the IP address of the main monitoring end is written into the IP white list of the remote proxy server (equivalent to the second white list in the above embodiment).
3. After configuration is complete, the remote proxy server initiates a host registration application to the main monitoring end, and sends a Token authentication request once the registration application has passed the IP white list check (equivalent to the first white list in the above embodiment).
The token used for authentication is a JSON Web Token (JWT), which consists of a JWT header, a payload and a signature. It defines a compact, self-contained format for passing JSON (JavaScript Object Notation) objects between two communicating parties. The transmitted information can be verified and trusted through a digital signature, using a secret key with the HMAC (Hash-based Message Authentication Code) algorithm or a public/private key pair with the RSA algorithm, so that the information cannot be tampered with undetected. Once the user has logged in, each subsequent request carries the JWT, and after the Token signature passes authentication the requester is allowed to access the routes, services and resources permitted by the Token. The HMAC algorithm is a method of message authentication based on a hash function and a secret key: it takes the key and the message as input and, through the hash algorithm, produces a fixed-length message digest as output. The key and the plaintext go through two rounds of hashing, similar to adding a salt.
In the Token authentication process, the JWT header and payload are JSON objects serialized to strings and encoded with the Base64URL algorithm (URL: Uniform Resource Locator). Base64URL is similar to Base64, a method for representing binary data with 64 printable characters. The slight difference is that standard Base64 uses the three characters "=", "+" and "/", which have special meaning when the token is placed in a URL (for example, api.example/); Base64URL therefore removes the "=" padding, replaces "+" with "-", and replaces "/" with "_".
4. After receiving the Token authentication request from the remote proxy server, the main monitoring terminal checks whether the Token carried in the request is legal and obtains the relevant information from the Token. Only after the Token signature has passed authentication is the main monitoring terminal allowed to receive monitoring data from the remote proxy server.
5. The main monitoring terminal issues a monitoring task and appoints a certain remote proxy server to carry out the monitoring.
6. After receiving the monitoring task, the remote proxy server acquires the running state information of the monitored equipment using the protocol specified in the task.
7. The remote proxy server stores the monitoring data acquired in the previous step locally and submits it to the main monitoring terminal in real time.
8. The main monitoring terminal receives the monitoring data from the remote proxy server and stores it locally.
The main monitoring end may also be referred to as the local server. A schematic diagram of distributed resource monitoring based on the local server, a remote agent end (equivalent to the client) and remote information resources (belonging to the distributed system) is shown in fig. 5 and can be briefly described as follows: a remote agent end is deployed in a remote machine room; the main monitoring end issues an acquisition task (also called a monitoring task) to the agent server end of the remote machine room through the Internet; after receiving the monitoring task, the remote agent end acquires state monitoring data from the informationized devices (also called remote informationized resources) of the remote machine room; the informationized devices upload the data to the remote agent end; and after receiving the data, the remote agent end transmits the monitoring data (also called uploading the acquisition task) to the main monitoring server end through the Internet. In addition, the local server can also collect data from local information resources (belonging to the distributed system), which upload their data to the local server.
In this method, the security of data transmission during monitoring is achieved by a dual security authentication mechanism of IP white list plus Token authentication. When the main monitoring terminal receives a request from the remote agent, it first checks the IP address of the requester, filtering and intercepting requests that do not belong to the white list, and then carries out Token signature authentication, strengthening security in the process of monitoring data transmission.
First, the IP white list authentication method is introduced: the remote agent server manages the IP addresses allowed to access it in a database. When the remote agent receives a request, the IP address of the requester is filtered by an interceptor, and any request whose IP address is not in the white list is intercepted.
Then, the Token authentication method is introduced: Token authentication uses JSON Web Token, abbreviated JWT, to pass JSON objects between a server and a client without saving session data on the server. The transferred information can be verified and trusted because it is digitally signed with a secret key (HMAC algorithm) or a public/private key pair (RSA). The JWT workflow is illustrated in FIG. 6: the client sends a username and password in an HTTP POST request; after receiving the Token, the client carries it in the request header when sending a request to a protected API (Application Programming Interface). A JWT consists mainly of three parts, the JWT header, the payload and the signature, as follows:
(1) JWT header (Header)
The JWT header is a JSON object that describes the JWT metadata and contains two fields: the token type and the signature algorithm used. It generally looks as follows:
{
  "alg": "HS256",
  "typ": "JWT"
}
In the above code, the alg attribute indicates the algorithm used for the signature and defaults to HMAC SHA256 (written as HS256); the typ attribute indicates the type of the token, which for JWT tokens is uniformly written as JWT.
The JWT header is Base64-encoded: the JSON object is converted into a string for storage using the Base64URL algorithm. This algorithm is similar to the common Base64 algorithm, with slight differences: a JWT may be placed in a URL as a token (for example, api. example/), and the three Base64 characters "=", "+" and "/" have special meanings in a URL, so "=" is removed, "+" is replaced with "-" and "/" is replaced with "_".
(2) Payload
The payload is the body of the JWT and holds the information to be transferred, i.e. a JSON object. Commonly used registered claims are iss (issuer), exp (expiration time), sub (subject), aud (audience), nbf (not before), iat (issued at) and jti (JWT ID, used to identify the JWT).
In addition, private fields can be customized as follows:
{
  "sub": "1234567890",
  "name": "chongchong",
  "admin": true
}
By default the JWT is not encrypted, and anyone can read its contents, so no private field should be built to store secret information, in order to prevent information leakage.
Like the JWT header, the payload JSON object is serialized into a string using the Base64URL algorithm for storage.
(3) Signature
The signature part produces a hash using the algorithm specified in the JWT header, digitally signing the serialized JWT header and payload to ensure that they have not been tampered with.
First, a secret key (secret) must be specified; it is stored only on the server and must not be disclosed to users. The signature is then generated with the algorithm specified in the JWT header (HMAC SHA256 by default), according to the following formula:
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)
where HMACSHA256 is the HMAC algorithm with SHA-256. The HMAC algorithm is based on a message digest algorithm: it takes a key and a message as input and produces a fixed-length message digest as output. It performs two rounds of hashing over the key and the plaintext, similar to salting. The key may be of any length; if its length exceeds the block length of the message digest algorithm, the digest of the key is computed with the digest algorithm and used as the new key. Since the key length is related to the security strength, keys that are too short are generally not recommended, and a key length greater than the message digest output length is recommended.
The HMAC algorithm uses a hash function and a key, denoted H and K respectively. The message digest function processes the message in blocks, and the length of each block is denoted B. The message digest algorithm outputs a fixed-length digest, whose length is denoted L. The length of the key K is theoretically arbitrary, but for security reasons it is recommended to choose a key of length not less than L.
The HMAC algorithm formula for JWT digital signatures is as follows:
HMAC(K, M) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ M))
Here ipad is the single byte 0x36 (repeated to the block length B), opad is the single byte 0x5c (repeated to the block length B), ⊕ denotes XOR, ∥ denotes concatenation, and M represents the message input.
According to the above formula, the operation of the HMAC algorithm can be described in the following steps:
(1) The length of the key K is checked. If the length of K is greater than B, a new key of length L is computed from K with the digest algorithm. If the length of K is then less than B, zeros are appended to K until its length equals B.
(2) The B-byte key string produced in the previous step is XORed with ipad.
(3) The message (data stream) to be processed is appended to the result string of step (2).
(4) The hash function H is used to compute the message digest of the data stream produced in the previous step.
(5) The B-byte key string produced in step (1) is XORed with opad.
(6) The result of step (4) is appended to the result of step (5).
(7) The hash function H is used to compute the digest of the data stream produced in the previous step; the output is the final HMAC value.
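The seven steps above carried out in Python, as an added example that is not code from the patent: the result is cross-checked against the standard library's hmac module, and the key-length recommendation from the text is expressed as a check. The keys and messages are constructed, except for the public RFC 4231 test vector used in the usage section.

```python
import hashlib
import hmac


def hmac_from_steps(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, M) = H((K xor opad) || H((K xor ipad) || M)), built step by step."""
    h = lambda data: hashlib.new(hash_name, data).digest()
    B = hashlib.new(hash_name).block_size    # block length B (64 for SHA-256)
    L = hashlib.new(hash_name).digest_size   # digest length L (32 for SHA-256)
    # Step 1: a key longer than B is replaced by its L-byte digest;
    #         a key shorter than B is then zero-padded on the right to B bytes
    if len(key) > B:
        key = h(key)
        assert len(key) == L
    key = key.ljust(B, b"\x00")
    ipad = bytes([0x36]) * B
    opad = bytes([0x5C]) * B
    # Step 2: XOR the B-byte key with ipad
    k_ipad = bytes(k ^ p for k, p in zip(key, ipad))
    # Steps 3 and 4: append the message and hash -> inner digest
    inner = h(k_ipad + message)
    # Step 5: XOR the B-byte key with opad
    k_opad = bytes(k ^ p for k, p in zip(key, opad))
    # Steps 6 and 7: append the inner digest and hash -> final HMAC value
    return h(k_opad + inner)


def matches_stdlib(key: bytes, message: bytes, hash_name: str = "sha256") -> bool:
    """Cross-check the step-by-step result against hashlib/hmac."""
    reference = hmac.new(key, message, hash_name).digest()
    return hmac.compare_digest(hmac_from_steps(key, message, hash_name), reference)


def key_length_ok(key: bytes, hash_name: str = "sha256") -> bool:
    """The recommendation above: the key length should not be less than L."""
    return len(key) >= hashlib.new(hash_name).digest_size


if __name__ == "__main__":
    # RFC 4231 test case 2 (public test vector), then constructed keys of
    # length below, equal to, and above the block length B
    print(hmac_from_steps(b"Jefe", b"what do ya want for nothing?").hex())
    for k in (b"short", b"\xaa" * 64, b"\xaa" * 131):
        print(len(k), matches_stdlib(k, b"constructed message"), key_length_ok(k))
```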
After the signature hash is computed, the three parts, JWT header, payload and signature, are joined into a single string, with each part separated by a dot (".").
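As an added example (not the patent's own code), the following Python builds and verifies an HS256 JWT exactly as described above (Base64URL header and payload, dot-separated, HMAC-SHA256 over header.payload) and then models the main monitoring end's dual authentication from steps 3 to 8: IP white list check first, then Token signature check, then acceptance of the monitoring data. The secret, agent addresses and identities are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo value; a real deployment keeps the secret only on the server.
SERVER_SECRET = b"constructed-demo-secret"


def b64url_encode(data: bytes) -> str:
    # Base64URL: '+' -> '-', '/' -> '_', and the '=' padding is dropped
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Restore the padding that Base64URL removed before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_sign(payload: dict, secret: bytes) -> str:
    """header.payload.signature with HS256, as in the formula above."""
    header = {"alg": "HS256", "typ": "JWT"}
    head_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    body_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{head_b64}.{body_b64}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{head_b64}.{body_b64}.{b64url_encode(signature)}"


def jwt_verify(token: str, secret: bytes, now: int):
    """Return the payload if the signature and expiry are valid, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
        payload = json.loads(b64url_decode(body_b64))
    except ValueError:  # covers bad Base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    # Pin the algorithm instead of trusting whatever 'alg' the header claims
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{head_b64}.{body_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None
    if "exp" in payload and now >= payload["exp"]:
        return None
    return payload


class MainMonitor:
    """Main monitoring end: IP white list interceptor, then Token authentication."""

    def __init__(self, secret: bytes, ip_whitelist, registered_agents):
        self.secret = secret
        self.ip_whitelist = set(ip_whitelist)       # the first white list
        self.registered = dict(registered_agents)   # agent IP -> identity id
        self.store = []                             # accepted monitoring data

    def register(self, src_ip: str, identity: str, now: int, ttl: int = 3600):
        """Host registration (step 3): white list, identity check, then a Token."""
        if src_ip not in self.ip_whitelist or self.registered.get(src_ip) != identity:
            return None
        claims = {"sub": identity, "ip": src_ip, "iat": now, "exp": now + ttl}
        return jwt_sign(claims, self.secret)

    def receive(self, src_ip: str, token: str, monitoring_data: dict, now: int) -> str:
        """Steps 4 and 8: reject early on IP, then on Token, then store the data."""
        if src_ip not in self.ip_whitelist:
            return "rejected: ip not in white list"
        payload = jwt_verify(token, self.secret, now)
        if payload is None:
            return "rejected: invalid token"
        if payload.get("ip") != src_ip or self.registered.get(src_ip) != payload.get("sub"):
            return "rejected: identity mismatch"
        self.store.append((payload["sub"], monitoring_data))
        return "stored"


if __name__ == "__main__":
    monitor = MainMonitor(SERVER_SECRET, ["203.0.113.10"], {"203.0.113.10": "agent-01"})
    t0 = 1_700_000_000
    token = monitor.register("203.0.113.10", "agent-01", t0)
    print(monitor.receive("203.0.113.10", token, {"cpu_load": 0.42}, t0))
    print(monitor.receive("198.51.100.7", token, {"cpu_load": 0.42}, t0))
    print(monitor.receive("203.0.113.10", token, {"cpu_load": 0.42}, t0 + 7200))
```

The third call is rejected because the Token has expired, and a payload edited after signing fails the signature comparison even when its source IP is white-listed.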
The method provides a safe, low-cost and easily deployed monitoring data transmission method for the distributed system. In the process of connecting the central main monitoring terminal and the agent server terminal, a dual security authentication mode of IP white list plus Token signature algorithm authentication is adopted, so that the security of the monitoring data transmission process is effectively improved without increasing cost or reducing service availability. The method is based entirely on ISP operator lines; no private line or VPN needs to be deployed, so the possibility of monitoring transmission being interrupted by unstable VPN service is avoided. By using the security mechanism of IP white list plus Token signature algorithm, the risk of data leakage and theft by attackers is effectively avoided, and the security of data transmission over the Internet is ensured.
Corresponding to the embodiment of the monitoring data transmission method of the distributed system, the embodiment of the invention also provides a monitoring data transmission device of the distributed system, which is arranged at the client; the client is in communication connection with the host monitoring server; as shown in fig. 7, the apparatus includes:
a data obtaining module 700, configured to obtain monitoring data of a distributed system;
a result generating module 702, configured to generate a monitoring result according to preset basic information and monitoring data of the client;
a result sending module 704, configured to send the monitoring result of the distributed system to the host monitoring server according to the pre-stored address information of the host monitoring server, so that the host monitoring server determines whether the monitoring result is legal according to the basic information and a preset first white list; and if the data is legal, the monitoring data of the distributed system is stored.
The embodiment of the invention provides a monitoring data transmission device of a distributed system, which is used for generating a monitoring result according to preset basic information and monitoring data of a client after acquiring the monitoring data of the distributed system; sending the monitoring result of the distributed system to the host monitoring server according to the address information of the pre-stored host monitoring server, so that the host monitoring server determines whether the monitoring result is legal or not according to the basic information and a preset first white list; and if the data is legal, the monitoring data of the distributed system is stored. The method ensures the security of monitoring data transmission of the distributed system, reduces the transmission cost and improves the stability.
Further, the above apparatus further comprises: the instruction receiving module is used for receiving a monitoring instruction sent by the host monitoring server through a preset first transmission control protocol port; the instruction validity judging module is used for judging whether the monitoring instruction is legal or not according to a preset second white list; and the instruction execution module is used for executing the monitoring instruction if the monitoring instruction is legal.
Further, the monitoring instruction includes an IP address of the host monitoring server; the instruction validity judging module is further configured to: searching the IP address of the host monitoring server in a preset second white list; and if so, determining that the monitoring instruction is legal.
The monitoring data transmission device of the distributed system provided by the embodiment of the invention has the same technical characteristics as the monitoring data transmission method of the distributed system provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
Corresponding to the embodiment of the monitoring data transmission method of another distributed system, the embodiment of the invention also provides a monitoring data transmission device of another distributed system, which is arranged on the host monitoring server; the host monitoring server is in communication connection with the client; as shown in fig. 8, the apparatus includes:
a result receiving module 800, configured to receive a monitoring result of the distributed system sent by the client; the monitoring result comprises monitoring data and basic information of the client;
a legality determining module 802, configured to determine whether the monitoring result is legal according to the basic information and a preset first white list;
and the data storage module 804 is used for storing the monitoring data of the distributed system if the monitoring data is legal.
Further, the basic information of the client includes an IP address and an identity of the client; the legality determining module 802 is further configured to: search for the IP address of the client in a preset white list; if it is found, judge whether the identity is consistent with a pre-stored identity of the client; and if they are consistent, determine that the monitoring result is legal.
Further, the above apparatus further comprises: an instruction sending module, configured to send a monitoring instruction to the client according to the pre-stored address information of the client, so that the client judges whether the monitoring instruction is legal according to a preset second white list and, if the instruction is legal, executes it; the monitoring instruction comprises the IP address of the host monitoring server; the address information of the client comprises the IP address of the client and a first transmission control protocol port.
The monitoring data transmission device of the distributed system provided by the embodiment of the invention has the same technical characteristics as the monitoring data transmission method of the distributed system provided by the embodiment, so that the same technical problems can be solved, and the same technical effects can be achieved.
An embodiment of the present invention further provides an electronic device, which is shown in fig. 9 and includes a processor and a memory, where the memory stores machine executable instructions that can be executed by the processor, and the processor executes the machine executable instructions to implement the monitoring data transmission method of the distributed system.
An embodiment of the present invention further provides a host monitoring server, which has a structure similar to that of the electronic device described above, and as shown in fig. 9, the host monitoring server includes a processor and a memory, where the memory stores machine executable instructions capable of being executed by the processor, and the processor executes the machine executable instructions to implement the monitoring data transmission method of the distributed system described above.
Further, the host monitoring server shown in fig. 9 further includes a bus 132 and a communication interface 133, and the processor 130, the communication interface 133 and the memory 131 are connected through the bus 132.
The Memory 131 may include a high-speed Random Access Memory (RAM) and may also include a non-volatile Memory (non-volatile Memory), such as at least one disk Memory. The communication connection between the network element of the system and at least one other network element is realized through at least one communication interface 133 (which may be wired or wireless), and the internet, a wide area network, a local network, a metropolitan area network, and the like can be used. The bus 132 may be an ISA bus, PCI bus, EISA bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 9, but this does not indicate only one bus or one type of bus.
The processor 130 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or by instructions in the form of software in the processor 130. The Processor 130 may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other Programmable logic device, a discrete Gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed. A general purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present invention may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM or EPROM, or registers. The storage medium is located in the memory 131, and the processor 130 reads the information in the memory 131 and completes the steps of the method of the foregoing embodiment in combination with its hardware.
The embodiment of the present invention further provides a machine-readable storage medium, where the machine-readable storage medium stores machine-executable instructions, and when the machine-executable instructions are called and executed by a processor, the machine-executable instructions cause the processor to implement the monitoring data transmission method of the distributed system, and specific implementation may refer to method embodiments, and is not described herein again.
The monitoring data transmission method and apparatus for a distributed system and the computer program product of the gateway host monitoring server provided in the embodiments of the present invention include a computer-readable storage medium storing a program code, where instructions included in the program code may be used to execute the method described in the foregoing method embodiments, and specific implementation may refer to the method embodiments, and details are not described here.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present invention or a part thereof, which essentially contributes to the prior art, can be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing a computer device (which may be a personal computer, a host monitoring server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
Finally, it should be noted that: the above-mentioned embodiments are only specific embodiments of the present invention, which are used for illustrating the technical solutions of the present invention and not for limiting the same, and the protection scope of the present invention is not limited thereto, although the present invention is described in detail with reference to the foregoing embodiments, those skilled in the art should understand that: any person skilled in the art can modify or easily conceive the technical solutions described in the foregoing embodiments or equivalent substitutes for some technical features within the technical scope of the present disclosure; such modifications, changes or substitutions do not depart from the spirit and scope of the embodiments of the present invention, and they should be construed as being included therein. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (10)

1. A monitoring data transmission method of a distributed system is characterized in that the method is applied to a client; the client is in communication connection with the host monitoring server; the method comprises the following steps:
acquiring monitoring data of the distributed system;
generating a monitoring result according to preset basic information of the client and the monitoring data;
sending the monitoring result of the distributed system to the host monitoring server according to the pre-stored address information of the host monitoring server, so that the host monitoring server determines whether the monitoring result is legal or not according to the basic information and a preset first white list; and if the data is legal, the monitoring data of the distributed system is stored.
2. The method of claim 1, further comprising:
receiving a monitoring instruction sent by the host monitoring server through a preset first transmission control protocol port;
judging whether the monitoring instruction is legal or not according to a preset second white list;
and if the instruction is legal, executing the monitoring instruction.
3. The method of claim 2, wherein the monitoring instruction comprises an IP address of the host monitoring server; judging whether the monitoring instruction is legal or not according to a preset second white list, wherein the step comprises the following steps of:
searching the IP address of the host monitoring server in a preset second white list;
and if so, determining that the monitoring instruction is legal.
4. A monitoring data transmission method of a distributed system is characterized in that the method is applied to a host monitoring server; the host monitoring server is in communication connection with the client; the method comprises the following steps:
receiving a monitoring result of the distributed system sent by the client; the monitoring result comprises monitoring data and basic information of the client;
determining whether the monitoring result is legal or not according to the basic information and a preset first white list;
and if the data is legal, the monitoring data of the distributed system is stored.
5. The method of claim 4, wherein the basic information of the client comprises an IP address and an identity of the client;
determining whether the monitoring result is legal or not according to the basic information and a preset first white list, wherein the step comprises the following steps of:
searching the IP address of the client in a preset white list;
if the identity identification is found, judging whether the identity identification is consistent with a pre-stored identification of the client;
and if the monitoring results are consistent, determining that the monitoring results are legal.
6. The method of claim 4, further comprising:
sending a monitoring instruction to the client according to prestored address information of the client, so that the client judges whether the monitoring instruction is legal or not according to a preset second white list; if the monitoring instruction is legal, executing the monitoring instruction; the monitoring instruction comprises an IP address of the host monitoring server; the address information of the client comprises an IP address of the client and a first transmission control protocol port.
7. The monitoring data transmission device of the distributed system is characterized in that the device is arranged at a client; the client is in communication connection with the host monitoring server; the device comprises:
the data acquisition module is used for acquiring monitoring data of the distributed system;
the result generation module is used for generating a monitoring result according to preset basic information of the client and the monitoring data;
the result sending module is used for sending the monitoring result of the distributed system to the host monitoring server according to the prestored address information of the host monitoring server so that the host monitoring server can determine whether the monitoring result is legal or not according to the basic information and a preset first white list; and if the data is legal, the monitoring data of the distributed system is stored.
8. The monitoring data transmission device of the distributed system is characterized in that the device is arranged on a host monitoring server; the host monitoring server is in communication connection with the client; the device comprises:
the result receiving module is used for receiving the monitoring result of the distributed system sent by the client; the monitoring result comprises monitoring data and basic information of the client;
a legality determining module, configured to determine whether the monitoring result is legal according to the basic information and a preset first white list;
and the data storage module is used for storing the monitoring data of the distributed system if the monitoring data is legal.
9. An electronic device comprising a processor and a memory, the memory storing machine executable instructions executable by the processor, the processor executing the machine executable instructions to implement the method of any one of claims 1 to 3.
10. A host monitoring server comprising a processor and a memory, the memory storing machine executable instructions executable by the processor, the processor executing the machine executable instructions to implement the method of any one of claims 4 to 6.
CN201911364926.8A 2019-12-24 2019-12-24 Monitoring data transmission method and device of distributed system and electronic equipment Pending CN111031067A (en)
Publications (1)

Publication Number Publication Date
CN111031067A true CN111031067A (en) 2020-04-17
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 200040, room 710, 302 Changping Road, Shanghai, Jingan District

Applicant after: Shanghai Xinlian Information Development Co.,Ltd.

Address before: 200040, room 710, 302 Changping Road, Shanghai, Jingan District

Applicant before: SHANGHAI ZHONGXIN INFORMATION DEVELOPMENT Co.,Ltd.

RJ01 Rejection of invention patent application after publication

Application publication date: 20200417