CN112541181A - Method and device for detecting server security - Google Patents

Publication number
CN112541181A
Authority
CN
China
Prior art keywords
server
service
access
target service
security
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202011528978.7A
Other languages
Chinese (zh)
Inventor
古晶
李沁洋
李海
周骥
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
CCB Finetech Co Ltd
Original Assignee
CCB Finetech Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by CCB Finetech Co Ltd filed Critical CCB Finetech Co Ltd
Priority to CN202011528978.7A priority Critical patent/CN112541181A/en
Publication of CN112541181A publication Critical patent/CN112541181A/en
Pending legal-status Critical Current

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/368 Test management for test version control, e.g. updating test cases to a new software version
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/36 Preventing errors by testing or debugging software
    • G06F11/3668 Software testing
    • G06F11/3672 Test management
    • G06F11/3688 Test management for test execution, e.g. scheduling of test suites

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Software Systems (AREA)
  • Quality & Reliability (AREA)
  • Computing Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention relates to the technical field of computers, and in particular to a method and a device for detecting the security of a server. The method comprises the following steps: determining a target service port that is in a service running state in a server; acquiring service version information from the target service port; performing vulnerability attack tests on the target service port according to the vulnerability disclosure information for the service version, and recording the results; and generating a server security report according to the vulnerability attack tests and the records. The technical scheme provided by the application focuses on the server's operating environment, comprehensively considers the potential security hazards that may exist while the server is running, and improves the security of the server through this detection.

Description

Method and device for detecting server security
Technical Field
The invention relates to the technical field of computers, in particular to a method and a device for detecting the security of a server.
Background
Low server security gives rise to vulnerabilities, which can crash the whole connected system and cause losses. Server security detection is therefore a necessary step before a server goes into operation. However, existing server security detection schemes are built around application development and are carried out before online deployment: several sets of test environments are deployed on the development side for function- and development-related verification, in order to check the reliability and security of the functions. The test environment is usually isolated only from the production environment, while it remains connected to internal network environments such as the office network. Once a security risk occurs, the terminal security of intranet users is affected, yet existing server security detection lacks consideration of, and a scheme for, this factor.
Disclosure of Invention
The present application aims to solve at least one of the above technical drawbacks. The technical scheme adopted by the application is as follows:
In a first aspect, an embodiment of the present application discloses a method for detecting server security, where the method includes:
determining a target service port in a service running state in a server;
acquiring service version information from the target service port;
according to the service version vulnerability disclosure information, carrying out vulnerability attack and recording on the target service port;
and generating a server security report according to the vulnerability attack and the record.
Further, the determining a target service port in a service running state in the server includes:
traversing the server IP list or traversing the server target IP address field, where the target IP address field is all IP addresses on which the target service application runs;
and taking the IP port in the service running state as a target service port.
Further, obtaining the service version information from the target service port includes:
sending a service information request message to the determined target service port;
according to the service information request message, the server feeds back service information running at the target service port to the terminal through the target service port; wherein the information of the running service at least comprises: service introduction information and service version information.
Further, the method further comprises:
judging whether the received service introduction information belongs to a pre-stored feature library or not according to the pre-stored feature library;
and if it belongs to the feature library, carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version.
Further, the performing vulnerability attacks and recording on the target service port includes:
using POC test to carry out attack test on all loopholes of the version;
and recording all vulnerability attack test results, wherein the test results comprise attack success or attack failure.
In an optional embodiment, the method further comprises:
receiving at least one access request of a client to the target service port;
recording the access request and acquiring the IP address information of the client;
when the access request is determined to be abnormal access according to a pre-stored abnormal access identification rule, judging whether the access of the client to the target service port is successful;
and generating a server safety report according to the judgment result.
In an alternative embodiment, the pre-stored abnormal access identification rule may be:
acquiring the position information of the client according to the IP address information of the access request,
and when the position information of the client is the position outside the domain, determining that the access is abnormal access.
Further, the pre-stored abnormal access identification rule may be:
acquiring the access frequency of initiating an access request through the IP address within preset access time;
judging whether the access frequency of the access request exceeds the determined access frequency threshold;
and if the access frequency threshold is exceeded, identifying that the access request carrying the IP address is an abnormal access request.
Further, the method further comprises:
acquiring an access password rule of a current access target service port;
generating a verification password set according to the access password rule; wherein the set of authentication passwords comprises at least one authentication password;
performing access test on the target service port by using the verification password set;
and generating a server safety report according to the access test result of the target service port.
Further, the output formats of the vulnerability attack record and the access test result include, but are not limited to: Excel rich text format and XML plain text format.
In an alternative embodiment, the service security report is a GUI interface with interactive functionality, the method further comprising:
the data area in the service safety report can accept the query instruction of the user to the area data;
according to the query instruction, an analysis process of the data can be expanded.
In another aspect, an embodiment of the present application provides an apparatus for detecting server security, where the apparatus includes: a scanning module, a communication module, a testing module and a generating module; wherein,
the scanning module is used for determining a target service port in a service running state in the server;
the communication module is used for acquiring service version information from the target service port;
the test module is used for carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version;
and the generating module is used for generating a server security report according to the vulnerability attack and the record.
Further, the scanning module is specifically configured to: traverse the server IP list or traverse the server target IP address field, where the target IP address field is all IP addresses on which the target service application runs; and take the IP port in the service running state as a target service port.
Further, the communication module is specifically configured to send a service information request message to the determined target service port; it is also used for receiving the information, fed back by the server to the terminal through the target service port, of the service running at the target service port; wherein the information of the running service at least comprises: service introduction information and service version information.
Further, the device also comprises a storage module and a judgment module, wherein,
the storage module is used for storing a feature library of all service features installed on the terminal;
the judging module is used for judging whether the received service introduction information belongs to a pre-stored feature library or not according to the pre-stored feature library;
and if it belongs to the feature library, the testing module is used for carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version.
Further, the test module comprises a test unit and a recording unit; wherein,
the test unit is used for carrying out attack test on all vulnerabilities of the version by using POC test;
the recording unit is used for recording all vulnerability attack test results, wherein the test results comprise attack success or attack failure.
Furthermore, the communication module is also used for acquiring an access password rule of the current access target service port;
the generating module is further used for generating a verification password set according to the access password rule; wherein the set of authentication passwords comprises at least one authentication password;
the test module is used for performing access test on the target service port by using the verification password set;
and the generating module is used for generating a server safety report according to the access test result of the target service port.
In a third aspect, an embodiment of the present application provides an electronic device, including a processor and a memory;
the memory is used for storing operation instructions;
the processor is configured to execute the method in any of the embodiments by calling the operation instruction.
In a fourth aspect, the present application provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the method of any one of the above embodiments.
The scheme for detecting server security comprises: determining a target service port in a service running state in the server; acquiring service version information from the target service port; carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version; and generating a server security report according to the vulnerability attack and the record. In the prior art, server detection considers only the test environment and performs security detection on the server only before the service runs or is deployed. By contrast, the embodiment of the application starts from the server's operating environment and comprehensively detects the potential security hazards that may exist while the server is running, and the security of the server is improved through this detection.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present application, the drawings used in the description of the embodiments of the present application will be briefly described below.
Fig. 1 is a schematic flowchart of a method for detecting server security according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of an apparatus for detecting server security according to an embodiment of the present disclosure;
fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to embodiments of the present application, examples of which are illustrated in the accompanying drawings, wherein like or similar reference numerals refer to the same or similar elements or elements having the same or similar function throughout. The embodiments described below with reference to the drawings are exemplary only for the purpose of explaining the present application and are not to be construed as limiting the present invention.
It should be noted that, unless specifically stated otherwise, as used herein, the singular forms "a," "an," and "the" may include the plural forms, and "first," "second," etc. are defined merely for the purpose of describing the solution clearly and are not intended to limit the objects themselves; of course, the "first" and "second" may be the same terminal, device, user, etc., or may be different terminals, devices, users. It will be further understood that the terms "comprises" and/or "comprising," when used in this specification, specify the presence of stated features, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, integers, steps, operations, elements, components, and/or groups thereof. As used herein, the term "and/or" includes all or any element and all combinations of one or more of the associated listed items. In addition, it is to be understood that "at least one" in the embodiments of the present application means one or more, and "a plurality" means two or more. "And/or" describes the association relationship of the associated objects, meaning that there may be three relationships, e.g., A and/or B, which may mean: A alone, both A and B, and B alone, where A and B may be singular or plural. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, at least one of a, b, or c may represent: a, b, c, a and b, a and c, b and c, or a, b and c, where a, b and c can each be single or multiple.
Based on the problems of the prior art, the following embodiments of the present invention provide a method for detecting server security to solve at least one of the above-mentioned drawbacks.
To more clearly describe the technical solution of the present application, some concepts, terms or devices that the following embodiments may relate to are described below to help understand the solution of detecting server security disclosed in the present application:
A POC test, namely a Proof of Concept test, is a verification test popular in the industry for specific client applications. Real data operations are carried out on a selected server according to the user's performance and expansion requirements for the adopted system; the data volume and running time under user load are actually measured and calculated, and the data volume is increased according to the user's future service expansion needs, so as to verify the load-bearing capacity and performance changes of the system and platform.
Fig. 1 shows a schematic flowchart of detecting security of a server according to an embodiment of the present application, and as shown in fig. 1, the method mainly includes:
S101, determining a target service port in a service running state in a server;
In a further optional embodiment, the determining the target service port in the server in the service running state includes:
step 1, traversing a server IP list or a server target IP address field, where the target IP address field is all IP addresses on which the target service application runs;
step 2, taking the IP port in the service running state as a target service port.
The IP list or address field of the server is traversed in this embodiment because, when a server runs a certain service, the service may not be on its common default port: the port may have been changed to an unusual one for security. Service detection therefore needs to identify the running characteristics of a service rather than judge by a single factor, so detecting and identifying services must be supported by a rich, continuously updatable feature data set. The live service ports of the server (namely the service ports in a running state) are detected rapidly by means of SYN half-open scanning, and security detection is then performed on the live ports. Performing the half-open scan first and the comprehensive detection afterwards ensures the comprehensiveness of the detection and improves its speed.
S102, acquiring service version information from the target service port;
In a further optional embodiment, obtaining the service version information from the target service port comprises:
step 1, sending a service information request message to the determined target service port;
step 2, according to the service information request message, the server feeds back the information of the service running at the target service port to the terminal through the target service port; wherein the information of the running service at least comprises: service introduction information and service version information.
In a further optional embodiment, the method further comprises:
step 1, judging whether the received service introduction information belongs to a pre-stored feature library;
step 2, if it belongs to the feature library, carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version.
S103, according to the service version vulnerability disclosure information, carrying out vulnerability attack and recording on the target service port;
The service version vulnerability disclosure information is obtained from websites or organizations that disclose the vulnerability information of each version of the service; all vulnerabilities of the version are then attack-tested using POC tests, and all vulnerability attack test results are recorded, where a test result is either attack success or attack failure. If the attack fails, the security of the server is ensured; if the attack succeeds, the server has a potential security hazard in that respect.
S104, generating a server security report according to the vulnerability attack and the record.
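The following is an added example, not code from the patent. It shows the feature-library check of S102 and the selection of disclosures for S103 on constructed banners, and it stops at listing which disclosures apply to each port. The product names (ExampleSSH, ExampleFTPd), the advisory identifiers and the version ranges are constructed placeholders, and all function names are assumptions.

```python
"""Added example: feature-library matching and disclosure selection (offline)."""
import re

# Constructed feature library: service name -> banner pattern with a "version" group.
FEATURE_LIBRARY = {
    "ssh": re.compile(r"^SSH-\d\.\d+-ExampleSSH_(?P<version>\d+(?:\.\d+)*)"),
    "ftp": re.compile(r"^220[ -].*ExampleFTPd (?P<version>\d+(?:\.\d+)*)"),
}

# Constructed disclosure records (placeholder IDs): a version is affected when
# introduced <= version < fixed_in.
DISCLOSURES = [
    {"id": "EXAMPLE-ADV-001", "service": "ssh", "introduced": "7.0", "fixed_in": "7.6"},
    {"id": "EXAMPLE-ADV-002", "service": "ssh", "introduced": "0", "fixed_in": "8.2"},
    {"id": "EXAMPLE-ADV-003", "service": "ftp", "introduced": "2.0", "fixed_in": "2.3.5"},
]


def parse_version(text):
    """'7.10' -> (7, 10), so that 7.10 sorts after 7.9 (string comparison would not)."""
    return tuple(int(part) for part in text.split("."))


def identify(banner):
    """Return (service, version) if the banner belongs to the feature library, else None."""
    for service, pattern in FEATURE_LIBRARY.items():
        match = pattern.search(banner.strip())
        if match:
            return service, match.group("version")
    return None


def applicable_disclosures(service, version):
    """IDs of the disclosures whose affected range contains this service version."""
    v = parse_version(version)
    return [
        d["id"]
        for d in DISCLOSURES
        if d["service"] == service
        and parse_version(d["introduced"]) <= v < parse_version(d["fixed_in"])
    ]


def build_report(observations):
    """One report row per (ip, port, banner) observation."""
    rows = []
    for ip, port, banner in observations:
        hit = identify(banner)
        if hit is None:
            # Not in the feature library: recorded, but nothing is selected for testing.
            rows.append({"ip": ip, "port": port, "status": "unidentified", "to_test": []})
            continue
        service, version = hit
        rows.append({
            "ip": ip, "port": port, "status": "identified",
            "service": service, "version": version,
            "to_test": applicable_disclosures(service, version),
        })
    return rows


# Constructed observations; note the SSH service on the non-default port 2222.
SAMPLE_OBSERVATIONS = [
    ("192.0.2.10", 22, "SSH-2.0-ExampleSSH_7.4\r\n"),
    ("192.0.2.10", 2222, "SSH-2.0-ExampleSSH_7.10"),
    ("192.0.2.11", 21, "220 ExampleFTPd 2.3.5 ready"),
    ("192.0.2.12", 8080, "HTTP/1.1 400 Bad Request"),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_OBSERVATIONS):
        print(row)
```

The service on port 2222 is identified from its banner rather than from its port number, and version 7.10 is correctly treated as newer than 7.6.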
In a further optional embodiment, the method further comprises:
step 1, obtaining an access password rule of a current access target service port;
step 2, generating a verification password set according to the access password rule; wherein the set of authentication passwords comprises at least one authentication password;
step 3, carrying out access test on the target service port by using the verification password set;
step 4, generating a server security report according to the access test result of the target service port.
For example, for services with user login behaviour such as SSH and FTP, a common weak-password dictionary is used for the check, and a new weak-password dictionary is generated from the characteristics of the currently running client (company name, project abbreviation, pinyin of employee names, etc.) for checking, which greatly improves the likelihood of detecting weak passwords.
In a further optional embodiment, the output formats of the vulnerability attack record and the access test result include, but are not limited to: Excel rich text format and XML plain text format.
In an optional embodiment, server detection may further determine whether the server is safe by determining whether an abnormal IP address successfully accesses the service port, where the determining step includes:
step 1, receiving at least one access request of a client to the target service port;
step 2, recording the access request and acquiring the IP address information of the client;
step 3, when the access request is determined to be abnormal access according to the pre-stored abnormal access identification rule, judging whether the access of the client to the target service port is successful;
In an alternative embodiment, the pre-stored abnormal access identification rule may be:
acquiring the position information of the client according to the IP address information of the access request,
and when the position information of the client is a position outside the domain, determining that the access is abnormal access.
In another alternative embodiment, the pre-stored abnormal access identification rule may be:
acquiring the access frequency of initiating an access request through the IP address within preset access time;
judging whether the access frequency of the access request exceeds the determined access frequency threshold;
and if the access frequency threshold is exceeded, identifying that the access request carrying the IP address is an abnormal access request.
step 4, generating a server security report according to the judgment result.
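The following is an added example, not code from the patent. It applies the two abnormal access identification rules described above to constructed access records and builds the judgment result for the report. Modelling "inside the domain" as a list of CIDR ranges, the 60-second window, the threshold of 5 and all names are assumptions.

```python
"""Added example: out-of-domain and frequency rules over constructed access records."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions (not from the patent): the domain is a set of CIDR ranges and the
# frequency rule is a sliding window kept per client IP.
IN_DOMAIN_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WINDOW_SECONDS = 60   # the "preset access time"
FREQ_THRESHOLD = 5    # the "access frequency threshold"


@dataclass
class Access:
    ts: float         # seconds since the start of the capture
    client_ip: str
    port: int         # target service port
    success: bool     # whether the access to the port succeeded


def is_out_of_domain(ip):
    """Rule 1: the client's location is outside the domain."""
    addr = ip_address(ip)
    return not any(addr in net for net in IN_DOMAIN_NETS)


def analyse(records):
    """Return one report row for every access flagged by either rule."""
    recent = defaultdict(deque)   # client_ip -> timestamps still inside the window
    report = []
    for rec in sorted(records, key=lambda r: r.ts):
        window = recent[rec.client_ip]
        window.append(rec.ts)
        while rec.ts - window[0] > WINDOW_SECONDS:
            window.popleft()      # drop requests older than the preset access time
        reasons = []
        if is_out_of_domain(rec.client_ip):
            reasons.append("out-of-domain")
        if len(window) > FREQ_THRESHOLD:   # rule 2: frequency threshold exceeded
            reasons.append("frequency")
        if reasons:
            report.append({
                "ts": rec.ts, "client_ip": rec.client_ip, "port": rec.port,
                "reasons": reasons,
                # Step 3: for abnormal access, judge whether it succeeded.
                "finding": "RISK: abnormal access succeeded" if rec.success else "blocked",
            })
    return report


def summarise(report):
    """Step 4: the server is reported unsafe if any abnormal access succeeded."""
    risky = sorted({r["client_ip"] for r in report if r["finding"].startswith("RISK")})
    return {"abnormal_accesses": len(report), "risky_clients": risky,
            "server_safe": not risky}


# Constructed sample records (203.0.113.0/24 is a documentation range).
SAMPLE = (
    [Access(float(t), "10.1.2.3", 22, True) for t in (0, 100, 200)]      # normal use
    + [Access(float(t), "10.9.9.9", 22, False) for t in range(10, 17)]   # internal burst
    + [Access(30.0, "203.0.113.7", 22, False), Access(31.0, "203.0.113.7", 22, True)]
)

if __name__ == "__main__":
    rows = analyse(SAMPLE)
    for row in rows:
        print(row)
    print(summarise(rows))
```

A failed abnormal access is still recorded in the report as blocked; only a successful one marks the server as unsafe.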
In an alternative embodiment, the service security report is a GUI interface with interactive functions, and various data and diagrams can be included in the GUI security report. A data area in the service security report can accept a user's query instruction on the data of that area, and the analysis process of the data can be expanded according to the query instruction. That is, by clicking a data area the user can expand the analysis process behind the data for that security detection result, and can further expand the cause analysis and suggestions for improving security.
Based on the method for detecting the security of the server shown in fig. 1, another aspect of the present application provides an apparatus for detecting the security of the server. As shown in fig. 2, the apparatus may include: a scanning module 201, a communication module 202, a testing module 203 and a generating module 204; wherein,
the scanning module 201 is configured to determine a target service port in a service running state in a server;
the communication module 202 is configured to obtain service version information from the target service port;
the testing module 203 is used for carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version;
and the generating module 204 is used for generating a server security report according to the vulnerability attack and record.
In a further optional embodiment, the scanning module 201 is specifically configured to: traverse the server IP list or traverse the server target IP address field, where the target IP address field is all IP addresses on which the target service application runs; and take the IP port in the service running state as a target service port.
In a further optional embodiment, the communication module 202 is specifically configured to send a service information request message to the determined target service port; it is also used for receiving the information, fed back by the server to the terminal through the target service port, of the service running at the target service port; wherein the information of the running service at least comprises: service introduction information and service version information.
In a further alternative embodiment, the apparatus further comprises a storage module 205 and a judging module 206, wherein,
the storage module 205 is used for storing a feature library of all service features installed on the terminal;
the judging module 206 is configured to judge whether the received service introduction information belongs to the pre-stored feature library;
if it belongs to the feature library, the testing module 203 is used for carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version.
In a further alternative embodiment, the testing module 203 comprises a test unit 2031 and a recording unit 2032; wherein,
the test unit 2031 is configured to perform attack tests on all vulnerabilities of the version by using POC tests, respectively;
the recording unit 2032 is configured to record all vulnerability attack test results, where the test results include attack success or attack failure.
In a further optional embodiment, the communication module 202 is further configured to obtain an access password rule of a current access target service port;
the generating module 204 is further configured to generate a verification password set according to the access password rule; wherein the set of authentication passwords comprises at least one authentication password;
the testing module 203 is configured to perform an access test on the target service port by using the verification password set;
and the generating module 204 is used for generating a server security report according to the access test result of the target service port.
In an optional embodiment, the judging module 206 may further determine whether the server is safe by determining whether an abnormal IP address successfully accesses the service port, where the determining step includes:
step 1, receiving at least one access request of a client to the target service port;
step 2, recording the access request and acquiring the IP address information of the client;
step 3, when the access request is determined to be abnormal access according to a pre-stored abnormal access identification rule, judging whether the access of the client to the target service port is successful.
In an alternative embodiment, the pre-stored abnormal access identification rule may be:
acquiring the position information of the client according to the IP address information of the access request,
and when the position information of the client is a position outside the domain, determining that the access is abnormal access.
In another alternative embodiment, the pre-stored abnormal access identification rule may be:
acquiring the access frequency of initiating an access request through the IP address within preset access time;
judging whether the access frequency of the access request exceeds the determined access frequency threshold;
and if the access frequency threshold is exceeded, identifying that the access request carrying the IP address is an abnormal access request.
step 4, generating a server security report according to the judgment result.
In an optional embodiment, the apparatus further comprises a display module 207, wherein the display module is configured to display a service security report as a GUI interface with interactive functions, and the GUI security report may include various data and graphs. A data area in the service security report can accept a user's query instruction on the data of that area, and the analysis process of the data can be expanded according to the query instruction. That is, by clicking a data area the user can expand the analysis process behind the data for that security detection result, and can further expand the cause analysis and suggestions for improving security.
It is understood that the above-mentioned respective constituent devices of the apparatus for detecting server security in the present embodiment have functions of implementing the corresponding steps of the method in the embodiment shown in fig. 1. The function can be realized by hardware, and can also be realized by executing corresponding software by hardware. The hardware or software includes one or more modules or means corresponding to the functions described above. The modules and devices can be software and/or hardware, and the modules and devices can be realized independently or integrated by a plurality of modules and devices. For the functional description of each module and apparatus, reference may be specifically made to the corresponding description of the method in the embodiment shown in fig. 1, and therefore, the beneficial effects that can be achieved by the method may refer to the beneficial effects in the corresponding method provided above, which are not described again here.
It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to the specific structure of the apparatus for detecting server security. In other embodiments of the present application, the means for detecting server security may include more or fewer components than shown, or some components may be combined, some components may be split, or a different arrangement of components. The illustrated components may be implemented in hardware, software, or a combination of software and hardware.
The embodiment of the application provides an electronic device, which comprises a processor and a memory;
a memory for storing operating instructions;
and the processor is used for executing the method for detecting the security of the server provided by any embodiment of the application by calling the operation instruction.
As an example, fig. 3 shows a schematic structural diagram of an electronic device to which the embodiment of the present application is applied. As shown in fig. 3, the electronic device 300 includes a processor 301 and a memory 303, where the processor 301 is coupled to the memory 303, for example via a bus 302. Optionally, the electronic device 300 may further include a transceiver 304. It should be noted that, in practical applications, the number of transceivers 304 is not limited to one. It is to be understood that the illustrated structure of the embodiment of the present invention does not constitute a specific limitation to the specific structure of the electronic device 300. In other embodiments of the present application, the electronic device 300 may include more or fewer components than shown, or some components may be combined, some components may be split, or the components may be arranged differently. The illustrated components may be implemented in hardware, software, or a combination of software and hardware. Optionally, the electronic device may further include a display screen 305 for displaying images or receiving operation instructions of a user as needed.
The processor 301 is applied to the embodiment of the present application, and is configured to implement the method shown in the foregoing method embodiment. The transceiver 304 may include a receiver and a transmitter, and the transceiver 304 is applied in the embodiment of the present application and is used for implementing the function of the electronic device of the embodiment of the present application to communicate with other devices when executed.
The processor 301 may be a CPU (Central Processing Unit), a general-purpose processor, a DSP (Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), an FPGA (Field Programmable Gate Array) or other programmable logic device, a transistor logic device, a hardware component, or any combination thereof. It may implement or perform the various illustrative logical blocks, modules, and circuits described in connection with the disclosure. The processor 301 may also be a combination that implements computing functions, e.g., a combination of one or more microprocessors, a combination of a DSP and a microprocessor, or the like.
Processor 301 may also include one or more processing units, such as: the processor 301 may include an Application Processor (AP), a modem processor, a Graphics Processing Unit (GPU), an Image Signal Processor (ISP), a controller, a memory, a video codec, a Digital Signal Processor (DSP), a baseband processor, and/or a Neural-Network Processing Unit (NPU), etc. The different processing units may be separate devices or may be integrated into one or more processors. The controller may be, among other things, a neural center and a command center of the electronic device 300. The controller can generate an operation control signal according to the instruction operation code and the timing signal to complete the control of instruction fetching and instruction execution. A memory may also be provided in processor 301 for storing instructions and data. In some embodiments, the memory in the processor 301 is a cache memory. The memory may hold instructions or data that have just been used or recycled by the processor 301. If the processor 301 needs to reuse the instruction or data, it can be called directly from the memory. Avoiding repeated accesses reduces the latency of the processor 301, thereby increasing the efficiency of the system.
The processor 301 may run the method for detecting server security provided in the embodiment of the present application, so as to reduce the operation complexity for the user, improve the degree of intelligence of the terminal device, and improve the user experience. The processor 301 may include different devices. For example, when a CPU and a GPU are integrated, they may cooperate to execute the method for detecting server security provided by the embodiment of the present application: part of the algorithm in the method is executed by the CPU and another part is executed by the GPU, so as to obtain faster processing efficiency.
Bus 302 may include a path that transfers information between the above components. The bus 302 may be a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus 302 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 3, but this does not mean only one bus or one type of bus.
The memory 303 may be a ROM (Read Only Memory) or other type of static storage device that can store static information and instructions, a RAM (Random Access Memory) or other type of dynamic storage device that can store information and instructions, an EEPROM (Electrically Erasable Programmable Read Only Memory), a CD-ROM (Compact Disc Read Only Memory) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), a high-speed random access memory, a non-volatile memory such as at least one magnetic disk storage device, a flash memory device or universal flash storage (UFS), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these.
Optionally, the memory 303 is used for storing application program codes for executing the scheme of the present application, and is controlled by the processor 301 to execute. The processor 301 is configured to execute the application program code stored in the memory 303 to implement the method for detecting the security of the server provided in any embodiment of the present application.
The memory 303 may be used to store computer-executable program code, which includes instructions. The processor 301 executes various functional applications of the electronic device 300 and data processing by executing instructions stored in the memory 303. The memory 303 may include a program storage area and a data storage area. Wherein, the storage program area can store the codes of the operating system and the application program, etc. The storage data area may store data created during use of the electronic device 300 (e.g., images, video, etc. captured by a camera application), and the like.
The memory 303 may further store one or more computer programs corresponding to the method for detecting server security provided by the embodiment of the present application. The one or more computer programs stored in the memory 303 and configured to be executed by the one or more processors 301 include instructions that may be used to perform the various steps in the respective embodiments described above.
Of course, the code of the method for detecting the security of the server provided in the embodiment of the present application may also be stored in the external memory. In this case, the processor 301 may execute the code of the method for detecting the security of the server stored in the external memory through the external memory interface, and the processor 301 may control a flow of executing the method for detecting the security of the server.
The display screen 305 includes a display panel. The display panel may be a liquid crystal display (LCD), an organic light-emitting diode (OLED), an active-matrix organic light-emitting diode (AMOLED), a flexible light-emitting diode (FLED), a Mini-LED, a Micro-OLED, a quantum dot light-emitting diode (QLED), or the like. In some embodiments, the electronic device 300 may include 1 or N display screens 305, N being a positive integer greater than 1. The display screen 305 may be used to display information input by or provided to the user as well as various graphical user interfaces (GUIs). For example, the display screen 305 may display a photograph, video, web page, or file, etc.
The electronic device provided by the embodiment of the present application is applicable to any embodiment of the above method, and therefore, the beneficial effects that can be achieved by the electronic device can refer to the beneficial effects in the corresponding method provided above, and are not described again here.
The embodiment of the present application provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the computer program implements the method for detecting the security of the server shown in the above method embodiment.
The computer-readable storage medium provided in the embodiments of the present application is applicable to any embodiment of the foregoing method, and therefore, the beneficial effects that can be achieved by the computer-readable storage medium can refer to the beneficial effects in the corresponding method provided above, and are not described herein again.
The embodiment of the present application further provides a computer program product, which when running on a computer, causes the computer to execute the above related steps to implement the method in the above embodiment. The computer program product provided in the embodiments of the present application is applicable to any of the embodiments of the method described above, and therefore, the beneficial effects that can be achieved by the computer program product can refer to the beneficial effects in the corresponding method provided above, and are not described herein again.
The scheme for detecting server security comprises: determining a target service port in a service running state in the server; acquiring service version information from the target service port; according to the vulnerability disclosure information of the service version, carrying out vulnerability attack and recording on the target service port; and generating a server security report according to the vulnerability attack and the record. Compared with the prior art, in which server detection considers only the test environment and the server undergoes security detection only before the service runs or is deployed, the technical scheme provided by the embodiment of the application starts from the server's operating environment and emphasizes comprehensive detection, while the server is running, of the potential security hazards that may exist in the server; this detection improves the security of the server.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the above-described apparatus embodiments are merely illustrative: the division into modules or units is only a division by logical function, and other divisions are possible in an actual implementation; for example, a plurality of units or components may be combined or integrated into another apparatus, or some features may be discarded or not executed. In addition, the mutual coupling, direct coupling or communication connection shown or discussed may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
Units described as separate parts may or may not be physically separate, and parts displayed as units may be one physical unit or a plurality of physical units, may be located in one place, or may be distributed to a plurality of different places. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a readable storage medium. Based on such understanding, the technical solutions of the embodiments of the present application in essence, or the part that contributes to the prior art, or all or part of the technical solutions, may be embodied in the form of a software product, where the software product is stored in a storage medium and includes several instructions to enable a device (which may be a single-chip microcomputer, a chip, or the like) or a processor to execute all or part of the steps of the methods of the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB disk, a removable hard disk, a Read Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It should be understood that, although the steps in the flowcharts of the figures are shown in the order indicated by the arrows, the steps are not necessarily performed in that order. Unless explicitly stated herein, the steps are not restricted to the exact order shown and may be performed in other orders. Moreover, at least a portion of the steps in the flowcharts may include multiple sub-steps or multiple stages, which are not necessarily performed at the same time but may be performed at different times, and which are not necessarily performed in sequence but may be performed in turns or alternately with other steps or with at least a portion of the sub-steps or stages of other steps.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of changes or substitutions within the technical scope of the present application, and can make several modifications and decorations, and these changes, substitutions, improvements and decorations should also be considered to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (16)

1. A method for detecting server security, the method comprising:
determining a target service port in a service running state in a server;
acquiring service version information from the target service port;
according to the service version vulnerability disclosure information, carrying out vulnerability attack and recording on the target service port;
and generating a server security report according to the vulnerability attack and the record.
2. The method for detecting the security of the server according to claim 1, wherein the determining the target service port in the server in the service running state comprises:
traversing the server IP list or traversing the server's target IP address range, wherein the target IP address range comprises all IP addresses on which the target service application runs;
and determining the IP port in the service running state as the target service port.
3. The method of detecting server security according to claim 2, wherein obtaining service version information from the target service port comprises:
sending a service information request message to the determined target service port;
according to the service information request message, the server feeds back service information running at the target service port to the terminal through the target service port; wherein the information of the running service at least comprises: service introduction information and service version information.
4. The method for detecting server security according to claim 3, wherein the method further comprises:
judging whether the received service introduction information belongs to a pre-stored feature library or not according to the pre-stored feature library;
and if so, carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version.
5. The method for detecting the security of the server according to claim 4, wherein the performing of the vulnerability attack and the recording on the target service port comprises:
using POC test to carry out attack test on all loopholes of the version;
and recording all vulnerability attack test results, wherein the test results comprise attack success or attack failure.
6. The method for detecting the security of the server according to claim 1 or 5, wherein the method further comprises:
receiving at least one access request of a client to the target service port;
recording the access request and acquiring the IP address information of the client;
when the access request is determined to be abnormal access according to a pre-stored abnormal access identification rule, judging whether the access of the client to the target service port is successful;
and generating a server safety report according to the judgment result.
7. The method for detecting the security of the server according to claim 6, wherein the pre-stored abnormal access identification rule comprises:
acquiring the position information of the client according to the IP address information of the access request,
and when the position information of the client is the position outside the domain, determining that the access is abnormal access.
8. The method for detecting the security of the server according to claim 6, wherein the pre-stored abnormal access identification rule comprises:
acquiring the access frequency of initiating an access request through the IP address within preset access time;
judging whether the access frequency of the access request exceeds the determined access frequency threshold;
and if the access frequency threshold is exceeded, identifying that the access request carrying the IP address is an abnormal access request.
9. The method for detecting the security of the server according to claim 7 or 8, wherein the method further comprises:
acquiring an access password rule of a current access target service port;
generating a verification password set according to the access password rule; wherein the set of authentication passwords comprises at least one authentication password;
performing access test on the target service port by using the verification password set;
and generating a server safety report according to the access test result of the target service port.
10. The method for detecting the security of the server according to claim 9, wherein the method comprises: output formats of the vulnerability attack record and the access test result include, but are not limited to, an Excel rich text format and an xml plain text format.
11. The method for detecting the security of the server according to claim 1 or 10, wherein the service security report is a GUI interface with interactive function; the method further comprises the following steps:
the data area in the service safety report can accept the query instruction of the user to the area data;
according to the query instruction, an analysis process of the data can be expanded.
12. An apparatus for detecting server security, the apparatus comprising: the device comprises a scanning module, a communication module, a testing module and a generating module; wherein,
the scanning module is used for determining a target service port in a service running state in the server;
the communication module is used for acquiring service version information from the target service port;
the test module is used for carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version;
and the generating module is used for generating a server security report according to the vulnerability attack and the record.
13. The apparatus for detecting server security according to claim 12, wherein the apparatus further comprises a storage module and a determination module, wherein,
the storage module is used for storing a feature library of all service features installed on the terminal;
the judging module is used for judging whether the received service introduction information belongs to a pre-stored feature library or not according to the pre-stored feature library;
and if it does, the testing module is used for carrying out vulnerability attack and recording on the target service port according to the vulnerability disclosure information of the service version.
14. The apparatus for detecting server security according to claim 12 or 13, wherein the testing module includes a testing unit and a recording unit; wherein,
the test unit is used for carrying out attack test on all vulnerabilities of the version by using POC test;
the recording unit is used for recording all vulnerability attack test results, wherein the test results comprise attack success or attack failure.
15. An electronic device comprising a processor and a memory;
the memory is used for storing operation instructions;
the processor is used for executing the method of any one of claims 1-11 by calling the operation instruction.
16. A computer-readable storage medium, characterized in that the storage medium has stored thereon a computer program which, when being executed by a processor, carries out the method of any one of claims 1-11.
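The abnormal-access identification rules of claims 6 to 8 (client location outside the region, access frequency above a threshold within a preset access time, then a check of whether the flagged access succeeded) can be implemented as follows. This is an added example, not code from the patent; the log format, the CIDR-to-region table, the 60-second window and the threshold of 3 are assumptions, and the log lines are constructed.

```python
"""Abnormal-access rules of claims 6-8 applied to a constructed access log."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: a CIDR-to-region table stands in for the IP geolocation lookup.
REGION_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "in-region",
    ipaddress.ip_network("198.51.100.0/24"): "in-region",
    ipaddress.ip_network("203.0.113.0/24"): "out-of-region",
}
WINDOW = timedelta(seconds=60)  # "preset access time" (assumed value)
THRESHOLD = 3                   # "access frequency threshold" (assumed value)

# Constructed sample log: timestamp, client IP, target service port, outcome.
SAMPLE_LOG = """\
2020-12-22T10:00:00 192.0.2.10 3306 OK
2020-12-22T10:00:05 198.51.100.7 22 FAIL
2020-12-22T10:00:10 198.51.100.7 22 FAIL
2020-12-22T10:00:15 198.51.100.7 22 FAIL
2020-12-22T10:00:20 198.51.100.7 22 FAIL
2020-12-22T10:00:25 198.51.100.7 22 OK
2020-12-22T10:02:00 203.0.113.44 3306 FAIL
2020-12-22T10:05:00 198.51.100.7 22 OK
not a log line
"""


def parse_line(line):
    """Return (timestamp, ip, port, succeeded) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        ip = str(ipaddress.ip_address(parts[1]))  # validates the address
        port = int(parts[2])
    except ValueError:
        return None
    return ts, ip, port, parts[3] == "OK"


def locate(ip):
    """Claim 7: map the client IP to a region; unlisted addresses are 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for net, region in REGION_TABLE.items():
        if addr in net:
            return region
    return "unknown"


def detect(log_text):
    """Apply both rules to a chronologically ordered log.

    Returns (report, skipped): report maps (ip, port) to the rule names that
    fired, the number of abnormal requests, and how many of them succeeded
    (the judgment of claim 6); skipped counts unparseable lines.
    """
    recent = defaultdict(deque)  # ip -> request timestamps inside the window
    report, skipped = {}, 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        ts, ip, port, ok = rec
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:  # drop requests older than the window
            window.popleft()
        reasons = set()
        # Assumption: an address that cannot be located is treated like an
        # out-of-region one, so a gap in the table does not hide a client.
        if locate(ip) != "in-region":
            reasons.add("out_of_region")
        if len(window) > THRESHOLD:     # claim 8: frequency exceeds threshold
            reasons.add("frequency")
        if not reasons:
            continue
        entry = report.setdefault(
            (ip, port), {"reasons": set(), "abnormal": 0, "succeeded": 0})
        entry["reasons"] |= reasons
        entry["abnormal"] += 1
        entry["succeeded"] += int(ok)
    return report, skipped


if __name__ == "__main__":
    findings, bad_lines = detect(SAMPLE_LOG)
    for (ip, port), e in sorted(findings.items()):
        print(ip, port, sorted(e["reasons"]), e["abnormal"], e["succeeded"])
    print("skipped lines:", bad_lines)
```

An entry whose `succeeded` count is non-zero is the case claim 6 singles out for the security report: an access flagged as abnormal that nevertheless got through.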
CN202011528978.7A 2020-12-22 2020-12-22 Method and device for detecting server security Pending CN112541181A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202011528978.7A CN112541181A (en) 2020-12-22 2020-12-22 Method and device for detecting server security

Publications (1)

Publication Number Publication Date
CN112541181A true CN112541181A (en) 2021-03-23

Family

ID=75019651

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202011528978.7A Pending CN112541181A (en) 2020-12-22 2020-12-22 Method and device for detecting server security

Country Status (1)

Country Link
CN (1) CN112541181A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113392410A (en) * 2021-08-17 2021-09-14 腾讯科技(深圳)有限公司 Interface security detection method and device, computer equipment and storage medium
CN113392410B (en) * 2021-08-17 2022-02-11 腾讯科技(深圳)有限公司 Interface security detection method and device, computer equipment and storage medium
CN114629832A (en) * 2022-03-17 2022-06-14 广州超云科技有限公司 Remote automatic test method, system, electronic equipment and storage medium
CN114884699A (en) * 2022-04-13 2022-08-09 中国银行股份有限公司 Vulnerability detection method, device, equipment and storage medium
CN114884699B (en) * 2022-04-13 2024-03-19 中国银行股份有限公司 Vulnerability detection method, device, equipment and storage medium
CN115150129A (en) * 2022-06-06 2022-10-04 阿里云计算有限公司 Container safety control method, container processing method, electronic device, and storage medium
CN115664862A (en) * 2022-12-27 2023-01-31 深圳市四格互联信息技术有限公司 Security baseline scanning method, device and storage medium
CN116776338A (en) * 2023-07-28 2023-09-19 上海螣龙科技有限公司 Multilayer filtering high-precision vulnerability detection method, device, equipment and medium
CN116776338B (en) * 2023-07-28 2024-05-10 上海螣龙科技有限公司 Multilayer filtering high-precision vulnerability detection method, device, equipment and medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination