CN114401124A - Firewall login method and device, electronic equipment and computer program product - Google Patents


Info

Publication number: CN114401124A
Authority: CN (China)
Prior art keywords: account, login, information, verification, firewall
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Application number: CN202111638800.2A
Other languages: Chinese (zh)
Other versions: CN114401124B (en)
Inventor: 高福亮
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): BEIJING ZHONGKE WANGWEI INFORMATION TECHNOLOGY CO LTD
Original Assignee: BEIJING ZHONGKE WANGWEI INFORMATION TECHNOLOGY CO LTD
Application filed by BEIJING ZHONGKE WANGWEI INFORMATION TECHNOLOGY CO LTD
Priority to CN202111638800.2A
Publication of CN114401124A
Application granted
Publication of CN114401124B
Current status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105 Multiple levels of security

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The application relates to the technical field of firewall security and provides a firewall login method, a firewall login device, electronic equipment and a computer program product. The method comprises: performing login verification on the account information to be verified of a three-right account according to a login verification instruction of the firewall, to obtain a first login verification result; if the first login verification result is successful, performing login verification on the password information to be verified of the three-right account, to obtain a second login verification result; and if the second login verification result is successful and the three-right account is determined not to be logging in for the first time, entering the firewall command view. Because the method requires account information verification, password information verification and a first-login check for the three-right account during firewall login, the security of the firewall is improved.

Description

Firewall login method and device, electronic equipment and computer program product
Technical Field
The present application relates to the field of firewall security technologies, and in particular, to a firewall login method, a firewall login device, an electronic device, and a computer program product.
Background
Existing firewall login methods do not provide functions such as login verification of three-right accounts, locking after the number of login failures exceeds a limit, password modification on first login or on password expiry, re-login after a timeout, and authorized login verification, so the security of the firewall is insufficient.
Disclosure of Invention
The application provides a firewall login method, a firewall login device, electronic equipment and a computer program product, and aims to improve the security of firewall login.
In a first aspect, the present application provides a firewall login method, including:
performing login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
if the first login verification result is successful, login verification is carried out on password information to be verified of the three-right account, and a second login verification result is obtained;
and if the second login verification result is successful and the three-right account is determined not to be logging in for the first time, entering a firewall command view.
In one embodiment, the three-right account includes a system administrator account, a security secretor account and a security auditor account, and the method includes:
after the login verification of the three-right account is determined to be successful, shielding the account information, the password information, the level information, the operable commands and the service content of the system administrator account, the security secretor account and the security auditor account from each other;
if the currently login-verified three-right account is the system administrator account, and the operation instruction is to modify the account information and the level information of the security secretor account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
if the currently login-verified three-right account is the security secretor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
and if the currently login-verified three-right account is the security auditor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security secretor account, returning prompt information of failed modification.
Entering the firewall command view if the second login verification result is successful and the three-right account is determined not to be logging in for the first time includes:
if the second login verification result is successful and the three-right account is determined not to be logging in for the first time, determining the period distance between the user password period of the password information to be verified and a preset modification period;
if the period distance reaches a preset distance threshold, outputting a password modification frame, and determining first new input password information in the password modification frame;
if the first new input password information meets the preset requirement, determining whether the first new input password information is the same as the password information to be verified;
and if the first new input password information is not the same as the password information to be verified, entering the firewall command view.
If the first login verification result is successful, performing login verification on password information to be verified of the three-right account to obtain a second login verification result, further comprising:
if the second login verification result is successful and the three-right account is determined to be logging in for the first time, outputting a password modification frame and determining second newly-input password information in the password modification frame;
if the second newly input password information meets the preset requirement, determining whether the second newly input password information is the same as the password information to be verified;
and if the second newly input password information is different from the password information to be verified, entering the firewall command view.
The login verification of the password information to be verified of the three-right account to obtain a second login verification result comprises the following steps:
if the password information to be verified is inconsistent with the preset password information of the three-right account, outputting a second login verification result of password verification failure;
and if the login authentication time of the password information to be authenticated reaches the preset authentication time, outputting a second login authentication result of the overtime authentication failure.
The login verification of the password information to be verified of the three-right account to obtain a second login verification result comprises the following steps:
determining the number of password errors for the password information to be verified during login verification, and determining whether the number of password errors reaches the preset number of errors;
and if the number of password errors reaches the preset number of errors, outputting a second login verification result of three-right account verification failure.
If the first login verification result is successful, performing login verification on password information to be verified of the three-right account to obtain a second login verification result, further comprising:
if the second login verification result is password verification failure, outputting prompt information indicating a password error and the remaining number of attempts before locking;
if the second login verification result is overtime verification failure, outputting prompt information of password verification overtime and re-login verification;
and if the second login verification result is that the verification of the three-right account fails, outputting prompt information of locking and locking duration of the three-right account.
In a second aspect, the present application further provides a firewall login apparatus, including:
the first login verification module is used for performing login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
the second login verification module is used for performing login verification on password information to be verified of the three-right account if the first login verification result is successful to obtain a second login verification result;
and the login module is used for entering a firewall command view if the second login verification result is successful and the three-right account is determined not to be logging in for the first time.
In a third aspect, the present application further provides an electronic device, including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the steps of the firewall login method in the first aspect when executing the computer program.
In a fourth aspect, the present application further provides a computer program product, which includes a computer program, and when the computer program is executed by the processor, the steps of the firewall login method of the first aspect are implemented.
In a fifth aspect, the present application further provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, performs the steps of the firewall login method of the first aspect.
According to the firewall login method, the firewall login device, the electronic equipment and the computer program product, account information verification, password information verification and a first-login check are required for the three-right account during firewall login, so that the security of the firewall is improved.
Drawings
In order to more clearly illustrate the technical solutions in the present application or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is the first schematic flowchart of the firewall login method provided in the present application;
Fig. 2 is the second schematic flowchart of the firewall login method provided in the present application;
Fig. 3 is a schematic structural diagram of the firewall login device provided in the present application;
Fig. 4 is a schematic structural diagram of the electronic device provided in the present application.
Detailed Description
To make the purpose, technical solutions and advantages of the present application clearer, the technical solutions in the present application will be clearly and completely described below with reference to the drawings in the present application, and it is obvious that the described embodiments are some, but not all embodiments of the present application. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
The following describes a firewall login method, a firewall login device, an electronic device, and a computer program product provided by the present application with reference to fig. 1 to 4.
The present application provides a firewall login method; Figs. 1 to 4 are as listed under Drawings.
While a logical order is shown in the flow chart, in some cases, the steps shown or described may be performed in a different order than shown.
The embodiment of the application takes an electronic device as the execution subject, with the firewall login verification system as one form of the electronic device; the electronic device is not limited to this form.
The firewall login method provided by the embodiment of the application comprises the following steps:
Step S10: performing login verification on the account information to be verified of the three-right account according to the login verification instruction of the firewall to obtain a first login verification result.
It should be noted that before the firewall login verification system performs login verification on the three-right account, the firewall login verification system needs to initialize the system, where the three-right account is a system administrator account root, a security secretor account secadm, and a security auditor account audiodm. It can be understood that the firewall login verification system needs to configure and load the account information, the password information and the level information of the three-right account, and simultaneously store the account information, the password information and the level information of the three-right account into a data structure and write the information into a database.
Therefore, when the firewall login verification system detects that a user triggers a login verification instruction of the firewall, login verification is carried out through account information, password information and level information configured in the database by the three-right account, and different operations are executed according to verification results of the account information and the password information of the three-right account.
Since the verification processes of the system administrator account root, the security secretor account secadm and the security auditor account audiodm are the same, the embodiment takes the system administrator account root as an example, and the specific steps are as follows:
when the firewall login verification system detects a login verification instruction of the firewall, account information to be verified of a system administrator account root is obtained, login verification is conducted on the account information to be verified through the account information of the system administrator account root in the database, namely whether the account information to be verified is consistent with the account information of the system administrator account root in the database or not is verified, and a first login verification result is obtained. The first login verification result may be that the account information to be verified is consistent with the account information of the system administrator account root in the database, or that the account information to be verified is inconsistent with the account information of the system administrator account root in the database.
In addition, the first login verification result can also be a verification timeout for the account information to be verified of the system administrator account root, that is, the verification duration of the account information to be verified exceeds the verification duration set by the firewall login verification system. It should be noted that the verification interface of the firewall login verification system is linked with the Web interface, so there are two possible causes of a verification timeout. The first is that verification of the account information to be verified by the verification interface of the firewall login verification system exceeds the set verification duration. The second is that the response of the Web interface exceeds the set verification duration. Either may cause verification of the account information to be verified of the system administrator account root to time out. In this case, the firewall login verification system returns prompt information indicating that account information verification has timed out and prompts the user to re-enter the account information for verification; the prompt information is "Login timeout, lease Login again".
Further, when the timeout verification duration of the account information to be verified of the system administrator root does not reach the set verification duration, the firewall login verification system starts a background detection thread, and if an operation is performed within the timeout verification duration, the timeout time is cleared. If the overtime verification duration reaches the set verification duration and no operation is performed, returning prompt information of the account information verification overtime, and prompting the user to input the account information again for verification.
In this embodiment, for example, if the account information of the system administrator account root in the database is bbbb and the account information to be authenticated is aaaa, it is determined that the first login authentication result is that the account information to be authenticated is inconsistent with the account information of the system administrator account root in the database. For another example, if the account information of the system administrator account root in the database is bbbb and the account information to be verified is null characters, it is determined that the first login verification result is that the account information to be verified is inconsistent with the account information of the system administrator account root in the database.
Step S20: if the first login verification result is successful, performing login verification on the password information to be verified of the three-right account to obtain a second login verification result.
If the first login verification result is that the account information to be verified is inconsistent with the account information of the system administrator account root in the database, the firewall login verification system determines that the account verification has failed, that is, the account information of the system administrator account root input by the user is incorrect, and returns prompt information indicating an account information error, for example: bad Username.
It should be noted that, during login verification of the account information, the system administrator account root is not locked no matter how many times the account information is incorrect.
If the first login verification result is that the account information to be verified is consistent with the account information of the system administrator account root in the database, the firewall login verification system determines that the account verification is successful, that is, the account information of the system administrator account root input by the user is correct. The firewall login verification system then performs login verification on the password information of the system administrator account root input by the user, specifically as follows:
The firewall login verification system determines the password information to be verified of the system administrator account root input by the user and performs login verification on it against the password information of the system administrator account root in the database, that is, it verifies whether the password information to be verified is consistent with the password information of the system administrator account root in the database, to obtain a second login verification result. The second login verification result may be that the password information to be verified is consistent with the password information of the system administrator account root in the database, or that the password information to be verified is inconsistent with the password information of the system administrator account root in the database. The process of verifying the password information to be verified is described in steps S201 to S204.
Further, the description of step S201 to step S204 is as follows:
Step S201: if the password information to be verified is inconsistent with the preset password information of the three-right account, outputting a second login verification result of password verification failure;
Step S202: if the login verification time of the password information to be verified reaches the preset verification time, outputting a second login verification result of timeout verification failure;
Step S203: determining the number of password errors for the password information to be verified during login verification, and determining whether the number of password errors reaches the preset number of errors;
Step S204: if the number of password errors reaches the preset number of errors, outputting a second login verification result of three-right account verification failure.
Specifically, the firewall login verification system needs to verify whether the password information to be verified is consistent with the preset password information of the system administrator account root, where the preset password information of the system administrator account root is the password information of the system administrator account root in the database. If the password information to be verified is determined to be inconsistent with the preset password information of the system administrator account root, the firewall login verification system determines that password verification has failed and outputs a second login verification result of password verification failure.
If the password information to be verified is consistent with the preset password information of the system administrator account root, the firewall login verification system determines that the password information is correct. It then determines the login verification time of the password information to be verified and compares it with the preset verification time to determine whether the login verification time has reached the preset verification time. The preset verification time is set according to the actual situation and generally defaults to 10 minutes. If the login verification time of the password information to be verified reaches the preset verification time, the firewall login verification system determines that verification of the password information to be verified has timed out, and outputs a second login verification result of timeout verification failure.
It should be noted that, in this embodiment, the verification interface of the firewall login verification system is linked with the Web interface, so there are two possible causes of a verification timeout. The first is that verification of the password information to be verified by the verification interface of the firewall login verification system exceeds the set verification duration. The second is that the response of the Web interface exceeds the set verification duration. Either may cause verification of the password information to be verified of the system administrator account root to time out. In this case, the firewall login verification system returns prompt information indicating that password information verification has timed out and prompts the user to re-enter the password information for verification, such as "Login timeout, lease Login again".
Further, while the timeout verification duration of the password information to be verified of the system administrator account root has not reached the set verification duration, the firewall login verification system starts a background detection thread, and if an operation is performed within the timeout verification duration, the timeout time is cleared. If the timeout verification duration reaches the set verification duration and no operation has been performed, prompt information indicating that password information verification has timed out is returned, and the user is prompted to enter the password information again for verification.
Further, when the second login verification result is password verification failure, the firewall login verification system pops up a prompt box for re-entering the password information. In this case, the firewall login verification system determines the number of password errors for the password information to be verified during login verification and compares it with the preset number of errors to determine whether the number of password errors has reached the preset number of errors, where the preset number of errors is set according to actual conditions. If the number of password errors reaches the preset number of errors, the firewall login verification system determines that the password information to be verified of the system administrator account root is incorrect, and outputs a second login verification result indicating that the system administrator account root is locked.
Further, if the number of password errors reaches the preset number of errors, the firewall login verification system sets the locking duration of the system administrator account root and writes the locked system administrator account root and the locking time into the database. When the user is determined to have entered the locked system administrator account root, the remaining locking time of the locked system administrator account root is prompted. It should be noted that restarting the device does not release the lock: after startup, the locking information in the database is checked to ensure that a locked account remains locked, and the remaining locking time is calculated and prompted. Because the verification interface of the firewall login verification system is linked with the Web interface, the Web interface is also locked during the locking time of the system administrator account root.
Further, if the password information to be verified of the system administrator account root is determined to be consistent with the preset password information of the system administrator account root and a response is made within the preset verification duration, the firewall login verification system determines that verification of the password information to be verified of the system administrator account root is successful, and outputs a second login verification result of successful verification.
According to the embodiment of the application, the password information to be verified is verified differently, and the second login verification result of the password information to be verified is guaranteed to have high accuracy.
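The flow of steps S10 and S201 to S204, including a lock that is written to the database and therefore survives a restart, can be sketched as follows. This is an added example, not code from the patent; the class and function names, the SQLite schema, the error limit, the lock duration and the use of a salted PBKDF2 hash in place of a stored password are all assumptions.

```python
import hashlib
import hmac
import os
import sqlite3
import tempfile

MAX_ERRORS = 3           # preset number of errors (assumed value)
LOCK_SECONDS = 300       # locking duration (assumed value)
VERIFY_TIMEOUT = 600     # preset verification time; the page gives 10 minutes as default
PBKDF2_ROUNDS = 200_000  # assumed work factor


def _digest(password, salt):
    # Assumption: the database holds a salted PBKDF2 hash, not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginVerifier:
    def __init__(self, db_path):
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS account (name TEXT PRIMARY KEY, salt BLOB,"
            " pwhash BLOB, errors INTEGER DEFAULT 0, locked_until REAL DEFAULT 0)")
        self.db.commit()

    def provision(self, name, password):
        salt = os.urandom(16)
        self.db.execute(
            "INSERT OR REPLACE INTO account (name, salt, pwhash) VALUES (?, ?, ?)",
            (name, salt, _digest(password, salt)))
        self.db.commit()

    def _save(self, name, errors, locked_until):
        self.db.execute(
            "UPDATE account SET errors = ?, locked_until = ? WHERE name = ?",
            (errors, locked_until, name))
        self.db.commit()

    def verify(self, name, password, prompt_shown_at, now):
        """One login attempt; times are epoch seconds. Returns (result, detail)."""
        row = self.db.execute(
            "SELECT salt, pwhash, errors, locked_until FROM account WHERE name = ?",
            (name,)).fetchone()
        if row is None:
            return ("BAD_USERNAME", None)        # S10 failed; never locks an account
        salt, pwhash, errors, locked_until = row
        if now < locked_until:
            return ("LOCKED", int(locked_until - now))   # remaining locking time
        if locked_until:
            errors = 0                           # an expired lock resets the counter
        if not hmac.compare_digest(_digest(password, salt), pwhash):
            errors += 1                          # S201 / S203
            if errors >= MAX_ERRORS:             # S204: lock and persist
                self._save(name, errors, now + LOCK_SECONDS)
                return ("LOCKED", LOCK_SECONDS)
            self._save(name, errors, 0)
            return ("PASSWORD_FAILED", MAX_ERRORS - errors)  # attempts left
        if now - prompt_shown_at >= VERIFY_TIMEOUT:
            return ("TIMEOUT", None)             # S202
        self._save(name, 0, 0)
        return ("OK", None)


def demo():
    """Constructed walk-through; returns the result of each attempt in order."""
    path = os.path.join(tempfile.mkdtemp(), "fw.db")
    fw = LoginVerifier(path)
    fw.provision("root", "Initial#Pass1")        # constructed credential
    t = 1000.0                                   # constructed clock
    out = [fw.verify("r00t", "x", t, t)]         # unknown account name
    out += [fw.verify("root", "wrong", t, t + i) for i in range(3)]
    fw.db.close()
    fw = LoginVerifier(path)                     # simulated device restart
    out.append(fw.verify("root", "Initial#Pass1", t, t + 60))         # still locked
    out.append(fw.verify("root", "Initial#Pass1", t, t + 700))        # stale prompt
    out.append(fw.verify("root", "Initial#Pass1", t + 700, t + 710))  # success
    fw.db.close()
    return out
```

Keeping `locked_until` in the database rather than in process memory is what makes the lock hold across the restart step in `demo()`.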
Step S30, if the second login authentication result is successful and it is determined that the three-right account is not the first login authentication, entering a firewall command view.
For the first case, in which the second login verification result is successful: if the second login verification result is determined to be successful and the system administrator account root is determined not to be logging in for the first time, the firewall login verification system enters the firewall command view, as described in steps S301 to S304. In addition, a command edit box is provided on the verification interface of the firewall login verification system; the user can enter 'exit' in the command edit box to leave the firewall view and return to login verification of the system administrator account root.
Further, the description of steps S301 to S304 is as follows:
step S301, if the second login verification result is successful and the three-right account is determined to be not the first login verification, determining a period distance between a user password period of the password information to be verified and a preset modification period;
step S302, if the period distance reaches a preset distance threshold, outputting a password modification frame, and determining first new input password information in the password modification frame;
step S303, if the first new input password information meets the preset requirement, determining whether the first new input password information is the same as the password information to be verified;
step S304, if the first new input password information is different from the password information to be verified, entering the firewall command view.
Specifically, if it is determined that the second login authentication result is successful and that the system administrator account root is not the first login authentication, the password information to be authenticated of the system administrator account root does not need to be forcibly modified at this point. The firewall login authentication system determines the period distance between the user password period of the password information to be authenticated of the system administrator account root and a preset modification period, where the user password period is the length of time the user's password information has been in use and the preset modification period is set according to the actual situation. In this embodiment, for example, the preset modification period is 7 days and the user password period is 5 days, so the period distance is 7 - 5 = 2 days.
Then the firewall login verification system compares the period distance with a preset distance threshold to determine whether the period distance reaches the preset distance threshold, where the preset distance threshold is set according to the actual situation. If the period distance is determined to reach the preset distance threshold, the firewall login verification system outputs the password modification frame and prompts the user to modify the password information. The password modification at this point is mandatory, so the user cannot close the password modification frame.
Further, if it is determined that the period distance has not reached the preset distance threshold but is close to the period distance threshold, the firewall login verification system outputs prompt information indicating that the period is about to expire, where the period distance threshold is set according to actual conditions. For example, the period distance threshold may be set to 1 day or 0.5 days.
Then, the firewall login verification system determines first new input password information input by the user in the password modification box, and determines whether the first new input password information meets a preset requirement, wherein the preset requirement is set according to an actual situation, for example, the preset requirement is a combination of letters and numbers, the byte length is 16, and the like.
It should be noted that, since the password information before and after modification cannot be the same, if it is determined that the first new input password information meets the preset requirement, the firewall login verification system determines whether the first new input password information is the same as the password information to be verified before modification. If the first new input password information is determined to be different from the password information to be verified, the firewall login verification system enters the firewall command view. If the first new input password information is the same as the password information to be verified, the firewall login verification system outputs prompt information that the password information does not conform to the specification and prompts the user to modify the password information again, until the input password information is verified to be different from the password information to be verified.
According to the method and the device, before entering the firewall command view, the user password period of the password information to be verified is required to be verified, the first newly input password information is verified, and the security of the firewall is improved.
Further, the case in which the second login authentication result is an authentication failure is described in steps S31 to S33.
Further, the description of steps S31 to S33 is as follows:
step S31, if the second login verification result is password verification failure, outputting prompt information of password error and remaining locking times;
step S32, if the second login verification result is the overtime verification failure, the prompt information of password verification overtime and re-login verification is output;
and step S33, if the second login verification result is that the verification of the three-right account fails, outputting prompt information of locking of the three-right account and locking duration.
Specifically, if it is determined that the second login authentication result is a password authentication failure, the firewall login authentication system outputs prompt information of a password error and the remaining number of times of locking, in this embodiment, the prompt information is "password is based secrets, User 'root' thread locked after the remaining time of the remaining time".
If the second login verification result is determined to be an overtime verification failure, the firewall login verification system outputs prompt information of password verification overtime and re-login verification, wherein the prompt information is ' Login timeout ' and Please logic again '.
If the second login verification result is determined to be that the verification of the three-right account fails, the firewall login verification system outputs prompt information of the locking of the system administrator account root and the locking duration, wherein the prompt information is 'User' root 'is locked, 1700seconds left'.
According to the embodiment of the application, different prompt messages are output according to different second login verification results which are failed in verification, a user can obtain failure reasons conveniently, and user experience is improved.
The second case in which the second login authentication result is successful is described in steps S40 to S60.
Further, the description of the steps S40 to S60 is as follows:
step S40, if the second login verification result is successful and the three-right account is determined to be the first login verification, outputting a password modification frame and determining second newly-input password information in the password modification frame;
step S50, if the second new input password information meets the preset requirement, determining whether the second new input password information is the same as the password information to be verified;
step S60, if the second new input password information is not the same as the password information to be verified, entering the firewall command view.
Specifically, if the second login authentication result is determined to be successful and the system administrator account root is determined to be the first login authentication, the password information to be authenticated of the system administrator account root must be forcibly modified. The firewall login authentication system outputs the password modification frame and prompts the user to modify the password information; the password modification is mandatory, so the user cannot close the password modification frame. Then, the firewall login verification system determines the second newly input password information entered by the user in the password modification frame and determines whether it meets the preset requirements, which are set according to actual conditions; for example, the preset requirements are a combination of letters and numbers, a byte length of 16, and the like.
It should be noted that, because the password information before and after modification cannot be the same, if it is determined that the second newly input password information meets the preset requirement, the firewall login verification system determines whether the second newly input password information is the same as the password information to be authenticated before modification. If the second newly input password information is determined to be different from the password information to be verified, the firewall login verification system enters the firewall command view. If the second newly input password information is the same as the password information to be verified, the firewall login verification system outputs prompt information that the password information does not conform to the specification and prompts the user to modify the password information again, until the input password information is verified to be different from the password information to be verified.
It should be noted that after the first login, once the password information has been modified to the second newly input password information, the system administrator account root, the second newly input password information and the password modification time are written into the database to be used as the password information for the next login verification of the system administrator account root.
It should be noted that, in this embodiment, the verification interface of the firewall login verification system is linked with the Web interface. If the first login and the password modification have already been carried out through the Web interface, a CLI login is not treated as a first login and the CLI does not prompt to modify the password. Similarly, if the first login and the password modification are carried out through the CLI, the Web interface does not prompt to modify the password.
According to the embodiment of the application, when the second login verification result is successful and the three-right account is determined to be the first login verification, the password information must be forcibly modified and the second newly input password information must also be verified, which improves the security of the firewall.
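An added example, not part of the patent text, of the decision taken once password verification has succeeded, covering both steps S301 to S304 and steps S40 to S60. It assumes that the period distance "reaches" the threshold when it falls to 0, that the length requirement means at least 16 bytes, and that the password is stored as a salted PBKDF2 hash; all names are hypothetical.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

DAY = 86400
MODIFY_PERIOD = 7 * DAY    # the page's example: preset modification period, 7 days
FORCE_THRESHOLD = 0        # assumption: force a change once no distance is left
WARN_THRESHOLD = 1 * DAY   # the page's example: warn at 1 day (or 0.5 days)
MIN_BYTES = 16             # the page's example length, read here as a minimum


@dataclass
class Account:
    name: str
    salt: bytes
    pw_hash: bytes
    changed_at: float      # password modification time written to the database
    first_login: bool      # one flag shared by CLI and Web


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_account(name, password, now):
    salt = os.urandom(16)
    return Account(name, salt, _hash(password, salt), now, True)


def verify(acct, password):
    return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)


def post_auth_action(acct, now):
    """What to do after the password has been verified successfully."""
    if acct.first_login:
        return "force_change"                    # steps S40 to S60
    distance = MODIFY_PERIOD - (now - acct.changed_at)
    if distance <= FORCE_THRESHOLD:
        return "force_change"                    # steps S301 to S304
    if distance <= WARN_THRESHOLD:
        return "warn_then_enter"                 # period is about to expire
    return "enter"


def change_password(acct, candidate, now):
    """Apply a new password; return None on success or the rejection reason."""
    if len(candidate.encode()) < MIN_BYTES:
        return "too_short"
    if not (any(c.isalpha() for c in candidate)
            and any(c.isdigit() for c in candidate)):
        return "needs_letters_and_digits"
    if verify(acct, candidate):                  # must differ from the old one
        return "same_as_old"
    acct.salt = os.urandom(16)
    acct.pw_hash = _hash(candidate, acct.salt)
    acct.changed_at = now
    acct.first_login = False                     # also clears the Web-side prompt
    return None
```

The caller stays in the modification frame until `change_password` returns `None`, and only then enters the command view.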
The embodiment provides a firewall login method, in the firewall login process, account information verification, password information verification and first login verification need to be performed on a logged-in three-right account, so that the security of the firewall is improved.
Further, referring to fig. 2, fig. 2 is a second schematic flowchart of the firewall login method provided in the present application, including:
step S70, after the login verification of the three-right account is determined to be successful, the account information, the password information, the grade information, the operable command and the service content of the system administrator account, the security secretor account and the security auditor account are shielded from one another;
step S80, if the current login-verified three-right account is the system administrator account, and the operation instruction is to modify the account information and the level information of the security secretor account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
step S90, if the current login-verified three-right account is the security secretor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
and step S100, if the currently logged-in and verified three-right account is the security auditor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security secretor account, returning prompt information of failed modification.
In this embodiment, after the login verification of the system administrator account, the security secretor account and the security auditor account is determined to be successful, the firewall login verification system shields the system administrator account, the security secretor account and the security auditor account from each other. This isolation shielding not only isolates the account information, the password information and the grade information of the three accounts, but also shields the command lines operable under their different authorities, the corresponding Web page contents and the available service contents, so it is a complete isolation shielding of the three-right accounts. The isolation shielding of a three-right account is set when its login verification succeeds; the isolation information is reset for another three-right account only when that account is switched to, after the login times out or a new login is actively carried out.
Therefore, after the login verification of the system administrator account, the security secretor account and the security auditor account is determined to be successful, the firewall login verification system isolates and shields from each other the account information, password information, grade information, operable commands and service contents of the system administrator account; those of the security secretor account; and those of the security auditor account. It can be understood that, once the three accounts are shielded, the system administrator account cannot see the security secretor account or the security auditor account and is not allowed to access their views. The security secretor account cannot see the system administrator account or the security auditor account and is not allowed to access their views. The security auditor account cannot see the system administrator account or the security secretor account and is not allowed to access their views.
Of course, accounts other than the system administrator account, the security secretor account and the security auditor account are not allowed to be newly created.
It should be further noted that the condition of modifying the account information and the password information of others does not occur in the login verification process, and only the password information of others is modified in the login verification process. After logging in the firewall system, only the password information of the firewall system is allowed to be modified, and the level information is not allowed to be modified, so that the level information of the firewall system is not allowed to be modified. Of course, the modification of the password information of others will pop up prompt information, which is as follows:
Therefore, if the three-right account that has currently passed login verification is determined to be the system administrator account, and the operation instruction is to modify the account information and the level information of the security secretor account, or/and the account information and the level information of the security auditor account, the firewall login verification system returns prompt information of failed modification.
If the three-right account that has currently passed login verification is determined to be the security secretor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security auditor account, the firewall login verification system returns prompt information of failed modification.
If the three-right account that has currently passed login verification is determined to be the security auditor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security secretor account, the firewall login verification system returns prompt information of failed modification.
It should be noted that, because the authentication interface of the firewall login authentication system is linked with the Web interface, the three-right division on the Web interface is implemented as interface shielding based on the login account name, while the CLI command line interface divides and shields commands based on the account name and the account level. When a three-right account logs in over the serial port, the current login user name and user level are recorded synchronously to perform the related user isolation and command division shielding, and only one three-right account can be logged in over the serial port at a time. The verification of the input account and password over the serial port differs from that of an SSH connection: multiple three-right accounts can log in over SSH in parallel, and because each SSH connection is allocated a different user ID, the corresponding login user name and user level are obtained from the user ID to perform user isolation and command division shielding.
The embodiment provides a firewall login method which shields the three-right accounts from one another. Account information and level information cannot be modified across the three-right accounts, so the accounts are isolated from and invisible to each other, which improves the confidentiality of the firewall.
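An added example, not code from the patent, of the isolation rules in steps S70 to S100 together with the serial-port and SSH session handling described above. The account keys, the command names and their levels are hypothetical, and allowing an account to change only its own password is this example's reading of the text.

```python
from dataclasses import dataclass

# Hypothetical command table: command -> minimum account level, per account.
COMMANDS = {
    "sysadmin": {"show interface": 1, "set route": 2},
    "secretor": {"show policy": 1, "set policy": 2},
    "auditor": {"show log": 1, "export log": 2},
}


@dataclass(frozen=True)
class Session:
    sid: str        # connection identifier (the per-connection user ID for SSH)
    account: str
    level: int
    channel: str    # "serial" or "ssh"


class SessionTable:
    """Maps each connection to the account name and level recorded at login."""

    def __init__(self):
        self._sessions = {}

    def login(self, sid, account, level, channel):
        if account not in COMMANDS:
            raise PermissionError("no accounts exist beyond the three fixed ones")
        if channel == "serial" and any(
            s.channel == "serial" for s in self._sessions.values()
        ):
            raise PermissionError("serial port already has a logged-in account")
        self._sessions[sid] = Session(sid, account, level, channel)
        return self._sessions[sid]

    def logout(self, sid):
        # Isolation state is per session, so it is rebuilt at the next login.
        self._sessions.pop(sid, None)

    def lookup(self, sid):
        return self._sessions[sid]


def visible_commands(session):
    """CLI shielding: commands are filtered by account name and account level."""
    table = COMMANDS[session.account]
    return {cmd for cmd, need in table.items() if session.level >= need}


def visible_accounts(session):
    """An account sees only itself; the other two are not listed at all."""
    return {session.account}


def authorize(session, action, target, field=None):
    """Return True only for operations the logged-in account may perform."""
    if action == "run":
        return target in visible_commands(session)
    if action == "modify":
        if target != session.account:
            return False                 # S80 to S100: no cross-account edits
        return field == "password"       # own level information stays fixed
    return False                         # create_account and the rest: deny
```

Every decision is derived from the session record, so parallel SSH logins by different accounts cannot see or reach each other's commands.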
Further, the following describes the firewall login apparatus provided in the present application, and the firewall login apparatus described below and the firewall login method described above are referred to in correspondence with each other.
As shown in fig. 3, fig. 3 is a schematic structural diagram of a firewall login apparatus provided in the present application, where the firewall login apparatus includes:
the first login verification module 301 is configured to perform login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
the second login verification module 302 is configured to perform login verification on password information to be verified of the three-right account if the first login verification result is that verification is successful, so as to obtain a second login verification result;
the login module 303 is configured to enter a firewall command view if the second login authentication result is that the authentication is successful and it is determined that the three-right account is not the first login authentication.
Further, the firewall login device further comprises a setting module and a returning module:
the setting module is used for shielding the account information, the password information, the grade information, the operable command and the service content of the system administrator account, the safety secretor account and the safety auditor account after the login verification of the three-right account is determined to be successful;
a return module to:
if the current login-verified three-right account is the system administrator account, and the operation instruction is to modify the account information and the level information of the security secretor account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
if the currently logged-in and verified three-right account is the security secretor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
and if the currently logged-in and verified three-right account is the security auditor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security secretor account, returning prompt information of failed modification.
Further, the login module 303 is further configured to:
if the second login verification result is successful verification and the three-right account is determined to be non-first login verification, determining the period distance between the user password period of the password information to be verified and a preset modification period;
if the period distance reaches a preset distance threshold, outputting a password modification frame, and determining first new input password information in the password modification frame;
if the first new input password information meets the preset requirement, determining whether the first new input password information is the same as the password information to be verified;
and if the first new input password information is not the same as the password information to be verified, entering the firewall command view.
Further, the login module 303 is further configured to:
if the second login verification result is successful and the three-right account is determined to be the first login verification, outputting a password modification frame and determining second newly-input password information in the password modification frame;
if the second newly input password information meets the preset requirement, determining whether the second newly input password information is the same as the password information to be verified;
and if the second newly input password information is different from the password information to be verified, entering the firewall command view.
Further, the second login authentication module 302 is further configured to:
if the password information to be verified is inconsistent with the preset password information of the three-right account, outputting a second login verification result of password verification failure;
and if the login authentication time of the password information to be authenticated reaches the preset authentication time, outputting a second login authentication result of the overtime authentication failure.
Further, the second login authentication module 302 is further configured to:
determining the password error times of the password information to be verified in the login verification process, and determining whether the password error times reach the preset error times;
and if the password error frequency reaches the preset error frequency, outputting a second login verification result of the verification failure of the three-right account.
Further, the firewall login device further comprises an output module, configured to:
if the second login verification result is that password verification fails, outputting prompt information of password error and remaining locking times;
if the second login verification result is overtime verification failure, outputting prompt information of password verification overtime and re-login verification;
and if the second login verification result is that the verification of the three-right account fails, outputting prompt information of locking and locking duration of the three-right account.
The specific embodiment of the firewall login apparatus provided in the present application is substantially the same as the embodiments of the firewall login method described above, and details are not described here.
Fig. 4 illustrates the physical structure of an electronic device. As shown in fig. 4, the electronic device may include a processor 410, a communication interface 420, a memory 430 and a communication bus 440, wherein the processor 410, the communication interface 420 and the memory 430 communicate with one another via the communication bus 440. The processor 410 may invoke logic instructions in the memory 430 to perform a firewall login method comprising:
performing login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
if the first login verification result is successful, login verification is carried out on password information to be verified of the three-right account, and a second login verification result is obtained;
and if the second login verification result is successful verification and the three-right account number is determined to be not the first login verification, entering a firewall command view.
In addition, the logic instructions in the memory 430 may be implemented in the form of software functional units and stored in a computer readable storage medium when the software functional units are sold or used as independent products. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present application also provides a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions, which when executed by a computer, enable the computer to perform the firewall login method provided by the above methods, the method comprising:
performing login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
if the first login verification result is successful, login verification is carried out on password information to be verified of the three-right account, and a second login verification result is obtained;
and if the second login verification result is successful verification and the three-right account number is determined to be not the first login verification, entering a firewall command view.
In yet another aspect, the present application further provides a non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor, is implemented to perform the firewall login method provided above, the method comprising:
performing login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
if the first login verification result is successful, login verification is carried out on password information to be verified of the three-right account, and a second login verification result is obtained;
and if the second login verification result is successful verification and the three-right account number is determined to be not the first login verification, entering a firewall command view.
The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A firewall login method is characterized by comprising the following steps:
performing login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
if the first login verification result is successful, login verification is carried out on password information to be verified of the three-right account, and a second login verification result is obtained;
and if the second login verification result is successful verification and the three-right account number is determined to be not the first login verification, entering a firewall command view.
2. The firewall login method according to claim 1, wherein the three-authority account includes a system administrator account, a security secretor account, and a security auditor account, and comprises:
after the login verification of the three-right account is determined to be successful, shielding the account information, the password information, the grade information, the operable command and the service content of the system administrator account, the safety secretor account and the safety auditor account from each other;
if the currently logged-in and verified three-right account is the system administrator account, and the operation instruction is to modify the account information and the level information of the security secretor account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
if the currently logged-in and verified three-right account is the security secretor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security auditor account, returning prompt information of failed modification;
and if the currently logged-in and verified three-right account is the security auditor account, and the operation instruction is to modify the account information and the level information of the system administrator account, or/and the account information and the level information of the security secretor account, returning prompt information of failed modification.
3. The firewall login method of claim 1, wherein if the second login verification result is successful and the three-right account is determined not to be logging in for the first time, entering a firewall command view comprises:
if the second login verification result is successful verification and the three-right account is determined to be non-first login verification, determining the period distance between the user password period of the password information to be verified and a preset modification period;
if the period distance reaches a preset distance threshold, outputting a password modification frame, and determining first new input password information in the password modification frame;
if the first new input password information meets the preset requirement, determining whether the first new input password information is the same as the password information to be verified;
and if the first new input password information is not the same as the password information to be verified, entering the firewall command view.
4. The firewall login method according to claim 1, wherein after performing login verification on the password information to be verified of the three-right account if the first login verification result is successful and obtaining the second login verification result, the method further comprises:
if the second login verification result is successful and the three-right account is determined to be logging in for the first time, outputting a password modification frame and determining second newly input password information in the password modification frame;
if the second newly input password information meets the preset requirement, determining whether the second newly input password information is the same as the password information to be verified;
and if the second newly input password information is different from the password information to be verified, entering the firewall command view.
5. The firewall login method according to claim 1, wherein the login verification of the password information to be verified of the three-right account to obtain a second login verification result includes:
if the password information to be verified is inconsistent with the preset password information of the three-right account, outputting a second login verification result of password verification failure;
and if the login authentication time of the password information to be authenticated reaches the preset authentication time, outputting a second login authentication result of the overtime authentication failure.
6. The firewall login method according to claim 1, wherein the login verification of the password information to be verified of the three-right account to obtain a second login verification result includes:
determining the number of password errors for the password information to be verified in the login verification process, and determining whether the number of password errors reaches the preset number of errors;
and if the number of password errors reaches the preset number of errors, outputting a second login verification result of the verification failure of the three-right account.
7. The firewall login method according to any one of claims 5 to 6, wherein after performing login verification on the password information to be verified of the three-right account if the first login verification result is successful and obtaining the second login verification result, the method further comprises:
if the second login verification result is that password verification fails, outputting prompt information of password error and remaining locking times;
if the second login verification result is overtime verification failure, outputting prompt information of password verification overtime and re-login verification;
and if the second login verification result is that the verification of the three-right account fails, outputting prompt information of locking and locking duration of the three-right account.
8. A firewall login apparatus, comprising:
the first login verification module is used for performing login verification on account information to be verified of the three-right account according to a login verification instruction of the firewall to obtain a first login verification result;
the second login verification module is used for performing login verification on password information to be verified of the three-right account if the first login verification result is successful to obtain a second login verification result;
and the login module is used for entering a firewall command view if the second login verification result is successful and the three-right account is determined not to be logging in for the first time.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the firewall login method according to any one of claims 1 to 7 are implemented when the computer program is executed by the processor.
10. A computer program product comprising a computer program, characterized in that the computer program, when being executed by a processor, carries out the steps of the firewall login method of any one of claims 1 to 7.
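The login flow of claims 1 and 3 to 7, sketched as an added Python example; it is not code from the patent. All names, the limits, the password policy and the PBKDF2 storage are assumptions, since the claims only refer to "preset" values.

```python
import hashlib, hmac, os
from dataclasses import dataclass
# Every limit here is an assumed value; the claims only call them "preset".
MAX_ERRORS, LOCK_SECS, TIMEOUT_SECS = 3, 300, 60
MAX_AGE_SECS, WARN_SECS = 90 * 86400, 7 * 86400

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float          # when the current password was set
    first_login: bool = True
    errors: int = 0
    locked_until: float = 0.0

def make_account(password, now):
    salt = os.urandom(16)
    return Account(salt, _hash(password, salt), now)
def meets_policy(pw):          # stand-in for the "preset requirement"
    return len(pw) >= 12 and any(c.isdigit() for c in pw) and any(c.isalpha() for c in pw)

def login(accounts, name, password, started, now, new_password=None):
    """Outcome of one attempt whose password prompt opened at `started`."""
    acct = accounts.get(name)
    if acct is None:                               # claim 1: account check first
        return "account verification failed"
    if now < acct.locked_until:                    # claim 7: lock and its duration
        return f"locked for {int(acct.locked_until - now)}s"
    if now - started >= TIMEOUT_SECS:              # claim 5: verification timeout
        return "password verification timed out, log in again"
    if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
        acct.errors += 1                           # claim 6: count wrong passwords
        if acct.errors >= MAX_ERRORS:
            acct.errors, acct.locked_until = 0, now + LOCK_SECS
            return f"locked for {LOCK_SECS}s"
        return f"wrong password, {MAX_ERRORS - acct.errors} attempts left"
    acct.errors = 0
    expiring = MAX_AGE_SECS - (now - acct.changed_at) <= WARN_SECS
    if acct.first_login or expiring:               # claims 4 and 3: forced change
        if new_password is None:
            return "password change required"
        if not meets_policy(new_password) or new_password == password:
            return "new password rejected"
        acct.salt = os.urandom(16)
        acct.digest, acct.changed_at = _hash(new_password, acct.salt), now
    acct.first_login = False
    return "command view"
```

The command view is reached only when no change is pending or the supplied new password passes the policy and differs from the one just verified.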
CN202111638800.2A 2021-12-29 2021-12-29 Firewall login method and device, electronic equipment and computer storage medium Active CN114401124B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111638800.2A CN114401124B (en) 2021-12-29 2021-12-29 Firewall login method and device, electronic equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN114401124A true CN114401124A (en) 2022-04-26
CN114401124B CN114401124B (en) 2022-10-28

Family

ID=81228030

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111638800.2A Active CN114401124B (en) 2021-12-29 2021-12-29 Firewall login method and device, electronic equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN114401124B (en)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101022341A (en) * 2006-03-21 2007-08-22 飞塔信息科技(北京)有限公司 System and method for managing network equipment in network
US20140029039A1 (en) * 2012-07-30 2014-01-30 Matthew Lee Deter Office machine security policy
CN105447390A (en) * 2015-11-16 2016-03-30 国网智能电网研究院 Digital certificate system based software version trusted management method
CN109741123A (en) * 2018-11-23 2019-05-10 上海豆为教育科技有限公司 Family's account management method and system
CN110225117A (en) * 2019-06-12 2019-09-10 武汉通威电子有限公司 A kind of method of long-range control firewall terminal
WO2021159669A1 (en) * 2020-02-14 2021-08-19 深圳壹账通智能科技有限公司 Secure system login method and apparatus, computer device, and storage medium

Also Published As

Publication number Publication date
CN114401124B (en) 2022-10-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant