CN115733674A - Security reinforcement method and device, electronic equipment and readable storage medium - Google Patents

Info

Publication number
CN115733674A
Authority
CN
China
Prior art keywords
client
identity information
address
information
blacklist
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202211392209.8A
Other languages
Chinese (zh)
Inventor
周广跃
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Inspur Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a security reinforcement method, a security reinforcement device, electronic equipment and a readable storage medium, and relates to the technical field of computers. The method comprises the following steps: adding the first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information comprises three kinds of first information, namely a browser identifier of a first client, a central processing unit serial number and a mainboard serial number, which correspond to the first IP address; receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address and second identity information of the second client; and under the condition that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is rejected. The client is identified and verified through the identity information, and the safety of the server is improved.

Description

Security reinforcement method and device, electronic equipment and readable storage medium
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a security reinforcing method, apparatus, electronic device, and readable storage medium.
Background
Various network attack behaviors seriously affect the network security of the server, and the technologies of security reinforcement and security protection are developed and applied for ensuring the network security of the server.
In the prior art, a terminal restriction technology is generally adopted for security reinforcement and protection, and the terminal restriction rejects and restricts access of an unsafe client terminal by adopting a security scheme. The mainstream technology of the terminal restriction technology is the policies of an IP blacklist and an IP whitelist.
With an IP blacklist policy, once an unsafe IP address or IP address range has been added to the blacklist, the client can regain access to the server simply by changing its IP address, so the protection capability is weak. A stricter blacklist policy adds unsafe MAC addresses or MAC address ranges to the blacklist for better protection; although a MAC address is harder to change than an IP address, it can still be modified with certain tools, so this approach also has a loophole. With an IP whitelist policy, safe IP addresses and IP address ranges are added to the whitelist and addresses outside it cannot access the terminal; this strengthens the protection capability, but the operation becomes cumbersome when a large number of IP addresses must be added to the whitelist.
Disclosure of Invention
The invention provides a security reinforcement method, a security reinforcement device, electronic equipment and a readable storage medium, and aims to solve the problems that in the prior art, the security protection capability of a server is weak or the operation is complex.
In a first aspect of the present invention, a security enforcement method is provided, where the method is applied to a server, and the method includes:
adding a first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information includes: the first IP address corresponds to three first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client;
receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second identity information includes: the browser identification of the second client, the serial number of the central processing unit of the second client and the serial number of the main board of the second client are three kinds of second information;
and when the second IP address does not exist in the blacklist and at least one type of second information of the second identity information is the same as the first information corresponding to the first identity information, the second client is denied access.
In the invention, a first IP address is added into a blacklist, and first identity information corresponding to the first IP address is obtained; the first identity information includes: three kinds of first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client, which correspond to the first IP address; the first identity information serves as a feature identifier of the first client. Receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second IP address of the second client and the second identity information of the second client are obtained, so that the second IP address of the second client and the second identity information of the second client can be verified. And under the condition that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is refused. 
Because the first identity information captures the characteristics of the first client, the second identity information of the second client can be checked when the first hypertext transfer protocol request sent by the second client is received. If the second IP address does not exist in the blacklist but at least one item of second information in the second identity information is the same as the corresponding first information of the first identity information, the second client is the same client as the first client, namely the first client after it has modified the first IP address, and its access is therefore denied. This prevents the first client from accessing the server after modifying the first IP address and improves the security of the server.
Optionally, the method further includes:
receiving a second hypertext transfer protocol request sent by the second client; the second hypertext transfer protocol request does not include the second identity information of the second client;
denying access to the second client.
Optionally, before the rejecting the access of the second client when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the method further includes:
rejecting access of the second client under the condition that the second IP address does not exist in the blacklist and the format of the second identity information is different from the format of preset identity information;
the denying the access of the second client when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information includes:
and under the conditions that the second IP address does not exist in the blacklist, the format of the second identity information is the same as that of the preset identity information, and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is refused.
Optionally, before the rejecting the access of the second client when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the method further includes:
storing first identity information corresponding to the first IP address in a data table;
the denying the access of the second client when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information includes:
when the second IP address does not exist in the blacklist and at least one type of second information of the second identity information is the same as the first information corresponding to the first identity information in the data table, rejecting the access of the second client;
the method further comprises the following steps: and removing the first IP address out of the blacklist, and deleting the first identity information corresponding to the first IP address from the data table.
In a second aspect of the present invention, a method for security enforcement is provided, where the method is applied to a second client, and the method includes:
receiving an acquisition instruction of the server for acquiring second identity information of the second client; the second identity information includes: the browser identification of the second client, the serial number of the central processing unit of the second client and the serial number of the main board of the second client are three kinds of second information;
acquiring the second identity information based on the acquisition instruction;
generating a first hypertext transfer protocol request based on the second identity information;
sending the first hypertext transfer protocol request to the server; the first hypertext transfer protocol request comprises a second IP address of the second client and the second identity information of the second client; the server is configured to: adding a first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information includes: three kinds of first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client, which correspond to the first IP address; and when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is rejected.
In the invention, an acquisition instruction of a server for acquiring second identity information of a second client is received; the second identity information includes: three kinds of second information, namely a browser identifier of the second client, a central processing unit serial number of the second client and a mainboard serial number of the second client; the second identity information serves as a feature identifier of the second client. Acquiring second identity information based on the acquisition instruction; sending a first hypertext transfer protocol request to a server; the first hypertext transfer protocol request includes a second IP address of the second client, second identity information of the second client. The second client acquires the second identity information and sends the second identity information to the server through the first hypertext transfer protocol request, so that the server can acquire the second identity information after receiving the first hypertext transfer protocol request, and the server can conveniently check the security of the second client.
Optionally, the obtaining the second identity information based on the obtaining instruction includes at least one of the following steps:
inquiring browser attributes through a browser fingerprint library, and calculating the browser attributes through a Hash calculator to generate the browser identification;
acquiring the serial number of the central processing unit according to the management specification of an operating system;
and acquiring the serial number of the mainboard according to the management specification of the operating system.
Optionally, the second identity information further includes a random character string, the length of the random character string is greater than or equal to 6 bits and less than or equal to 16 bits, and the random character string includes at least one of a number, a capital letter and a lowercase letter.
Optionally, the generating a first hypertext transfer protocol request based on the second identity information includes:
encrypting the second identity information, wherein the encryption mode is an asymmetric key mode;
forming an encrypted first hypertext transfer protocol request based on the encrypted second identity information;
said sending said first hypertext transfer protocol request to said server comprising:
sending the encrypted first hypertext transfer protocol request to the server.
In a third aspect of the present invention, there is provided a security-enhanced apparatus applied to a server, the apparatus including:
the blacklist adding module is used for adding a first IP address into a blacklist and acquiring first identity information corresponding to the first IP address; the first identity information includes: the first IP address corresponds to three first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client;
the receiving request module is used for receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second identity information includes: the browser identification of the second client, the serial number of the central processing unit of the second client and the serial number of the mainboard of the second client are three kinds of second information;
and the verification module is used for refusing the access of the second client under the condition that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information.
In a fourth aspect of the invention, an electronic device is provided, comprising a processor and a memory, said memory storing a program executable on said processor, said program implementing the steps of the security enforcement method of the invention when executed by said processor.
In a fifth aspect of the present invention, a readable storage medium is provided, on which a program is stored, which program, when executed by a processor, performs the steps of the security enforcement method of the present invention.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the description of the embodiments of the present invention will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to these drawings without inventive labor.
FIG. 1 is a flow chart illustrating steps of a method for security enforcement for a server in an embodiment of the present invention;
FIG. 2 is a flow chart illustrating steps of a method for security enforcement for a second client in an embodiment of the present invention;
FIG. 3 illustrates a security reinforcement apparatus applied to a server in an embodiment of the present invention;
FIG. 4 illustrates a security reinforcement apparatus applied to a second client in an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, not all, embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1, fig. 1 is a flow chart illustrating steps of a method for security enforcement applied to a server in an embodiment of the present invention, including:
step 101, adding a first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information includes: and the browser identifier of the first client, the central processing unit serial number of the first client and the mainboard serial number of the first client which correspond to the first IP address.
Step 102, receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second identity information includes: and the browser identifier of the second client, the central processing unit serial number of the second client and the mainboard serial number of the second client.
Step 103, in a case that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, denying access to the second client.
In the invention, a first IP address is added into a blacklist, and first identity information corresponding to the first IP address is obtained; the first identity information includes: three kinds of first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client, which correspond to the first IP address; the first identity information is used as a characteristic identifier of the first client, and any one of the first identity information is difficult to modify or tamper, so that the first identity information can basically represent the identity information of the first client. Receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second identity information is used as a feature identifier of the second client, and any one of the second identity information is difficult to modify or tamper, so that the second identity information can basically represent the identity information of the second client. The second IP address of the second client and the second identity information of the second client are obtained, so that the second IP address of the second client and the second identity information of the second client can be verified. And under the condition that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is rejected. 
Because the first identity information captures the characteristics of the first client, the second identity information of the second client can be checked when the first hypertext transfer protocol request sent by the second client is received. If the second IP address does not exist in the blacklist but at least one item of second information in the second identity information is the same as the corresponding first information of the first identity information, the second client is the same client as the first client, namely the first client after it has modified the first IP address, and its access is therefore denied. This prevents the first client from accessing the server after modifying the first IP address and improves the security of the server. Moreover, the first identity information comprises three pieces of first information corresponding to the first IP address, namely the browser identifier, the central processing unit serial number and the mainboard serial number of the first client, and the second identity information comprises three pieces of second information, namely the browser identifier, the central processing unit serial number and the mainboard serial number of the second client. Since both the first identity information and the second identity information comprise these three pieces of information, the browser identifier, the central processing unit serial number and the mainboard serial number in the second identity information of the second client can all be verified, which makes the verification stricter and further improves the security performance of the server.
In the invention, the identity information can be named as x-client-auth, the first identity information can be named as a first x-client-auth, and the second identity information can be named as a second x-client-auth.
In step 101, before the first IP address is added to the blacklist, it is determined whether the first IP address is safe. This may be determined from the access log of the first IP address, for example by classifying the first IP address as unsafe when the log records unsafe behaviour such as modified data; or it may be determined from the first IP address directly, for example by concluding from the format of the first IP address that it belongs to a cross-domain IP and is therefore unsafe.
Optionally, in step 102, the first hypertext transfer protocol request includes second identity information of the second client, and the second identity information is located in a request header of the first hypertext transfer protocol request. And generating second identity information at the second client, receiving the first hypertext transfer protocol request by the server, and acquiring the second identity information from a request header of the first hypertext transfer protocol request.
In step 103, if the second IP address exists in the blacklist, the access of the second client corresponding to the second IP address is denied. Optionally, whether the second IP address exists in the blacklist is determined first, and only then is each item of second information in the second identity information compared one by one with the corresponding first information of the first identity information. For example, when the second IP address exists in the blacklist, the blacklist check comes first, finds the second IP address, and the access of the second client is denied; when the second IP address does not exist in the blacklist, the blacklist check finds nothing, the second information in the second identity information is then compared one by one with the first information corresponding to the first identity information, the access of the second client is denied if at least one item of second information is the same as the corresponding first information, and the access of the second client is allowed if every item of second information differs from the corresponding first information.
Optionally, the security reinforcing method in the embodiment of the present invention is applied to a web server or other servers.
Optionally, a second hypertext transfer protocol request sent by the second client is received; the second hypertext transfer protocol request does not include the second identity information of the second client; access is denied to the second client. That is, if the second client does not carry the second identity information as required by the specification of the server, it is very likely to be an unsafe client, so its access is denied and the security of the server is improved.
For example, where the second identity information of the second client includes a browser identifier of the second client, a second hypertext transfer protocol request without the second identity information indicates that the second client may be accessing by a means other than a browser and therefore cannot generate the browser identifier; the access is deemed insecure, and the access of the second client is denied.
Optionally, in a case that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, before the method denies the access of the second client, the method further includes: under the conditions that the second IP address does not exist in the blacklist and the format of the second identity information is different from the preset format of the identity information, the access of the second client is refused; and when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, rejecting the access of the second client, comprising: and under the conditions that the second IP address does not exist in the blacklist, the format of the second identity information is the same as the preset identity information, and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is refused.
If the format of the second identity information differs from the format of the preset identity information, the second identity information has been tampered with by the second client, the access of the second client is unsafe, and the access is therefore denied. The format of the preset identity information includes, but is not limited to, the length and arrangement order of the identity information, and is the correct format of the identity information. For example, the preset identity information may have a length of 40 bits; if the second identity information has a length of 2 bits, the second identity information is considered to have been tampered with by the second client, the access of the second client is unsafe, and the access is denied.
Optionally, when the blacklist function is disabled, the second identity information is not checked. Checking the second identity information requires reading all first information corresponding to the first identity information and then comparing it, so skipping the check when the blacklist is disabled saves access time, improves access efficiency, and leaves the performance of the server unaffected. Therefore, when the server is judged to be safe and the blacklist is disabled, the second identity information need not be verified.
Optionally, before the access of the second client is denied under the condition that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the method further includes: storing first identity information corresponding to the first IP address in a data table; and when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, rejecting the access of the second client, comprising: when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information in the data table, the access of the second client is refused; the method further comprises the following steps: and removing the first IP address from the blacklist, and deleting the first identity information corresponding to the first IP address from the data table.
Storing the first identity information corresponding to the first IP address in a data table means, specifically, storing the first identity information in the information item of the first IP address. Because the first identity information comprises the three kinds of first information corresponding to the first IP address, namely the browser identifier, the central processing unit serial number and the mainboard serial number of the first client, the server administrator does not need to add these three items manually, which makes the operation convenient.
And under the condition that the second IP address does not exist in the blacklist and at least one type of second information of the second identity information is the same as the first information corresponding to the first identity information in the data table, the access of the second client is rejected. And comparing the second information of the second identity information with the first information corresponding to the first identity information in the data table, so that the first information corresponding to the first identity information can be directly obtained from the data table, and the operation is simple and convenient.
When the first IP address is moved out of the blacklist, the first identity information corresponding to the first IP address is deleted from the data table, when the first IP address is moved out of the blacklist, the first client corresponding to the first IP address is considered to be safe, the first identity information corresponding to the first IP address is deleted, when the first identity information corresponding to the first IP address is verified, the browser identification of the first client corresponding to the first IP address, the central processing unit serial number of the first client and the mainboard serial number of the first client are not identical to the information in the data table, and normal access of the first client can be guaranteed.
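The server-side procedure described above (blacklist plus identity data table, the format check, the missing-identity case, the blacklist-closing switch and the removal step), written out as an added example; this is illustration code, not the patent's or the applicant's implementation. The module names S01 to S03, the pipe-separated identity layout and the regular expression used as the "preset identity information format" are assumptions; the sample IP addresses and serial numbers are constructed.

```javascript
'use strict';

// Assumed "preset identity information format": 8 random characters, a
// 64-hex-digit browser identifier, CPU serial, mainboard serial, 8 random
// characters, joined by '|'. The layout follows the description; the exact
// separator and lengths are assumptions for this example.
const IDENTITY_FORMAT =
  /^[0-9A-Za-z]{8}\|[0-9a-f]{64}\|[^|]+\|[^|]+\|[0-9A-Za-z]{8}$/;

function createServerState() {
  return {
    blacklist: new Set(),      // first IP addresses
    identityTable: new Map(),  // first IP -> {browserId, cpuId, boardId}
    blacklistEnabled: true,    // toggled by the "blacklist closing module"
  };
}

// Blacklist adding module (S01): record the IP and its identity information.
function addToBlacklist(state, ip, identity) {
  state.blacklist.add(ip);
  state.identityTable.set(ip, { ...identity });
}

// Blacklist removing module: the client is considered safe again, so its
// identity record is deleted too; otherwise it would keep being denied.
function removeFromBlacklist(state, ip) {
  state.blacklist.delete(ip);
  state.identityTable.delete(ip);
}

// Split the pipe-joined identity string into the three compared fields.
function parseIdentity(text) {
  const [, browserId, cpuId, boardId] = text.split('|');
  return { browserId, cpuId, boardId };
}

// Checking module (S03). `request` is {ip, identity}; `identity` is the
// string the client sent, or undefined when the request carried none.
function checkRequest(state, request) {
  // Closing the blacklist function also closes identity verification.
  if (!state.blacklistEnabled) {
    return { allowed: true, reason: 'blacklist-disabled' };
  }
  // Blacklist checking unit: a listed IP is denied outright.
  if (state.blacklist.has(request.ip)) {
    return { allowed: false, reason: 'ip-blacklisted' };
  }
  // Request without identity information is denied.
  if (request.identity === undefined) {
    return { allowed: false, reason: 'identity-missing' };
  }
  // Format checking module.
  if (!IDENTITY_FORMAT.test(request.identity)) {
    return { allowed: false, reason: 'identity-format' };
  }
  // Second checking unit: any one matching field against the data table
  // means the blacklisted client came back from a different IP address.
  const second = parseIdentity(request.identity);
  for (const [firstIp, first] of state.identityTable) {
    for (const field of ['browserId', 'cpuId', 'boardId']) {
      if (second[field] === first[field]) {
        return { allowed: false, reason: `identity-match:${field}:${firstIp}` };
      }
    }
  }
  return { allowed: true, reason: 'ok' };
}
```

The `reason` string is returned so that a denial can be logged with the field and the blacklisted IP it matched; in production the data table would be a database table keyed by the first IP address rather than an in-memory Map.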
Referring to fig. 2, fig. 2 is a flow chart illustrating steps of a method for security enforcement applied to a second client in an embodiment of the present invention, including:
Step 201, receiving an acquisition instruction from the server for acquiring second identity information of the second client; the second identity information includes three kinds of second information: the browser identifier of the second client, the central processing unit serial number of the second client and the mainboard serial number of the second client.
Step 202, acquiring the second identity information based on the acquisition instruction.
Step 203, generating a first hypertext transfer protocol request based on the second identity information.
Step 204, sending the first hypertext transfer protocol request to the server; the first hypertext transfer protocol request includes a second IP address of the second client, the second identity information of the second client.
In step 204, the server is configured to: adding a first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information includes: the first IP address corresponds to three first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client; and when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is rejected.
In the invention, an acquisition instruction of a server for acquiring second identity information of a second client is received; the second identity information includes: three kinds of second information, namely a browser identifier of the second client, a central processing unit serial number of the second client and a mainboard serial number of the second client; the second identity information serves as a feature identifier of the second client. Acquiring second identity information based on the acquisition instruction; sending a first hypertext transfer protocol request to a server; the first hypertext transfer protocol request includes a second IP address of the second client, second identity information of the second client. The second client acquires the second identity information and sends the second identity information to the server through the first hypertext transfer protocol request, so that the server can acquire the second identity information after receiving the first hypertext transfer protocol request, and the server can conveniently check the security of the second client.
In the embodiment of the invention, the second client can be a mobile phone or a tablet computer, and in the process of accessing the server, the second client receives an acquisition instruction of the server for acquiring the second identity information of the second client, acquires the second identity information based on the acquisition instruction, and sends a first hypertext transfer protocol request to the server; the first hypertext transfer protocol request includes a second IP address of the second client, and second identity information of the second client.
Optionally, based on the obtaining instruction, obtaining the second identity information includes at least one of the following steps:
inquiring the browser attribute through a browser fingerprint library, and calculating the browser attribute through a Hash calculator to generate a browser identifier;
acquiring a serial number of a central processing unit according to a management specification of an operating system;
and acquiring the serial number of the mainboard according to the management specification of the operating system.
The browser attributes of the second client are queried through the browser fingerprint library, following that library's own query procedure, which is simple and convenient. The attributes are then hashed by the hash calculator to generate the browser identifier; the generated identifier is an opaque string that the second client cannot easily tamper with, so the security of the server is enhanced.
Specifically, browser attributes (canvas, webgl, userAgent, audioContext and the like) can be queried through the FingerprintJS browser fingerprint library. FingerprintJS is a fast browser fingerprint library implemented in JavaScript, a lightweight, interpreted or just-in-time compiled programming language with first-class functions.
The central processing unit serial number is obtained according to the management specification of the operating system, for example according to the Windows management specification. Obtaining device attributes through WMI (Windows Management Instrumentation) is simple and convenient, so the central processing unit serial number is readily available. Specifically, the central processing unit serial number is named cid, and the code (Python, using the wmi module) is as follows:
import wmi
cid = ''.join([cpu.ProcessorId.strip() for cpu in wmi.WMI().Win32_Processor()])
The mainboard serial number is likewise obtained according to the management specification of the operating system, for example according to the Windows management specification, through WMI. The mainboard serial number is named zid, and the code is as follows:
zid = ''.join([board_id.SerialNumber.strip() for board_id in wmi.WMI().Win32_BaseBoard()])
Optionally, the second identity information further includes a random character string, the length of the random character string is greater than or equal to 6 bits and less than or equal to 16 bits (a bit here being one character position), and the random character string includes at least one of digits, capital letters and lowercase letters. Including the random character string increases the complexity of the second identity information, so it is not easy for the client to tamper with and the security of the server is enhanced. For example, the random string may be 6, 8, 10, 12, 14 or 16 bits long. For example, the second identity information has the following composition structure: an 8-bit random character string, the browser identifier of the client, the central processing unit serial number of the client, the mainboard serial number of the client, and an 8-bit random character string. Optionally, a random-number utility is called from JavaScript to generate the random string. Optionally, the random string includes digits, capital letters and lowercase letters, which increases the complexity of the random string and thereby of the second identity information.
Optionally, generating the first hypertext transfer protocol request based on the second identity information includes: encrypting the second identity information, the encryption mode being an asymmetric key mode; and forming an encrypted first hypertext transfer protocol request based on the encrypted second identity information. Sending the first hypertext transfer protocol request to the server then includes: sending the encrypted first hypertext transfer protocol request to the server. In asymmetric encryption, the keys used for encryption and decryption are different keys; because encryption and decryption are not symmetric, it is called asymmetric encryption. Compared with symmetric key encryption, asymmetric key encryption does not require a key to be shared between the second client and the server: as long as the private key is never sent to the client, ciphertext intercepted on the network cannot be decrypted, and a stolen public key alone is of no use. Therefore, the second identity information is not easy to tamper with, and the security of the server is enhanced. For example, the second identity information with the composition structure of an 8-bit random character string, the browser identifier of the client, the central processing unit serial number of the client, the mainboard serial number of the client and an 8-bit random character string is encrypted in asymmetric key mode to form a string of ciphertext; this increases the complexity of the second identity information, prevents it from being tampered with by the second client, and improves the security of the server. The encrypted first hypertext transfer protocol request has increased security relative to the unencrypted first hypertext transfer protocol request.
When the client encrypts the second identity information in asymmetric key mode, the server receives the first hypertext transfer protocol request sent by the second client and must first decrypt the second identity information before it extracts the three kinds of second information, namely the browser identifier of the second client, the central processing unit serial number of the second client and the mainboard serial number of the second client.
In the security reinforcing method provided in the embodiment of the present invention, the execution subject may be a security reinforcing apparatus applied to a server, and referring to fig. 3, fig. 3 shows a security reinforcing apparatus applied to a server in an embodiment of the present invention, including:
the blacklist adding module S01 is used for adding a first IP address into a blacklist and acquiring first identity information corresponding to the first IP address; the first identity information comprises: and the browser identifier of the first client, the central processing unit serial number of the first client and the mainboard serial number of the first client which correspond to the first IP address.
A receiving request module S02, configured to receive a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second identity information includes: and the browser identifier of the second client, the central processor serial number of the second client and the mainboard serial number of the second client.
A checking module S03, configured to deny access to the second client if the second IP address does not exist in the blacklist and at least one type of second information of the second identity information is the same as the first information corresponding to the first identity information.
The blacklist adding module S01 records the characteristics of the first client as the first identity information, so that when the request receiving module S02 receives a first hypertext transfer protocol request sent by the second client, the checking module S03 can check the second identity information of the second client. If the second IP address is not in the blacklist but at least one kind of second information of the second identity information is the same as the corresponding first information of the first identity information, the second client and the first client are the same client, the second client being the first client after it has changed its first IP address; access of the second client is therefore denied, so that the first client cannot access the server simply by modifying its first IP address, and the security of the server is improved.
Optionally, the blacklist adding module S01 further includes a security check unit, where the security check unit is configured to determine whether the first IP address is secure.
Optionally, the checking module S03 further includes a blacklist checking unit, where the blacklist checking unit is configured to reject access of the second client corresponding to the second IP address when the second IP address exists in a blacklist.
Optionally, the safety enhancing device further comprises: a second hypertext transfer protocol request receiving module, configured to receive a second hypertext transfer protocol request sent by a second client; the second hypertext transfer protocol request does not include second identity information of the second client; access is denied to the second client.
Optionally, the safety enhancing device further comprises: and the format checking module is used for refusing the access of the second client under the condition that the second IP address does not exist in the blacklist and the format of the second identity information is different from the preset format of the identity information.
Optionally, the checking module S03 includes: and the first checking unit is used for rejecting the access of the second client under the conditions that the second IP address does not exist in the blacklist, the format of the second identity information is the same as that of the preset identity information, and at least one second information of the second identity information is the same as the first information corresponding to the first identity information.
Optionally, the safety enhancing device further comprises: and the blacklist closing module is associated with the verification module S03 and is used for closing the function of verifying the second identity information by the verification module S03 under the condition of closing the blacklist function.
Optionally, the safety enhancement device further comprises: and the storage module is used for storing the first identity information corresponding to the first IP address in a data table.
Optionally, the checking module S03 includes: and the second checking unit is used for rejecting the access of the second client under the condition that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information in the data table.
Optionally, the safety enhancing device further comprises: and the blacklist removing module is used for removing the first IP address from the blacklist and deleting the first identity information corresponding to the first IP address from the data table.
The device applied to security enforcement of the server according to the embodiment of the present application can implement each process implemented by the method embodiment of fig. 1, and is not described herein again to avoid repetition.
In the method for security enforcement provided in the embodiment of the present invention, the execution subject may be a security enforcement device applied to the second client, and referring to fig. 4, fig. 4 shows a security enforcement device applied to the second client in the embodiment of the present invention, including:
the instruction receiving module P01 is used for receiving an acquisition instruction of the server for acquiring the second identity information of the second client; the second identity information includes: and the browser identifier of the second client, the central processor serial number of the second client and the mainboard serial number of the second client.
And the obtaining module P02 obtains the second identity information based on the obtaining instruction.
And the generating request module P03 generates a first hypertext transfer protocol request based on the second identity information.
A sending request module P04, sending the first hypertext transfer protocol request to the server; the first hypertext transfer protocol request comprises a second IP address of the second client and the second identity information of the second client; the server is configured to: adding a first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information comprises: the first IP address corresponds to three first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client; and when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is rejected.
In the invention, an instruction receiving module P01 receives an acquisition instruction of a server for acquiring second identity information of a second client; the second identity information serves as a feature identifier of the second client. The obtaining module P02 obtains second identity information based on the obtaining instruction; a generation request module P03 for generating a first hypertext transfer protocol request based on the second identity information; the sending request module P04 sends a first hypertext transfer protocol request to the server; the first hypertext transfer protocol request includes a second IP address of the second client, second identity information of the second client. The second client acquires the second identity information and sends the second identity information to the server through the first hypertext transfer protocol request, so that the server can acquire the second identity information after receiving the first hypertext transfer protocol request, and the server can conveniently check the security of the second client.
Optionally, the obtaining module P02 may include a browser identifier obtaining unit, configured to query the browser attribute through a browser fingerprint library, and calculate the browser attribute through a hash calculator to generate the browser identifier.
Optionally, the obtaining module P02 may include a central processing unit serial number obtaining unit, configured to obtain a central processing unit serial number according to a management specification of an operating system.
Optionally, the obtaining module P02 may include a motherboard serial number obtaining unit, configured to obtain a motherboard serial number according to a management specification of an operating system.
Optionally, in an embodiment of the present invention, the device for security reinforcement applied to the second client further includes a random character string generation module, where the random character string generation module is configured to generate a random character string in the second identity information, a length of the random character string is greater than or equal to 6 bits and less than or equal to 16 bits, and the random character string includes at least one of a number, an upper case letter, and a lower case letter.
Optionally, the request generation module P03 includes an encryption unit, and the encryption unit is configured to encrypt the second identity information in an asymmetric key manner. The generation request module P03 further includes a first hypertext transfer protocol request forming unit, configured to form an encrypted first hypertext transfer protocol request based on the encrypted second identity information.
Optionally, the request sending module P04 further includes a request sending unit, and the request sending unit is configured to send the encrypted first hypertext transfer protocol request to the server.
The device for security hardening applied to the second client according to the embodiment of the present application can implement each process implemented by the method embodiment of fig. 2, and is not described here again to avoid repetition.
It should be noted that the security enforcement method applied to the second client and the security enforcement method applied to the server may refer to each other, and the relevant points are omitted to avoid redundancy.
An embodiment of the present invention further provides an electronic device, which includes a processor and a memory, where the memory stores a program that can be run on the processor, and when the program is executed by the processor, the steps of the above-mentioned method for security enforcement are implemented, and the same technical effects can be achieved.
The embodiment of the present invention further provides a readable storage medium, where a program is stored on the readable storage medium, and when the program is executed by a processor, the steps of the above-mentioned method for security enforcement are implemented, and the same technical effects can be achieved, and in order to avoid repetition, details are not repeated here.
It should be noted that the apparatus, method, and related parts described above can be referred to each other, and the same or similar effects can be achieved.
It should be noted that for simplicity of description, the method embodiments are described as a series of acts, but those skilled in the art should understand that the embodiments are not limited by the described order of acts, as some steps can be performed in other orders or simultaneously according to the embodiments. Further, those skilled in the art will recognize that the embodiments described in this specification are preferred embodiments, and that the acts and modules involved are not necessarily required by the present disclosure.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional like elements in a process, method, article, or apparatus comprising the element.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which is stored in a storage medium (such as ROM/RAM, magnetic disk, optical disk) and includes instructions for enabling a terminal (such as a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
While the present invention has been described with reference to the particular illustrative embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, but is intended to cover various modifications, equivalent arrangements, and equivalents thereof, which may be made by those skilled in the art without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (11)

1. A method of security enforcement, applied to a server, the method comprising:
adding a first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information includes: three kinds of first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client, which correspond to the first IP address;
receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second identity information includes: the browser identification of the second client, the serial number of the central processing unit of the second client and the serial number of the main board of the second client are three kinds of second information;
and when the second IP address does not exist in the blacklist and at least one type of second information of the second identity information is the same as the first information corresponding to the first identity information, the second client is denied access.
2. The method of security reinforcement of claim 1, further comprising:
receiving a second hypertext transfer protocol request sent by the second client; the second hypertext transfer protocol request does not include the second identity information of the second client;
denying access to the second client.
3. The method of claim 1, wherein before denying access to the second client if the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the method further comprises:
rejecting access of the second client under the condition that the second IP address does not exist in the blacklist and the format of the second identity information is different from the format of preset identity information;
the denying the access of the second client when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information includes:
and under the conditions that the second IP address does not exist in the blacklist, the format of the second identity information is the same as that of the preset identity information, and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is refused.
4. The method of claim 1, wherein before denying access to the second client if the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the method further comprises:
storing first identity information corresponding to the first IP address in a data table;
the denying the access of the second client when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information includes:
when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information in the data table, rejecting the access of the second client;
the method further comprises the following steps: and removing the first IP address out of the blacklist, and deleting the first identity information corresponding to the first IP address from the data table.
5. A method for security enforcement, applied to a second client, the method comprising:
receiving an acquisition instruction of the server for acquiring second identity information of the second client; the second identity information includes: the browser identification of the second client, the serial number of the central processing unit of the second client and the serial number of the main board of the second client are three kinds of second information;
acquiring the second identity information based on the acquisition instruction;
generating a first hypertext transfer protocol request based on the second identity information;
sending the first hypertext transfer protocol request to the server; the first hypertext transfer protocol request comprises a second IP address of the second client and the second identity information of the second client; the server is configured to: adding a first IP address into a blacklist, and acquiring first identity information corresponding to the first IP address; the first identity information includes: three kinds of first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client, which correspond to the first IP address; and when the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information, the access of the second client is rejected.
6. The method of security enforcement according to claim 5, wherein the obtaining the second identity information based on the obtaining instruction comprises at least one of:
inquiring browser attributes through a browser fingerprint library, and calculating the browser attributes through a Hash calculator to generate the browser identification;
acquiring the serial number of the central processing unit according to the management specification of an operating system;
and acquiring the serial number of the mainboard according to the management specification of the operating system.
7. The method of security enforcement according to claim 5, wherein the second identity information further comprises a random string, the random string having a length of 6 bits or more and 16 bits or less, and the random string comprising at least one of a digit, a capital letter, and a lowercase letter.
8. The method of security enforcement according to claim 5, wherein the generating a first hypertext transfer protocol request based on the second identity information comprises:
encrypting the second identity information, wherein the encryption mode is an asymmetric key mode;
forming an encrypted first hypertext transfer protocol request based on the encrypted second identity information;
said sending said first hypertext transfer protocol request to said server comprising:
sending the encrypted first hypertext transfer protocol request to the server.
9. A security hardening device, applied to a server, the device comprising:
the blacklist adding module is used for adding a first IP address into a blacklist and acquiring first identity information corresponding to the first IP address; the first identity information includes: three kinds of first information, namely a browser identifier of a first client, a central processing unit serial number of the first client and a mainboard serial number of the first client, which correspond to the first IP address;
the receiving request module is used for receiving a first hypertext transfer protocol request sent by a second client; the first hypertext transfer protocol request comprises a second IP address of the second client and second identity information of the second client; the second identity information includes: the browser identification of the second client, the serial number of the central processing unit of the second client and the serial number of the main board of the second client are three kinds of second information;
and the verification module is used for refusing the access of the second client under the condition that the second IP address does not exist in the blacklist and at least one second information of the second identity information is the same as the first information corresponding to the first identity information.
10. An electronic device comprising a processor and a memory, the memory storing a program executable on the processor, the program when executed by the processor implementing the steps of the method of security enforcement according to any one of claims 1 to 8.
11. A readable storage medium, characterized in that the readable storage medium has stored thereon a program which, when being executed by a processor, carries out the steps of the method of security enforcement according to any one of claims 1 to 8.
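The server-side logic of claims 7 and 9 (the blacklist with its recorded identity information, the verification module that refuses a client whose IP is not blacklisted but whose identity shares a field with a blacklisted client, and the random-string constraint), as an added Python example written for this page rather than the applicant's implementation. Assumed, and not stated in the claims: the JSON field names, that claim 7's "bits" means characters, that a request whose IP is already in the blacklist is refused before the identity comparison, and that the client IP used is the connection's peer address rather than a value the client places in the body. Claim 8's asymmetric encryption of the identity information is not modelled.

```python
"""Server-side verification modelled on the claims above.

Added example for this page, not the applicant's code. Assumed: the JSON
field names, that claim 7's "bits" means characters, that a request from an
IP already in the blacklist is refused before the identity comparison, and
that the client IP is the connection's peer address rather than a value the
client supplies in the body. Claim 8's asymmetric encryption is not modelled.
"""
import json
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional


@dataclass(frozen=True)
class Identity:
    """The three identity fields named in the claims."""
    browser_id: str
    cpu_serial: str
    board_serial: str

    def shares_any_field_with(self, other: "Identity") -> bool:
        """True when at least one field equals the other's (the claim's test)."""
        return (self.browser_id == other.browser_id
                or self.cpu_serial == other.cpu_serial
                or self.board_serial == other.board_serial)


class Decision(Enum):
    ALLOW = "allow"
    REJECT_BLACKLISTED_IP = "reject: IP address is in the blacklist"
    REJECT_IDENTITY_MATCH = "reject: identity matches a blacklisted client"


class Blacklist:
    """Blacklisted IPs with the identity recorded for each (claim 9's
    'blacklist adding module')."""

    def __init__(self) -> None:
        self._entries: Dict[str, Identity] = {}

    def add(self, ip: str, identity: Identity) -> None:
        self._entries[ip] = identity

    def contains_ip(self, ip: str) -> bool:
        return ip in self._entries

    def matching_ip(self, identity: Identity) -> Optional[str]:
        """The blacklisted IP whose recorded identity shares a field, if any."""
        for ip, recorded in self._entries.items():
            if recorded.shares_any_field_with(identity):
                return ip
        return None


def verify(blacklist: Blacklist, peer_ip: str, identity: Identity) -> Decision:
    """Claim 9's verification module: a second client whose IP is not in the
    blacklist is still refused when any identity field matches a blacklisted
    client. Refusing a blacklisted IP outright is an assumption (see top)."""
    if blacklist.contains_ip(peer_ip):
        return Decision.REJECT_BLACKLISTED_IP
    if blacklist.matching_ip(identity) is not None:
        return Decision.REJECT_IDENTITY_MATCH
    return Decision.ALLOW


def random_string_ok(s: str) -> bool:
    """Claim 7: 6 to 16 characters drawn from digits, capital and small letters."""
    return 6 <= len(s) <= 16 and s.isascii() and s.isalnum()


def parse_identity_request(raw: bytes) -> Identity:
    """Extract the identity information from a POST whose JSON body carries the
    three fields plus the claim 7 random string (field names are assumed)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("ascii").split("\r\n")
    if request_line.split(" ")[0] != "POST":
        raise ValueError("identity information is expected in a POST body")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    payload = json.loads(body[:length].decode("utf-8"))
    if not random_string_ok(payload["random"]):
        raise ValueError("random string violates the claim 7 length/charset rule")
    return Identity(payload["browser_id"], payload["cpu_serial"], payload["board_serial"])


# Constructed sample request from a second client at 198.51.100.7 whose
# browser identifier coincides with that of a blacklisted first client.
_BODY = json.dumps({"browser_id": "ff-9a3c", "cpu_serial": "CPU-0002",
                    "board_serial": "MB-0002", "random": "aB3xyz9"}).encode()
SAMPLE_REQUEST = (b"POST /verify HTTP/1.1\r\nHost: server.example\r\n"
                  b"Content-Type: application/json\r\n"
                  b"Content-Length: " + str(len(_BODY)).encode() + b"\r\n\r\n" + _BODY)


def demo() -> Decision:
    """Blacklist one first client, then verify the constructed request."""
    blacklist = Blacklist()
    blacklist.add("203.0.113.5", Identity("ff-9a3c", "CPU-0001", "MB-0001"))
    return verify(blacklist, "198.51.100.7", parse_identity_request(SAMPLE_REQUEST))


if __name__ == "__main__":
    print(demo().value)
```

Because the identity fields are matched individually, a client that changes its IP but keeps the same browser identifier, CPU serial or mainboard serial is still refused; the flip side, worth weighing when deploying such a check, is that any shared or spoofable field value (a common browser identifier, for instance) will also refuse unrelated clients, so the three values should be collected as reliably as the claims describe and the blacklist reviewed for such collisions.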
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211392209.8A CN115733674A (en) 2022-11-08 2022-11-08 Security reinforcement method and device, electronic equipment and readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202211392209.8A CN115733674A (en) 2022-11-08 2022-11-08 Security reinforcement method and device, electronic equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN115733674A true CN115733674A (en) 2023-03-03

Family

ID=85294899

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202211392209.8A Pending CN115733674A (en) 2022-11-08 2022-11-08 Security reinforcement method and device, electronic equipment and readable storage medium

Country Status (1)

Country Link
CN (1) CN115733674A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination