Technical Field
The present invention relates to the field of communication technology, and in particular to a data protection method and a bastion host.
Background
With the rapid development of communication technology, the security of server data has become particularly important. Traditional data protection methods can use a bastion host to guarantee server data security. A bastion host is an operations and maintenance (O&M) auditing product for data centers that provides functions such as single sign-on, account management, authorization management and security auditing.
In the prior art, a bastion host is used to guarantee server data security by connecting it in series between the client and the server. The system administrator on the client side obtains the data from the server and stores it in the bastion host. When an access instruction is received from a client, the client's permission for the target data must be determined from that instruction, and only a client that holds permission for the target data is allowed to access it. The system administrator holds the highest privilege and can perform operations such as access and modification.
However, if the bastion host is compromised, the attacker obtains the system administrator's privilege and uses that highest privilege in the bastion host to access and modify the server's data, so the security of the server data cannot be guaranteed.
Summary of the Invention
In view of this, the present invention provides a data protection method and a bastion host to guarantee the security of server data.
The present invention provides a data protection method in which a bastion host is connected in series on the path between the client and the server, the method further comprising:
obtaining a plurality of data items from the server;
determining an importance level for each data item, and configuring the system administrator to have no operation permission on data items whose importance level is higher than a set threshold;
upon receiving a first operation instruction sent by the system administrator, determining the importance level of the data item operated on by the first operation instruction;
when the importance level of the data item operated on by the first operation instruction is determined to be higher than the set threshold, blocking the first operation instruction from accessing that data item.
Preferably,
the method further comprises: establishing an access control list from the data items whose importance level is higher than the set threshold, and designating the application programs that have operation permission on the access control list;
the method further comprises: upon receiving a second operation instruction sent by a target application program, determining the importance level of the data item operated on by the second operation instruction; when that importance level is determined to be higher than the set threshold, judging whether the target application program has operation permission on the access control list; when the judgment is that it does, allowing the target application program to operate on the access control list, and otherwise blocking the target application program from operating on the access control list.
Preferably,
the method further comprises: configuring application programs so that a request to operate on a data item whose importance level is higher than the set threshold is redirected; and, when the importance level of the data item operated on by the second operation instruction is determined to be higher than the set threshold, redirecting the second operation instruction in order to perform the judgment of whether the target application program has operation permission on the access control list.
Preferably, the method further comprises:
creating an independent kernel hardening administrator, and using the kernel hardening administrator to perform the determination of the importance level of each data item and the configuration of the system administrator to have no operation permission on data items whose importance level is higher than the set threshold.
Preferably, the method further comprises:
receiving the second operation instruction sent by the target application program by way of a browser.
The present invention also provides a bastion host connected in series on the path between the client and the server, comprising:
an acquisition unit, configured to obtain a plurality of data items from the server;
a processing unit, configured to determine an importance level for each data item and to configure the system administrator to have no operation permission on data items whose importance level is higher than a set threshold;
a determination unit, configured to determine, upon receiving a first operation instruction sent by the system administrator, the importance level of the data item operated on by the first operation instruction;
a blocking unit, configured to block the first operation instruction from accessing the data item it operates on when the importance level of that data item is determined to be higher than the set threshold.
Preferably, the bastion host further comprises:
an establishment unit, configured to establish an access control list from the data items whose importance level is higher than the set threshold, and to designate the application programs that have operation permission on the access control list;
the determination unit being further configured to, upon receiving a second operation instruction sent by a target application program, determine the importance level of the data item operated on by the second operation instruction; when that importance level is determined to be higher than the set threshold, judge whether the target application program has operation permission on the access control list; when the judgment is that it does, allow the target application program to operate on the access control list, and otherwise block the target application program from operating on the access control list.
Preferably, the processing unit is configured to configure application programs so that a request to operate on a data item whose importance level is higher than the set threshold is redirected, and, when the importance level of the data item operated on by the second operation instruction is determined to be higher than the set threshold, to redirect the second operation instruction in order to perform the judgment of whether the target application program has operation permission on the access control list.
Preferably, the bastion host further comprises:
a creation unit, configured to create an independent kernel hardening administrator and to use the kernel hardening administrator to perform the determination of the importance level of each data item and the configuration of the system administrator to have no operation permission on data items whose importance level is higher than the set threshold.
Preferably, the bastion host further comprises:
a receiving unit, configured to receive the second operation instruction sent by the target application program by way of a browser.
The embodiments of the present invention provide a data protection method and a bastion host. By configuring the system administrator to have no operation permission on data items whose importance level is higher than a set threshold, any operation by the system administrator on such data is blocked. This prevents an attacker who has obtained the system administrator's privilege from attacking the server data, and improves the security of the server data.
Brief Description of the Drawings
Fig. 1 is a flow chart of the method provided by an embodiment of the present invention;
Fig. 2 is a flow chart of the method provided by another embodiment of the present invention;
Fig. 3 is a schematic diagram of the bastion host connected in series between the client and the server according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of the bastion host provided by an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of the bastion host provided by another embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of these embodiments without creative effort fall within the protection scope of the present invention.
As shown in Fig. 1, an embodiment of the present invention provides a data protection method in which a bastion host is connected in series on the path between the client and the server. The method may comprise the following steps:
Step 101: obtain a plurality of data items from the server.
Step 102: determine the importance level of each data item, and configure the system administrator to have no operation permission on data items whose importance level is higher than a set threshold.
Step 103: upon receiving a first operation instruction sent by the system administrator, determine the importance level of the data item operated on by the first operation instruction.
Step 104: when the importance level of the data item operated on by the first operation instruction is determined to be higher than the set threshold, block the first operation instruction from accessing that data item.
Under the above scheme, the system administrator is configured to have no operation permission on data items whose importance level is higher than the set threshold, so any operation by the system administrator on such data is blocked. This prevents an attacker who has obtained the system administrator's privilege from attacking the server data, and improves the security of the server data.
To further improve the security of the server data, an access control list is also established from the data items whose importance level is higher than the set threshold, and the application programs with operation permission on the access control list are designated. Upon receiving a second operation instruction sent by a target application program, the importance level of the data item it operates on is determined; when that level is higher than the set threshold, it is judged whether the target application program has operation permission on the access control list; if it does, the target application program is allowed to operate on the access control list, and otherwise it is blocked from doing so.
To make the objectives, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, an embodiment of the present invention provides a data protection method that may comprise the following steps:
Step 201: configure the bastion host system network so that the bastion host is connected in series on the path between the client and the server.
As shown in Fig. 3, with the bastion host connected in series on the path between the client and the server, a client that needs to access the server must go through the bastion host. Using key techniques such as protocol proxying and automatic credential filling, the bastion host provides O&M users with single sign-on to remote servers and can promptly block a client that attempts to access server data maliciously, thereby guaranteeing the security of the server data.
Step 202: on the client side, the kernel hardening administrator logs in to the bastion host's management system through a browser and obtains a plurality of data items from the server.
In this embodiment, to keep its privilege separate from that of the system administrator, a kernel hardening administrator independent of the system administrator may be created to log in to the bastion host system and perform the data storage. The bastion host's operating system kernel is custom-developed and recompiled so that the system directories and files storing server accounts and passwords are protected at the kernel layer, raising the security level of the bastion host system.
In this embodiment, logging in to the bastion host through a browser further reduces the attack surface available to an attacker. The data items obtained from the server may include: IP address, port, system account, password and other information.
In this embodiment, the bastion host may connect to the server by protocol proxy forwarding in order to obtain the data items. The server's O&M ports (3389, 22) are opened only to the bastion host, and access management is supported for all Windows-type servers and for Unix-like servers such as RedHat, Solaris, HP-UX and AIX.
Step 203: the kernel hardening administrator sets the importance level of each obtained data item and establishes an access control list from the data items whose importance level is greater than the set threshold.
In the prior art the system administrator holds the highest operation permission on the server data stored in the kernel layer of the bastion host, so an attacker who obtains that permission by some means can attack the kernel layer of the bastion host. To ensure that the important data held in the kernel layer is not attacked, each data item is assigned an importance level; for example, the IP address is assigned level 1, the port level 3, the system account level 2 and the password level 3. The larger the number, the higher the importance.
Accordingly, in this embodiment a threshold may be set, for example 2, and data items whose importance level is greater than the threshold are treated as important data to be protected from attack; an access control list is established from the data items whose importance level is greater than 2. The access control list thus contains the data items whose importance level is greater than 2.
Step 204: the kernel hardening administrator designates the application programs that have operation permission on the access control list, configures the system administrator to have no operation permission on the access control list, and stores the configured operation permissions in the bastion host's hardening layer.
In this embodiment, to prevent an attacker who has obtained the system administrator's privilege from attacking the bastion host, the system administrator's privilege may be suitably reduced: for example, the system administrator is given no operation permission on the access control list, so the system administrator cannot operate on the higher-importance data items it contains; correspondingly, the system administrator retains operation permission on data items whose importance level is below the set threshold.
In this embodiment, the application programs with operation permission on the access control list must also be designated. They may be designated by signing; for example, the application program /etc/ssc/sscservice may be given operation permission on the access control list in this way. For instance, if application A, application B and application C are to have operation permission on the access control list, then application A, application B and application C are signed, for example with a 128-bit hash signature algorithm, as trusted applications of the bastion host, which allows them to operate on the objects in the access control list. The kind of operation each trusted application may perform on the objects in the access control list can also be configured: for example, application A is allowed to read the objects in the access control list, while application B and application C are allowed to read and modify them.
To guarantee the security of the data stored in the bastion host's kernel layer, as shown in Fig. 3, hooking (HOOK) techniques may be used to add a hardening layer between the user layer and the kernel layer of the bastion host, thereby building an access control layer within the bastion host. The operation permission settings described above are added to this hardening layer, and a redirection function is set so that every operation instruction is redirected to the hardening layer for a decision, which limits the system administrator's privilege. In addition, by adding the hardening layer and providing a user-layer interface and a separate kernel hardening administrator, a mandatory access control list for key system directories and files can be customized.
Step 205: log the kernel hardening administrator out and start the daemon startup script Dprotect.sh of the kernel hardening program to protect the kernel layer.
Step 206: receive an operation instruction sent from the client side and determine from it the importance level of the data item on which the operation is requested. If that importance level is less than or equal to the set threshold, allow the operation on the requested data item; otherwise, continue to step 207.
The operation instruction generated on the client side may be received by way of a browser.
Step 207: judge whether the operation instruction holds operation permission on the requested data item. If the operation instruction was sent by the system administrator, go to step 208; if it was sent by an application program that has operation permission on the access control list, go to step 209; if it was sent by an application program that does not have operation permission on the access control list, go to step 208.
Step 208: notify the client that the operation instruction has no permission.
For example, the notification may read: "Operation blocked, please contact the kernel hardening administrator."
Step 209: allow the operation instruction to operate on the requested data item.
It follows that a kernel-hardened secure bastion host system can provide kernel-level protection for key operating system directories and files, limit the system administrator's operation permissions, raise the operating system's security level and minimize the consequences of a compromise.
In this embodiment, the kernel hardening technique is invisible to users and does not affect normal applications, but after a compromise of the bastion host it prevents the attacker from using the system administrator account to view, modify or delete the stored server accounts and passwords, raising the security level of the bastion host operating system.
Under the above scheme, the bastion host uses an open source Linux operating system and can communicate directly with the Linux kernel interfaces through the kernel hardening technique, establishing a mandatory access control layer between the kernel layer and the user layer, so that every request from the application layer to access the kernel must interact with the mandatory access control layer and can access kernel interfaces and data only after obtaining its permission.
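The decision logic of steps 203 to 209, written out as an added Python illustration that is not part of the patent. The importance levels, the threshold of 2 and the read/modify rights of applications A, B and C are the page's own example values; the "128-bit hash signature" is modelled here as an MD5 digest of the application binary, and every binary, principal name and function name below is a constructed assumption.

```python
"""Reference monitor modelling the bastion host's hardening layer.

Added illustration, not code from the patent.  Importance levels, the
threshold of 2 and the per-application rights come from the embodiment;
the 128-bit signature is modelled as an MD5 digest (assumption), and the
binaries and principal names are constructed stand-ins."""
import hashlib
from dataclasses import dataclass, field

READ, MODIFY = "read", "modify"
SYSTEM_ADMINISTRATOR = "system_administrator"   # constructed principal name
BLOCKED = "Operation blocked, please contact the kernel hardening administrator."

# Step 203: importance level assigned to each data item obtained from the server.
IMPORTANCE = {"ip_address": 1, "port": 3, "system_account": 2, "password": 3}
THRESHOLD = 2


def build_acl(importance, threshold):
    """Step 203: the ACL holds every item whose level exceeds the threshold."""
    return frozenset(name for name, level in importance.items() if level > threshold)


@dataclass
class HardeningLayer:
    """Step 204: operation permissions stored in the hardening layer, to which
    every operation instruction is redirected (steps 206-207) before it can
    reach the kernel layer."""
    acl: frozenset
    # application name -> (registered 128-bit digest, permitted operations)
    trusted_apps: dict = field(default_factory=dict)

    def register_app(self, name, binary, ops):
        """'Sign' a trusted application: record its digest and allowed operations."""
        self.trusted_apps[name] = (hashlib.md5(binary).hexdigest(), frozenset(ops))

    def decide(self, principal, binary, data_item, op):
        """Steps 206-209: return (allowed, message) for one operation instruction."""
        level = IMPORTANCE.get(data_item)
        if level is None:                      # fail closed on unknown items (assumption)
            return False, BLOCKED
        # Step 206: at or below the threshold the item is not on the ACL, so the
        # system administrator and every application keep their permission.
        if level <= THRESHOLD:
            return True, "allowed"
        # Step 207 -> 208: the system administrator has no permission on the ACL.
        if principal == SYSTEM_ADMINISTRATOR:
            return False, BLOCKED
        entry = self.trusted_apps.get(principal)
        if entry is None:                      # unsigned or unknown application
            return False, BLOCKED
        digest, ops = entry
        if hashlib.md5(binary).hexdigest() != digest:   # binary does not match signature
            return False, BLOCKED
        if op not in ops:                      # e.g. application A may only read
            return False, BLOCKED
        return True, "allowed"                 # Step 209


# Constructed stand-ins for the application binaries that get signed.
APP_A_BIN = b"#!/bin/sh\n# constructed: application A\n"
APP_B_BIN = b"#!/bin/sh\n# constructed: application B\n"
APP_C_BIN = b"#!/bin/sh\n# constructed: application C\n"


def make_demo_layer():
    """Step 204 as configured in the embodiment: A reads; B and C read and modify."""
    layer = HardeningLayer(acl=build_acl(IMPORTANCE, THRESHOLD))
    layer.register_app("application_A", APP_A_BIN, {READ})
    layer.register_app("application_B", APP_B_BIN, {READ, MODIFY})
    layer.register_app("application_C", APP_C_BIN, {READ, MODIFY})
    return layer


if __name__ == "__main__":
    layer = make_demo_layer()
    print("ACL:", sorted(layer.acl))
    print(layer.decide(SYSTEM_ADMINISTRATOR, b"", "ip_address", READ))
    print(layer.decide(SYSTEM_ADMINISTRATOR, b"", "password", READ))
    print(layer.decide("application_A", APP_A_BIN, "password", MODIFY))
    print(layer.decide("application_B", APP_B_BIN + b"tampered", "password", READ))
```

The last call shows why the digest is rechecked on every instruction: a binary that no longer matches the registered signature is refused even though its name is on the trusted list.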
As shown in Fig. 4, an embodiment of the present invention also provides a bastion host connected in series on the path between the client and the server, comprising:
an acquisition unit 401, configured to obtain a plurality of data items from the server;
a processing unit 402, configured to determine an importance level for each data item and to configure the system administrator to have no operation permission on data items whose importance level is higher than a set threshold;
a determination unit 403, configured to determine, upon receiving a first operation instruction sent by the system administrator, the importance level of the data item operated on by the first operation instruction;
a blocking unit 404, configured to block the first operation instruction from accessing the data item it operates on when the importance level of that data item is determined to be higher than the set threshold.
In one embodiment of the present invention, as shown in Fig. 5, the bastion host may further comprise:
an establishment unit 501, configured to establish an access control list from the data items whose importance level is higher than the set threshold, and to designate the application programs that have operation permission on the access control list;
the determination unit 403 being further configured to, upon receiving a second operation instruction sent by a target application program, determine the importance level of the data item operated on by the second operation instruction; when that importance level is determined to be higher than the set threshold, judge whether the target application program has operation permission on the access control list; when the judgment is that it does, allow the target application program to operate on the access control list, and otherwise block the target application program from operating on the access control list.
Further, the processing unit 402 is configured to configure application programs so that a request to operate on a data item whose importance level is higher than the set threshold is redirected, and, when the importance level of the data item operated on by the second operation instruction is determined to be higher than the set threshold, to redirect the second operation instruction in order to perform the judgment of whether the target application program has operation permission on the access control list.
The bastion host further comprises:
a creation unit 502, configured to create an independent kernel hardening administrator and to use the kernel hardening administrator to perform the determination of the importance level of each data item and the configuration of the system administrator to have no operation permission on data items whose importance level is higher than the set threshold.
a receiving unit 503, configured to receive the second operation instruction sent by the target application program by way of a browser.
In summary, the embodiments of the present invention can achieve at least the following beneficial effects:
1. By configuring the system administrator to have no operation permission on data items whose importance level is higher than the set threshold, any operation by the system administrator on such data is blocked, which prevents an attacker who has obtained the system administrator's privilege from attacking the server data and improves the security of the server data.
2. By designating the application programs with operation permission on the access control list, only those application programs can access the access control list, which further improves the security of the server data.
Since the information exchange and execution processes among the units of the above device are based on the same concept as the method embodiments of the present invention, their specifics can be found in the description of the method embodiments and are not repeated here.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another and do not necessarily require or imply any actual relationship or order between them. Moreover, the terms "comprise", "include" and any variants thereof are intended to cover non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of additional identical elements in the process, method, article or device that comprises the element.
Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments can be carried out by hardware under the control of program instructions. The program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical disks and other media capable of storing program code.
Finally, it should be noted that the above are only preferred embodiments of the present invention, intended to illustrate its technical solutions and not to limit its protection scope. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention falls within its protection scope.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510229746.4A (CN104796432A) | 2015-05-07 | 2015-05-07 | Data protection method and safety bastion host |
| Publication Number | Publication Date |
|---|---|
| CN104796432A (en) | 2015-07-22 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510229746.4A (pending; CN104796432A) | Data protection method and safety bastion host | 2015-05-07 | 2015-05-07 |
| Country | Link |
|---|---|
| CN (1) | CN104796432A (en) |
Patent citations

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN101051937A (en)* | 2006-05-10 | 2007-10-10 | 华为技术有限公司 | User's power managing method and system based on XML |
| CN102799645A (en)* | 2012-06-28 | 2012-11-28 | 用友软件股份有限公司 | Security search device and method |
| CN102891840A (en)* | 2012-06-12 | 2013-01-23 | 北京可信华泰信息技术有限公司 | Three power separation-based information security management system and information security management method |
| CN103441986A (en)* | 2013-07-29 | 2013-12-11 | 中国航天科工集团第二研究院七〇六所 | Data resource security control method in thin client mode |
| CN103581001A (en)* | 2012-07-24 | 2014-02-12 | 深圳市中兴移动通信有限公司 | Gateway system with cloud storage and data interaction method applied to system |
Cited by

| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN108667802A (en)* | 2018-03-30 | 2018-10-16 | 全球能源互联网研究院有限公司 | A monitoring method and system for power application network security |
| CN110351228A (en)* | 2018-04-04 | 2019-10-18 | 阿里巴巴集团控股有限公司 | Remote entry method, device and system |
| CN111125039A (en)* | 2018-10-30 | 2020-05-08 | 华为技术有限公司 | A method and device for generating an operation log |
| CN111125039B (en)* | 2018-10-30 | 2022-06-10 | 华为技术有限公司 | Method and device for generating operation log |
| CN110099060A (en)* | 2019-05-07 | 2019-08-06 | 瑞森网安(福建)信息科技有限公司 | A kind of network information security guard method and system |
| CN110557282A (en)* | 2019-08-23 | 2019-12-10 | 北京浪潮数据技术有限公司 | Server operation and maintenance management method, device and equipment |
| CN111984508A (en)* | 2020-08-25 | 2020-11-24 | 成都安恒信息技术有限公司 | Remote log acquisition method based on bastion machine |
| CN114254384A (en)* | 2021-12-10 | 2022-03-29 | 卫宁健康科技集团股份有限公司 | Medical data calling method and device and computer equipment |
| CN114254384B (en)* | 2021-12-10 | 2023-10-20 | 卫宁健康科技集团股份有限公司 | Medical data retrieval method and device and computer equipment |
| CN115396202A (en)* | 2022-08-25 | 2022-11-25 | 济南浪潮数据技术有限公司 | An identification method for brute force cracking and related components |
Similar documents

| Publication | Publication Date | Title |
|---|---|---|
| CN112073400B (en) | | Access control method, system, device and computing equipment |
| US11954217B2 (en) | | Securing privileged virtualized execution instances |
| US9942274B2 (en) | | Securing communication over a network using client integrity verification |
| US9838398B2 (en) | | Validating the identity of an application for application management |
| CN104796432A (en) | | Data protection method and safety bastion host |
| US9203904B2 (en) | | Secure hybrid file-sharing system |
| US11334661B1 (en) | | Security credential revocations in a cloud provider network |
| US10348734B2 (en) | | Security bypass environment for circumventing a security application in a computing environment |
| JP2009151751A (en) | | Method and system for creating and updating approved-file and trusted-domain database |
| CN110138798B (en) | | Cloud desktop management method, device and equipment and readable storage medium |
| EP3786826B1 (en) | | Secure validation pipeline in a third party cloud environment |
| US11477183B1 (en) | | Application-based management of security credential revocations |
| CN113114464B (en) | | Unified security management system and identity authentication method |
| CN108830075A (en) | | A kind of application program management-control method of SSR centralized management platform |
| US11405379B1 (en) | | Multi-factor message-based authentication for network resources |
| US11748505B2 (en) | | Secure data processing in a third-party cloud environment |
| CN117056930A (en) | | File reinforcement method, device, equipment and medium based on mimicry system environment |
| Ayyub et al. | | An analysis of security attacks on cloud wrt saas |
| US20210192063A1 (en) | | Secure data leakage control in a third party cloud computing environment |
| CN116961967A (en) | | Data processing methods, devices, computer-readable media and electronic equipment |
| CN119544328A (en) | | Content distribution network access control method, device, node, medium and product |
Legal events

| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | EXSB | Decision made by SIPO to initiate substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20150722 |