Disclosure of Invention
The invention mainly aims to provide an intelligent monitoring method and device for maintenance behaviors and a computer readable storage medium, and aims to solve the technical problems of permission, authority and comprehensive control of the maintenance behaviors in the IT equipment maintenance process.
In order to achieve the above object, the present invention provides an intelligent monitoring method for maintenance behavior, comprising:
closing a communication channel between a maintenance tool and a terminal device so as to inhibit the maintenance tool from maintaining the terminal device;
acquiring the identity information of the maintenance tool, and judging whether the identity information accords with a maintenance permission condition;
when the identity information accords with the maintenance permission condition, placing the maintenance permission state of the maintenance tool into a permission state;
when the maintenance tool is in a permission state, address data of the maintenance tool is added into an address whitelist, and the communication channel is opened according to the address whitelist and preset authority data so as to allow the maintenance tool to maintain the terminal equipment within the authority range;
when the maintenance tool is in a permission state, the permission state of the maintenance tool is maintained in real time, and the record state and the maintenance authority state of the maintenance behavior of the maintenance tool are monitored in real time;
judging whether the maintenance tool meets a control condition in real time according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state;
when the maintenance tool is in a state of not meeting the control condition, closing a communication channel between the maintenance tool and the terminal equipment;
the maintenance tool is in the state of not meeting the control condition when any of the following holds:
maintaining the permission state of the maintenance tool fails; or
the maintenance authority state is an override state; or
the recording state is the unavailable state.
Preferably, the step of closing a communication channel between the maintenance tool and the terminal device specifically includes:
connecting the maintenance tool and the terminal equipment respectively to different, mutually isolated virtual local area networks.
Preferably, the step of closing a communication channel between the maintenance tool and the terminal device specifically includes:
removing the addresses of maintenance tools that do not meet the control requirement from the whitelist addresses.
Preferably, the step of maintaining the permission status of the maintenance tool in real time when the maintenance permission status of the maintenance tool is in the permission status specifically includes:
when the maintenance permission state of the maintenance tool is in the permission state, recording data of a maintenance data packet which is mutually transmitted with the maintenance tool in the permission state is acquired in real time so as to maintain the maintenance tool in the permission state.
Preferably, the step of determining whether the maintenance tool meets the control requirement in real time according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state specifically includes:
generating a permission access list and an actual access list according to the permission data and the maintenance behavior respectively;
judging whether the number of times the permission access list is an empty set within the preset period is larger than M1; or
judging whether the number of times the actual access list is an empty set within the preset period is larger than M2; or
judging whether the difference set between the authority access list and the actual access list is an empty set;
the maintenance authority state is an override state when any of the following holds:
the number of times the authority access list is an empty set is greater than M1; or
the number of times the actual access list is an empty set is greater than M2; or
the difference set between the authority access list and the actual access list is an empty set.
Preferably, the step of determining whether the maintenance tool meets the control requirement in real time according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state specifically includes:
recording the maintenance behavior as stored data;
judging whether the stored data is an empty set; or
judging whether the number of times the stored data is an empty set within a preset period is larger than M3;
the recording state is the unavailable state when any of the following holds:
the stored data is an empty set; or
within a preset period, the number of times the stored data is an empty set is larger than M3.
Preferably, before the step of closing the communication channel between the maintenance tool and the terminal device, the method further comprises:
initializing application data of a maintenance tool to provide a stable network address to the maintenance tool;
alternatively, after the step of closing the communication channel between the maintenance tool and the terminal device, the method further includes:
acquiring the application initialization data of the maintenance tool through the link layer.
Preferably, before the acquiring the identity information of the maintenance tool and determining whether the identity information meets the authentication condition, the method further includes:
the maintenance tool periodically receives application data from the link layer.
In order to solve the technical problems, the invention also provides an intelligent monitoring device for maintenance actions, which comprises a tool interface connected with a maintenance tool, a network interface connected with a terminal device, a memory, a processor and a computer program stored in the memory, wherein the computer program is executed by the processor to realize the steps of the intelligent monitoring method for maintenance actions.
In order to solve the technical problem, the present invention further provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the steps of the intelligent monitoring method of maintenance behavior when being executed by a processor.
According to the intelligent monitoring method for maintenance behavior, the communication channel between a maintenance tool and terminal equipment is closed, so that the maintenance tool is forbidden to maintain the terminal equipment; the identity information of the maintenance tool is acquired, and whether it accords with a maintenance permission condition is judged; when it does, the maintenance permission state of the maintenance tool is placed into the permission state; when the maintenance tool is in the permission state, its address data is added into an address whitelist, and the communication channel is opened according to the address whitelist and preset authority data so as to allow the maintenance tool to maintain the terminal equipment within the authority range; while the maintenance tool is in the permission state, that permission state is maintained in real time, and the recording state and the maintenance authority state of its maintenance behavior are monitored in real time; whether the maintenance tool meets a control condition is judged in real time according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state; and when the maintenance tool does not meet the control condition, the communication channel between the maintenance tool and the terminal equipment is closed. The maintenance tool is in the state of not meeting the control condition when maintaining its permission state fails, when the maintenance authority state is an override state, or when the recording state is the unavailable state.
Therefore, potential security hazards such as illegal intrusion, misoperation, unauthorized maintenance, and malicious damage to equipment and systems during IT equipment maintenance are eliminated, and the technical problem of secure and intelligent management and control of maintenance behaviors during IT equipment maintenance is solved.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
The invention provides an intelligent monitoring method for maintenance behaviors.
First embodiment
In this embodiment, the terminal devices are communicatively connected to each other to form a core network.
The application scenario of this embodiment is that the reserved interface of the core network is a non-managed switch interface and all terminal devices in the core network are in the same subnet.
Alternatively, the reserved interface of the core network is a managed switch interface, and the core network reserved interface is in the same virtual local area network (VLAN) as all terminal devices in the core network.
Referring to fig. 1, the intelligent monitoring method for maintenance behavior includes:
S10, closing a communication channel between a maintenance tool and terminal equipment so as to inhibit the maintenance tool from maintaining the terminal equipment;
specifically, the data exchange module is powered on; in the default state, the data exchange function between the interface connected to the core network reserved interface and the interface connected to the maintenance tool is closed;
an outgoing-direction MAC whitelist containing only the management MAC addresses of the management control service is loaded, and outgoing-direction whitelist filtering is enabled;
the data exchange function between the interface connected to the core network reserved interface and the interface connected to the maintenance tool is then opened.
This ordering has the following effect: no uncontrolled time window exists between power-up and service start-up, so the maintenance tool cannot use such a window to intrude into the core network without authorization.
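The start-up order of step S10 and the later whitelist changes of steps S30 and S50 can be modelled in a few lines. The following Python is an added example written for this page, not the patent's implementation; the data exchange module, the MAC addresses and the traffic it checks are constructed, and the per-tool authority range is modelled as a set of terminal IP addresses.

```python
from dataclasses import dataclass, field

MGMT_MAC = "02:00:00:00:00:01"   # constructed MAC of the management control service


@dataclass
class DataExchangeModule:
    """Model of the exchange between the tool interface and the core network interface."""
    exchange_open: bool = False                     # default after power-on: exchange closed
    egress_filter_on: bool = False                  # outgoing-direction whitelist filtering
    egress_whitelist: set = field(default_factory=set)
    authority: dict = field(default_factory=dict)   # tool MAC -> terminal IPs it may access
    dropped: list = field(default_factory=list)     # (mac, dst_ip, reason) for every drop

    def power_on(self, mgmt_mac: str) -> None:
        """S10 start-up order: closed, whitelist holding only the management MAC,
        filtering enabled, and only then the exchange opened."""
        self.exchange_open = False
        self.egress_whitelist = {mgmt_mac.lower()}
        self.egress_filter_on = True
        self.exchange_open = True

    def permit_tool(self, tool_mac: str, permitted_ips) -> None:
        """S30: a tool that passed authentication is temporarily whitelisted,
        limited to the terminals named in its preset authority data."""
        self.egress_whitelist.add(tool_mac.lower())
        self.authority[tool_mac.lower()] = set(permitted_ips)

    def revoke_tool(self, tool_mac: str) -> None:
        """S50 -> S10: a tool that no longer meets the control condition is removed."""
        self.egress_whitelist.discard(tool_mac.lower())
        self.authority.pop(tool_mac.lower(), None)

    def forward_to_core(self, src_mac: str, dst_ip: str) -> bool:
        """Decide whether a frame from the tool interface reaches the core network."""
        mac = src_mac.lower()
        if not self.exchange_open:
            self.dropped.append((mac, dst_ip, "exchange closed"))
            return False
        if self.egress_filter_on and mac not in self.egress_whitelist:
            self.dropped.append((mac, dst_ip, "mac not whitelisted"))
            return False
        if mac in self.authority and dst_ip not in self.authority[mac]:
            self.dropped.append((mac, dst_ip, "outside authority range"))
            return False
        return True


def simulate() -> dict:
    """Walk one constructed tool through power-on, permission and revocation."""
    m = DataExchangeModule()
    tool = "02:00:00:00:00:AA"                       # constructed tool MAC
    result = {"before_power_on": m.forward_to_core(tool, "10.0.0.5")}
    m.power_on(MGMT_MAC)
    result["unauthenticated"] = m.forward_to_core(tool, "10.0.0.5")
    result["management"] = m.forward_to_core(MGMT_MAC, "10.0.0.5")
    m.permit_tool(tool, ["10.0.0.5"])                # authority data: one terminal only
    result["permitted_in_range"] = m.forward_to_core(tool, "10.0.0.5")
    result["permitted_out_of_range"] = m.forward_to_core(tool, "10.0.0.9")
    m.revoke_tool(tool)
    result["after_revocation"] = m.forward_to_core(tool, "10.0.0.5")
    result["drops"] = len(m.dropped)
    return result


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The filter is enabled before the exchange is opened, which is the ordering the description relies on to avoid the uncontrolled window; the management MAC passes through at every stage, while the tool passes only after `permit_tool` and only toward the terminals in its authority range.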
S20, acquiring the identity information of the maintenance tool, and judging whether the identity information accords with a maintenance permission condition;
S30, when the identity information accords with the maintenance permission condition, placing the maintenance permission state of the maintenance tool into the permission state;
when the maintenance tool is in the permission state, the address data of the maintenance tool is added into the address whitelist, and the communication channel is opened according to the address whitelist and the preset authority data so as to allow the maintenance tool to maintain the terminal equipment within the authority range;
specifically, if the TCP server has not been created or the listening service has not been started, the TCP server is created with the network address of the management and control service, and the listening service is started.
A TCP connection is established with the maintenance tool; identity authentication data from the maintenance tool and the preset authority data of the maintenance tool are received through the TCP connection;
the public key of the maintenance tool end is obtained; a random number is generated; the random number is encrypted with the public key of the maintenance tool end to form a random number ciphertext; the random number ciphertext is sent to the maintenance tool; a digital signature of the random number sent back by the maintenance tool is received; the digital signature of the random number is verified using the public key of the maintenance tool end;
if the signature verification result is success, the identity authentication data is successfully authenticated, and a secure TCP connection between the management and control service and the maintenance tool is successfully constructed;
otherwise, the fed-back result is failure. The authentication and maintenance-permission result is then fed back:
if the identity authentication data is authenticated, the result of authentication for maintenance permission is permission of maintenance; otherwise, the result is prohibition of maintenance.
The MAC address of the maintenance tool for which maintenance is permitted is obtained;
the MAC address is temporarily added to the outgoing-direction MAC whitelist of the data exchange service,
so that communication channels are opened between all maintenance tools currently holding maintenance permission and only those terminal devices that are available and that the tools are authorized to access.
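The challenge-response exchange of step S30 is shown below as an added example; it is not the patent's code. Textbook RSA over two Mersenne primes stands in for the tool's real key pair so the exchange runs offline without any library, and the message sequence follows the description: the service encrypts a random number under the tool's public key, the tool decrypts and signs it, and the service verifies the signature with the same public key. A real deployment would use a standard padded signature scheme; the point here is the message flow and the two possible permission results.

```python
import hashlib
import secrets


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA from two supplied primes (constructed, demonstration only).
    Returns (public, private) as (n, e) and (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest(value: int, n: int) -> int:
    """SHA-256 of the random number, reduced into the key's modulus."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n


class MaintenanceTool:
    """The maintenance tool end: the only party holding the private key."""

    def __init__(self, private_key):
        self.n, self.d = private_key

    def answer_challenge(self, ciphertext: int) -> int:
        random_number = pow(ciphertext, self.d, self.n)            # decrypt the random number
        return pow(_digest(random_number, self.n), self.d, self.n)  # sign its digest


class ControlService:
    """The management and control service: knows the tool's registered public key."""

    def __init__(self, registered_public_key):
        self.n, self.e = registered_public_key

    def authenticate(self, tool: MaintenanceTool) -> str:
        random_number = secrets.randbits(64)                      # fresh per attempt
        ciphertext = pow(random_number, self.e, self.n)           # encrypt under tool public key
        signature = tool.answer_challenge(ciphertext)             # exchanged over the TCP connection
        verified = pow(signature, self.e, self.n) == _digest(random_number, self.n)
        return "permit maintenance" if verified else "prohibit maintenance"


# Constructed keys: Mersenne primes keep the numbers small and the demo offline.
REGISTERED_PUB, REGISTERED_PRIV = make_keypair(2**61 - 1, 2**31 - 1)
OTHER_PUB, OTHER_PRIV = make_keypair(2**89 - 1, 2**61 - 1)


def demo() -> dict:
    """Authenticate the registered tool and a tool holding some other private key."""
    service = ControlService(REGISTERED_PUB)
    return {
        "registered_tool": service.authenticate(MaintenanceTool(REGISTERED_PRIV)),
        "unregistered_tool": service.authenticate(MaintenanceTool(OTHER_PRIV)),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

A tool that does not hold the private key matching the registered public key cannot recover the random number, so its signature does not verify and the fed-back result is prohibition of maintenance; only the registered tool reaches the permission state that step S30 then records.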
S40, when the maintenance tool is in a permission state, maintaining the permission state of the maintenance tool in real time, and monitoring the record state and the maintenance authority state of the maintenance behavior of the maintenance tool in real time;
specifically, the real-time maintenance of the permission state of the maintenance tool may be that permission-state maintenance data packets are exchanged with the maintenance tool in real time. The permission-state maintenance data packet is sent to the maintenance tool to keep the secure TCP connection alive continuously, and it is continuously detected whether the secure TCP connection has been disconnected.
Correspondingly, when the maintenance permission state of the maintenance tool is in the permission state, the step of maintaining the permission state of the maintenance tool in real time specifically includes:
when the maintenance permission state of the maintenance tool is in the permission state, recording data of a maintenance data packet which is mutually transmitted with the maintenance tool in the permission state is acquired in real time so as to maintain the maintenance tool in the permission state.
S50, judging whether the maintenance tool meets the control condition in real time according to the maintenance permission state, the recording state of the maintenance behavior and the maintenance authority state;
when the maintenance tool does not meet the control condition, closing the communication channel between the maintenance tool and the terminal equipment; that is, the process returns to step S10.
The maintenance tool is in the state of not meeting the control condition when any of the following holds:
maintaining the permission state of the maintenance tool fails; or
the maintenance authority state is an override state; or
the recording state is the unavailable state.
Correspondingly, the step S50 specifically includes:
S501, judging whether the maintenance tool is successfully maintained in the permission state according to the maintenance permission state;
S502, judging whether the maintenance authority state of the maintenance tool is an override state according to the maintenance behavior and the authority data;
S503, judging whether the recording state of the maintenance behavior of the maintenance tool is an unavailable state according to the storage condition of the maintenance behavior.
In this embodiment, the step S501, the step S502, and the step S503 may occur simultaneously or may occur sequentially.
Whenever any one of these step conditions is not satisfied, the process returns to step S10.
In other embodiments, only one item may exist in the step S501, the step S502, and the step S503.
In this embodiment, the step S501 may specifically include:
S5011, within the period, acquiring the record data of the permission-state maintenance data packets exchanged with the maintenance tool, so as to determine the state of that exchange;
S5012, judging whether the record data contains an interruption record of the permission-state maintenance data packets exchanged with the maintenance tool.
In this embodiment, the record data of the permission-state maintenance data packets exchanged with the maintenance tool indicates the result of detecting the secure TCP connection; the presence of an interruption record indicates that the secure TCP connection was detected as disconnected, in which case the fed-back result of continuously maintaining the permission state is failure. When no such interruption record exists, the fed-back result is success.
In this embodiment, the step S502 specifically includes:
S5021, respectively generating an authority access list and an actual access list according to the authority data and the maintenance behavior;
in this embodiment, the actual access list may be an IP address list of a terminal device actually accessed by the maintenance tool end, and the permission access list may be an IP address list of a terminal device that the maintenance tool end has permission to access.
S5022, judging whether the number of times the permission access list is an empty set within the preset period is larger than M1; or
the permission access list being an empty set means that the permission access list has not been acquired;
S5023, judging whether the number of times the actual access list is an empty set within the preset period is larger than M2; or
the actual access list being an empty set means that the actual access list has not been acquired;
S5024, judging whether the difference set between the authority access list and the actual access list is an empty set.
The difference set between the authority access list and the actual access list not being an empty set means that the actual access list contains a group of IP addresses of accessed terminals that do not exist in the authority access list.
Specifically, M1 and M2 may be equal to 2.
Correspondingly, the maintenance authority state is an override state when any of the following holds:
the number of times the authority access list is an empty set is greater than M1; or
the number of times the actual access list is an empty set is greater than M2; or
the difference set between the authority access list and the actual access list is an empty set.
In this embodiment, the step S5022, the step S5023 and the step S5024 may occur simultaneously or may occur sequentially.
Whenever any one of these step conditions is not satisfied, the process returns to step S10.
In other embodiments, only one item may exist in the step S5022, the step S5023 and the step S5024.
In this embodiment, the step S503 specifically includes the following steps:
S5031, recording the maintenance behavior as stored data;
in this embodiment, the stored data may be the value of a maintenance-behavior capture state;
in other implementations, the stored data may also be video data of the maintenance behavior;
S5032, judging whether the stored data is an empty set; or
the stored data being empty means that the value of the maintenance-behavior capture state indicates that the maintenance behavior data is not currently being acquired and recorded;
or, the stored data being empty means that no video data of the maintenance behavior exists.
S5033, judging whether the number of times the stored data is empty within a preset period is larger than M3.
In this embodiment, M3 may be equal to 2.
Correspondingly, the recording state is the unavailable state when any of the following holds:
the stored data is an empty set; or
within a preset period, the number of times the stored data is an empty set is larger than M3.
In this embodiment, the step S5032 and the step S5033 may occur simultaneously or sequentially.
Whenever any one of these step conditions is not satisfied, the process returns to step S10.
In other embodiments, only one item may exist in the step S5032 and the step S5033.
In an embodiment, the step S10 may specifically include:
connecting the maintenance tool and the terminal equipment respectively to different, mutually isolated virtual local area networks.
In another embodiment, the step S10 may specifically include:
removing the address data of the maintenance tool that does not meet the control requirement from the whitelist addresses.
In yet another embodiment, the step S10 may specifically include:
connecting the maintenance tool and the terminal equipment respectively to different, mutually isolated virtual local area networks, and
removing the address data of the maintenance tool that does not meet the control requirement from the whitelist addresses.
Second embodiment
Based on the intelligent monitoring method 100 for maintenance activities provided in the first embodiment of the present invention, the second embodiment of the present invention proposes another intelligent monitoring method 200 for maintenance activities, wherein steps S10 to S50 are the same as those in the first embodiment, and are not described in detail herein, and the difference is that:
prior to the step S10, the method 200 further includes:
S11, initializing application data of the maintenance tool to provide a stable network address for the maintenance tool;
specifically, the data exchange function is turned off;
acquiring subnet mask data, an authentication service IP address and an authentication service port number from a local storage medium;
judging whether the IP address and the subnet mask of the network adapter executing the authentication service are respectively the same as the IP address and the subnet mask of the authentication service in a local storage medium;
if the network addresses are different, setting the network addresses of the network adapters executing the authentication service, wherein the network addresses comprise the authentication service IP addresses and the subnet masks.
In this step of the embodiment, it is determined whether the IP address and the subnet mask of the network adapter executing the authentication service are respectively the same as the authentication service IP address and the subnet mask in the local storage medium;
if they differ, the network address of the network adapter executing the authentication service is set, including the authentication service IP address, the authentication service port number and the subnet mask, so as to ensure that a stable authentication service network address is provided to the maintenance tool.
Between the step S10 and the step S20, the method further includes:
S21, the maintenance tool periodically receives application data from the link layer.
Specifically, a link layer application data message is transmitted to the maintenance tool continuously and periodically:
the application data is digitally signed using the private key;
the application data is packaged together with the digital signature;
the application data with the digital signature is encapsulated into a custom organizationally specific Optional TLV under the IEEE 802.3 organization, with TLV type 127;
the TLV is written into the LLDP link layer data broadcast frame of the interface connected to the maintenance tool;
the interface connected to the maintenance tool is started so that it periodically and continuously sends the LLDP link layer data broadcast message;
the application data includes at least: the authentication service IP address, the authentication service port number, the IP address that the maintenance tool network adapter should configure, and the subnet mask.
In this step of the embodiment, because the application data is encapsulated together with a digital signature, the maintenance tool can check the digital signature after receiving the data, so as to ensure that the interface it is connected to is the correct one;
the LLDP message of the interface connected to the maintenance tool is sent to the maintenance tool continuously, so that the maintenance tool is guaranteed to obtain the relevant application data quickly, repeated authentication work caused by incorrect application data is avoided, and maintenance efficiency and user experience are effectively improved.
Third embodiment
Based on the intelligent monitoring method 100 for maintenance activities provided in the first embodiment of the present invention, another intelligent monitoring method 300 for maintenance activities is provided in the third embodiment of the present invention, and the steps S10 to S50 are the same as those in the first embodiment, and are not described in detail herein, and the difference is that:
between the step S10 and the step S20, the method 300 further includes:
S22, acquiring application initialization data of the maintenance tool through the link layer.
Specifically, whether the maintenance tool is present is detected and judged: if the interface connected to the maintenance tool changes from the non-powered, unavailable state to the powered, available state, the maintenance tool is present;
the link layer LLDP message sent by the maintenance tool is acquired;
the Optional TLV with TLV type 127 is extracted;
the application initialization data is extracted, which comprises at least: the authentication server IP address and the subnet mask;
it is judged whether the IP address and the subnet mask of the network adapter executing the authentication service are respectively the same as the authentication service IP address and the subnet mask acquired from the current LLDP message;
if they differ, the network address of the network adapter executing the authentication service is set to the authentication server IP address and the subnet mask.
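The link-layer exchange of the second and third embodiments hinges on packing signed application data into an LLDP organizationally specific TLV (type 127) and checking it on receipt. The Python below is an added example, not the patent's code: the OUI, the subtype, the address values and the HMAC used in place of the private-key digital signature are constructed assumptions, and the TLV header follows the LLDP layout of a 7-bit type followed by a 9-bit length.

```python
import hashlib
import hmac
import ipaddress
import struct

TLV_TYPE_ORG_SPECIFIC = 127
OUI = bytes.fromhex("00120f")            # IEEE 802.3 OUI, the organization the description names
SUBTYPE = 0x01                           # constructed subtype for the maintenance application data
SIGNING_KEY = b"constructed-demo-key"    # HMAC stands in for the private-key signature
SIG_LEN = 32
APP_STRUCT = struct.Struct("!4sH4s4s")   # auth IP, auth port, tool IP, subnet mask


def sign(payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()


def build_tlv(auth_ip: str, auth_port: int, tool_ip: str, netmask: str) -> bytes:
    """Sending side (S21): pack the application data, sign it, wrap it in a type-127 TLV."""
    payload = APP_STRUCT.pack(ipaddress.IPv4Address(auth_ip).packed, auth_port,
                              ipaddress.IPv4Address(tool_ip).packed,
                              ipaddress.IPv4Address(netmask).packed)
    value = OUI + bytes([SUBTYPE]) + payload + sign(payload)
    header = (TLV_TYPE_ORG_SPECIFIC << 9) | len(value)   # 7-bit type, 9-bit length
    return struct.pack("!H", header) + value


def parse_tlv(tlv: bytes):
    """Receiving side (S22): return the application data, or None if the TLV is not
    ours, is truncated, or its signature does not verify."""
    if len(tlv) < 2:
        return None
    header = struct.unpack("!H", tlv[:2])[0]
    tlv_type, length = header >> 9, header & 0x1FF
    value = tlv[2:2 + length]
    if (tlv_type != TLV_TYPE_ORG_SPECIFIC
            or len(value) != length                       # truncated frame
            or len(value) != 4 + APP_STRUCT.size + SIG_LEN
            or value[:3] != OUI or value[3] != SUBTYPE):
        return None
    payload, signature = value[4:4 + APP_STRUCT.size], value[4 + APP_STRUCT.size:]
    if not hmac.compare_digest(sign(payload), signature):
        return None                                       # tampered or foreign sender
    auth_ip, auth_port, tool_ip, mask = APP_STRUCT.unpack(payload)
    return {"auth_ip": str(ipaddress.IPv4Address(auth_ip)), "auth_port": auth_port,
            "tool_ip": str(ipaddress.IPv4Address(tool_ip)),
            "netmask": str(ipaddress.IPv4Address(mask))}


def adapter_needs_update(current_ip: str, current_mask: str, app: dict) -> bool:
    """The comparison step of both embodiments: reconfigure only when the adapter's
    address or mask differs from the authentication service address received."""
    return (current_ip, current_mask) != (app["auth_ip"], app["netmask"])


if __name__ == "__main__":
    # Constructed addresses for a local demo run.
    frame_tlv = build_tlv("192.168.100.1", 5000, "192.168.100.2", "255.255.255.0")
    received = parse_tlv(frame_tlv)
    print(received, adapter_needs_update("192.168.1.10", "255.255.255.0", received))
```

The receiver rejects a TLV whose announced length does not match the bytes present, whose OUI or subtype is not the expected one, or whose signature fails, and only then compares the carried address with its adapter; a single flipped byte in the payload is enough for the signature check to discard the frame.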
In this embodiment, by controlling the maintenance permission, the maintenance authority and the maintenance behavior of the maintenance tool, the security and the strength of intelligent control over maintenance behavior are improved. Overall control of the terminal equipment in the core network within the authority range can thus be achieved only by a maintenance tool that successfully passes identity authentication, successfully acquires maintenance permission, successfully and continuously maintains that permission, accesses only terminal equipment within the authority range, and whose maintenance behavior can be normally captured; the maintenance management cost is effectively reduced, and the security of the core network is improved.
Referring to fig. 5, the present invention also provides an intelligent monitoring device for maintenance behavior, where the intelligent monitoring device includes a tool interface connected to a maintenance tool, a network interface connected to a terminal device, a memory, a processor, and a computer program stored in the memory, where the computer program implements the steps of the intelligent monitoring method for maintenance behavior when executed by the processor.
It can be understood that in this embodiment, the tool interface is a reserved interface connected to the maintenance tool, and the network interface is a reserved interface connected to the core network.
The invention also provides a computer readable storage medium, on which a computer program is stored, which computer program, when being executed by a processor, implements the steps of the intelligent monitoring method of maintenance behavior.
The foregoing description is only of the preferred embodiments of the present invention, and is not intended to limit the scope of the invention, but rather is intended to cover any equivalents of the structures or equivalent processes disclosed herein or in the alternative, which may be employed directly or indirectly in other related arts.