
CN109101811B - Operation, maintenance and audit method of controllable Oracle session based on SSH tunnel - Google Patents


Info

Publication number: CN109101811B
Application number: CN201810908751.1A
Authority: CN (China)
Prior art keywords: maintenance, oracle, ssh, agent module, user
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109101811A
Inventors: 郑学新, 王继洪, 范渊, 吴永越, 刘韬
Current assignee: Chengdu DBAPPSecurity Co Ltd
Original assignee: Chengdu DBAPPSecurity Co Ltd
Application filed by Chengdu DBAPPSecurity Co Ltd; priority to CN201810908751.1A; published as CN109101811A; application granted and published as CN109101811B; status: Active.

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/42 User authentication using separate channels for security data
    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q40/00 Finance; Insurance; Tax strategies; Processing of corporate or income taxes
    • G06Q40/12 Accounting


Abstract

The invention discloses an operation, maintenance and auditing method for a controllable Oracle session based on an SSH tunnel. A user initiates an authenticated connection request to the operation, maintenance and auditing system through a client that supports SSH tunnel mode; the SSH protocol proxy module takes the header data of the SSH data packet to authenticate the user and passes the remaining data to the Oracle protocol proxy module for processing; the Oracle proxy module connects to the target asset and to the user, completing bidirectional authentication between the user and the operation, maintenance and auditing system and between that system and the target asset, after which the system starts working. The invention solves the problem that traditional operation, maintenance and auditing systems do not support auditing an Oracle database in SSH tunnel mode, and at the same time gives users a session-controllable experience: because the data flows through the operation, maintenance and auditing system, the system can be inserted directly into the Oracle session, and an administrator can exercise control over the session, such as session blocking, command approval and permission control.

Description

Operation, maintenance and audit method of controllable Oracle session based on SSH tunnel
Technical Field
The invention relates to the technical field of databases, in particular to an operation, maintenance and auditing method of a controllable Oracle session based on an SSH tunnel.
Background
With the continuous development of operation and maintenance auditing technology, the operation, maintenance and auditing of databases receive more and more attention. Database contents are sensitive data, so the access security of the database is particularly important. The operation, maintenance and audit system stores user information, Oracle database information and the authorization information granting users access to the Oracle database. Thus, three authentications are required for each access to the Oracle database: user authentication, which restricts access to the database to particular users; authorization authentication, which restricts a particular user to particular databases; and Oracle database account authentication, which ensures that the access is carried out with the correct Oracle database account. However, each time a user accesses the Oracle database, the user first needs to log in to the operation and maintenance and audit system, which increases the complexity of operation and maintenance.
The patent with application number CN201710236691.9 provides an Oracle database access method for an operation and maintenance auditing system, in which configuration files generated by the operation and maintenance auditing system are downloaded to the client configuration directory and the login is selected from the client; it solves the prior-art problem that the operation and maintenance auditing system must be logged in to whenever the Oracle database is accessed. However, it does not support the operation and maintenance auditing system taking the data of an SSH tunnel for operation and maintenance auditing.
The patent with application number CN201710373310.1 proposes a method for automatically discovering cluster resources, which can discover database cluster resources automatically from information such as a server IP address; the problem it solves is authentication to the Oracle database, which is unrelated to authentication by the operation and maintenance auditing system.
The existing Oracle database operation and maintenance mode of the traditional operation and maintenance and audit system does not support SSH tunnel mode: the traditional database operation and maintenance mode is audited by bypass packet capture, there is no way to capture Oracle data inside an SSH tunnel, and at the same time the session cannot be controlled, since data can only be captured passively. Traditional bypass packet-capture auditing snoops the data packets transmitted over the network while the user is connected to the Oracle server and performs the audit work on the snooped data, so no user authentication can be performed: when the current user connects to the target asset, no user authentication takes place, and the system cannot intervene in the user's connection to exercise session control.
Disclosure of Invention
The invention aims to provide an operation, maintenance and auditing method for a controllable Oracle session based on an SSH tunnel. By integrating an SSH tunnel module into the operation, maintenance and auditing system, the connection request between the user and the system is received and authenticated by an SSH protocol proxy module, and the Oracle data in the SSH tunnel is handed to an Oracle protocol agent module. After the Oracle protocol agent module has authenticated, it serves as the intermediary between the client and the operation and maintenance and audit system and between that system and the target asset, and the operation and maintenance and audit system audits and controls the session content between the client and the target asset.
The invention is realized by the following technical scheme: a user initiates an authentication connection request to an operation and maintenance and auditing system through a client supporting an SSH tunnel mode, an SSH protocol agent module takes head data in an SSH data packet to perform user authentication and delivers the remaining data to the Oracle protocol agent module to be processed, the Oracle agent module is connected with a target asset and the user to complete bidirectional authentication between the user, the operation and maintenance and auditing system and between the operation and maintenance and auditing system and the target asset, and the operation and maintenance and auditing system starts to work.
Further, in order to better implement the invention, the method specifically comprises the following steps:
step F1: a user initiates a connection request to an operation and maintenance auditing system by using a client supporting an SSH tunnel mode;
step F2: the SSH protocol agent module receives an SSH data packet from a client, and then takes the head data content in the SSH data packet to perform authentication of a user and an operation, maintenance and auditing system;
step F3: after the user authentication is successful, the SSH protocol agent module sends the residual data content in the SSH data packet to the Oracle protocol agent module for processing;
step F4: a user initiates an authentication request to a target asset through an Oracle protocol agent module;
step F5: after the authentication is successful, the Oracle protocol agent module is connected with the target asset;
step F6: the Oracle protocol agent module connects to the Client, completing both the connection between the Client and the operation and maintenance and auditing system and the connection between the operation and maintenance and auditing system and the target asset, and the operation and maintenance and auditing system starts to work.
Further, in order to better implement the present invention, the step F1 specifically includes the following steps:
step F11: a user prepares a client that supports SSH tunnel mode;
step F12: the user fills in, on the client's connection tab, the connection information used in a direct-connection environment;
step F13: the user fills in the account login information of the operation, maintenance and audit system and the listening port of the operation, maintenance and audit system on the client's SSH tunnel tab.
Further, in order to better implement the present invention, the step F2 specifically includes the following steps:
step F21: the SSH protocol proxy module receives the SSH data packet, encapsulated in the SSH tunnel, that the user sends through the client;
step F22: the SSH protocol agent module parses the information about the login account and password of the operation, maintenance and auditing system in the SSH data packet and extracts the login information;
step F23: the SSH protocol agent module sends the login information to the service layer of the operation and maintenance and audit system for authentication, and judges from the returned result whether the user may access the operation and maintenance and audit system;
step F24: if the authentication succeeds, step F31 is executed; if the authentication fails, the client connection is disconnected and the session task ends.
Further, in order to better implement the present invention, the step F3 specifically includes the following steps:
step F31: after the user authentication succeeds, the SSH protocol agent module parses the data remaining in the SSH data packet;
step F32: the SSH protocol agent module sends the data remaining in the SSH data packet to the Oracle protocol agent module.
Further, in order to better implement the present invention, the step F4 specifically includes the following steps:
step F41: the Oracle protocol agent module receives the data from the SSH protocol agent module;
step F42: the Oracle protocol agent module parses the data content again according to its own protocol rules;
step F43: after parsing, the Oracle protocol agent module takes the user name and related connection information for the target asset, together with the login information of the operation, maintenance and auditing system passed on by the SSH protocol agent module, and initiates an authentication request for connecting to the target asset to the service layer of the operation, maintenance and auditing system;
step F44: the service layer verifies, through the asset table recorded by the administrator, whether the user is authorized to connect to the target asset;
step F45: if the authentication succeeds, step F51 is executed; if the authentication fails, the client connection is disconnected and the session task ends.
Further, in order to better implement the present invention, the step F5 specifically includes the following steps:
step F51: after the Oracle protocol agent module is successfully authenticated, the service layer sends an account, a password and a control information field to the Oracle protocol agent module, instructing it to connect to the target asset;
step F52: the Oracle protocol agent module, as instructed by the service layer, initiates a connection request to the target asset carrying the remaining Oracle data parsed from the SSH data packet;
step F53: the target asset authenticates the connection request of the Oracle protocol proxy module; if the authentication succeeds, step F61 is executed; if the authentication fails, the client connection is disconnected and the session task ends.
Further, in order to better implement the present invention, the step F6 specifically includes the following steps:
step F61: after the Oracle protocol agent module is successfully authenticated, it initiates an authentication request to the user; if the authentication succeeds, go to step F62; if the authentication fails, the Client connection is disconnected and the session task ends;
step F62: after the Oracle protocol agent module has successfully authenticated the user, the operation, maintenance and audit system confirms the connection between the user and the target asset and starts working;
step F63: the operation, maintenance and audit system audits and judges the data sent by the user, and if the data do not meet the security policy and permission requirements set by the administrator, the system prevents the data from being sent to the target asset;
step F64: the administrator can intervene in the operation, maintenance and auditing system at any time, inspect the connection between the user and the target asset through the Oracle protocol agent module, block or control the session, and cut off the connection between the user and the target asset when necessary.
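As an added illustration (not code from the patent or from DBAPPSecurity), the following Python models the decision chain of steps F2 to F6 over constructed inputs: the login taken from the SSH header is checked against a bastion account store, the target host and SERVICE_NAME are parsed out of the Oracle connect descriptor carried in the tunnelled data, the pair is looked up in an administrator-recorded asset table, and each statement of the established session is then classified as allowed, blocked or held for approval. The account store, asset table, command policy and connect descriptor are all constructed for the example; real SSH packet and TNS parsing, and the actual connection to the target, are outside it.

```python
import hashlib
import hmac
import re

# Constructed bastion account store standing in for the service layer's user records;
# passwords are held as SHA-256 digests only to keep the example self-contained.
BASTION_USERS = {"alice": hashlib.sha256(b"alice-pw").hexdigest()}

# Constructed asset table "recorded by the administrator" (step F44): bastion user ->
# permitted (target host, SERVICE_NAME) pairs and the account the proxy uses to connect.
ASSET_TABLE = {
    "alice": {("db1.example.internal", "orcl"): {"port": 1521, "db_account": "scott"}},
}

# Constructed command policy (steps F63-F64): block outright, or hold for approval.
POLICY = [
    (re.compile(r"^\s*(drop|truncate)\b", re.I), "block"),
    (re.compile(r"^\s*(delete|update)\b(?!.*\bwhere\b)", re.I | re.S), "approve"),
]


def parse_connect_descriptor(desc: str) -> dict:
    """Parse Oracle's nested (KEY=VALUE) connect-descriptor syntax into nested dicts."""
    def node_list(i):
        out = {}
        while desc[i:i + 1] == "(":
            eq = desc.index("=", i)
            key = desc[i + 1:eq].strip().upper()
            i = eq + 1
            if desc[i:i + 1] == "(":
                value, i = node_list(i)
            else:
                close = desc.index(")", i)
                value, i = desc[i:close].strip(), close
            if desc[i:i + 1] != ")":
                raise ValueError("unbalanced descriptor at offset %d" % i)
            out[key] = value
            i += 1
        return out, i

    tree, end = node_list(0)
    if end != len(desc.rstrip()):
        raise ValueError("trailing data after descriptor")
    return tree


def get_path(tree, *keys):
    """Walk a parsed descriptor along `keys`; None if any level is missing."""
    for key in keys:
        if not isinstance(tree, dict) or key not in tree:
            return None
        tree = tree[key]
    return tree


def authenticate_bastion(account: str, password: str) -> bool:
    """Steps F22-F24: check the login taken from the SSH header against the bastion store."""
    stored = BASTION_USERS.get(account)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.sha256(password.encode()).hexdigest())


def authorize_asset(account: str, descriptor: str):
    """Steps F43-F45: take target host and SERVICE_NAME from the Oracle connect data
    and look the pair up in the asset table. Returns the target record or None."""
    try:
        tree = parse_connect_descriptor(descriptor)
    except ValueError:
        return None
    host = get_path(tree, "DESCRIPTION", "ADDRESS", "HOST")
    service = get_path(tree, "DESCRIPTION", "CONNECT_DATA", "SERVICE_NAME")
    if not isinstance(host, str) or not isinstance(service, str):
        return None
    record = ASSET_TABLE.get(account, {}).get((host.lower(), service.lower()))
    if record is None:
        return None
    return {"host": host.lower(), "service": service.lower(), **record}


def audit_statement(sql: str) -> str:
    """Step F63: return 'allow', 'block' or 'approve' for one statement."""
    for pattern, verdict in POLICY:
        if pattern.search(sql):
            return verdict
    return "allow"


def handle_session(account, password, descriptor, statements):
    """Run the F2..F6 decision chain for one tunnelled session and return its audit trail."""
    trail = {"user": account, "stage": "rejected:ssh-auth", "target": None, "decisions": []}
    if not authenticate_bastion(account, password):
        return trail  # step F24: disconnect the client and end the session task
    target = authorize_asset(account, descriptor)
    if target is None:
        trail["stage"] = "rejected:asset-authorization"  # step F45
        return trail
    # Steps F51-F53 would open the real connection to target["host"]:target["port"] here.
    trail["target"] = "{host}:{port}/{service} as {db_account}".format(**target)
    trail["stage"] = "connected"
    for sql in statements:  # steps F63-F64: each statement passes through the proxy
        trail["decisions"].append((sql, audit_statement(sql)))
    return trail
```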
The working principle is as follows:
(1) The Client initiates a connection request to the operation and maintenance auditing system through an Oracle Client that supports SSH tunnel mode.
(2) The SSH protocol proxy module receives the data packet from the Oracle client, then takes the data content from the packet and performs authentication.
(3) The SSH protocol agent module sends the data packet to the Oracle protocol agent module for processing.
(4) The Client connects to the asset, using the asset information, through the Oracle protocol agent module.
(5) The Oracle protocol agent module requests the operation and maintenance and auditing system to connect to the target asset.
(6) The Oracle protocol agent module completes the connection between the Client and the operation and maintenance and auditing system and the connection between the operation and maintenance and auditing system and the target asset, and the operation and maintenance and auditing system starts to work.
Compared with the prior art, the invention has the following advantages and beneficial effects:
(1) the invention solves the problem that the traditional operation and maintenance and audit system does not support the operation and maintenance and audit of the Oracle database in SSH tunnel mode, and simultaneously provides a system session controllable operation and maintenance and audit experience for users;
(2) the data of the user is transmitted to an Oracle server after operation, maintenance and audit, so that the problem that audit data can only be obtained through a bypass snooping mode in the prior art is solved;
(3) when data flows through the operation and maintenance and auditing system, the system can be directly inserted into an Oracle session, and an administrator can perform certain control on the session, such as session blocking, command approval, authority control and the like.
Drawings
FIG. 1 is a flowchart of the operation of embodiment 1 of the present invention;
FIG. 2 is a flow chart of the operation and maintenance and auditing system of the present invention;
FIG. 3 is a flow chart of the present invention.
Detailed Description
The present invention will be described in further detail with reference to examples, but the embodiments of the present invention are not limited thereto.
Example 1:
the invention is realized by the following technical scheme, as shown in figures 1-3: the user initiates an authentication connection request to an operation and maintenance and auditing system through a client that supports SSH tunnel mode; the SSH protocol agent module takes the header data of the SSH data packet to perform user authentication and sends the rest of the data to the Oracle protocol agent module for processing; the Oracle agent module connects to the target asset and to the user, completing mutual authentication between the user and the operation and maintenance and auditing system and between that system and the target asset; and the operation and maintenance and auditing system starts to work.
It should be noted that, through the above improvement, the SSH tunnel mode is established on a security protocol based on the application layer and the transport layer, a protocol dedicated to providing security for remote login sessions and other network services; the SSH protocol can effectively prevent information leakage during remote management. Conventional network service programs such as ftp, pop and telnet are inherently insecure because they convey passwords and data in the clear over the network, where they are easily intercepted. Moreover, the way these services verify identity is vulnerable to a man-in-the-middle: the man in the middle impersonates the real server to receive the data the client transmits to the server, and then impersonates the client to transmit the data to the real server; once the data transfer between server and client has been handed over to the man in the middle, serious problems arise. By using an SSH tunnel, all transmitted data can be encapsulated and encrypted, so that man-in-the-middle attacks become impossible and DNS spoofing and IP spoofing can be prevented. A further benefit of the SSH protocol is that the transmitted data is encapsulated and compressed, which increases the transmission speed.
The SSH protocol consists essentially of three parts:
1) transport layer protocol
2) User authentication protocol
3) Connection protocol
The invention provides an operation, maintenance and auditing method for a controllable Oracle session based on an SSH tunnel. In the traditional database operation and maintenance method, auditing is carried out by bypass packet capture, and there is no way to capture Oracle data inside an SSH tunnel, so auditing cannot be realized. Furthermore, with bypass packet capture the Oracle session cannot be controlled; data can only be captured passively. The invention mainly solves the problem that the traditional operation and maintenance and audit system does not support the operation and maintenance and audit of the Oracle database in SSH tunnel mode, and at the same time provides users with an operation and maintenance and audit experience in which the Oracle session is controllable.
The invention first integrates an SSH tunnel module into the operation, maintenance and audit system. The SSH protocol agent module receives an SSH data packet from the client; the SSH data packet contains Oracle data and the client's login information for the operation, maintenance and audit system, and the login information includes an account, a password, the listening port of the operation, maintenance and audit system, and so on. The SSH protocol agent module parses the login information for the operation, maintenance and audit system in the SSH data packet and authenticates the user to the system.
After the user authentication succeeds, the SSH protocol agent module parses the remaining data content in the SSH data packet, which is Oracle data. After parsing, the SSH protocol agent module sends the Oracle data to the Oracle protocol agent module for processing, and the Oracle protocol agent module parses the Oracle data sent by the SSH protocol agent module again according to its own protocol rules.
The Oracle protocol agent module takes the user name and related connection information for the target asset from the Oracle data, together with the login information of the operation and maintenance and auditing system passed on by the SSH protocol agent module, and initiates an authentication request for the target asset. The service layer of the operation and maintenance and auditing system authenticates the Oracle protocol agent module according to the Oracle data.
After the Oracle protocol agent module is successfully authenticated, it initiates a connection request to the target asset carrying the Oracle data. If the Oracle protocol agent module connects to the target asset successfully, the operation, maintenance and auditing system is likewise connected to the target asset.
The Oracle protocol agent module then authenticates the user; once the user authentication succeeds, the Oracle protocol agent module is connected to the user, so that the target asset is connected to the user.
The Oracle protocol agent module thus acts as an intermediary ('middle man') that completes the authenticated connection between the user and the operation and maintenance and auditing system and the authenticated connection between the operation and maintenance and auditing system and the target asset.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 2:
the present embodiment is further optimized based on the above embodiments, as shown in fig. 1 to fig. 3, and specifically includes the following steps:
step F1: a user initiates a connection request to an operation and maintenance auditing system by using a client supporting an SSH tunnel mode;
step F2: the SSH protocol agent module receives an SSH data packet from a client, and then takes the head data content in the SSH data packet to perform authentication of a user and an operation, maintenance and auditing system;
step F3: after the user authentication is successful, the SSH protocol agent module sends the residual data content in the SSH data packet to the Oracle protocol agent module for processing;
step F4: a user initiates an authentication request to a target asset through an Oracle protocol agent module;
step F5: after the authentication is successful, the Oracle protocol agent module is connected with the target asset;
step F6: the Oracle protocol agent module connects to the Client, completing both the connection between the Client and the operation and maintenance and auditing system and the connection between the operation and maintenance and auditing system and the target asset, and the operation and maintenance and auditing system starts to work.
It should be noted that, through the above improvement, the invention applies the login mode of the operation and maintenance and audit system within the SSH tunnel mode: the user fills in the login user name and login password, the SSH protocol proxy module performs user authentication, and the data sent by the client is an SSH data packet encapsulated in the SSH tunnel, which contains the login information for the operation and maintenance and audit system and the Oracle data. The SSH protocol agent module receives the SSH data packet from the client, parses the information about the system login in the SSH data packet, and performs connection authentication between the user and the system.
After the user authentication succeeds, the SSH protocol agent module parses the Oracle data in the SSH data packet and sends it to the Oracle protocol agent module for further processing. The Oracle protocol agent module parses the Oracle data again according to its own protocol rules, sends the information about the target asset connection from the parsed Oracle data to the service layer, and initiates an authentication request for the target asset.
The service layer authenticates the Oracle protocol agent module according to the Oracle data; if the authentication succeeds, the Oracle protocol agent module initiates a connection request to the target asset. Once the target asset is connected to the Oracle protocol agent module, the operation, maintenance and auditing system is likewise connected to the target asset. The Oracle protocol agent module then turns back to authenticate the user, and if that authentication succeeds the target asset is connected to the user.
The Oracle protocol agent module thus acts as the 'intermediary' for bidirectional authentication, between the client and the operation, maintenance and audit system on one side and between the operation, maintenance and audit system and the target asset on the other. After the client, the operation and maintenance and audit system and the target asset have all been connected to each other, the operation and maintenance and audit system starts to work: it receives and judges the data packets transmitted by the client, and if a transmitted packet does not comply with the system protocol, the system refuses to transmit it. Meanwhile, because the data flows through the operation and maintenance and auditing system, the system can be directly involved in the Oracle session, so an administrator can exercise control over the session through the system, such as session blocking, command approval and permission control.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 3:
in this embodiment, further optimization is performed on the basis of the above embodiment, as shown in fig. 1 to fig. 3, the step F1 specifically includes the following steps:
step F11: a user prepares a client that supports SSH tunnel mode;
step F12: the user fills in, on the client's connection tab, the connection information used in a direct-connection environment;
step F13: the user fills in the account login information of the operation, maintenance and audit system and the listening port of the operation, maintenance and audit system on the client's SSH tunnel tab.
It should be noted that, with the above improvement, the user initiates a connection request to the operation and maintenance and auditing system through a client that supports SSH tunnel mode. As shown in FIG. 2, the connection tab is filled with the connection information of the direct-connection environment, including the service name, user name, password and so on, so that the traditional user's login habits do not change. The account login information of the operation and maintenance and auditing system (i.e. the bastion host) and the listening port of the operation and maintenance and auditing system are then filled in on the SSH tunnel tab.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 4:
in this embodiment, further optimization is performed on the basis of the above embodiment, as shown in fig. 1 to fig. 3, the step F2 specifically includes the following steps:
step F21: the SSH protocol proxy module receives the SSH data packet, encapsulated in the SSH tunnel, that the user sends through the client;
step F22: the SSH protocol agent module parses the information about the login account and password of the operation, maintenance and auditing system in the SSH data packet and extracts the login information;
step F23: the SSH protocol agent module sends the login information to the service layer of the operation and maintenance and audit system for authentication, and judges from the returned result whether the user may access the operation and maintenance and audit system;
step F24: if the authentication succeeds, step F31 is executed; if the authentication fails, the client connection is disconnected and the session task ends.
It should be noted that, through the above improvement, the user fills in the account login information of the operation and maintenance and audit system and its listening port on the SSH tunnel tab of the client, that is, the user sends an SSH data packet to the SSH protocol proxy module through the client. The SSH data packet received by the SSH protocol proxy module is encapsulated in the SSH tunnel and contains the Oracle data and the login information for the system. The SSH protocol agent module first parses the information about the login account, password and so on of the operation, maintenance and audit system in the SSH data packet from the client, extracts it and sends it to the service layer of the operation, maintenance and audit system for authentication, and judges from the result returned by the service layer whether the user may access the operation, maintenance and audit system. If the authentication succeeds, step F31 is executed; if it fails, the client connection is disconnected and the session task ends.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 5:
In this embodiment, further optimization is performed on the basis of the above embodiment. As shown in fig. 1 to fig. 3, step F3 specifically includes the following steps:
step F31: after the user authentication succeeds, the SSH protocol agent module parses the data remaining in the SSH data packet;
step F32: the SSH protocol agent module sends the data remaining in the SSH data packet to the Oracle protocol agent module.
Step F4 specifically includes the following steps:
step F41: the Oracle protocol agent module receives the data from the SSH protocol agent module;
step F42: the Oracle protocol agent module parses the content of that data again according to its own protocol rules;
step F43: after parsing, the Oracle protocol agent module extracts the user name and related connection information for the target asset, together with the login information for the operation, maintenance and audit system passed on by the SSH protocol agent module, and initiates an authentication request to connect to the target asset to the service layer of the operation, maintenance and audit system;
step F44: the service layer verifies, against the asset table recorded by the administrator, whether the user is authorized to connect to the target asset;
step F45: if the authentication succeeds, step F51 is executed; if it fails, the client connection is disconnected and the session task ends.
It should be noted that, through the above improvement, after the user authentication succeeds, the SSH protocol agent module parses the Oracle data remaining in the SSH data packet and sends it to the Oracle protocol agent module, which parses the content of the Oracle data again according to its own protocol rules.
After parsing the Oracle data, the Oracle protocol agent module extracts the user name used on the operation, maintenance and audit system for connecting to the target asset, other related connection information, and the login information with which the SSH protocol agent module authenticated to the operation, maintenance and audit system, and initiates an authentication request for the target asset to the service layer of the operation, maintenance and audit system.
The service layer verifies whether the user has the right to access the target asset, using the information extracted by the Oracle protocol agent module and the asset information entered into the service layer by the administrator in advance. If the authentication succeeds, step F51 is executed; if it fails, the client connection is disconnected and the session task ends.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 6:
In this embodiment, further optimization is performed on the basis of the above embodiment. As shown in fig. 1 to fig. 3, step F5 specifically includes the following steps:
step F51: after the Oracle protocol agent module has authenticated successfully, the service layer sends an account, a password and a control information field to the Oracle protocol agent module, instructing it to connect to the target asset;
step F52: following the service layer's instruction, the Oracle protocol agent module initiates a connection request to the target asset, carrying the Oracle data remaining in the parsed SSH data packet;
step F53: the target asset authenticates the connection request of the Oracle protocol agent module; if the authentication succeeds, step F61 is executed; if it fails, the client connection is disconnected and the session task ends.
It should be noted that, through the above improvement, after the authentication succeeds, the Oracle protocol agent module receives asset information from the service layer, including the connection account, password and control information field for the target asset; through this information the service layer controls how the Oracle protocol agent module connects to the target asset. The Oracle protocol agent module initiates a connection request to the target asset carrying the Oracle data remaining in the parsed SSH data packet. If the connection succeeds, the operation, maintenance and audit system is also connected to the target asset, and at this point the Oracle protocol agent module acts as a 'middle man' that authenticates the connection between the operation, maintenance and audit system and the target asset; if the connection fails, the client connection is disconnected and the session ends.
The Oracle protocol agent module connects to the target asset in one of several ways, for example a direct TCP connection or an SSL-encrypted channel.
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
Example 7:
In this embodiment, further optimization is performed on the basis of the above embodiment. As shown in fig. 1 to fig. 3, step F6 specifically includes the following steps:
step F61: after the Oracle protocol agent module has authenticated successfully, it initiates an authentication request to the user; if the authentication succeeds, step F62 is executed; if it fails, the client connection is disconnected and the session task ends;
step F62: after the Oracle protocol agent module has authenticated the user successfully, the operation, maintenance and audit system confirms the connection between the user and the target asset and starts working;
step F63: the operation, maintenance and audit system audits and judges the data sent by the user, and if the data does not meet the security policy and permission requirements set by the administrator, the operation, maintenance and audit system prevents it from being sent to the target asset;
step F64: the administrator can intervene in the operation, maintenance and audit system at any time, inspect the connection between the user and the target asset through the Oracle protocol agent module, block or control the session, and cut off the connection between the user and the target asset when necessary.
It should be noted that, through the above improvement, once the target asset and the operation, maintenance and audit system are connected, the Oracle protocol agent module re-authenticates the user using the connection account, password, control information field and related data for the target asset in the asset information, so that a data path between the trusted client and the target asset is established only after authentication passes. Because the Oracle protocol agent module does not operate on an open-source protocol specification, the authentication data it sends to the target asset takes the packet originally sent by the client as its template; the authentication information is replaced and recomputed before being sent to the target asset, which is why the target asset requires the Oracle protocol agent module to authenticate the user again. If the authentication succeeds, the operation, maintenance and audit system confirms the connection relationship between the client and the target asset, and operation, maintenance and audit work begins; if it fails, the client connection is disconnected and the session task ends.
During operation, maintenance and audit work, the operation, maintenance and audit system audits and judges the data sent by the client to the target asset, and if the data does not meet the security policy and permission requirements specified by the administrator, the system prevents it from being sent to the target asset. At the same time, the administrator can intervene in the operation, maintenance and audit system and, when necessary, cut off the connection between the Oracle protocol agent module and the operation, maintenance and audit system.
As the 'middle man' between the client and the target asset, the operation, maintenance and audit system can obtain the data packets of both sides at the same time, audits and judges the client's packets in particular, and can prevent some of them from being sent to the target asset. It can control the entire content of the connection according to its own protocol, and the administrator can intervene in the operation, maintenance and audit system to inspect the connection between the user and the asset through the Oracle protocol agent module, block or control the session, and cut off the connection between the user and the target asset when necessary.
The Oracle protocol agent module thus acts as the 'middle man' between the client and the operation, maintenance and audit system, and between the operation, maintenance and audit system and the target asset, performing mutual authentication in both directions. In this way the operation, maintenance and audit system can effectively monitor and control the client while it works.
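A compact model of the whole F2 to F6 flow of Examples 4 to 7, added here as an illustration and not code from the patent: the service layer, asset table and target asset are simplified to dictionaries, and every account, host, packet and deny pattern is a constructed placeholder. It shows where each failure path disconnects the client, how a statement that violates the administrator's policy is blocked before it reaches the target, and how an administrator cut ends the session.

```python
import re
from dataclasses import dataclass, field

@dataclass
class ServiceLayer:
    """Service layer of the operation, maintenance and audit system (constructed model)."""
    bastion_users: dict  # bastion login account -> password
    asset_table: dict    # (bastion user, target host) -> (db account, db password) the bastion uses
    deny_patterns: list  # administrator's security policy, as regexes over statements

    def authenticate(self, account, password):   # F23
        return self.bastion_users.get(account) == password

    def authorize(self, user, host):             # F44: asset table recorded by the administrator
        return self.asset_table.get((user, host))

    def audit(self, statement):                  # F63: True if the statement may pass
        return not any(re.search(p, statement, re.I) for p in self.deny_patterns)

@dataclass
class BastionSession:
    service: ServiceLayer
    targets: dict        # host -> {db account: password}; stands in for the target assets
    state: str = "new"
    user: str = ""
    log: list = field(default_factory=list)

    def end(self, reason):                       # every failure path disconnects the client
        self.state = "ended"
        self.log.append(reason)
        return self.state

    def handle_ssh_packet(self, packet):
        """F2/F3: authenticate from the SSH header data, then hand the rest to the Oracle agent."""
        head = packet["ssh_head"]
        if not self.service.authenticate(head["account"], head["password"]):
            return self.end("bastion login rejected")
        self.user = head["account"]
        return self.handle_oracle_data(packet["oracle"])

    def handle_oracle_data(self, oracle):
        """F4-F6: check the asset table, connect with the service layer's credentials, re-authenticate."""
        record = self.service.authorize(self.user, oracle["host"])      # F44
        if record is None:
            return self.end("user not authorized for target asset")
        db_account, db_password = record                                # F51: sent by the service layer
        if self.targets.get(oracle["host"], {}).get(db_account) != db_password:   # F52, F53
            return self.end("target asset rejected proxy connection")
        if oracle["db_user"] != db_account:                             # F61: user re-authentication
            return self.end("user re-authentication failed")
        self.state = "working"                                          # F62
        return self.state

    def forward(self, statement):
        """F63: audit every statement; a blocked statement never reaches the target."""
        if self.state != "working":
            return "not connected"
        if not self.service.audit(statement):
            self.log.append("blocked: " + statement)
            return "blocked"
        return "forwarded"

    def admin_cut(self):                         # F64
        return self.end("cut by administrator")

def demo():
    """Run the flow on constructed sample data and return the observed outcomes."""
    service = ServiceLayer({"alice": "bastion-pw"},
                           {("alice", "db1.example"): ("app", "db-pw")},
                           [r"\bdrop\b", r"\btruncate\b"])
    targets = {"db1.example": {"app": "db-pw"}}
    packet = {"ssh_head": {"account": "alice", "password": "bastion-pw"},
              "oracle": {"host": "db1.example", "db_user": "app"}}
    bad = dict(packet, ssh_head={"account": "alice", "password": "wrong"})
    good = BastionSession(service, targets)
    return {"bad_login": BastionSession(service, targets).handle_ssh_packet(bad),
            "good_login": good.handle_ssh_packet(packet),
            "select": good.forward("SELECT * FROM orders"),
            "drop": good.forward("DROP TABLE orders"),
            "after_cut": (good.admin_cut(), good.forward("SELECT 1"))}
```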
Other parts of this embodiment are the same as those of the above embodiment, and thus are not described again.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention in any way; all simple modifications and equivalent variations of the above embodiments made in accordance with the technical spirit of the present invention fall within the scope of the present invention.

Claims (8)

1. A method for operation, maintenance and audit of a controllable Oracle session based on an SSH tunnel, characterized in that:
a user initiates an authentication connection request to an operation, maintenance and audit system through a client supporting an SSH tunnel mode;
an SSH protocol agent module takes the header data in an SSH data packet to perform user authentication: it receives the SSH data packet sent by the user through the client and encapsulated in the SSH tunnel, takes the header data content of the SSH data packet to authenticate the user to the operation, maintenance and audit system, parses the login account and password for the operation, maintenance and audit system out of the SSH data packet, extracts that login information, sends it to a service layer of the operation, maintenance and audit system for authentication, and decides from the returned result whether the user may access the operation, maintenance and audit system;
the remaining data is delivered to an Oracle protocol agent module for processing; the Oracle protocol agent module connects to the target asset and to the user, completing mutual authentication between the user and the operation, maintenance and audit system and between the operation, maintenance and audit system and the target asset, and the operation, maintenance and audit system starts working.
2. The operation, maintenance and audit method of a controllable Oracle session based on an SSH tunnel according to claim 1, characterized in that the method specifically comprises the following steps:
step F1: a user initiates a connection request to the operation, maintenance and audit system using a client supporting an SSH tunnel mode;
step F2: the SSH protocol agent module receives an SSH data packet from the client, then takes the header data content of the SSH data packet to authenticate the user to the operation, maintenance and audit system;
step F3: after the user authentication succeeds, the SSH protocol agent module sends the remaining data content of the SSH data packet to the Oracle protocol agent module for processing;
step F4: the user initiates an authentication request to the target asset through the Oracle protocol agent module;
step F5: after the authentication succeeds, the Oracle protocol agent module connects to the target asset;
step F6: the Oracle protocol agent module connects to the client, so that the connection between the client and the operation, maintenance and audit system and the connection between the operation, maintenance and audit system and the target asset are both completed, and the operation, maintenance and audit system starts working.
3. The operation, maintenance and audit method of a controllable Oracle session based on an SSH tunnel according to claim 2, characterized in that step F1 specifically comprises the following steps:
step F11: the user sets up a client supporting an SSH tunnel mode;
step F12: the user fills in the connection information for a direct-connection environment in the connection tab of the client;
step F13: the user fills in the account login information of the operation, maintenance and audit system and the listening port of the operation, maintenance and audit system in the SSH tunnel tab of the client.
4. The operation, maintenance and audit method of a controllable Oracle session based on an SSH tunnel according to claim 3, characterized in that step F2 further comprises:
if the authentication succeeds, executing step F31; if the authentication fails, disconnecting the client connection and ending the session task.
5. The operation, maintenance and audit method of a controllable Oracle session based on an SSH tunnel according to claim 4, characterized in that step F3 specifically comprises the following steps:
step F31: after the user authentication succeeds, the SSH protocol agent module parses the data remaining in the SSH data packet;
step F32: the SSH protocol agent module sends the data remaining in the SSH data packet to the Oracle protocol agent module.
6. The operation, maintenance and audit method of a controllable Oracle session based on an SSH tunnel according to claim 5, characterized in that step F4 specifically comprises the following steps:
step F41: the Oracle protocol agent module receives the data from the SSH protocol agent module;
step F42: the Oracle protocol agent module parses the content of that data again according to its own protocol rules;
step F43: after parsing, the Oracle protocol agent module extracts the user name and related connection information for the target asset, together with the login information for the operation, maintenance and audit system passed on by the SSH protocol agent module, and initiates an authentication request to connect to the target asset to the service layer of the operation, maintenance and audit system;
step F44: the service layer verifies, against the asset table recorded by the administrator, whether the user is authorized to connect to the target asset;
step F45: if the authentication succeeds, executing step F51; if the authentication fails, disconnecting the client connection and ending the session task.
7. The operation, maintenance and audit method of a controllable Oracle session based on an SSH tunnel according to claim 6, characterized in that step F5 specifically comprises the following steps:
step F51: after the Oracle protocol agent module has authenticated successfully, the service layer sends an account, a password and a control information field to the Oracle protocol agent module, instructing it to connect to the target asset;
step F52: following the service layer's instruction, the Oracle protocol agent module initiates a connection request to the target asset, carrying the Oracle data remaining in the parsed SSH data packet;
step F53: the target asset authenticates the connection request of the Oracle protocol agent module; if the authentication succeeds, step F61 is executed; if the authentication fails, the client connection is disconnected and the session task ends.
8. The operation, maintenance and audit method of a controllable Oracle session based on an SSH tunnel according to claim 7, characterized in that step F6 specifically comprises the following steps:
step F61: after the Oracle protocol agent module has authenticated successfully, it initiates an authentication request to the user; if the authentication succeeds, step F62 is executed; if it fails, the client connection is disconnected and the session task ends;
step F62: after the Oracle protocol agent module has authenticated the user successfully, the operation, maintenance and audit system confirms the connection between the user and the target asset and starts working;
step F63: the operation, maintenance and audit system audits and judges the data sent by the user, and if the data does not meet the security policy and permission requirements set by the administrator, the operation, maintenance and audit system prevents it from being sent to the target asset;
step F64: the administrator can intervene in the operation, maintenance and audit system at any time, inspect the connection between the user and the target asset through the Oracle protocol agent module, block or control the session, and cut off the connection between the user and the target asset when necessary.
CN201810908751.1A 2018-08-10 2018-08-10 Operation, maintenance and audit method of controllable Oracle session based on SSH tunnel Active CN109101811B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810908751.1A CN109101811B (en) 2018-08-10 2018-08-10 Operation, maintenance and audit method of controllable Oracle session based on SSH tunnel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810908751.1A CN109101811B (en) 2018-08-10 2018-08-10 Operation, maintenance and audit method of controllable Oracle session based on SSH tunnel

Publications (2)

Publication Number Publication Date
CN109101811A CN109101811A (en) 2018-12-28
CN109101811B true CN109101811B (en) 2021-10-15

Family

ID=64849215

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810908751.1A Active CN109101811B (en) 2018-08-10 2018-08-10 Operation, maintenance and audit method of controllable Oracle session based on SSH tunnel

Country Status (1)

Country Link
CN (1) CN109101811B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112749182B (en) * 2019-10-30 2023-01-31 深圳市傲冠软件股份有限公司 Method for accessing Oracle database by proxy, audit terminal, device and computer readable storage medium
CN111490971B (en) * 2020-02-26 2022-06-28 江苏智先生信息科技有限公司 General hospital information infrastructure safety operation and maintenance and auditing method
CN111405062B (en) * 2020-04-01 2023-08-11 河南信大网御科技有限公司 Pseudo input proxy device based on SSH protocol, communication system and method
CN113420007B (en) * 2021-03-31 2023-09-26 阿里巴巴新加坡控股有限公司 Audit processing method and device for database access and electronic equipment
CN113918893A (en) * 2021-10-13 2022-01-11 成都安恒信息技术有限公司 A container operation and maintenance file transfer method based on the operation and maintenance audit system
CN116204859A (en) * 2022-12-30 2023-06-02 长园深瑞继保自动化有限公司 Database access method, device, terminal device, and computer-readable storage medium
CN117792682A (en) * 2023-11-27 2024-03-29 浙江齐安信息科技有限公司 Operation and maintenance auditing method, proxy server and system based on SSH

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102123042A (en) * 2010-12-30 2011-07-13 中国民航信息网络股份有限公司 Intelligent system-configuration management system and management method thereof
US8042155B1 (en) * 2006-09-29 2011-10-18 Netapp, Inc. System and method for generating a single use password based on a challenge/response protocol
CN104270334A (en) * 2014-06-13 2015-01-07 国家电网公司 A monitoring method for the SSH network security access protocol
CN107423638A (en) * 2017-08-02 2017-12-01 成都安恒信息技术有限公司 A password management system and application method based on command-detection password modification
CN107493344A (en) * 2017-08-29 2017-12-19 郑州云海信息技术有限公司 A method and system for web access to Docker containers
CN107682209A (en) * 2017-11-10 2018-02-09 青岛萨纳斯智能科技股份有限公司 An SDP big-data automatic deployment and monitoring platform
CN108111301A (en) * 2017-12-13 2018-06-01 中国联合网络通信集团有限公司 Method and system for implementing the SSH protocol based on post-quantum key exchange

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Research and design of a hospital follow-up management system based on an Oracle database; Shen Jing et al.; Electronic Design Engineering; 2018-06-01; Vol. 26 (No. 7); pp. 9-13 *
Design and implementation of an SSH-based equipment operation and maintenance system; Sun Yupeng; China Master's Theses Full-text Database, Information Science and Technology; 2018-04-15; I138-976 *

Also Published As

Publication number Publication date
CN109101811A (en) 2018-12-28

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant