
CN115473697B - A method and system for protecting security of out-of-band management server - Google Patents


Info

Publication number
CN115473697B
Authority
CN
China
Prior art keywords
dynamic password
ipmi
ipmi command
user name
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210999735.4A
Other languages
Chinese (zh)
Other versions
CN115473697A (en
Inventor
周浩楠
张旭
靳先奇
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Suzhou Metabrain Intelligent Technology Co Ltd
Original Assignee
Suzhou Inspur Intelligent Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Suzhou Inspur Intelligent Technology Co Ltd
Priority to CN202210999735.4A
Publication of CN115473697A
Application granted
Publication of CN115473697B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H04L63/0846 Network architectures or network communication protocols for network security for authentication of entities using passwords using time-dependent-passwords, e.g. periodically changing passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention belongs to the technical field of server security protection, and in particular provides a method and a system for protecting the security of an out-of-band management server. The method comprises the following steps: when the client executes an IPMI command, the IPMI command is packaged using an IPMI service user name and a dynamic password to generate an IPMI command data packet; the IPMI command data packet is encrypted and then transmitted to a server over the network; the server receives the IPMI command data packet and parses it to obtain the user name and dynamic password; the parsed user name and dynamic password are checked for consistency against the user name and dynamic password calculated inside the server; if the verification passes, the IPMI command is executed and a log is recorded; if the verification fails, the IPMI command is not executed, an alarm is raised, and a log is recorded. This solves the security problem caused by password leakage.

Description

A method and system for protecting the security of an out-of-band management server

Technical Field

The present invention relates to the technical field of server security protection, and in particular to a security protection method and system for an out-of-band management server.

Background

IPMI is the abbreviation of Intelligent Platform Management Interface, an industry standard for managing the peripheral devices used in Intel-architecture enterprise systems. The standard was developed by Intel, HP, NEC, Dell Computer, SuperMicro and other companies. Users can use IPMI to monitor the physical health of a server, such as temperature, voltage, fan operating status and power supply status.

IPMI v2.0 supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain valid user account password hash information from the HMAC in RAKP message 2 returned by the BMC. This is an inherent problem of the IPMI v2.0 specification, and there is no patch for this vulnerability. In addition, for many users the user name and password of the IPMI service overlap with the user name and password used to log in to the web interface, so that a user without access rights can obtain the IPMI service user name and password by brute force and thereby reach an IPMI service they are not authorized to access. Out-of-band access therefore carries a security risk. In the prior art, strong passwords are usually used to limit the chance of a successful offline dictionary attack, or an isolated network is used to restrict access to the IPMI management interface.

Strong passwords are usually used to limit the chance of a successful offline dictionary attack, or an isolated network is used to restrict access to the IPMI management interface. However, the following problems remain: the user name and password used for the IPMI service overlap with the user name and password used to log in to the web interface, which increases the likelihood of their being cracked; VPN dial-in can bypass the isolated network to reach the IPMI management interface; and internal staff can obtain user passwords through legitimate authorization and then use them illegitimately.

Summary of the Invention

Strong passwords are usually used to limit the chance of a successful offline dictionary attack, or an isolated network is used to restrict access to the IPMI management interface. These measures leave the following problems: the user name and password used for the IPMI service overlap with the user name and password used to log in to the web interface, which increases the likelihood of their being cracked; VPN dial-in can bypass the isolated network to reach the IPMI management interface; and internal staff can obtain user passwords through legitimate authorization and then use them illegitimately. To address these problems, the present invention provides a security protection method and system for an out-of-band management server.

In a first aspect, the technical solution of the present invention provides a security protection method for an out-of-band management server, applied to a protection system. The protection system includes a client and a server communicating with the client, and the client is provided with a token. The method includes the following steps:

When the client executes an IPMI command, the IPMI command is packaged using the IPMI service user name and a dynamic password to generate an IPMI command data packet;

The IPMI command data packet is encrypted and then transmitted to the server over the network;

The server receives the IPMI command data packet and parses it to obtain the user name and dynamic password;

The parsed user name and dynamic password are checked for consistency against the user name and dynamic password calculated inside the server;

If the verification passes, the IPMI command is executed and a log is recorded;

If the verification fails, the IPMI command is not executed, an alarm is raised, and a log is recorded.

Replacing the static password with a dynamic password improves the security of managing a server through IPMI commands. This both solves the security problem caused by password leakage and avoids the user permission problem caused by the web login password and the IPMI service password being the same.

Further, before the step in which the client, when executing an IPMI command, packages the IPMI command using the IPMI service user name and a dynamic password to generate an IPMI command data packet, the method includes:

The token uses the key and a time base to calculate the dynamic password through a hash algorithm.

The dynamic password is updated once a minute and cannot be reused, which prevents an IPMI service password stolen by an attacker from being used to attack the server.

Further, before the step of checking the parsed user name and dynamic password for consistency against the user name and dynamic password calculated inside the server, the method includes:

The server uses the key and a time base to calculate the dynamic password through the hash algorithm;

The calculated dynamic passwords are arranged, in order of the time at which each was calculated, into a dynamic password sequence.

Each user name is generally assigned a unique user identifier, and each dynamic password sequence is named after that identifier. When matching a dynamic password, the user name is checked first, and the password is then matched against the dynamic password sequence corresponding to that user name.

Further, the step in which the token uses the key and a time base to calculate the dynamic password through a hash algorithm includes:

The key and one time base are passed through the hash algorithm to generate a set of pseudo-random numbers;

A dynamic password is generated from the generated pseudo-random numbers according to a set operation rule;

The dynamic passwords generated from the key and several time bases form the dynamic password set.

The token is set to generate a dynamic password once a minute. The client and the server use the same key and the same time base; only then is it guaranteed that the generated dynamic passwords match.

Further, the step in which the client, when executing an IPMI command, packages the IPMI command using the IPMI service user name and a dynamic password to generate an IPMI command data packet includes:

When the client executes an IPMI command, the current traversal pointer selects one dynamic password from the dynamic password set, and the IPMI command is packaged using the IPMI service user name and the selected dynamic password to generate an IPMI command data packet.

The dynamic password is a one-time password that becomes invalid after a single use, which protects the security of the server.

Further, the step of checking the parsed user name and dynamic password for consistency against the dynamic password calculated inside the server includes:

Determining whether the parsed user name is consistent with the user name held inside the server;

When the user names are consistent, traversing the dynamic password sequence and matching the parsed dynamic password;

If the match succeeds, the verification passes, and the following step is performed: execute the IPMI command and record a log;

If the match fails, the verification fails, and the following step is performed: do not execute the IPMI command, raise an alarm, and record a log.

Further, the step of traversing the dynamic password sequence and matching the parsed dynamic password includes:

The parsed dynamic password is matched simultaneously against the N entries before and the N entries after the position of the traversal pointer at the current moment in the dynamic password sequence; the position of the traversal pointer is adjusted according to the matching result.

To improve matching speed, while the N entries before and the N entries after the current position of the traversal pointer are being matched simultaneously, the position of the traversal pointer is adjusted at the set time interval regardless of whether the match succeeds. When the match does not succeed, the N entries before and the N entries after the adjusted position of the traversal pointer are matched simultaneously. It should be noted that N can also be adjusted according to how the matching runs and its results.

In a second aspect, the technical solution of the present invention provides a security protection system for an out-of-band management server, including a client and a server, the server being provided with a BMC;

The client is configured, when executing an IPMI command, to package the IPMI command using the IPMI service user name and a dynamic password to generate an IPMI command data packet, and to encrypt the IPMI command data packet and transmit it to the BMC over the network;

The BMC is configured to receive the IPMI command data packet and parse it to obtain the user name and dynamic password; to check the parsed user name and dynamic password for consistency against the user name and dynamic password calculated inside the BMC; if the verification passes, to execute the IPMI command and record a log; and if the verification fails, not to execute the IPMI command, to raise an alarm, and to record a log.

Each user name is generally assigned a unique user identifier, and each dynamic password sequence is named after that identifier. When matching a dynamic password, the user name is checked first, and the password is then matched against the dynamic password sequence corresponding to that user name.

Replacing the static password with a dynamic password improves the security of managing a server through IPMI commands. This both solves the security problem caused by password leakage and avoids the user permission problem caused by the web login password and the IPMI service password being the same.

Further, the client is provided with a token, and the token uses a key and a time base to calculate the dynamic password through a hash algorithm;

The BMC is further configured to use the key and a time base to calculate the dynamic password through the hash algorithm, and to arrange the calculated dynamic passwords, in order of the time at which each was calculated, into a dynamic password sequence.

Further, the token passes the key and one time base through the hash algorithm to generate a set of pseudo-random numbers; generates a dynamic password from the generated pseudo-random numbers according to a set operation rule; and the dynamic passwords generated from the key and several time bases form the dynamic password set. The token is set to generate a dynamic password once a minute. The client and the server use the same key and the same time base; only then is it guaranteed that the generated dynamic passwords match.

Further, the step in which the client, when executing an IPMI command, packages the IPMI command using the IPMI service user name and a dynamic password to generate an IPMI command data packet includes:

The client is configured so that, when it executes an IPMI command, the current traversal pointer selects one dynamic password from the dynamic password set, and the IPMI command is packaged using the IPMI service user name and the selected dynamic password to generate an IPMI command data packet.

Further, the BMC is specifically configured to determine whether the parsed user name is consistent with the user name held inside the server; when the user names are consistent, to traverse the dynamic password sequence and match the parsed dynamic password; if the match succeeds, the verification passes, the IPMI command is executed and a log is recorded; if the match fails, the verification fails, the IPMI command is not executed, an alarm is raised, and a log is recorded.

Further, the BMC is also configured to match the parsed dynamic password simultaneously against the N entries before and the N entries after the position of the traversal pointer at the current moment in the dynamic password sequence, and to adjust the position of the traversal pointer according to the matching result. To improve matching speed, while the N entries before and the N entries after the current position of the traversal pointer are being matched simultaneously, the position of the traversal pointer is adjusted at the set time interval regardless of whether the match succeeds. When the match does not succeed, the N entries before and the N entries after the adjusted position of the traversal pointer are matched simultaneously. It should be noted that N can also be adjusted according to how the matching runs and its results.

It can be seen from the above technical solutions that the present invention has the following advantages: replacing the static password with a dynamic password improves the security of managing a server through IPMI commands. This both solves the security problem caused by password leakage and avoids the user permission problem caused by the web login password and the IPMI service password being the same.

In addition, the design principle of the invention is reliable, its structure is simple, and it has very broad application prospects.

It can be seen that, compared with the prior art, the present invention has prominent substantive features and represents notable progress, and the beneficial effects of its implementation are also obvious.

Brief Description of the Drawings

In order to explain the embodiments of the present invention or the technical solutions of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.

FIG. 1 is a schematic flow chart of a method according to one embodiment of the present invention.

FIG. 2 is a schematic flow chart of a method according to another embodiment of the present invention.

Detailed Description

IPMI v2.0 supports RMCP+ Authenticated Key-Exchange Protocol (RAKP) authentication. A remote attacker can obtain valid user account password hash information from the HMAC in RAKP message 2 returned by the BMC. This is an inherent problem of the IPMI v2.0 specification, and there is no patch for this vulnerability. In addition, for many users the user name and password of the IPMI service overlap with the user name and password used to log in to the web interface, so that a user without access rights can obtain the IPMI service user name and password by brute force and thereby reach an IPMI service they are not authorized to access. Out-of-band access therefore carries a security risk. In the prior art, strong passwords are usually used to limit the chance of a successful offline dictionary attack, or an isolated network is used to restrict access to the IPMI management interface.

Strong passwords are usually used to limit the chance of a successful offline dictionary attack, or an isolated network is used to restrict access to the IPMI management interface. However, the following problems remain: the user name and password used for the IPMI service overlap with the user name and password used to log in to the web interface, which increases the likelihood of their being cracked; VPN dial-in can bypass the isolated network to reach the IPMI management interface; and internal staff can obtain user passwords through legitimate authorization and then use them illegitimately.

In order to enable those skilled in the art to better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of those embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort shall fall within the scope of protection of the present invention.

As shown in FIG. 1, an embodiment of the present invention provides a security protection method for an out-of-band management server, applied to a protection system. The protection system includes a client and a server. The method includes the following steps:

Step 1: When the client executes an IPMI command, the IPMI command is packaged using the IPMI service user name and a dynamic password to generate an IPMI command data packet;

Step 2: The IPMI command data packet is encrypted and then transmitted to the server over the network;

Step 3: The server receives the IPMI command data packet and parses it to obtain the user name and dynamic password;

Step 4: The parsed user name and dynamic password are checked for consistency against the user name and dynamic password calculated inside the server;

If the verification passes, the IPMI command is executed and a log is recorded;

If the verification fails, the IPMI command is not executed, an alarm is raised, and a log is recorded.

First, the client and the server hold the same key and, based on the time base, both use the same hash algorithm to calculate a check code six digits long. This check code serves as the dynamic password. Replacing the static password with a dynamic password improves the security of managing a server through IPMI commands. This both solves the security problem caused by password leakage and avoids the user permission problem caused by the web login password and the IPMI service password being the same.

As shown in FIG. 2, an embodiment of the present invention provides a security protection method for an out-of-band management server, applied to a protection system. The protection system includes a client and a server. The method includes the following steps:

S01: The token uses the key and a time base to calculate the dynamic password through a hash algorithm. The specific steps include:

The key and one time base are passed through the hash algorithm to generate a set of pseudo-random numbers;

A dynamic password is generated from the generated pseudo-random numbers according to a set operation rule;

The dynamic passwords generated from the key and several time bases form the dynamic password set.

S02: The server uses the key and a time base to calculate the dynamic password through the hash algorithm;

In this step, the calculated dynamic passwords are arranged, in order of the time at which each was calculated, into a dynamic password sequence;

S1: When the client executes an IPMI command, the IPMI command is packaged using the IPMI service user name and a dynamic password to generate an IPMI command data packet. Specifically, when the client executes an IPMI command, the current traversal pointer selects one dynamic password from the dynamic password set, and the IPMI command is packaged using the IPMI service user name and the selected dynamic password to generate an IPMI command data packet;

S2: The IPMI command data packet is encrypted and then transmitted to the server over the network;

S3: The server receives the IPMI command data packet and parses it to obtain the user name and dynamic password;

S4: The parsed user name and dynamic password are checked for consistency against the user name and dynamic password calculated inside the server;

If the verification passes, the IPMI command is executed and a log is recorded;

If the verification fails, the IPMI command is not executed, an alarm is raised, and a log is recorded.

It should be noted that the verification in this step first determines whether the parsed user name is consistent with the user name held inside the server. When the user names are consistent, the dynamic password sequence is traversed and the parsed dynamic password is matched. If the match succeeds, the verification passes, and the following step is performed: execute the IPMI command and record a log. If the match fails, the verification fails, and the following step is performed: do not execute the IPMI command, raise an alarm, and record a log.

The dynamic password is updated once a minute and cannot be reused, which prevents an IPMI service password stolen by an attacker from being used to attack the server.

Each user name is generally assigned a unique user identifier, and each dynamic password sequence is named after that identifier. When matching a dynamic password, the user name is checked first, and the password is then matched against the dynamic password sequence corresponding to that user name.

The token is set to generate a dynamic password once a minute. The client and the server use the same key and the same time base; only then is it guaranteed that the generated dynamic passwords match.

It should further be noted that the step of traversing the dynamic password sequence and matching the parsed dynamic password includes:

The parsed dynamic password is matched simultaneously against the N entries before and the N entries after the position of the traversal pointer at the current moment in the dynamic password sequence; the position of the traversal pointer is adjusted according to the matching result.

To improve matching speed, while the N entries before and the N entries after the current position of the traversal pointer are being matched simultaneously, the position of the traversal pointer is adjusted at the set time interval regardless of whether the match succeeds. When the match does not succeed, the N entries before and the N entries after the adjusted position of the traversal pointer are matched simultaneously. It should be noted that N can also be adjusted according to how the matching runs and its results.
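The following added example (not code from the patent) sketches steps S01, S02 and S4: a six-digit dynamic password derived from a shared key and a one-minute time base, checked on the server side against the N entries before and after the current pointer, with one-time use enforced and every outcome logged. HMAC-SHA-1 with RFC 4226 dynamic truncation is an assumption standing in for the patent's unnamed "hash algorithm" and "set operation rule"; `BmcVerifier`, `dynamic_password`, `demo` and the sample key are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60  # page: the dynamic password is regenerated once a minute
DIGITS = 6         # page: six-digit check code


def dynamic_password(key: bytes, counter: int) -> str:
    """Key + time base -> hash -> pseudo-random bytes -> rule -> six digits.

    Assumption: HMAC-SHA-1 and RFC 4226 dynamic truncation stand in for the
    patent's unnamed "hash algorithm" and "set operation rule".
    """
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class BmcVerifier:
    """Hypothetical server-side check: user name first, then the password
    against the N entries before and after the current pointer."""

    def __init__(self, keys: dict, n: int = 1):
        self.keys = keys      # user name -> shared key
        self.n = n            # window half-width N
        self.last_used = {}   # user name -> newest time step already accepted
        self.log = []         # (time, user name, outcome) records

    def verify(self, username: str, password: str, now: float) -> bool:
        pointer = int(now) // STEP_SECONDS  # traversal pointer = current step
        known = username in self.keys
        # Unknown users are checked against a dummy key so that both paths
        # perform the same amount of work.
        key = self.keys[username] if known else b"\x00" * 20
        supplied = password.encode("utf-8")
        matched = None
        for counter in range(max(0, pointer - self.n), pointer + self.n + 1):
            candidate = dynamic_password(key, counter).encode("ascii")
            if hmac.compare_digest(candidate, supplied):  # constant-time compare
                matched = counter
        if not known:
            outcome = "ALARM unknown-user"
        elif matched is None:
            outcome = "ALARM bad-password"
        elif matched <= self.last_used.get(username, -1):
            outcome = "ALARM replay"  # one-time use: this step was already spent
        else:
            self.last_used[username] = matched
            outcome = "EXECUTE"
        self.log.append((int(now), username, outcome))
        return outcome == "EXECUTE"


def demo():
    key = b"12345678901234567890"  # constructed sample key (RFC 4226 test secret)
    bmc = BmcVerifier({"admin": key}, n=1)
    now = 90                       # constructed clock value: pointer is step 1
    token = dynamic_password(key, now // STEP_SECONDS)
    results = [
        bmc.verify("admin", token, now),         # fresh password
        bmc.verify("admin", token, now + 5),     # same password replayed
        bmc.verify("admin", "000000", now + 6),  # wrong password
        bmc.verify("guest", token, now + 7),     # user name not on the server
    ]
    return results, bmc.log


if __name__ == "__main__":
    outcomes, records = demo()
    print(outcomes)
    for record in records:
        print(record)
```

Tracking the newest accepted time step per user is what makes a captured password useless inside its own one-minute window; widening N tolerates more clock drift at the cost of a longer acceptance window.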

An embodiment of the present invention provides an out-of-band management server security protection system, including a client and a server, where the server is provided with a BMC.

The client is configured to, when executing an IPMI command, package the IPMI command with the IPMI service user name and a dynamic password to generate an IPMI command data packet, and to encrypt the IPMI command data packet and transmit it to the BMC over the network.

The BMC is configured to receive the IPMI command data packet and parse it to obtain the user name and dynamic password; to check the parsed user name and dynamic password for consistency against the user name and dynamic password calculated inside the BMC; if the check passes, to execute the IPMI command and record a log; and if the check fails, to not execute the IPMI command, raise an alarm, and record a log.

Generally, each user name is assigned a unique user identifier, and each dynamic password sequence is named after that identifier. To match a dynamic password, the user name is determined first, and the password is then matched against the dynamic password sequence that corresponds to that user name.

Replacing the static password with a dynamic password improves the security of managing servers with IPMI commands. It both resolves the security problems caused by password leakage and avoids the user permission problems caused by the web login password and the IPMI service password being the same.

In some embodiments, the client is provided with a token, and the token uses a key and a time base to calculate a dynamic password through a hash algorithm.

The BMC is further configured to calculate dynamic passwords from the key and the time base through the hash algorithm, and to arrange a number of calculated dynamic passwords into a dynamic password sequence ordered by the time at which each was calculated.

In some embodiments, the token generates a set of pseudo-random numbers from the key and one time base through the hash algorithm, and generates one dynamic password from the generated pseudo-random numbers and a set operation rule; the dynamic passwords generated from the key and several time bases make up the dynamic password set. The token is set to generate a dynamic password once a minute. The client and the server use the same key and the same time base; only then can the generated dynamic passwords be matched successfully.

In some embodiments, the step in which the client, when executing an IPMI command, packages the IPMI command with the IPMI service user name and a dynamic password to generate an IPMI command data packet includes:

The client is configured so that, when it executes an IPMI command, the current traversal pointer selects a dynamic password from the dynamic password set, and the IPMI command is packaged with the IPMI service user name and the selected dynamic password to generate an IPMI command data packet.

The BMC is specifically configured to determine whether the parsed user name is consistent with the user name inside the server; when the user names are consistent, to traverse the dynamic password sequence and match the parsed dynamic password; if the match succeeds, the check passes, and the IPMI command is executed and a log is recorded; if the match fails, the check fails, the IPMI command is not executed, an alarm is raised, and a log is recorded.

In some embodiments, the BMC is further configured to match the parsed dynamic password simultaneously against the N entries before and the N entries after the current position of the traversal pointer in the dynamic password sequence, and to adjust the position of the traversal pointer according to the matching result. To improve matching speed, while the N entries before and the N entries after the current traversal pointer position are being matched simultaneously, the position of the traversal pointer is adjusted at the set time interval regardless of whether the match succeeds. When the match is unsuccessful, once the pointer position has been adjusted, the N entries before and the N entries after the adjusted position are matched simultaneously. Note that N can also be adjusted according to how the matching runs and its results.
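The password generation and window matching described above, sketched as an added example; it is not code from the patent or from any BMC firmware. The page names neither the hash algorithm nor the operation rule, so HMAC-SHA-1 with the RFC 4226 truncation stands in for them; `BmcVerifier`, the 6-digit length, deriving the traversal pointer from the clock, and also checking the entry at the pointer itself are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 60    # seconds; the page's one-minute update interval
DIGITS = 6   # assumption: the page does not give a password length


def dynamic_password(key: bytes, counter: int) -> str:
    """Password for one time base: HMAC-SHA-1 + RFC 4226 truncation (assumed)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class BmcVerifier:
    """Hypothetical BMC-side check: user name first, then window match."""

    def __init__(self, keys: dict, n: int = 1):
        self.keys = keys      # user name -> shared key
        self.n = n            # entries checked on each side of the pointer
        self.drift = {}       # user name -> pointer correction, in steps
        self.last_used = {}   # user name -> newest accepted time base
        self.log = []         # (user name, outcome) records

    def _record(self, user: str, outcome: str) -> bool:
        self.log.append((user, outcome))
        return outcome == "ok"

    def verify(self, user: str, password: str, now: float) -> bool:
        key = self.keys.get(user)
        if key is None:
            return self._record(user, "alarm: unknown user")
        base = int(now) // STEP
        pointer = base + self.drift.get(user, 0)
        matched = None
        # Compare every candidate in constant time; no early exit.
        for counter in range(pointer - self.n, pointer + self.n + 1):
            expected = dynamic_password(key, counter).encode()
            if hmac.compare_digest(expected, password.encode()):
                matched = counter
        if matched is None:
            return self._record(user, "alarm: no match in window")
        if matched <= self.last_used.get(user, -1):
            return self._record(user, "alarm: password reused")
        self.last_used[user] = matched
        self.drift[user] = matched - base   # move the pointer to the match
        return self._record(user, "ok")


if __name__ == "__main__":
    key = b"constructed-demo-key"           # constructed sample secret
    bmc = BmcVerifier({"admin": key}, n=1)
    t = 1_700_000_000                       # constructed timestamp
    otp = dynamic_password(key, t // STEP)
    print(bmc.verify("admin", otp, t), bmc.verify("admin", otp, t))
    print(bmc.log)
```

A larger N tolerates more clock skew between token and BMC but widens the set of passwords that are valid at any instant, so the reuse check matters more as N grows.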

Although the present invention has been described in detail with reference to the accompanying drawings and in combination with preferred embodiments, the present invention is not limited thereto. Without departing from the spirit and essence of the present invention, a person of ordinary skill in the art may make various equivalent modifications or substitutions to the embodiments of the present invention, and these modifications or substitutions shall fall within the scope of the present invention. Any changes or substitutions that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall likewise fall within the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be subject to the scope of protection of the claims.

Claims (10)

1. An out-of-band management server security protection method, characterized in that it is applied to a protection system, the protection system including a client and a server communicating with the client, the method including the following steps:
when the client executes an IPMI command, packaging the IPMI command with the IPMI service user name and a dynamic password to generate an IPMI command data packet;
encrypting the IPMI command data packet and transmitting it to the server over the network;
the server receiving the IPMI command data packet and parsing the received IPMI command data packet to obtain the user name and dynamic password;
checking the parsed user name and dynamic password for consistency against the user name and dynamic password calculated inside the server;
if the check passes, executing the IPMI command and recording a log;
if the check fails, not executing the IPMI command, raising an alarm, and recording a log.

2. The out-of-band management server security protection method according to claim 1, characterized in that the client is provided with a token, and before the step in which the client, when executing an IPMI command, packages the IPMI command with the IPMI service user name and a dynamic password to generate an IPMI command data packet, the method includes:
the token calculating a dynamic password from a key and a time base through a hash algorithm.

3. The out-of-band management server security protection method according to claim 2, characterized in that before the step of checking the parsed user name and dynamic password for consistency against the user name and dynamic password calculated inside the server, the method includes:
the server calculating dynamic passwords from the key and the time base through the hash algorithm;
arranging a number of calculated dynamic passwords into a dynamic password sequence ordered by the time at which each was calculated.

4. The out-of-band management server security protection method according to claim 3, characterized in that the step of the token calculating a dynamic password from the key and the time base through the hash algorithm includes:
generating a set of pseudo-random numbers from the key and one time base through the hash algorithm;
generating one dynamic password from the generated pseudo-random numbers and a set operation rule;
the dynamic passwords generated from the key and several time bases making up a dynamic password set.

5. The out-of-band management server security protection method according to claim 4, characterized in that the step in which the client, when executing an IPMI command, packages the IPMI command with the IPMI service user name and a dynamic password to generate an IPMI command data packet includes:
when the client executes an IPMI command, the current traversal pointer selecting a dynamic password from the dynamic password set, and the IPMI command being packaged with the IPMI service user name and the selected dynamic password to generate an IPMI command data packet.

6. The out-of-band management server security protection method according to claim 5, characterized in that the step of checking the parsed user name and dynamic password for consistency against the dynamic password calculated inside the server includes:
determining whether the parsed user name is consistent with the user name inside the server;
when the user names are consistent, traversing the dynamic password sequence and matching the parsed dynamic password;
if the match succeeds, the check passes, and the following step is executed: executing the IPMI command and recording a log;
if the match fails, the check fails, and the following step is executed: not executing the IPMI command, raising an alarm, and recording a log.

7. The out-of-band management server security protection method according to claim 6, characterized in that the step of traversing the dynamic password sequence and matching the parsed dynamic password includes:
matching the parsed dynamic password simultaneously against the N entries before and the N entries after the current position of the traversal pointer in the dynamic password sequence, and adjusting the position of the traversal pointer according to the matching result.

8. An out-of-band management server security protection system, characterized in that it includes a client and a server communicating with the client, the server being provided with a BMC;
the client is configured to, when executing an IPMI command, package the IPMI command with the IPMI service user name and a dynamic password to generate an IPMI command data packet, and to encrypt the IPMI command data packet and transmit it to the BMC over the network;
the BMC is configured to receive the IPMI command data packet and parse it to obtain the user name and dynamic password; to check the parsed user name and dynamic password for consistency against the user name and dynamic password calculated inside the BMC; if the check passes, to execute the IPMI command and record a log; and if the check fails, to not execute the IPMI command, raise an alarm, and record a log.

9. The out-of-band management server security protection system according to claim 8, characterized in that the client is provided with a token, and the token calculates a dynamic password from a key and a time base through a hash algorithm;
the BMC is further configured to calculate dynamic passwords from the key and the time base through the hash algorithm, and to arrange a number of calculated dynamic passwords into a dynamic password sequence ordered by the time at which each was calculated.

10. The out-of-band management server security protection system according to claim 9, characterized in that the BMC is specifically configured to determine whether the parsed user name is consistent with the user name inside the server; when the user names are consistent, to traverse the dynamic password sequence and match the parsed dynamic password; if the match succeeds, the check passes, and the IPMI command is executed and a log is recorded; if the match fails, the check fails, the IPMI command is not executed, an alarm is raised, and a log is recorded.
CN202210999735.4A 2022-08-19 2022-08-19 A method and system for protecting security of out-of-band management server Active CN115473697B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210999735.4A CN115473697B (en) 2022-08-19 2022-08-19 A method and system for protecting security of out-of-band management server


Publications (2)

Publication Number Publication Date
CN115473697A CN115473697A (en) 2022-12-13
CN115473697B true CN115473697B (en) 2024-05-17

Family

ID=84367797

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210999735.4A Active CN115473697B (en) 2022-08-19 2022-08-19 A method and system for protecting security of out-of-band management server

Country Status (1)

Country Link
CN (1) CN115473697B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104410606A (en) * 2014-10-31 2015-03-11 国云科技股份有限公司 A server access method using IPMI protocol
CN105721502A (en) * 2016-04-11 2016-06-29 上海上实龙创智慧能源科技股份有限公司 Authorized access method for browser client and server

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7299354B2 (en) * 2003-09-30 2007-11-20 Intel Corporation Method to authenticate clients and hosts to provide secure network boot


Also Published As

Publication number Publication date
CN115473697A (en) 2022-12-13


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: 215100 Building 9, No.1 guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Suzhou City, Jiangsu Province

Patentee after: Suzhou Yuannao Intelligent Technology Co.,Ltd.

Country or region after: China

Address before: 215100 Building 9, No.1 guanpu Road, Guoxiang street, Wuzhong Economic Development Zone, Suzhou City, Jiangsu Province

Patentee before: SUZHOU LANGCHAO INTELLIGENT TECHNOLOGY Co.,Ltd.

Country or region before: China