[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN114329444A - System safety improving method and device - Google Patents

System safety improving method and device Download PDF

Info

Publication number
CN114329444A
CN114329444A CN202111673082.2A CN202111673082A CN114329444A CN 114329444 A CN114329444 A CN 114329444A CN 202111673082 A CN202111673082 A CN 202111673082A CN 114329444 A CN114329444 A CN 114329444A
Authority
CN
China
Prior art keywords
sandbox
environment
host system
container
secure
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111673082.2A
Other languages
Chinese (zh)
Inventor
陈军
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hangzhou Dt Dream Technology Co Ltd
Original Assignee
Hangzhou Dt Dream Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hangzhou Dt Dream Technology Co Ltd filed Critical Hangzhou Dt Dream Technology Co Ltd
Priority to CN202111673082.2A priority Critical patent/CN114329444A/en
Publication of CN114329444A publication Critical patent/CN114329444A/en
Pending legal-status Critical Current

Links

Images

Landscapes

  • Information Transfer Between Computers (AREA)

Abstract

The application provides a system safety improving method and device, and the method can comprise the following steps: obtaining a sandbox container, wherein the sandbox container is used for deploying a secure sandbox environment, and the secure sandbox environment is a file operation environment isolated from the host system resources; modifying configuration parameters of original SSH service in the host system to prohibit a remote client from logging in to access the host system; and operating the sandbox container to establish a secure sandbox environment in the host system, wherein the secure sandbox environment comprises a sandbox SSH service, and the sandbox SSH service is used for supporting a remote client to log in and access the secure sandbox environment. Through the technical scheme, the remote client can only log in the safe sandbox environment when logging in and accessing the host remotely through the SSH service, and cannot directly log in the host system, so that the probability of security holes of the host system is reduced.

Description

System safety improving method and device
Technical Field
The application relates to the technical field of computers, in particular to a method and a device for improving system safety.
Background
With the development of computer and internet technologies, a lot of vulnerabilities of operating systems are exploded and exploited, and attackers can exploit the vulnerabilities to cause serious harm to computers. In a software delivery scenario, the delivery party also needs to perform security scanning on the host system and to repair the security vulnerabilities displayed by the scanning results.
In a conventional vulnerability scanning and repairing technology, comparison and scanning are usually performed according to a vulnerability feature library of a disclosed vulnerability, and then a system version is upgraded according to a scheme provided by a security manufacturer, so that the system vulnerability is repaired. However, since new vulnerabilities are continuously popped out, the host systems to be repaired are also various and are not necessarily standard systems, and thus, in practical application, a completely standard and feasible repair scheme is not available, and the repair cost is high.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for improving system security of a host system.
Specifically, the method is realized through the following technical scheme:
according to a first aspect of the present application, a system security enhancing method is provided, which is applied to a host system, and includes:
obtaining a sandbox container, wherein the sandbox container is used for deploying a secure sandbox environment, and the secure sandbox environment is a file operation environment isolated from the host system resources;
modifying configuration parameters of original SSH service in the host system to prohibit a remote client from logging in to access the host system;
and operating the sandbox container to establish a secure sandbox environment in the host system, wherein the secure sandbox environment comprises a sandbox SSH service, and the sandbox SSH service is used for supporting a remote client to log in and access the secure sandbox environment.
According to a second aspect of the present application, a system safety lifting device is provided, which is applied to a host system, and includes:
an obtaining unit, configured to obtain a sandbox container, where the sandbox container is used to deploy a secure sandbox environment, and the secure sandbox environment is a file operation environment isolated from the host system resource;
a modification unit, configured to modify configuration parameters of an original SSH service in the host system, so as to prohibit a remote client from logging on to access the host system;
the system comprises a construction unit and a remote client, wherein the construction unit is used for operating the sandbox container to construct a safe sandbox environment in the host system, the safe sandbox environment comprises sandbox SSH service, and the sandbox SSH service is used for supporting the remote client to log in and access the safe sandbox environment.
According to a third aspect of the present application, there is provided an electronic device comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method as described in the embodiments of the first aspect above by executing the executable instructions.
According to a fourth aspect of embodiments of the present application, there is provided a computer-readable storage medium having stored thereon computer instructions which, when executed by a processor, implement the steps of the method as described in the embodiments of the first aspect above.
According to the technical scheme, the safe sandbox environment supporting the SSH service is built in the host system, so that the remote client can only log in the safe sandbox environment when remotely logging in the host through the SSH service and cannot directly log in the host system, the probability of security holes of the host system due to SSH login attack is reduced, and the safety of the host system is improved.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present application and together with the description, serve to explain the principles of the application.
FIG. 1 is a flow diagram illustrating a method for system security boosting according to an exemplary embodiment of the present application;
FIG. 2 is a schematic diagram of a network architecture of a system security enhancing system according to an embodiment of the present application;
FIG. 3 is a flow diagram illustrating a method for system security boosting according to an exemplary embodiment of the present application;
FIG. 4 is a schematic diagram of a system security lift electronics device according to an exemplary embodiment of the present application;
fig. 5 is a block diagram illustrating a system safety lift device according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Next, examples of the present application will be described in detail.
The Secure Shell (SSH) is a security protocol that is built on an application layer and a transport layer basis. SSH is currently a relatively reliable protocol that provides security for telnet sessions and other web services. The SSH protocol can effectively prevent the problem of information leakage in the remote management process. In the prior art, SSH generally provides two authentication methods: a password authentication mode and a key authentication mode. The most common method is a password authentication method, as long as an account and a password are provided, the client can log in a remote host for convenient management, and all transmitted data can be encrypted. However, when a remote user logs in a host by inputting a login account and a corresponding login password at an SSH client, the login password of the remote host is manually input, and thus the password is easily leaked. The security loophole of the host system is caused by malicious scanning of an attacker remotely logging in the host system through SSH service to a great extent, so that the mechanism of malicious scanning attack of the security attack logging in the host through SSH is solved according to the security attack and scanning principle of the existing host, the security loophole problem of the existing host system can be basically eliminated, and when the occurrence probability of the security loophole of the host is low, the repair cost aiming at the security loophole is correspondingly reduced.
Fig. 1 is a flowchart illustrating a system security enhancing method according to an exemplary embodiment of the present application. As shown in fig. 1, the method applied to the host system may include the following steps:
step 102: obtaining a sandbox container, wherein the sandbox container is used for deploying a secure sandbox environment, and the secure sandbox environment is a file operation environment isolated from the host system resources.
Sandboxing is a security event analysis technique based on the generation of virtualization technologies. As the name implies, a sandbox is a virtual system program that provides an execution environment in which program behavior is restricted by security policies. Sandboxing is used primarily to test the behavior of untrusted applications because changes made by the run may be subsequently removed.
In the present application, the secure sandbox environment is a file operating environment isolated from the host system at the memory, cpu, network, and file system level. It can be appreciated that since the secure sandbox environment is a separate virtual operating environment running on the host system, the secure sandbox environment is equivalent to a virtual machine and the host is equivalent to a host. Applications running within the secure sandbox environment are not able to permanently affect the host's file system or critical services, i.e., do not affect the host system itself, and thus the secure sandbox environment is logically isolated from the host system that hosts the sandbox.
Step 104: modifying configuration parameters of an original SSH service in the host system to prohibit a remote client from logging on to access the host system.
Step 106: and operating the sandbox container to establish a secure sandbox environment in the host system, wherein the secure sandbox environment comprises a sandbox SSH service, and the sandbox SSH service is used for supporting a remote client to log in and access the secure sandbox environment.
Because the remote client needs to be prevented from logging in the host system through the SSH, it is not only necessary that the original SSH service in the host system cannot receive the SSH service request of the remote client, but also that the sandbox SSH service is run in the established secure sandbox environment, so as to process the SSH request sent by the remote client for the host.
In one embodiment, the sandbox container may contain configuration information about the sandbox environment, which may be set by one skilled in the art as needed, but is not limited in this respect. The sandbox environment is constructed through the container technology, and the container does not need to simulate hardware and reload an operating system, so that the operation cost and the deployment time can be effectively reduced when the safe sandbox environment in the host system is constructed.
In an embodiment, based on physical resource conditions of different hosts, the secure sandbox environment may be a file operating environment constructed by a virtualization device and a virtualization kernel provided by a virtual machine to serve as the secure sandbox environment when physical resources of the host meet operating conditions of the virtual machine, or may be a file operating environment having a preset kernel access rule constructed by an actual physical device in the host system to serve as the secure sandbox environment when the physical resources of the host do not meet the operating conditions of the virtual machine, the preset kernel access rule being used to limit the call of the container application to the kernel of the host system.
In an embodiment, the host system may further include an instruction receiving tool, for example, an opsctl tool, where the instruction receiving tool may receive a management instruction issued by a sandbox manager outside the host system, so that the host system may manage the sandbox container according to the management instruction received by the instruction receiving tool. For example, in the container deployment process, the management instruction may include an installation instruction, and the sandbox container to be operated is indicated by the installation instruction, so that the host system may operate the corresponding sandbox container according to the execution of the installation instruction only when the instruction receiving tool receives the installation instruction.
Furthermore, the management instruction may also be a removal instruction, and the secure sandbox environment does not always run safely and normally after the secure sandbox environment is constructed, so that whether the secure sandbox environment runs normally can be detected according to needs, and a detection result is provided to the sandbox manager. The safe sandbox environment in the host system can be installed and removed according to the instruction by arranging the instruction receiving tool in the host system, so that the safe sandbox environment which runs abnormally can be timely processed, and the recoverability of the sandbox after abnormality is effectively ensured.
In an embodiment, since the login of the remote user is mainly realized by inputting a login account and a corresponding login password at the SSH client, the sandbox SSH service in the secure sandbox environment constructed in the present application can mount an account file of the original SSH service in the host system, so that account information corresponding to the sandbox SSH service may be consistent with account information corresponding to the original SSH service, where the account information may include the login account and the login password matched with the login account, and is used to perform the authorization verification on the remote client requesting to login. Moreover, it should be understood that the SSH service may provide different login accounts and corresponding login passwords for different remote clients, or may provide the same login account and login password for different remote clients, so that the account information stored in the sandbox SSH service may be one or more groups, which is not limited in this application. The account information of the original SSH service in the host system is inherited by the sandbox SSH service, so that after the safe sandbox environment is built, the remote client can still log in the host by using the original account and the original password, and for the remote client, the SSH log-in of the remote client is not influenced before and after the safe sandbox environment is built, and the remote client does not sense the safe sandbox environment.
In an embodiment, a monitoring port of a sandbox SSH service in the secure sandbox environment may be set as a monitoring port of an original SSH service in the host system, and in order to avoid port collision and to avoid the original SSH service monitoring a remote control of a remote client for the host, when a configuration parameter of the original SSH service in the host system is modified, the monitoring port of the original SSH service in the host system may be modified to a local port, so that the original SSH service in the main sentence system is modified to local monitoring, so that the secure sandbox environment in the host system may be connected to the host system environment based on a local address of the secure sandbox SSH service and the modified monitoring port SSH of the original SSH service in the host system, thereby establishing a local connection between the sandbox SSH service and the original SSH service and supporting the secure sandbox environment to log in and access the host system. By establishing local connection between the sandbox SSH service and the original SSH service, the host system environment can be locally logged in through the secure sandbox environment according to a predefined switching instruction in the secure sandbox environment, such as a switchtohost command, so that the host system can be managed when needed.
In one embodiment, a host system includes at least one business process running in a business system container environment deployed at the host system. Namely, each running business process in the host system runs in the container, and isolation is generated between the container network and the host system, and only necessary ports need to be exposed according to the calling requirement. In this case, for example, common vulnerability middleware such as tomcat, mq, mysql and the like are only located in the service system container environment, on one hand, since the service system container environment is isolated from the host system, the vulnerability of the middleware cannot be directly accessed through the host network, and the attack risk is low; on the other hand, even if the vulnerability does exist, the vulnerability can be repaired only by updating the corresponding container version, and the version of the container is updated conveniently and the cost is low.
In an embodiment, since the vulnerability is generated all the time and is continuously exploded, that is, the vulnerability may be generated in the secure sandbox environment, when the business system is updated, the version of the sandbox container may be updated at the same time, so that the secure sandbox environment corresponds to the business system container environment, and the version-following update of the secure sandbox environment is realized by updating the sandbox container along with the version update of the application container.
Furthermore, after the secure sandbox environment is constructed, direct access between the remote client and the host system can be isolated through the secure sandbox environment, and the secure sandbox environment can be used as an operation and maintenance diagnosis environment dedicated to the service system.
In an embodiment, the secure sandbox environment may further establish a communication connection with a service system container environment in the host system, and when an untrusted service exists in the service system container environment or when a service fails and operation and maintenance diagnosis needs to be performed, a data file or a container related to the service in the service system container environment may be transmitted to the secure sandbox environment through the communication connection, so as to perform a test run on the service in the secure sandbox environment, and monitor an operating state of the service in a test run process, so that a corresponding security analysis report may be generated, and security of production and deployment of the service system is improved.
According to the technical scheme, the safe sandbox environment supporting the SSH service is built in the host system, so that the remote client can only log in the safe sandbox environment when remotely logging in the host through the SSH service and cannot directly log in the host system, the probability of security holes of the host system due to SSH login attack is reduced, and the safety of the host system is improved.
Fig. 2 is a schematic diagram of a network architecture of a system security enhancing system according to an embodiment of the present application. As shown in fig. 2, the system security lift system may include a sandbox manager 21, a host system 22, and a remote client 23. The host system 22 further includes a secure sandbox environment 221, a service system container environment 222 and a host environment 223, and the host environment 223 is an environment isolated from the sandbox environment 221 and the service system container environment 222 in the host system 22. Included in the secure sandboxed environment 221 is sandboxed SSH service 224, which is used to receive SSH login access sent by remote client 23 for the host system 22. The host environment 223 includes an instruction receiving tool 225 and an original SSH service 226 that the host system 22 has before the secure sandbox environment 221 is built, the instruction receiving tool 225 is configured to receive a management instruction for the secure sandbox issued by the sandbox manager 21, the original SSH service 226 is configured to receive an SSH login access sent by the remote client 23 for the host system 22 before the secure sandbox environment 221 is built, and after the secure sandbox environment 221 is built, the original SSH service 226 is configured to receive the login access from the secure sandbox environment 221, that is, after the secure sandbox environment 221 is built, when the remote client 23 logs in the host system 22 through an SSH login account, the remote client can only log in the secure sandbox environment 221. At least one business process is run in the business system container environment 22, and a communication connection is established between the business system container environment 22 and the secure sandbox environment 21, so that the business system container environment 22 can provide the business system into the secure sandbox environment 21 to perform operation and maintenance diagnosis on the business system in the secure sandbox environment 21.
In the technical scheme of the application, a secure sandbox environment supporting the SSH service is established in the host system, so that the remote client can only log in the secure sandbox environment when remotely logging in the host through the SSH service, but cannot directly log in the host system, thereby reducing the probability of security vulnerabilities occurring when the host system is attacked by SSH login, improving the security of the host system, and the details are described below with reference to fig. 3. Fig. 3 is a flowchart illustrating a system security enhancing method according to an exemplary embodiment of the present application. As shown in fig. 3, a system security upgrade for a host system may include the following steps:
in step 301, the host system 22 obtains a sandbox container.
The host system 22 obtains a sandbox container storing sandbox configuration information, which may be provided by the sandbox manager 21 or may be pre-deployed in the host system 22.
In step 302, the instruction receiving tool in the host system 22 receives the installation instruction issued by the sandbox manager 21.
Step 303 modifies the listening port of the original SSH service 226 in the host system 22 to listen locally.
The host system 22 includes an original SSH service 226 having a listening port of 2.2 for receiving SSH login access of the remote client 23, and after receiving an installation instruction issued by the sandbox manager 21, the listening port of the original SSH service 226 may be modified to be a local listening port.
At step 304, the sandbox container is run to build the secure sandbox environment 221 in the host system 22.
The sandbox container is run to build a secure sandbox environment 221 in the host system 22, the secure sandbox environment 221 containing a sandbox SSH service 224 which listens to port 2.2 for receiving SSH login access sent by the remote client 23.
Step 305, a communication connection is established between the secure sandbox environment 221 and the business system container environment 222.
Also included in the host system 22 is a business system container environment 222, and after the secure sandbox environment 221 is built, a communication connection can be established between the business system container environment 222 and the secure sandbox environment 221. So that the secure sandbox environment 221 can perform data interaction with the business system container environment 222 to perform operation and maintenance diagnosis on the business system in the business system container environment 222.
Corresponding to the method embodiments, the present specification also provides an embodiment of an apparatus.
Fig. 4 is a schematic structural diagram of a system security enhancing electronic device according to an exemplary embodiment of the present application. Referring to fig. 4, at the hardware level, the electronic device includes a processor 402, an internal bus 404, a network interface 406, a memory 408, and a non-volatile memory 410, but may also include hardware required for other services. The processor 402 reads a corresponding computer program from the non-volatile memory 410 into the memory 408 and then runs the computer program, thereby forming a device for solving the system security vulnerability problem at a logic level. Of course, besides the software implementation, the present application does not exclude other implementations, such as logic devices or a combination of software and hardware, and the like, that is, the execution subject of the following processing flow is not limited to each logic unit, and may also be hardware or logic devices.
Fig. 5 is a block diagram illustrating a system safety lift device according to an exemplary embodiment of the present application.
Referring to fig. 5, the apparatus comprises an obtaining unit 502, a modifying unit 504 and a constructing unit 506, wherein:
the obtaining unit 502 is configured to obtain a sandbox container for deploying a secure sandbox environment, which is a file running environment isolated from the host system resources.
The modifying unit 504 is configured to modify configuration parameters of an original SSH service in the host system to prohibit remote client login access to the host system.
The building unit 506 is configured to run the sandbox container to build a secure sandbox environment in the host system, the secure sandbox environment including a sandbox SSH service for supporting remote client login access to the secure sandbox environment.
Optionally, account information of the sandbox SSH service corresponds to account information of the original SSH service, where the account information includes a login account and a login password matched with the login account, and is used to perform permission verification on the remote client requesting to login.
Optionally, the monitoring port of the sandbox SSH service is the monitoring port of the original SSH service, and the modifying the configuration parameter of the original SSH service in the host system includes: and modifying a monitoring port of the original SSH service in the host system into a local port so as to establish local connection between the sandbox SSH service and the original SSH service and support the safe sandbox environment to log in and access the host system.
Optionally, the host system includes at least one business process, and the business process operates in a business system container environment deployed in the host system.
Optionally, the apparatus further comprises:
the connection unit 508 is configured to establish a communication connection between the service system container environment and the secure sandbox environment, so as to perform commissioning on the service process in the service system container environment in the secure sandbox environment.
Optionally, the secure sandbox environment corresponds to the container environment, and the sandbox container is updated with the version update of the application container.
Optionally, the host system is further provided with an instruction receiving tool, where the instruction receiving tool is configured to receive a management instruction issued by a sandbox manager outside the host system, so that the host system manages the sandbox container according to the management instruction.
Optionally, the management instruction includes an installation instruction, and the executing the sandbox container includes: and under the condition that the instruction receiving tool is determined to receive the installation instruction, operating the sandbox container according to the installation instruction.
Optionally, the management instruction includes a removal instruction, and the apparatus further includes:
the detection unit 510 is configured to detect whether the secure sandbox environment is operating normally;
the removal unit 512 is configured to remove the secure sandbox environment if it is determined that the instruction receiving tool received the removal instruction; wherein the removal instruction is sent by the sandbox manager when it is determined that the secure sandbox environment is not operating normally according to the detection result.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
In an exemplary embodiment, there is also provided a non-transitory computer readable storage medium, for example a memory, comprising instructions executable by a processor of a system safety lifting device to implement a method as described in any of the above embodiments, such as the method may comprise:
obtaining a sandbox container, wherein the sandbox container is used for deploying a secure sandbox environment, and the secure sandbox environment is a file operation environment isolated from the host system resources; modifying configuration parameters of original SSH service in the host system to prohibit a remote client from logging in to access the host system; and operating the sandbox container to establish a secure sandbox environment in the host system, wherein the secure sandbox environment comprises a sandbox SSH service, and the sandbox SSH service is used for supporting a remote client to log in and access the secure sandbox environment.
The non-transitory computer readable storage medium may be a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, etc., which is not limited in this application.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (12)

1. A system security promotion method is applied to a host system, and comprises the following steps:
obtaining a sandbox container, wherein the sandbox container is used for deploying a secure sandbox environment, and the secure sandbox environment is a file operation environment isolated from the host system resources;
modifying configuration parameters of original SSH service in the host system to prohibit a remote client from logging in to access the host system;
and operating the sandbox container to establish a secure sandbox environment in the host system, wherein the secure sandbox environment comprises a sandbox SSH service, and the sandbox SSH service is used for supporting a remote client to log in and access the secure sandbox environment.
2. The method of claim 1, wherein account information of the sandbox SSH service corresponds to account information of the original SSH service, and the account information comprises a login account and a login password matched with the login account, and is used for performing authority verification on a remote client requesting login.
3. The method of claim 1, wherein the listening port of the sandbox SSH service is the listening port of the original SSH service, and wherein modifying the configuration parameters of the original SSH service in the host system comprises:
and modifying a monitoring port of the original SSH service in the host system into a local port so as to establish local connection between the sandbox SSH service and the original SSH service and support the safe sandbox environment to log in and access the host system.
4. The method of claim 1, wherein the host system comprises at least one business process, and wherein the business process runs in a business system container environment deployed on the host system.
5. The method of claim 4, further comprising:
and establishing communication connection between the business system container environment and the safe sandbox environment so as to perform trial operation on the business process in the business system container environment in the safe sandbox environment.
6. The method of claim 4, wherein the secure sandbox environment corresponds to the container environment, and wherein the sandbox container is updated as the version of the application container is updated.
7. The method according to claim 1, wherein an instruction receiving tool is further installed in the host system, and the instruction receiving tool is configured to receive a management instruction issued by a sandbox manager outside the host system, so that the host system manages the sandbox container according to the management instruction.
8. The method of claim 7, wherein the management instructions comprise installation instructions, and wherein executing the sandbox container comprises:
and under the condition that the instruction receiving tool is determined to receive the installation instruction, operating the sandbox container according to the installation instruction.
9. The method of claim 7, wherein the management instruction comprises a remove instruction, the method further comprising:
detecting whether the safe sandbox environment operates normally or not;
removing the secure sandbox environment if it is determined that the instruction receiving tool received the removal instruction; wherein the removal instruction is sent by the sandbox manager when it is determined that the secure sandbox environment is not operating normally according to the detection result.
10. A system safety lifting device is characterized in that the device is applied to a host system and comprises:
an obtaining unit, configured to obtain a sandbox container, where the sandbox container is used to deploy a secure sandbox environment, and the secure sandbox environment is a file operation environment isolated from the host system resource;
a modification unit, configured to modify configuration parameters of an original SSH service in the host system, so as to prohibit a remote client from logging on to access the host system;
the system comprises a construction unit and a remote client, wherein the construction unit is used for operating the sandbox container to construct a safe sandbox environment in the host system, the safe sandbox environment comprises sandbox SSH service, and the sandbox SSH service is used for supporting the remote client to log in and access the safe sandbox environment.
11. An electronic device, comprising:
a processor;
a memory for storing processor-executable instructions;
wherein the processor implements the method of any one of claims 1-9 by executing the executable instructions.
12. A computer-readable storage medium having stored thereon computer instructions, which, when executed by a processor, carry out the steps of the method according to any one of claims 1-9.
CN202111673082.2A 2021-12-31 2021-12-31 System safety improving method and device Pending CN114329444A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111673082.2A CN114329444A (en) 2021-12-31 2021-12-31 System safety improving method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111673082.2A CN114329444A (en) 2021-12-31 2021-12-31 System safety improving method and device

Publications (1)

Publication Number Publication Date
CN114329444A true CN114329444A (en) 2022-04-12

Family

ID=81021748

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111673082.2A Pending CN114329444A (en) 2021-12-31 2021-12-31 System safety improving method and device

Country Status (1)

Country Link
CN (1) CN114329444A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116861411A (en) * 2023-06-05 2023-10-10 北京连山科技股份有限公司 Secure sandbox data protection method and system based on Seccomp mechanism

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116861411A (en) * 2023-06-05 2023-10-10 北京连山科技股份有限公司 Secure sandbox data protection method and system based on Seccomp mechanism

Similar Documents

Publication Publication Date Title
US8954897B2 (en) Protecting a virtual guest machine from attacks by an infected host
CN109076063B (en) Protecting dynamic and short-term virtual machine instances in a cloud environment
EP3660713B1 (en) Securing privileged virtualized execution instances
US11374964B1 (en) Preventing lateral propagation of ransomware using a security appliance that dynamically inserts a DHCP server/relay and a default gateway with point-to-point links between endpoints
JP2020508519A (en) Systems and methods for context-based mitigation of computer security risks
JP2016031762A (en) Process control software security architecture based on least privileges
CN1981277A (en) Quarantine system
US8234711B2 (en) Apparatus and method for checking PC security
KR102379720B1 (en) System for controlling data flow in virtualization terminal and method of the same
CN110162978A (en) A kind of terminal security risk assessment management method, apparatus and system
US20230319112A1 (en) Admission control in a containerized computing environment
CN114329444A (en) System safety improving method and device
CN114491582A (en) Authentication method and device and terminal equipment
CN113779562A (en) Zero trust based computer virus protection method, device, equipment and medium
CN113922975A (en) Security control method, server, terminal, system and storage medium
CN109376557B (en) Information security management system
US20120174206A1 (en) Secure computing environment
CN117494144A (en) Cloud platform-based safety environment protection method
US11822648B2 (en) Systems and methods for remote anomaly data scanner for cyber-physical systems
CN116962149A (en) Network fault detection method and device, storage medium and electronic equipment
CN117648100B (en) Application deployment method, device, equipment and storage medium
Riegler et al. Mode Switching for Secure Edge Devices
WO2020157482A1 (en) Task engine
CN114640490B (en) Method and system for realizing equipment account use safety, monitoring and management termination
CN114124558B (en) Operation response method, device, electronic equipment and computer readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination