CN114662089A

CN114662089A - Webpage tamper-proofing method, system, electronic equipment and medium

Info

Publication number: CN114662089A
Application number: CN202210158985.5A
Authority: CN
Inventors: 王振众; 李震宇; 张哲�; 刘怡然
Original assignee: Hangxiao Steel Structure Co Ltd
Current assignee: Hangxiao Steel Structure Co Ltd
Priority date: 2022-02-21
Filing date: 2022-02-21
Publication date: 2022-06-24

Abstract

The application discloses a method, a system, electronic equipment and a medium for preventing webpage tampering. By applying the technical scheme of the application, the kernel can be protected by the protection strategy to the container running by the mirror image name of each container, the kernel protection layer is defaulted to prevent any process from modifying the file under the protection directory, and further the file parameters under the targeted protection service directory are realized. Therefore, the problem that files inside the container node cannot be identified and protected due to resource isolation of a virtual system in a server in the existing tamper-proof technology is solved.

Description

Method, system, electronic device and medium for preventing web page tampering

技术领域technical field

本申请中涉及数据处理技术，尤其是一种网页防篡改的方法、系统、电子设备及介质。The present application relates to data processing technology, in particular to a method, system, electronic device and medium for preventing tampering of web pages.

背景技术Background technique

在主机网页防篡改领域内，网页防篡改的解决方案目前通用的是使用内核事件触发保护机制，与操作系统底层文件驱动级保护技术紧密结合的，即使服务器遭受黑客攻击取得操作管理员权限也无法对被保护内容实施篡改，这样做可以解决普通Web内嵌防篡改软件采用轮询检测文件或者Web服务器内嵌检测可能发生的计算校验占用系统资源过多和延时等一系列风险，而且能提供对各种动态网页脚本进行防护。In the field of host webpage anti-tampering, the most common solution for webpage anti-tampering is to use the kernel event-triggered protection mechanism, which is closely integrated with the underlying file-driven protection technology of the operating system. To tamper with the protected content can solve a series of risks such as excessive system resource occupation and delay caused by common web embedded anti-tampering software using polling to detect files or web server embedded detection. Provides protection against various dynamic web scripts.

然而，相关技术中的防篡改技术由于对服务器中的虚拟系统即容器节点进行了资源隔离，这也导致无法识别容器节点内部的文件并对其进行防护。However, the tamper-proof technology in the related art isolates the resources of the virtual system in the server, that is, the container node, which also makes it impossible to identify and protect the files inside the container node.

发明内容SUMMARY OF THE INVENTION

本申请实施例提供一种网页防篡改的方法、系统、电子设备及介质。用以解决相关技术中存在的，现有防篡改技术由于对服务器中的虚拟系统进行了资源隔离所导致的无法识别容器节点内部的文件并对其进行防护的问题。Embodiments of the present application provide a method, a system, an electronic device, and a medium for preventing tampering of a webpage. The invention is used to solve the problem in the related art that the existing anti-tampering technology cannot identify and protect the files inside the container node due to the resource isolation of the virtual system in the server.

其中，根据本申请实施例的一个方面，提供的一种网页防篡改的方法，包括：Wherein, according to an aspect of the embodiments of the present application, a method for preventing tampering of a webpage is provided, including:

在所述业务服务器的容器节点上部署多个业务POD以及防护POD，所述容器节点为部署在所述业务服务器中的虚拟系统，所述业务POD用于进行业务处理，所述防护POD用于监控篡改防护状态；Deploy multiple service PODs and protection PODs on container nodes of the service server, where the container nodes are virtual systems deployed in the service server, the service PODs are used for service processing, and the protection PODs are used for Monitor tamper protection status;

实时检测每个所述容器节点的运行参数，所述运行参数包括所述容器节点名称，镜像名，容器节点ID，创建时间，容器节点运行状态以及篡改防护状态；Detecting the running parameters of each container node in real time, the running parameters include the container node name, image name, container node ID, creation time, container node running status and tamper protection status;

获取所述容器节点中保存的所有镜像目录，并生成禁止修改每个镜像目录下参数的防护策略，其中每个镜像目录对应于一个工作节点。Acquire all image directories stored in the container node, and generate a protection policy that prohibits modification of parameters under each image directory, wherein each image directory corresponds to a working node.

可选地，在基于本申请上述方法的另一个实施例中，在所述业务服务器的容器节点上部署多个业务POD以及防护POD之前，还包括：Optionally, in another embodiment based on the above method of the present application, before deploying multiple service PODs and protection PODs on the container nodes of the service server, the method further includes:

通过所述防护POD建立与客户端的连接；Establish a connection with the client through the protection POD;

创建管理控制中心，并利用所述管理控制中心管理所述防护POD，所述管理包括展示所述容器节点的篡改防护状态和容器节点基本信息，所述容器节点基本信息包括容器节点名称、容器节点系统名称、容器节点ID、镜像名、容器节点启动参数、容器节点创建时间、容器节点运行状、容器节点端口映射信息、容器节点运行开始结束时间。Create a management control center, and use the management control center to manage the protection POD. The management includes displaying the tamper protection status of the container node and basic information of the container node. The basic information of the container node includes the name of the container node, the container node System name, container node ID, image name, container node startup parameters, container node creation time, container node running status, container node port mapping information, container node running start and end time.

可选地，在基于本申请上述方法的另一个实施例中，所述利用所述管理控制中心管理所述防护POD，包括：Optionally, in another embodiment based on the above method of the present application, the managing the protection POD by using the management control center includes:

利用所述管理控制中心发送所述防护策略至防护POD，以及，Send the protection policy to the protection POD using the management control center, and,

利用所述防护POD发送所述防护策略至所述业务POD。The protection policy is sent to the service POD using the protection POD.

可选地，在基于本申请上述方法的另一个实施例中，在所述生成禁止修改每个镜像目录下参数的防护策略之后，还包括：Optionally, in another embodiment based on the above method of the present application, after the generating a protection policy that prohibits modification of parameters under each image directory, the method further includes:

利用所述防护策略指示所述容器节点的内核防护层阻止任何进程修改所述镜像目录下的任何参数，所述参数包括所述镜像目录下的子目录以及业务参数。The protection policy is used to instruct the kernel protection layer of the container node to prevent any process from modifying any parameters in the image directory, where the parameters include subdirectories and service parameters in the image directory.

确定每个容器节点所在的业务服务器ID；Determine the business server ID where each container node is located;

将检测到容器节点所在的业务服务器ID出现变更时，生成容器节点偏移消息，并将所述容器节点偏移消息发送给管理控制中心。When it is detected that the ID of the service server where the container node is located is changed, a container node offset message is generated, and the container node offset message is sent to the management control center.

获取接收到的业务请求报文；Get the received service request message;

对所述业务请求报文进行恶意字段检测，若确定所述业务请求报文存在恶意字段，对所述业务请求报文进行拦截。Malicious field detection is performed on the service request message, and if it is determined that the service request message has a malicious field, the service request message is intercepted.

若检测到所述业务服务器中存在新增容器节点时，在所述新增容器节点上安装部署对应的防护POD；或，If it is detected that a new container node exists in the service server, install and deploy the corresponding protection POD on the newly added container node; or,

若检测到所述业务服务器中执行删除容器节点指令时，将所述删除容器节点上的防护POD进行卸载。If it is detected that an instruction to delete a container node is executed in the service server, the protection POD on the container node for deletion is uninstalled.

其中，根据本申请实施例的又一个方面，提供的一种网页防篡改的系统，其特征在于，包括：Wherein, according to yet another aspect of the embodiments of the present application, a system for preventing tampering of web pages is provided, which is characterized in that it includes:

部署模块，被配置为在所述业务服务器的容器节点上部署多个业务POD以及防护POD，所述容器节点为部署在所述业务服务器中的虚拟系统，所述业务POD用于进行业务处理，所述防护POD用于监控篡改防护状态；a deployment module, configured to deploy multiple service PODs and protection PODs on container nodes of the service server, where the container nodes are virtual systems deployed in the service server, and the service PODs are used for service processing, The protection POD is used to monitor the tamper protection status;

检测模块，被配置为实时检测每个所述容器节点的运行参数，所述运行参数包括所述容器节点名称，镜像名，容器节点ID，创建时间，容器节点运行状态以及篡改防护状态；a detection module, configured to detect the running parameters of each container node in real time, the running parameters include the container node name, image name, container node ID, creation time, container node running status and tamper protection status;

生成模块，被配置为获取所述容器节点中保存的所有镜像目录，并生成禁止修改每个镜像目录下参数的防护策略，其中每个镜像目录对应于一个工作节点。The generating module is configured to obtain all the image directories saved in the container node, and generate a protection policy forbidding modification of parameters under each image directory, wherein each image directory corresponds to a working node.

根据本申请实施例的又一个方面，提供的一种电子设备，包括：According to yet another aspect of the embodiments of the present application, an electronic device is provided, comprising:

存储器，用于存储可执行指令；以及memory for storing executable instructions; and

显示器，用于与所述存储器以执行所述可执行指令从而完成上述任一所述网页防篡改的方法的操作。The display is used to execute the executable instructions with the memory to complete the operation of any one of the above-mentioned methods for preventing tampering of a webpage.

根据本申请实施例的还一个方面，提供的一种计算机可读存储介质，用于存储计算机可读取的指令，所述指令被执行时执行上述任一所述网页防篡改的方法的操作。According to another aspect of the embodiments of the present application, a computer-readable storage medium is provided for storing computer-readable instructions, and when the instructions are executed, the operations of any one of the foregoing methods for preventing tampering of webpages are performed.

本申请中，可以在所述业务服务器的容器节点上部署多个业务POD以及防护POD，所述容器节点为部署在业务服务器中的虚拟系统，业务POD用于进行业务处理，防护POD用于监控篡改防护状态；实时检测每个容器节点的运行参数，运行参数包括容器节点名称，镜像名，容器节点ID，创建时间，容器节点运行状态以及篡改防护状态；获取容器节点中保存的所有镜像目录，并生成禁止修改每个镜像目录下参数的防护策略，其中每个镜像目录对应于一个工作节点。通过应用本申请的技术方案，可以通防护策略实现内核防护以每个容器镜像名运行的容器，默认内核防护层阻止任何进程修改保护目录下的文件，进而实现针对性的保护业务目录下的文件参数。从而避免了现有防篡改技术由于对服务器中的虚拟系统进行了资源隔离所导致的无法识别容器节点内部的文件并对其进行防护的问题。In this application, multiple service PODs and protection PODs may be deployed on the container node of the service server, where the container node is a virtual system deployed in the service server, the service POD is used for service processing, and the protection POD is used for monitoring Tamper protection status; real-time detection of running parameters of each container node, running parameters include container node name, image name, container node ID, creation time, container node running status and tamper protection status; obtain all image directories saved in container nodes, And generate a protection policy that prohibits modification of parameters under each mirror directory, where each mirror directory corresponds to a worker node. By applying the technical solution of the present application, it is possible to realize the kernel protection of the container running under the name of each container image through the protection strategy, and the default kernel protection layer prevents any process from modifying the files in the protection directory, thereby realizing targeted protection of the files in the business directory. parameter. Thus, the problem that the existing anti-tampering technology cannot identify and protect the files inside the container node due to resource isolation of the virtual system in the server is avoided.

下面通过附图和实施例，对本申请的技术方案做进一步的详细描述。The technical solutions of the present application will be described in further detail below through the accompanying drawings and embodiments.

附图说明Description of drawings

构成说明书的一部分的附图描述了本申请的实施例，并且连同描述一起用于解释本申请的原理。The accompanying drawings, which form a part of the specification, illustrate embodiments of the application and together with the description serve to explain the principles of the application.

参照附图，根据下面的详细描述，可以更加清楚地理解本申请，其中：The present application may be more clearly understood from the following detailed description with reference to the accompanying drawings, wherein:

图1为本申请提出的一种网页防篡改的方法示意图；1 is a schematic diagram of a method for preventing tampering of a webpage proposed by the application;

图2为本申请提出的一种网页防篡改的系统架构示意图；2 is a schematic diagram of a system architecture for preventing tampering of a webpage proposed by the application;

图3为本申请提出的一种网页防篡改的电子系统的结构示意图；3 is a schematic structural diagram of a web page tamper-proof electronic system proposed by the application;

图4为本申请提出的一种网页防篡改的电子设备的结构示意图。FIG. 4 is a schematic structural diagram of an electronic device for preventing webpage tampering proposed by the present application.

具体实施方式Detailed ways

现在将参照附图来详细描述本申请的各种示例性实施例。应注意到：除非另外具体说明，否则在这些实施例中阐述的部件和步骤的相对布置、数字表达式和数值不限制本申请的范围。Various exemplary embodiments of the present application will now be described in detail with reference to the accompanying drawings. It should be noted that the relative arrangement of the components and steps, the numerical expressions and numerical values set forth in these embodiments do not limit the scope of the present application unless specifically stated otherwise.

同时，应当明白，为了便于描述，附图中所示出的各个部分的尺寸并不是按照实际的比例关系绘制的。Meanwhile, it should be understood that, for the convenience of description, the dimensions of various parts shown in the accompanying drawings are not drawn in an actual proportional relationship.

以下对至少一个示例性实施例的描述实际上仅仅是说明性的，不作为对本申请及其应用或使用的任何限制。The following description of at least one exemplary embodiment is merely illustrative in nature and is not intended to limit the application or its application or uses in any way.

对于相关领域普通技术人员已知的技术、方法和设备可能不作详细讨论，但在适当情况下，所述技术、方法和设备应当被视为说明书的一部分。Techniques, methods, and apparatus known to those of ordinary skill in the relevant art may not be discussed in detail, but where appropriate, such techniques, methods, and apparatus should be considered part of the specification.

应注意到：相似的标号和字母在下面的附图中表示类似项，因此，一旦某一项在一个附图中被定义，则在随后的附图中不需要对其进行进一步讨论。It should be noted that like numerals and letters refer to like items in the following figures, so once an item is defined in one figure, it does not require further discussion in subsequent figures.

另外，本申请各个实施例之间的技术方案可以相互结合，但是必须是以本领域普通技术人员能够实现为基础，当技术方案的结合出现相互矛盾或无法实现时应当认为这种技术方案的结合不存在，也不在本申请要求的保护范围之内。In addition, the technical solutions between the various embodiments of the present application can be combined with each other, but must be based on the realization by those of ordinary skill in the art. When the combination of technical solutions is contradictory or cannot be realized, it should be considered that the combination of technical solutions does not exist and is not within the scope of protection claimed in this application.

需要说明的是，本申请实施例中所有方向性指示(诸如上、下、左、右、前、后……)仅用于解释在某一特定姿态(如附图所示)下各部件之间的相对位置关系、运动情况等，如果该特定姿态发生改变时，则该方向性指示也相应地随之改变。It should be noted that all directional indications (such as up, down, left, right, front, back...) in the embodiments of the present application are only used to explain the relationship between the various components under a certain posture (as shown in the drawings). If the specific posture changes, the directional indication also changes accordingly.

下面结合图1-图2来描述根据本申请示例性实施方式的用于进行网页防篡改的方法。需要注意的是，下述应用场景仅是为了便于理解本申请的精神和原理而示出，本申请的实施方式在此方面不受任何限制。相反，本申请的实施方式可以应用于适用的任何场景。The following describes a method for preventing tampering of a webpage according to an exemplary embodiment of the present application with reference to FIGS. 1-2 . It should be noted that the following application scenarios are only shown to facilitate understanding of the spirit and principles of the present application, and the embodiments of the present application are not limited in this respect. Rather, the embodiments of the present application can be applied to any scenario where applicable.

本申请还提出一种网页防篡改的方法、系统、电子设备及介质。The present application also provides a method, system, electronic device and medium for preventing tampering of a webpage.

图1示意性地示出了根据本申请实施方式的一种网页防篡改的方法的流程示意图。如图1所示，该方法包括：FIG. 1 schematically shows a schematic flowchart of a method for preventing tampering of a webpage according to an embodiment of the present application. As shown in Figure 1, the method includes:

S101,在所述业务服务器的容器节点上部署多个业务POD以及防护POD，所述容器节点为部署在所述业务服务器中的虚拟系统，所述业务POD用于进行业务处理，所述防护POD用于监控篡改防护状态。S101, deploying multiple service PODs and protection PODs on a container node of the service server, where the container node is a virtual system deployed in the service server, the service PODs are used for service processing, and the protection PODs Used to monitor tamper protection status.

S102,实时检测每个所述容器节点的运行参数，所述运行参数包括所述容器节点名称，镜像名，容器节点ID，创建时间，容器节点运行状态以及篡改防护状态；S102, real-time detection of the running parameters of each of the container nodes, where the running parameters include the container node name, image name, container node ID, creation time, container node running status and tampering protection status;

S103,获取所述容器节点中保存的所有镜像目录，并生成禁止修改每个镜像目录下参数的防护策略，其中每个镜像目录对应于一个工作节点。S103: Acquire all image directories stored in the container node, and generate a protection policy that prohibits modification of parameters under each image directory, wherein each image directory corresponds to a worker node.

相关技术中，随着业务上云，公有云/私有云中网站业务容器化越来越流行，传统的防篡改技术方案大多数是基于目录监测和内核驱动保护技术来防止Web应用及Web内容不被篡改，但是由于容器进行了资源隔离，无法识别容器里的内容，另外由于容器弹性收缩和高可用机制在实际集群环境下会出现漂移，那么传统针对目录检测的技术无法做到容器内部文件的防护，因此如何防止容器下网站被植入恶意数据等，保障网页正常，需要在容器环境下重新考虑全新的防护机制。In related technologies, with the migration of services to the cloud, the containerization of website services in public clouds/private clouds is becoming more and more popular. Most of the traditional anti-tampering technical solutions are based on directory monitoring and kernel-driven protection technologies to prevent web applications and web content from being incompatible. It has been tampered with, but due to the resource isolation of the container, the content in the container cannot be identified. In addition, due to the elastic shrinkage of the container and the high availability mechanism will drift in the actual cluster environment, the traditional directory detection technology cannot achieve the internal file of the container. Therefore, how to prevent malicious data from being implanted in the website under the container, and ensure the normality of the webpage, it is necessary to reconsider a new protection mechanism in the container environment.

具体来说，在主机网页防篡改领域内，网页防篡改的解决方案目前通用的是使用内核事件触发保护机制，与操作系统底层文件驱动级保护技术紧密结合的，即使服务器遭受黑客攻击取得操作管理员权限也无法对被保护内容实施篡改，这样做可以解决普通Web内嵌防篡改软件采用轮询检测文件或者Web服务器内嵌检测可能发生的计算校验占用系统资源过多和延时等一系列风险，而且能提供对各种动态网页脚本进行防护。Specifically, in the field of host web page tamper-proofing, the most common solution for web page tampering is to use the kernel event-triggered protection mechanism, which is closely integrated with the underlying file-driven protection technology of the operating system. Even if the server is attacked by hackers, operations management The protected content cannot be tampered with the user's authority, which can solve a series of problems such as excessive system resource occupation and delay, etc. Risk, and can provide protection against various dynamic web scripts.

相应的技术在面对业务容器化后，网页防篡改技术进行了同样的变革，目前大部分的技术方案是网页防篡改监控客户端与网页防篡改管理后台和Docker守护进程连接用于监控站点的防攻击状态、执行管理中心配置的策略、阻止各类篡改攻击。但是存在如下问题：The corresponding technology has undergone the same transformation in the face of business containerization. At present, most of the technical solutions are that the web page tamper-proof monitoring client is connected with the web page tamper-proof management background and the Docker daemon to monitor the site. Anti-attack status, implement policies configured by the management center, and prevent various tampering attacks. But there are the following problems:

容器对系统资源做了隔离，传统的防篡改技术方案无法识别容器内部的文件并对其进行防护。Containers isolate system resources, and traditional anti-tampering technical solutions cannot identify and protect files inside containers.

进一步，为了解决上述问题，本申请提出一种网页防篡改的方法，其中包括：Further, in order to solve the above problems, the present application proposes a method for preventing tampering of web pages, including:

本申请需要首先构建管理控制中心，然后在防护POD上安装客户端，即可实现管理控制中心与客户端的安全连接。一种方式中，用户可在管理控制中心查看业务相关的详细信息，并且在管理中心配置和下发安全策略，并通过传输服务模块和通讯模块负责和监控端的业务文件传输、日志报警、系统状态等数据。In this application, the management control center needs to be constructed first, and then the client is installed on the protection POD, so that the secure connection between the management control center and the client can be realized. In one way, the user can view the detailed information related to the business in the management control center, configure and issue security policies in the management center, and be responsible for and monitor the business file transfer, log alarm, system status of the terminal through the transmission service module and the communication module. etc. data.

进一步的，如图2所示，为本申请提出的网页防篡改的系统架构示意图，其可以部署在业务服务器中。具体的，可以首先在每个容器工作节点上部署防护POD。其中一个防护POD为容器上的一个专用于监控防护业务参数的节点，可向其分配一定的计算以及运行资源。Further, as shown in FIG. 2 , it is a schematic diagram of the system architecture of webpage tamper-proofing proposed by the present application, which can be deployed in a service server. Specifically, a protection POD can be deployed on each container worker node first. One of the protection PODs is a node on the container dedicated to monitoring protection service parameters, and can be allocated certain computing and running resources.

需要说明的是，管控中心负责管理所有防护POD，统一监控所有容器的篡改防护状态和容器基本信息。其中，容器基本信息包括：容器名称、容器节点系统名称、容器ID、镜像名、容器启动参数、容器创建时间、容器运行状、容器端口映射信息、容器运行开始结束时间，统一配置防护策略。It should be noted that the control center is responsible for managing all protection PODs, and uniformly monitors the tamper protection status and basic container information of all containers. The basic container information includes: container name, container node system name, container ID, image name, container startup parameters, container creation time, container running status, container port mapping information, container running start and end time, and uniformly configure protection policies.

具体的，该防护策略用于禁止任何对象修改每个镜像目录下的参数。从而保证存放业务参数的每个镜像目录均不会因为参数受到恶意修改而影响业务处理的进程。Specifically, the protection policy is used to prohibit any object from modifying the parameters under each image directory. Therefore, it is ensured that each image directory storing service parameters will not affect the process of service processing because the parameters are maliciously modified.

进一步的，本申请可以由管控中心下发防护策略到防护POD，策略属性：容器镜像名，保护目录，默认以此容器镜像名运行的容器，任何进程都无法修改保护目录下的文件，可以针对保护目录设置子目录和进程白名单；Further, in this application, the management and control center can issue a protection policy to the protection POD, and the policy attributes: container image name, protection directory, the container running with this container image name by default, no process can modify the files in the protection directory, and can target the container image name. Protect the directory to set subdirectories and process whitelists;

其中，本申请可以由防护POD下发防护策略到内核防护层，策略属性：容器镜像名，保护目录，默认内核防护层阻止任何进程修改保护目录下的文件，可以针对保护目录设置子目录和进程白名单。Among them, this application can issue a protection policy from the protection POD to the kernel protection layer, the policy attributes: container image name, protection directory, the default kernel protection layer prevents any process from modifying the files in the protection directory, and subdirectories and processes can be set for the protection directory. whitelist.

更进一步的，本申请在生成禁止修改每个镜像目录下参数之后，还可以实施下述步骤以实现防篡改对网页的目的：Further, the application can also implement the following steps to achieve the purpose of preventing tampering to the web page after generating and prohibiting modification of the parameters under each image directory:

第一方面：first:

可以实现策略自动编排，其中包括：Automated policy orchestration can be achieved, including:

自动检测容器漂移；Automatic detection of container drift;

自动设置容器防护策略；Automatically set container protection policies;

策略绑定容器镜像名，以相同镜像名运行的所有容器节点中的容器都会被防护，镜像名支持*号通配符；The policy is bound to the container image name, the containers in all container nodes running with the same image name will be protected, and the image name supports the * wildcard;

容器停止再启动后，篡改防护自动生效；After the container is stopped and restarted, the tamper protection automatically takes effect;

容器删除再重新生成，篡改防护自动生效The container is deleted and regenerated, and the tamper protection takes effect automatically

第二方面：Second aspect:

可以实现网页防篡改，其中包括：Anti-tampering of web pages can be achieved, including:

将容器镜像内目录保护后，任何以该镜像创建的容器内的目录都将被保护。支持aufs,overlay2,container文件存储驱动格式的容器篡改防护。After the directory inside a container image is protected, any directory inside the container created with the image will be protected. Container tampering protection that supports aufs, overlay2, and container file storage driver formats.

目录下的所有目录、文件(包括子目录和文件)都将无法修改，策略镜像名支持通配符*号，支持仅记录日志不阻断篡改模式。All directories and files (including subdirectories and files) under the directory cannot be modified. The policy image name supports the wildcard character *, and supports only logging without blocking tampering mode.

第三方面：The third aspect:

可以实现新增规则，其中包括：New rules can be implemented, including:

规则名称：自定义规则名称；Rule name: custom rule name;

保护度对象：要保护的目录，支持选择目录或粘贴路径，支持通配符输入，但是一个目录里面只能存在一个”*”，如/a/*b/是正确的,但/a/*b*a/是错误的，且给文件夹配置通配符要以”/”结尾，如果是文件则不需要以”/”结尾Protection object: the directory to be protected, supports selecting the directory or pasting the path, supports wildcard input, but only one "*" exists in a directory, such as /a/*b/ is correct, but /a/*b* a/ is wrong, and the wildcard configuration for a folder must end with "/", if it is a file, it does not need to end with "/"

允许改写的IP：允许改写该对象的IP，支持填入单个IP，或多个IP用“，”隔开，不支持填入IP段。允许所有IP改写则填*；Allowed IP to be rewritten: Allows to rewrite the IP of the object, supports filling in a single IP, or multiple IPs separated by ",", does not support filling in the IP segment. Fill in * if all IP rewriting is allowed;

允许改写的进程：允许改写该对象的进程，可在系统中选择，会直接填写进程名。允许所有进程改写则填*；Process allowed to be rewritten: The process that is allowed to rewrite the object can be selected in the system, and the process name will be directly filled in. Fill in * if all processes are allowed to be rewritten;

允许改写的用户：在下拉列表中选择允许改写该对象的用户。允许所有用户改写则选*；Users allowed to overwrite: Select the users who are allowed to overwrite this object from the drop-down list. Select * to allow all users to rewrite;

处理方式：选择仅记录或阻断并记录；Processing method: choose to record only or block and record;

是否启用：选择是否启用该规则。Whether to enable: Select whether to enable the rule.

对于已添加的规则，可关闭/启用、重新编辑、删除或新增子规则。For added rules, you can disable/enable, re-edit, delete or add sub-rules.

其中，对于新增子规则来说，可以包括：Among them, for new sub-rules, it can include:

保护对象：选择或粘贴规则中保护对象的子目录；Protected Objects: Select or paste the subdirectories of protected objects in the rule;

允许改写的IP：允许改写该对象的IP，支持填入单个IP，或多个IP用“，”隔开，不支持填入IP段。允许所有IP改写则填*；Allowed IP to be rewritten: Allows to rewrite the IP of the object. It supports filling in a single IP, or multiple IPs are separated by ",", and does not support filling in the IP segment. Fill in * if all IP rewriting is allowed;

第四方面：Fourth aspect:

可以实现防攻击模块，其中包括：Anti-attack modules can be implemented, including:

使用Web容器的第三方安全插件机制实现，可在Web后台程序处理请求之前获取到所有的请求上下文信息提前过滤，对恶意请求及时拦截。网站漏洞防护，可对网站常见的SQL注入攻击、XSS跨站、Web容器及应用漏洞进行实时防护。每条规则都有单独的开关，开启网站漏洞防护后，除“自动屏蔽扫描器”外，其他规则默认全部开启。Implemented by the third-party security plug-in mechanism of the web container, all request context information can be obtained before the web background program processes the request, and it can be filtered in advance, and malicious requests can be intercepted in time. Website vulnerability protection, real-time protection against common website SQL injection attacks, XSS cross-site, Web container and application vulnerabilities. Each rule has a separate switch. After the website vulnerability protection is turned on, all other rules are turned on by default except "Automatically Block Scanners".

第五方面：Fifth aspect:

可以实现容器监控，其中包括：Container monitoring can be implemented, including:

展示所有容器节点上运行的容器，展示容器名称，镜像名，容器ID，创建时间，容器运行状态，篡改防护状态。Displays containers running on all container nodes, including container name, image name, container ID, creation time, container running status, and tamper protection status.

第六方面：Sixth aspect:

可以实现编排系统集成，其中包括：Orchestration system integration can be achieved, including:

与编排系统集成，首次部署支持自动化安装防护POD到编排系统管理的全部容器节点上。当容器节点新增或删除，自动安装卸载对应节点的防护POD，兼容K8S和Mesos。Integrated with the orchestration system, the first deployment supports automatic installation of protection PODs on all container nodes managed by the orchestration system. When a container node is added or deleted, the protection POD of the corresponding node is automatically installed and uninstalled, which is compatible with K8S and Mesos.

利用所述防护策略指示所述容器节点的内核防护层阻止任何进程修改所述镜像目录下的任何参数，所述参数包括所述镜像目录下的子目录以及业务参数。The protection policy is used to instruct the kernel protection layer of the container node to prevent any process from modifying any parameter under the image directory, where the parameter includes subdirectories and service parameters under the image directory.

若检测到所述业务服务器中执行删除容器节点指令时，将所述删除容器节点上的防护POD进行卸载。If it is detected that the service server executes the container node deletion instruction, the protection POD on the container node deletion is uninstalled.

通过应用本申请的技术方案，可以通防护策略实现内核防护以每个容器镜像名运行的容器，默认内核防护层阻止任何进程修改保护目录下的文件，进而实现针对性的保护业务目录下的文件参数。从而避免了现有防篡改技术由于对服务器中的虚拟系统进行了资源隔离所导致的无法识别容器节点内部的文件并对其进行防护的问题。By applying the technical solution of the present application, it is possible to realize the kernel protection of the container running under the name of each container image through the protection strategy, and the default kernel protection layer prevents any process from modifying the files in the protection directory, thereby realizing targeted protection of the files in the business directory. parameter. Thus, the problem that the existing anti-tampering technology cannot identify and protect the files inside the container node due to resource isolation of the virtual system in the server is avoided.

可选的，在本申请的另外一种实施方式中，如图3所示，本申请还提供一种网页防篡改的系统。其中包括：Optionally, in another implementation manner of the present application, as shown in FIG. 3 , the present application further provides a system for preventing tampering of a webpage. These include:

部署模块201，被配置为在所述业务服务器的容器节点上部署多个业务POD以及防护POD，所述容器节点为部署在所述业务服务器中的虚拟系统，所述业务POD用于进行业务处理，所述防护POD用于监控篡改防护状态；The deployment module 201 is configured to deploy multiple service PODs and protection PODs on container nodes of the service server, where the container nodes are virtual systems deployed in the service servers, and the service PODs are used for service processing , the protection POD is used to monitor the tamper protection status;

检测模块202，被配置为实时检测每个所述容器节点的运行参数，所述运行参数包括所述容器节点名称，镜像名，容器节点ID，创建时间，容器节点运行状态以及篡改防护状态；The detection module 202 is configured to detect the running parameters of each container node in real time, and the running parameters include the container node name, image name, container node ID, creation time, container node running status and tamper protection status;

生成模块203，被配置为获取所述容器节点中保存的所有镜像目录，并生成禁止修改每个镜像目录下参数的防护策略，其中每个镜像目录对应于一个工作节点。The generating module 203 is configured to acquire all image directories stored in the container node, and generate a protection policy forbidding modification of parameters under each image directory, wherein each image directory corresponds to a working node.

在本申请的另外一种实施方式中，部署模块201，被配置执行的步骤包括：In another embodiment of the present application, the steps configured to execute the deployment module 201 include:

图4是根据一示例性实施例示出的一种电子设备的逻辑结构框图。例如，电子设备300可以是移动电话，计算机，数字广播终端，消息收发设备，游戏控制台，平板设备，医疗设备，健身设备，个人数字助理等。Fig. 4 is a logical structural block diagram of an electronic device according to an exemplary embodiment. For example, electronic device 300 may be a mobile phone, computer, digital broadcast terminal, messaging device, game console, tablet device, medical device, fitness device, personal digital assistant, and the like.

在示例性实施例中，还提供了一种包括指令的非临时性计算机可读存储介质，例如包括指令的存储器，上述指令可由电子设备处理器执行以完成上述网页防篡改的方法，该方法包括：当在所述业务服务器的容器节点上部署多个业务POD以及防护POD，所述容器节点为部署在所述业务服务器中的虚拟系统，所述业务POD用于进行业务处理，所述防护POD用于监控篡改防护状态；In an exemplary embodiment, there is also provided a non-transitory computer-readable storage medium including instructions, such as a memory including instructions, the instructions can be executed by an electronic device processor to complete the above-mentioned method for preventing tampering of a webpage, the method comprising: : When multiple service PODs and protection PODs are deployed on the container node of the service server, the container node is a virtual system deployed in the service server, the service POD is used for service processing, and the protection POD Used to monitor tamper protection status;

获取所述容器节点中保存的所有镜像目录，并生成禁止修改每个镜像目录下参数的防护策略，其中每个镜像目录对应于一个工作节点。可选地，上述指令还可以由电子设备的处理器执行以完成上述示例性实施例中所涉及的其他步骤。例如，非临时性计算机可读存储介质可以是ROM、随机存取存储器(RAM)、CD-ROM、磁带、软盘和光数据存储设备等。Acquire all image directories stored in the container node, and generate a protection policy that prohibits modification of parameters under each image directory, wherein each image directory corresponds to a working node. Optionally, the above-mentioned instructions may also be executed by the processor of the electronic device to complete other steps involved in the above-mentioned exemplary embodiments. For example, the non-transitory computer-readable storage medium may be ROM, random access memory (RAM), CD-ROM, magnetic tape, floppy disk, optical data storage device, and the like.

在示例性实施例中，还提供了一种应用程序/计算机程序产品，包括一条或多条指令，该一条或多条指令可以由电子设备的处理器执行，以完成上述网页防篡改的方法，该方法包括：在所述业务服务器的容器节点上部署多个业务POD以及防护POD，所述容器节点为部署在所述业务服务器中的虚拟系统，所述业务POD用于进行业务处理，所述防护POD用于监控篡改防护状态；In an exemplary embodiment, an application program/computer program product is also provided, which includes one or more instructions, and the one or more instructions can be executed by a processor of an electronic device to complete the above-mentioned method for preventing tampering of a webpage, The method includes: deploying a plurality of service PODs and protection PODs on a container node of the service server, where the container node is a virtual system deployed in the service server, the service PODs are used for service processing, and the The protection POD is used to monitor the tamper protection status;

获取所述容器节点中保存的所有镜像目录，并生成禁止修改每个镜像目录下参数的防护策略，其中每个镜像目录对应于一个工作节点。可选地，上述指令还可以由电子设备的处理器执行以完成上述示例性实施例中所涉及的其他步骤。Acquire all image directories stored in the container node, and generate a protection policy that prohibits modification of parameters under each image directory, wherein each image directory corresponds to a working node. Optionally, the above-mentioned instructions may also be executed by the processor of the electronic device to complete other steps involved in the above-mentioned exemplary embodiments.

本领域技术人员可以理解，示意图4仅仅是电子设备300的示例，并不构成对电子设备300的限定，可以包括比图示更多或更少的部件，或者组合某些部件，或者不同的部件，例如电子设备300还可以包括输入输出设备、网络接入设备、总线等。Those skilled in the art can understand that the schematic diagram 4 is only an example of the electronic device 300, and does not constitute a limitation to the electronic device 300, and may include more or less components than the one shown, or combine some components, or different components For example, the electronic device 300 may further include an input and output device, a network access device, a bus, and the like.

所称处理器302可以是中央处理单元(Central Processing Unit，CPU)，还可以是其他通用处理器、数字信号处理器(Digital Signal Processor，DSP)、专用集成电路(Application Specific Integrated Circuit，ASIC)、现场可编程门阵列(Field-Programmable Gate Array，FPGA)或者其他可编程逻辑器件、分立门或者晶体管逻辑器件、分立硬件组件等。通用处理器可以是微处理器或者该处理器302也可以是任何常规的处理器等，处理器302是电子设备300的控制中心，利用各种接口和线路连接整个电子设备300的各个部分。The so-called processor 302 may be a central processing unit (Central Processing Unit, CPU), and may also be other general-purpose processors, digital signal processors (Digital Signal Processors, DSP), application specific integrated circuits (Application Specific Integrated Circuit, ASIC), Field-Programmable Gate Array (FPGA) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, etc. The general-purpose processor can be a microprocessor or the processor 302 can also be any conventional processor, etc. The processor 302 is the control center of the electronic device 300, and uses various interfaces and lines to connect various parts of the entire electronic device 300.

存储器301可用于存储计算机可读指令，处理器302通过运行或执行存储在存储器301内的计算机可读指令或模块，以及调用存储在存储器301内的数据，实现电子设备300的各种功能。存储器301可主要包括存储程序区和存储数据区，其中，存储程序区可存储操作系统、至少一个功能所需的应用程序(比如声音播放功能、图像播放功能等)等；存储数据区可存储根据电子设备300的使用所创建的数据等。此外，存储器301可以包括硬盘、内存、插接式硬盘，智能存储卡(Smart Media Card，SMC)，安全数字(Secure Digital，SD)卡，闪存卡(Flash Card)、至少一个磁盘存储器件、闪存器件、只读存储器(Read-Only Memory，ROM)、随机存取存储器(Random Access Memory，RAM)或其他非易失性/易失性存储器件。The memory 301 can be used to store computer-readable instructions, and the processor 302 implements various functions of the electronic device 300 by running or executing the computer-readable instructions or modules stored in the memory 301 and calling data stored in the memory 301 . The memory 301 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program (such as a sound playback function, an image playback function, etc.) required for at least one function, and the like; Data created by the use of the electronic device 300, and the like. In addition, the memory 301 may include a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a Flash Card (Flash Card), at least one disk storage device, a flash memory device, read-only memory (Read-Only Memory, ROM), random access memory (Random Access Memory, RAM) or other non-volatile/volatile storage devices.

电子设备300集成的模块如果以软件功能模块的形式实现并作为独立的产品销售或使用时，可以存储在一个计算机可读取存储介质中。基于这样的理解，本申请实现上述实施例方法中的全部或部分流程，也可以通过计算机可读指令来指令相关的硬件来完成，的计算机可读指令可存储于一计算机可读存储介质中，该计算机可读指令在被处理器执行时，可实现上述各个方法实施例的步骤。If the modules integrated in the electronic device 300 are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. Based on this understanding, the present application realizes all or part of the processes in the methods of the above embodiments, and can also be completed by instructing relevant hardware through computer-readable instructions, and the computer-readable instructions can be stored in a computer-readable storage medium, The computer-readable instructions, when executed by the processor, can implement the steps of the above-mentioned various method embodiments.

本领域技术人员在考虑说明书及实践这里公开的发明后，将容易想到本申请的其它实施方案。本申请旨在涵盖本申请的任何变型、用途或者适应性变化，这些变型、用途或者适应性变化遵循本申请的一般性原理并包括本申请未公开的本技术领域中的公知常识或惯用技术手段。说明书和实施例仅被视为示例性的，本申请的真正范围和精神由下面的权利要求指出。Other embodiments of the present application will readily occur to those skilled in the art upon consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses or adaptations of this application that follow the general principles of this application and include common knowledge or conventional techniques in the technical field not disclosed in this application . The specification and examples are to be regarded as exemplary only, with the true scope and spirit of the application being indicated by the following claims.

应当理解的是，本申请并不局限于上面已经描述并在附图中示出的精确结构，并且可以在不脱离其范围进行各种修改和改变。本申请的范围仅由所附的权利要求来限制。It is to be understood that the present application is not limited to the precise structures described above and illustrated in the accompanying drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims

1. A method for preventing webpage from being tampered is applied to a business server and comprises the following steps:

deploying a plurality of service PODs and protection PODs on a container node of the service server, wherein the container node is a virtual system deployed in the service server, the service PODs are used for performing service processing, and the protection PODs are used for monitoring tampering protection states;

detecting the operation parameters of each container node in real time, wherein the operation parameters comprise the name of the container node, the name of a mirror image, the ID of the container node, the creation time, the operation state of the container node and the tamper protection state;

and acquiring all mirror image catalogues stored in the container node, and generating a protection strategy for forbidding to modify parameters under each mirror image catalog, wherein each mirror image catalog corresponds to a working node.

2. The method of claim 1, wherein prior to deploying a plurality of service PODs and guard PODs on a container node of the service server, further comprising:

establishing a connection with a client through the protection POD;

creating a management control center, and managing the protection POD by using the management control center, wherein the management comprises displaying the tampering protection state of the container node and the basic information of the container node, and the basic information of the container node comprises the name of the container node, the system name of the container node, the ID of the container node, the mirror image name, the starting parameter of the container node, the creation time of the container node, the operation state of the container node, the port mapping information of the container node and the operation starting and ending time of the container node.

3. The method of claim 2, wherein said managing said protected PODs with said management control center comprises:

sending, with the management control center, the protection policy to a protection POD, and,

and sending the protection strategy to the service POD by using the protection POD.

4. The method of claim 1, wherein after generating the protection policy that prohibits modification of parameters under each image catalog, further comprising:

and utilizing the protection strategy to instruct a kernel protection layer of the container node to prevent any process from modifying any parameter under the mirror directory, wherein the parameter comprises a subdirectory under the mirror directory and a service parameter.

5. The method of claim 1, wherein after generating the protection policy that prohibits modification of parameters under each image catalog, further comprising:

determining the ID of a service server where each container node is located;

and when the ID of the service server where the container node is located is detected to be changed, generating a container node offset message, and sending the container node offset message to a management control center.

6. The method of claim 1, wherein after generating the protection policy that prohibits modification of parameters under each image catalog, further comprising:

acquiring a received service request message;

and detecting malicious fields of the service request message, and if the service request message is determined to have the malicious fields, intercepting the service request message.

7. The method of claim 1, wherein after generating the protection policy that prohibits modification of parameters under each image catalog, further comprising:

if detecting that a new container node exists in the service server, installing and deploying a corresponding protection POD on the new container node; or the like, or, alternatively,

and if detecting that the instruction for deleting the container node is executed in the service server, unloading the protective POD on the container node.

8. A system for preventing webpage tampering is applied to a business server and comprises the following components:

a deployment module configured to deploy a plurality of service PODs and protection PODs on a container node of the service server, where the container node is a virtual system deployed in the service server, the service PODs are used for performing service processing, and the protection PODs are used for monitoring a tamper protection state;

the detection module is configured to detect the operation parameters of each container node in real time, wherein the operation parameters comprise the name of the container node, the name of a mirror image, the ID of the container node, the creation time, the operation state of the container node and the tamper protection state;

and the generating module is configured to acquire all the mirror image catalogues stored in the container node and generate a protection strategy for forbidding to modify parameters under each mirror image catalog, wherein each mirror image catalog corresponds to one working node.

9. An electronic device, comprising:

a memory for storing executable instructions; and the number of the first and second groups,

a processor for executing the executable instructions with the memory to perform the operations of the method of tamper-proofing a web page of any of claims 1-7.

10. A computer-readable storage medium storing computer-readable instructions, wherein the instructions, when executed, perform the operations of the method for webpage tamper resistance of any of claims 1-7.