SALUAP:  基於用戶位置自動限制使用者帳戶權限之系統

以作者查詢圖書館館藏

、以作者查詢臺灣博碩士

、以作者查詢全國書目

、勘誤回報

、線上人數：52

、訪客IP：3.145.68.120

姓名

林孟玄(Meng-Syuan Lin) 查詢紙本館藏

畢業系所

資訊工程學系

論文名稱

SALUAP: 基於用戶位置自動限制使用者帳戶權限之系統
(SALUAP: A System That Automatically Limits User Account Privileges Based on Users’ Locations)

相關論文

★ USB WORM KILLER: Cure USB Flash Worms Through a USB Flash Worm	★ Discoverer- Rootkit即時偵測系統
★ 一項Android手機上詐騙簡訊的偵測與防禦機制	★ SRA系統防禦ARP欺騙劫持路由器
★ A Solution for Detecting and Defending ARP Spoofing on Virtual Machines	★ 針對遠端緩衝區溢位攻擊之自動化即時反擊系統
★ 即時血清系統: 具攻性防壁之自動化蠕蟲治癒系統	★ DNSPD: Entrap Botnets Through DNS Cache Poisoning Detection
★ TransSQL: A Translation and Validation-based Solution for SQL-Injection Attacks	★ A Spam Mail-based Solution for Botnet Detection and Network Bandwidth Protection
★ Shark: Phishing Information Recycling from Spam Mails	★ FFRTD: Beat Fast-Flux by Response Time Differences
★ Antivirus Software Shield against Antivirus Terminators	★ MAC-YURI : My ACcount, YoUr ResponsIbility
★ KKBB: Kernel Keylogger Bye-Bye	★ CIDP Treatment: An Innovative Mobile Botnet Covert Channel based on Caller IDs with P8 Treatment

檔案

[Endnote RIS 格式]

[Bibtex 格式]

[相關文章]

[文章引用]

[完整記錄]

[館藏目錄]

至系統瀏覽論文 (2029-6-30以後開放)

摘要(中)

在現在的後疫情時代，許多公司開始給員工遠端上班[1]，所以越來越多軟體工程師直接透過SSH連進伺服器，進行軟體開發，或是測試產品，這也意味著很多員工只要有伺服器的IP以及密碼，就可以任意連進伺服器存取裡面的任何檔案，也很容易可以在家拍攝重要的文件，一但攻擊者拿到伺服器的IP以及密碼，伺服器裡頭的檔案很有可能被ransomware進行加密，感染的電腦也可能被spyware竊取到其他內部電腦的密碼，造成嚴重的資料外洩。
而且遠端使用者可能會先連上一台跳板機，再連上目標伺服器，但這會使得目標伺服器只知道來源是跳板機，卻不知道跳板機的來源是外部的遠端使用者還是內部使用者，而且遠端使用者可以透過跳板去存取敏感資料，為了解決這些SSH連線的安全性問題，本文建立在RFAP的架構下，在Linux作業系統中實作了一個更加安全的系統A System That Automatically Limits User Account Privileges Based on Users’ Locations (SALUAP)，透過判定TCP header的資訊，可以根據使用者的位置來判別是否需要開放存取權限。
當遠端使用者透過跳板機連到目標伺服器時，會受到限制，但如果是在公司直接使用跳板機連到目標伺服器，則不會受到限制。這意味著系統只限制外網IP，目標伺服器可以判斷使用者是由外部電腦透過跳板機連到目標伺服器，還是單純從跳板機跳連進目標伺服器。這樣的設計使得內部網絡的正常運作不受影響，同時提升了對於從外部連線進入系統的安全機制，並且系統不再被遠端使用者利用ransomware進行加密，而且就算被spyware竊取到其他內部電腦的密碼，登入到其他內部機器也無法對敏感資料進行存取。

摘要(英)

In the post-pandemic era, many companies have begun allowing employees to work remotely. As a result, an increasing number of software engineers directly access servers via SSH for software development or product testing. This means that employees can easily connect to servers and access any files on them with just the server′s IP and password. It also implies that important documents can be easily photographed at home. If an attacker obtains the server′s IP and password, the files on the server are highly likely to be encrypted by ransomware. Infected computers could also have passwords for other internal computers stolen by spyware, leading to severe data leakage.
Remote users may connect to a target server through a jump server, which means the target server only knows the source is the jump server but not whether the jump server′s source is an external remote user or an internal user. Remote users can access sensitive files through the jump server. To address these SSH connection security issues, this paper builds upon the RFAP architecture and implements a more secure system in the Linux operating system: A System That Automatically Limits User Account Privileges Based on Users’ Locations (SALUAP). By analyzing the TCP header information, the system can determine the user′s location and decide whether to grant access privileges.
When remote users connect to the target server via a jump server, they will face restrictions. However, if they use the jump server from within the company to connect to the target server, they will not be restricted. This means the system only restricts external IPs, allowing the target server to distinguish between external computers connecting through the jump server and straightforward connections from the jump server to the target server. This design ensures that the normal operation of the internal network is not affected while enhancing the security mechanisms for external connections. Consequently, the system is no longer vulnerable to ransomware encryption by remote users. Even if spyware steals passwords for other internal computers, logging into other internal machines will not grant access to sensitive files.

關鍵字(中)

★ 帳戶權限

關鍵字(英)

★ User Account Privileges

論文目次

摘要 i
Abstract iii
目錄 vi
圖目錄 viii
表目錄 x
第1章緒論 1
第2章背景介紹 4
2.1 RFAP 4
2.2 TCP Header 6
第3章相關研究 8
第4章系統架構與實作 10
4.1 設計原則 10
4.2 系統使用情形 10
4.3 系統架構 11
4.4 系統操作流程 12
第5章實驗結果及分析 14
5.1 實驗環境 14
5.2 功能測試 14
5.3 安全測試 22
5.4 效能測試 24
第6章討論 25
6.1 貢獻 25
6.2 研究限制 26
6.3 未來工作 27
第7章結論 28
第8章參考資料 29

參考文獻

[1] Percentage of employees who work from home all or most of the time worldwide from 2015 to 2023. 簡自 https://www.statista.com/statistics/1450450/employees-remote-work-share/
[2] TCP Header. 簡自 https://commons.wikimedia.org/wiki/File:TCP_Header.png
[3] HOW TO KEEP DOCUMENTS SAFE WHILE WORKING REMOTELY。簡自 https://www.whitakerbrothers.com/blogs/news/how-to-keep-documents-safe
[4] Muhammad Fakrullah Kamarudin Shah, Marina Md-Arshad, Adlina Abdul Samad & Fuad A. Ghaleb Faculty of Computing Universiti Teknologi Malaysia, Comparing FTP and SSH Password Brute Force Attack Detection using k-Nearest Neighbour (k-NN) and Decision Tree in Cloud Computing. 簡自 https://www.researchgate.net/publication/371158514_Comparing_FTP_and_SSH_Password_Brute_Force_Attack_Detection_using_k-Nearest_Neighbour_k-NN_and_Decision_Tree_in_Cloud_Computing
[5] Phuong M. Cao, Yuming Wu, Subho S. Banerjee, Justin Azoff, Alexander Withers, Zbigniew T. Kalbarczyk, Ravishankar K. Iyer University of Illinois at Urbana-Champaign, Corelight, National Center for Supercomputing Applications. 簡自 https://www.usenix.org/system/files/nsdi19-cao.pdf
[6] Assigning File Permissions to Specific Users with chmod and setfacl。簡自 https://linuxconfig.org/assigning-file-permissions-to-specific-users-with-chmod-and-setfacl

指導教授

許富皓(Fu-Hau Hsu)

審核日期

2024-7-17

推文