Name |
林孟玄 (Meng-Syuan Lin)
Department |
Department of Computer Science and Information Engineering |
Thesis title |
SALUAP: 基於用戶位置自動限制使用者帳戶權限之系統 (SALUAP: A System That Automatically Limits User Account Privileges Based on Users' Locations)
|
Files |
View the thesis in the system (available after 2029-6-30)
|
Abstract (Chinese) |
In the current post-pandemic era, many companies have begun letting employees work remotely [1], so more and more software engineers connect directly to servers over SSH to develop software or test products. This also means that any employee who has a server's IP and password can connect to it at will and access any file on it, and can easily photograph important documents at home. Once an attacker obtains a server's IP and password, the files on the server are very likely to be encrypted by ransomware, and the infected computer may also have the passwords of other internal computers stolen by spyware, causing serious data leakage.
Moreover, a remote user may first connect to a jump host and then to the target server, but then the target server only knows that the source is the jump host; it cannot tell whether the jump host's own source is an external remote user or an internal user, and the remote user can access sensitive data through the jump host. To solve these SSH connection security problems, this thesis builds on the RFAP architecture and implements, on the Linux operating system, a more secure system, A System That Automatically Limits User Account Privileges Based on Users' Locations (SALUAP), which examines the information in the TCP header to decide, according to the user's location, whether access privileges should be granted.
When a remote user connects to the target server through the jump host, the user is restricted; if the jump host is used from inside the company to connect to the target server, the user is not restricted. In other words, the system only restricts external IPs: the target server can determine whether the user reached it from an external computer via the jump host or simply from the jump host itself. This design leaves the normal operation of the internal network unaffected while strengthening the security mechanism for connections coming from outside; the system can no longer have its files encrypted by ransomware through a remote user, and even if spyware steals the passwords of other internal computers, logging in to those internal machines cannot give access to sensitive data. |
Abstract (English) |
In the post-pandemic era, many companies have begun allowing employees to work remotely. As a result, an increasing number of software engineers directly access servers via SSH for software development or product testing. This means that employees can easily connect to servers and access any files on them with just the server's IP and password. It also implies that important documents can be easily photographed at home. If an attacker obtains the server's IP and password, the files on the server are highly likely to be encrypted by ransomware. Infected computers could also have passwords for other internal computers stolen by spyware, leading to severe data leakage.
Remote users may connect to a target server through a jump server, which means the target server only knows the source is the jump server but not whether the jump server's source is an external remote user or an internal user. Remote users can access sensitive files through the jump server. To address these SSH connection security issues, this paper builds upon the RFAP architecture and implements a more secure system in the Linux operating system: A System That Automatically Limits User Account Privileges Based on Users' Locations (SALUAP). By analyzing the TCP header information, the system can determine the user's location and decide whether to grant access privileges.
When remote users connect to the target server via a jump server, they will face restrictions. However, if they use the jump server from within the company to connect to the target server, they will not be restricted. This means the system only restricts external IPs, allowing the target server to distinguish between external computers connecting through the jump server and straightforward connections from the jump server to the target server. This design ensures that the normal operation of the internal network is not affected while enhancing the security mechanisms for external connections. Consequently, the system is no longer vulnerable to ransomware encryption by remote users. Even if spyware steals passwords for other internal computers, logging into other internal machines will not grant access to sensitive files. |
Keywords (Chinese) |
★ Account privileges |
Keywords (English) |
★ User Account Privileges |
Table of contents |
Abstract (Chinese)
Abstract (English)
Contents
List of figures
List of tables
Chapter 1 Introduction
Chapter 2 Background
2.1 RFAP
2.2 TCP Header
Chapter 3 Related work
Chapter 4 System architecture and implementation
4.1 Design principles
4.2 System usage scenarios
4.3 System architecture
4.4 System operation flow
Chapter 5 Experimental results and analysis
5.1 Experimental environment
5.2 Functional tests
5.3 Security tests
5.4 Performance tests
Chapter 6 Discussion
6.1 Contributions
6.2 Limitations
6.3 Future work
Chapter 7 Conclusion
Chapter 8 References |
References |
[1] Percentage of employees who work from home all or most of the time worldwide from 2015 to 2023. Retrieved from https://www.statista.com/statistics/1450450/employees-remote-work-share/
[2] TCP Header. Retrieved from https://commons.wikimedia.org/wiki/File:TCP_Header.png
[3] How to Keep Documents Safe While Working Remotely. Retrieved from https://www.whitakerbrothers.com/blogs/news/how-to-keep-documents-safe
[4] Muhammad Fakrullah Kamarudin Shah, Marina Md-Arshad, Adlina Abdul Samad and Fuad A. Ghaleb (Faculty of Computing, Universiti Teknologi Malaysia). Comparing FTP and SSH Password Brute Force Attack Detection using k-Nearest Neighbour (k-NN) and Decision Tree in Cloud Computing. Retrieved from https://www.researchgate.net/publication/371158514_Comparing_FTP_and_SSH_Password_Brute_Force_Attack_Detection_using_k-Nearest_Neighbour_k-NN_and_Decision_Tree_in_Cloud_Computing
[5] Phuong M. Cao, Yuming Wu, Subho S. Banerjee, Justin Azoff, Alexander Withers, Zbigniew T. Kalbarczyk and Ravishankar K. Iyer (University of Illinois at Urbana-Champaign, Corelight, National Center for Supercomputing Applications). CAUDIT: Continuous Auditing of SSH Servers To Mitigate Brute-Force Attacks. NSDI 2019. Retrieved from https://www.usenix.org/system/files/nsdi19-cao.pdf
[6] Assigning File Permissions to Specific Users with chmod and setfacl. Retrieved from https://linuxconfig.org/assigning-file-permissions-to-specific-users-with-chmod-and-setfacl |
Advisor |
許富皓 (Fu-Hau Hsu)
|
Approval date |
2024-7-17 |