US-12621281-B2 - Extensible server management framework based on reverse connection protocol and operation method thereof and access operating method thereof
Abstract
A server management framework based on a reverse connection protocol according to various embodiments of the present disclosure may include: a user device; an agent installed in a server; and an integrated console, wherein the agent may be configured to request communication connection to the integrated console by a reverse connection protocol according to a command received from the integrated console, the integrated console may be configured to receive an access request to the server from the user device, and transmit an address of a connection socket to the user device and the agent, and the agent may be configured to create a shell, and request communication connection for the address of the connection socket, in response to receiving the address of the connection socket from the integrated console, and the user device and the server may be configured to be communication-connected through the connection socket. Various other embodiments are possible.
Inventors
- Eunyoung Jeong
Assignees
- ALPACAX INC.
Dates
- Publication Date
- 20260505
- Application Date
- 20231219
- Priority Date
- 20221221
Claims (20)
- 1 . A server management framework based on a reverse connection protocol, comprising: a user device; an agent installed in a server; and an integrated console, the integrated console including an authentication module, a reverse connection manager, and a websocket server, wherein the agent is configured to request a communication connection to the integrated console by the reverse connection protocol according to a command received from the integrated console, wherein the integrated console is configured, in response to receiving an access request for the communication connection from the agent, to authenticate a universally unique identifier (UUID) received from the agent and, when the authentication is determined to be valid, to transmit an address of a control socket to the agent so that the communication connection between the integrated console and the agent is established through the control socket, wherein the integrated console is configured, in response to receiving an access request to the server from the user device, to cause the websocket server to generate a single-use and time-limited connection websocket for a session and to transmit an address of the connection websocket to the user device and the agent, wherein the agent is configured, in response to receiving the address of the connection websocket from the integrated console, to create a shell and to request a communication connection to the address of the connection websocket, wherein the user device is configured, in response to receiving the address of the connection websocket from the integrated console, to create a terminal and request a communication connection to the address of the connection websocket, wherein the user device and the server are configured to establish a communication connection therebetween through the connection websocket, and the user device is enabled to control the server in real time through the shell, and wherein the integrated console is configured to provide a server page including a list of registered servers for server management and information of each registered server, and an Identity Access Management (IAM) page for managing user accounts and groups.
- 2 . The server management framework of claim 1 , wherein the address of the connection websocket is defined by a websocket protocol, enabling two-way communication and real-time networking.
- 3 . The server management framework of claim 1 , wherein the command or request transmitted or received between the integrated console and the agent is carried through a REST API or the connection websocket.
- 4 . The server management framework of claim 1 , wherein the agent is configured to establish the communication connection to the integrated console through the control socket, and the address of the connection websocket is transmitted or received through the control socket.
- 5 . The server management framework of claim 1 , wherein the integrated console is further configured to collect system information of the server from the agent through the control socket.
- 6 . An operation method of a server management framework based on a reverse connection protocol, the server management framework comprising a user device, an agent installed in a server, and an integrated console, wherein the agent is configured to request a communication connection to the integrated console by a reverse connection protocol according to a command received from the integrated console, the operation method comprising: receiving, by the integrated console, an access request to the server from the user device; causing, by the integrated console, a websocket server to generate a single-use and time-limited connection websocket for a session and transmitting, through a control socket, an address of the connection websocket to the user device and the agent; creating, by the agent, a shell, and requesting a communication connection from the agent to the address of the connection websocket, in response to receiving the address of the connection websocket from the integrated console, and mediating, by the integrated console, a communication connection between the user device and the server through the connection websocket.
- 7 . The operation method of claim 6 , wherein the address of the connection websocket is defined by a websocket protocol, enabling two-way communication and real-time networking.
- 8 . The operation method of claim 6 , wherein the command and request transmitted or received between the integrated console and the agent is carried through a REST API or the connection websocket.
- 9 . The operation method of claim 6 , further comprising: authenticating, by the integrated console, a universally unique identifier (UUID) received from the agent; transmitting, by the integrated console, an address of a control socket to the agent when the authentication is valid; and establishing, by the agent, the communication connection to the integrated console through the control socket, wherein the address of the connection websocket is transmitted or received through the control socket.
- 10 . The operation method of claim 9 , further comprising: collecting, by the integrated console, system information of the server from the agent through the control socket.
- 11 . The operation method of claim 10 , wherein the system information is collected by an osquery program included in the agent.
- 12 . A server management framework based on a reverse connection protocol, comprising: a user device; an agent installed in a server; and an integrated console, wherein the agent is configured to request a communication connection to the integrated console by a reverse connection protocol according to a command received from the integrated console, wherein the integrated console is configured to determine whether an access of the user device to the server is authorized in response to receiving an access request to the server from the user device, and when it is determined that the access of the user device to the server is authorized, transmit an address of a connection websocket to the user device and the agent, wherein the agent is configured to create a shell and request a communication connection to the address of the connection websocket, in response to receiving the address of the connection websocket from the integrated console, wherein the user device requests a communication connection to the address of the connection websocket, wherein the integrated console mediates a communication connection of the user device and the agent when both the user device and the agent are connected to the connection websocket, wherein the integrated console is configured to receive a sharing request signal for the server from the user device, to create a disposable HTTP URL and a disposable password, and to transmit the disposable HTTP URL and the disposable password to another user device in response to the sharing request, wherein, upon authentication of the disposable password input by accessing the disposable HTTP URL, the integrated console transmits the address of the connection websocket to the other user device, and wherein the other user device is configured to access the address of the connection websocket to share a session of the shell.
- 13 . The server management framework of claim 12 , wherein the command or request transmitted or received between the integrated console and the agent is carried through a REST API or the connection websocket, and the address of the connection websocket is defined by a websocket protocol, enabling two-way communication and real-time networking.
- 14 . The server management framework of claim 12 , wherein, when receiving the address of the connection websocket from the integrated console, the user device and the agent are configured to determine whether the address of the connection websocket is valid, and, when the address of the connection websocket is valid, to access the address of the connection websocket.
- 15 . The server management framework of claim 12 , wherein the integrated console is configured to: receive a file upload request signal to the server from the user device; receive a file from the user device; and transmit a download command signal for the file to the agent, wherein the agent is configured, in response to receiving the download command signal, to transmit a download request signal to the integrated console and to download the file.
- 16 . The server management framework of claim 15 , wherein, upon receiving the file upload request signal to the server from the user device, the integrated console is further configured to determine whether the user device has an upload authority to the server.
- 17 . The server management framework of claim 15 , wherein, when the agent completes downloading of the file, the integrated console is further configured to invalidate the file.
- 18 . The server management framework of claim 12 , wherein, when receiving an authority raising request from the user device connected to the server via the address of the connection websocket, the integrated console retrieves a secondary-level right holder in a group to which the user device belongs, transmits a notification of an authority raising request to a user device of the secondary-level right holder, and adjusts an authority of the user device based on a response signal indicating acceptance or denial from the user device of the secondary-level right holder.
- 19 . The server management framework of claim 12 , wherein the integrated console is configured to: confirm whether the user device has an account for the server; when it is confirmed that the user device does not have the account for the server, create the account for the server by using identity information stored in a database within the integrated console; and mediate the communication connection of the user device and the agent by using the created account.
- 20 . An access method of a server management framework based on a reverse connection protocol, wherein the framework comprises a user device, an agent installed in a server, and an integrated console, and the agent is configured to request a communication connection to the integrated console by the reverse connection protocol according to a command received from the integrated console, the access method comprising: determining, by the integrated console, whether an access of the user device to the server is authorized in response to receiving an access request to the server from the user device; when the access of the user device to the server is authorized, causing, by the integrated console, a websocket server to generate a single-use and time-limited connection websocket for a session and transmitting, through a control socket, an address of the connection websocket to the user device and the agent; creating, by the agent, a shell and requesting a communication connection to the address of the connection websocket, in response to receiving the address of the connection websocket from the integrated console; requesting, by the user device, a communication connection to the address of the connection websocket; and mediating, by the integrated console, a communication connection of the user device and the agent when both the user device and the agent are connected to the connection websocket.
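As an added illustration (not code from the patent or from ALPACAX), a small Python model of the console-side logic in claims 1, 6, 12 and 14: the agent's reverse connection is accepted only for a known UUID, the user's access is authorized before a single-use, time-limited connection address is minted, and both parties must join that address before the console mediates; anything expired, unknown or already consumed is rejected. Class and method names, the `wss://console.example` addresses and the 30-second TTL are assumptions.

```python
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class ConnectionSocket:
    """Constructed model of the single-use, time-limited connection websocket."""
    address: str
    expires_at: float
    joined: set = field(default_factory=set)   # parties attached: "user" / "agent"
    consumed: bool = False


class IntegratedConsole:
    """Hypothetical console: authenticates agents by UUID, authorizes users,
    issues a per-session socket address and mediates the two connections."""

    def __init__(self, known_agent_uuids, acl, ttl_seconds=30.0, clock=time.monotonic):
        self.known_agent_uuids = set(known_agent_uuids)
        self.acl = set(acl)                 # allowed (user, agent_uuid) pairs
        self.ttl = ttl_seconds
        self.clock = clock                  # injectable clock for deterministic tests
        self.control_sockets = {}           # agent_uuid -> control socket address
        self.sockets = {}                   # connection address -> ConnectionSocket

    def agent_connect(self, agent_uuid):
        """Reverse connection: the agent calls in; only a known UUID gets a control socket."""
        if agent_uuid not in self.known_agent_uuids:
            return None
        addr = f"wss://console.example/ctrl/{secrets.token_urlsafe(8)}"
        self.control_sockets[agent_uuid] = addr
        return addr

    def request_access(self, user, agent_uuid):
        """User asks for a server: the agent must be online and the user authorized;
        then one unguessable, time-limited address is minted to hand to both sides."""
        if agent_uuid not in self.control_sockets or (user, agent_uuid) not in self.acl:
            return None
        addr = f"wss://console.example/session/{secrets.token_urlsafe(16)}"
        self.sockets[addr] = ConnectionSocket(addr, self.clock() + self.ttl)
        return addr

    def join(self, addr, party):
        """Called by the user device (terminal) or the agent (shell) with the address.
        Expired, unknown or already-consumed addresses are rejected."""
        sock = self.sockets.get(addr)
        if sock is None or sock.consumed or self.clock() > sock.expires_at:
            return "rejected"
        sock.joined.add(party)
        if sock.joined == {"user", "agent"}:
            sock.consumed = True            # single use: never pairs a second session
            return "mediated"
        return "waiting"
```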
Description
CROSS-REFERENCE TO RELATED APPLICATION
This application claims under 35 U.S.C. § 119(a) the benefit of Korean Patent Application No. 10-2022-0180378 filed on Dec. 21, 2022, and Korean Patent Application No. 10-2022-0180383 filed on Dec. 21, 2022, the entire contents of which are incorporated herein by reference.
BACKGROUND
(a) Technical Field
The present disclosure relates to an extensible server management framework based on a reverse connection protocol, an operation method thereof, and an access operating method thereof.
(b) Background Art
Secure Shell (SSH) has been the standard server connection protocol for approximately 30 years. End-to-end confidentiality and authenticity are guaranteed through an encrypted communication channel, and clients such as OpenSSH and PuTTY are widely used. However, because SSH relies on password- or public-key-based login, it is exposed to brute-force and man-in-the-middle attacks. To mitigate these risks, many studies have introduced additional security measures such as blocking root login, blocking remote access, and changing ports, but these reduce user convenience and work productivity. In SSH, user account and password verification are handled by a Pluggable Authentication Module (PAM). PAM, an integrated UNIX authentication framework, is a module that controls user authentication and authorization for application programs in the system. It is possible to add an authentication method such as Fast Identity Online (FIDO) by replacing the password in PAM, but each such module must implement a Service Programming Interface (SPI) appropriate to it and register that SPI in PAM. In other words, when PAM is used, even a newly developed technology with better convenience and safety is difficult to adopt immediately.
Unlike the past, the current computing environment has become more diverse and infrastructure has grown in size due to cloud computing, IoT, and remote work; as a result, server management is becoming more difficult as security threats increase. When SSH and PAM were designed, their design was appropriate for the scale and security threats of that time, but in the current environment a server access authentication and management method using SSH or PAM may not be efficient. Accordingly, the need is emerging for a new server access method and authentication method that fundamentally replaces the existing server access authentication and management method.
SUMMARY OF THE DISCLOSURE
The present disclosure provides a new server management framework based on a reverse connection protocol that is practical, extensible, and suited to the current computing environment. According to the present disclosure, SSH and PAM are replaced by the reverse connection protocol (e.g., a reverse shell protocol or SSH reverse tunneling), and servers are managed by accessing them through an integrated console, which eases maintenance. Further, web authentication, an identity provider (IDP), multi-factor authentication (MFA), etc., may be flexibly introduced into the authentication method between the web server and the client. Through this, it is possible to design a practical framework that manages large-scale servers safely and more conveniently. Specifically, the present disclosure proposes a server management framework based on a reverse connection protocol that additionally provides a function for sharing the web terminal of a server accessed by a user with other persons for collaboration, a function for detecting and reporting abnormal behavior when it occurs, a function for saving an audit record of work contents, and a function for applying changes to terminal attributes through a REST API.
Technical problems to be achieved in the present disclosure are not limited to the aforementioned technical problems, and other technical problems not described above will be apparent to those skilled in the art from the disclosure below. A server management framework based on a reverse connection protocol according to various embodiments of the present disclosure may include: a user device; an agent installed in a server; and an integrated console, and the agent may be configured to request a communication connection to the integrated console by a reverse connection protocol (e.g., reverse shell or SSH reverse tunneling) according to a command received from the integrated console, the integrated console may be configured to receive an access request to the server from the user device, and transmit an address of a connection socket to the user device and the agent, the agent may be configured to create a shell, and request a communication connection to the address of the connection socket, in response to receiving the address of the connection socket from the integrated console, and the user device and th