How do you make sure that time does not fall apart when you have millions of large and small devices talking to each other over TCP/IP? After all, each of them has its own clock, and the time has to agree on all of them. This problem cannot be solved without NTP.
Imagine for a minute that in one segment of a company's IT infrastructure the time synchronization services start misbehaving. The enterprise software stack immediately begins to collapse: domains fall apart, masters and standby nodes fail to restore a consistent state.
It is also possible that an attacker deliberately tries to skew the time with a MitM or DDoS attack. In that case anything can happen:
- user account passwords expire;
- X.509 certificates expire;
- TOTP two-factor authentication stops working;
- backups become stale and the system deletes them;
- DNSSEC breaks.
Clearly every IT department has an interest in time synchronization services that work reliably, and it would be good if they were also secure in production use.
Breaking NTP in 25 minutes
Long-lived network protocols share a common fate: they have long been obsolete and no good for some of what we ask of them, yet replacing them is not easy even once a critical mass of supporters and funding has accumulated.
The main complaint about classic NTP is the lack of adequate protection against attackers. Several attempts have been made to fix this. The first was authentication with pre-shared symmetric keys (PSK).
Unfortunately this approach did not pay off, for a simple reason: it does not scale. Each client has to be configured by hand to match the server, so you cannot simply add another client. If anything changes on the NTP server, every client has to be reconfigured.
Then came Autokey, but serious flaws were soon found in the design of the algorithm itself and it had to be abandoned. The problem is that the server seed is only 32 bits, which is far too small: it does not contain enough entropy to resist a brute-force attack.
Autokey appends two fields to each packet:
- Key ID, a 32-bit identifier of the symmetric key;
- MAC (message authentication code) of the NTP packet.
The key is computed as follows:
Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)
where H() is a cryptographic hash function (MD5 in practice).
That key is then used to compute the packet authentication code:
MAC = H(Autokey || NTP packet)
So the integrity of the whole packet rests on the secrecy of the cookie. Once you have it, you can recompute the autokey and forge the MAC. The NTP server, however, uses a secret seed when generating cookies, and that is where the catch is.
Cookie = MSB_32(H(Client-IP || Server-IP || 0 || Server-Seed))
MSB_32 keeps the 32 most significant bits of the MD5 digest. A client's cookie does not change as long as the server parameters stay the same, so the attacker only has to recover the seed once and can then generate cookies for any client.
First, the attacker connects to the NTP server as an ordinary client and receives a cookie. Then the seed is recovered by brute force with the following simple algorithm.
Brute-force search for the server seed:
for i = 0 .. 2^32 - 1 do
  C_i = MSB_32(H(Client-IP || Server-IP || 0 || i))
  if C_i = Cookie then
    return i
  end if
end for
The IP addresses are known, so all that remains is to compute up to 2^32 hashes until a generated cookie matches the one received from the NTP server. On an ordinary workstation with an Intel Core i5 this takes about 25 minutes.
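The derivation and the seed search above, written out as a runnable model. This is an added example, not code from the article: it assumes, as RFC 5906 lays out, that H() is MD5 and that every 32-bit quantity (IPv4 address, the zero key ID, the seed, the cookie) is serialised as a 4-byte big-endian word. The seed range is capped at 2^16 so the demo finishes instantly; the real search covers all 2^32 seeds, which is the "25 minutes" figure. Addresses, seed, key ID and packet bytes are constructed test values.

```python
"""Autokey cookie, key and MAC derivation, and the seed brute force.
Added example; the byte layout (4-byte big-endian words, MD5) is an
assumption taken from RFC 5906, and the seed space is cut to 2**16."""
import hashlib
import ipaddress
import struct
from typing import Optional


def _u32(n: int) -> bytes:
    return struct.pack("!I", n)


def _ip(addr: str) -> bytes:
    return ipaddress.IPv4Address(addr).packed


def server_cookie(client_ip: str, server_ip: str, seed: int) -> int:
    """Cookie = MSB_32(H(client IP || server IP || 0 || server seed))."""
    digest = hashlib.md5(_ip(client_ip) + _ip(server_ip) + _u32(0) + _u32(seed)).digest()
    return struct.unpack("!I", digest[:4])[0]


def autokey(sender_ip: str, receiver_ip: str, key_id: int, cookie: int) -> bytes:
    """Autokey = H(sender IP || receiver IP || key ID || cookie)."""
    return hashlib.md5(_ip(sender_ip) + _ip(receiver_ip) + _u32(key_id) + _u32(cookie)).digest()


def packet_mac(key: bytes, ntp_packet: bytes) -> bytes:
    """MAC = H(Autokey || NTP packet)."""
    return hashlib.md5(key + ntp_packet).digest()


def recover_seed(client_ip: str, server_ip: str, observed_cookie: int,
                 max_seed: int = 2 ** 16) -> Optional[int]:
    """The brute-force loop from the article: try every seed until the cookie matches."""
    for i in range(max_seed):
        if server_cookie(client_ip, server_ip, i) == observed_cookie:
            return i
    return None


def demo(secret_seed: int = 0xBEEF) -> dict:
    """Attacker recovers the seed from its own cookie, then forges a MAC for a
    server->victim packet without ever seeing the victim's cookie."""
    server, attacker, victim = "198.51.100.1", "192.0.2.10", "192.0.2.77"  # constructed
    # 1. The attacker talks to the server as an ordinary client and receives a cookie.
    my_cookie = server_cookie(attacker, server, secret_seed)
    # 2. Offline search over the (reduced) seed space.
    seed = recover_seed(attacker, server, my_cookie)
    # 3. With the seed, any client's cookie, and hence its autokey, can be computed.
    victim_cookie = server_cookie(victim, server, seed)
    key_id = 0x1234  # constructed; the Key ID travels in the clear in every packet
    forged_key = autokey(server, victim, key_id, victim_cookie)
    fake_packet = b"\x24" + b"\x00" * 47  # constructed 48-byte NTPv4 server header
    forged_mac = packet_mac(forged_key, fake_packet)
    # What the legitimate server would have produced for the same packet:
    genuine_key = autokey(server, victim, key_id, server_cookie(victim, server, secret_seed))
    genuine_mac = packet_mac(genuine_key, fake_packet)
    return {"seed": seed, "forged_mac": forged_mac, "genuine_mac": genuine_mac}


if __name__ == "__main__":
    r = demo()
    print(f"recovered seed {r['seed']:#x}; forged MAC valid: {r['forged_mac'] == r['genuine_mac']}")
```

The point of step 3 is the one the article makes: the seed is a single secret shared across all clients, so one cookie leaked to one client breaks authentication for every client of that server.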
NTS - the new Autokey
Holes like these could not be left in Autokey, and in 2012 a new protocol appeared. To avoid tainting the name, it was decided to rename it, so Autokey v2 was christened Network Time Security.
NTS is a security extension for NTP and currently supports only unicast mode. It gives strong cryptographic protection against packet manipulation, prevents snooping, scales well, tolerates network packet loss, and costs the smallest possible amount of synchronization accuracy.
An NTS connection consists of two phases that run over different lower-layer protocols. In the first phase the client and server agree on the various connection parameters and exchange cookies that carry the keys together with all the accompanying data. In the second phase the actual NTS-protected session between the client and the NTP server takes place.

NTS therefore consists of two sub-protocols: NTS Key Establishment (NTS-KE), which runs over a TLS connection, and NTPv4, the current version of NTP, which carries the protected time packets. More on both below.
Phase one - NTS-KE
In this phase the NTP client opens a TLS session over a separate TCP connection to the NTS-KE server (TLS 1.2/1.3 in the drafts of the time; the final RFC 8915 requires TLS 1.3 and uses TCP port 4460 by default). During this session the following happens.
- The parties agree on the algorithm parameters for the second phase (the AEAD algorithm).
- The parties negotiate the lower-layer protocol for the second phase; currently only NTPv4 is supported.
- The parties determine the IP address (or host name) and port of the NTP server.
- The NTS-KE server issues cookies for NTPv4.
- The parties derive two keys (C2S and S2C) from the TLS session's key material via the TLS key exporter; the cookies let the server recover the same keys later without keeping any per-client state.
This approach has a big advantage: the whole burden of transmitting the connection parameters securely falls on the proven TLS protocol, so nobody has to reinvent the wheel for a secure NTP handshake.
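The record layer that this phase carries over TLS, as an added example that is not code from the article or from any NTS implementation. The record format and type numbers are the ones RFC 8915 specifies (a 16-bit type whose top bit marks the record critical, a 16-bit body length, the body; the exchange ends with End of Message). Everything else is constructed: the cookies the "server" hands out, the NTP server name and port it points to, and the fact that both ends run in one process instead of over a TLS connection negotiated with ALPN "ntske/1".

```python
"""NTS-KE records: client request, server reply, client processing.
Added example; record layout and type numbers follow RFC 8915, the
TLS transport is left out, cookies and server details are constructed."""
import struct

CRITICAL = 0x8000
END_OF_MESSAGE, NEXT_PROTOCOL, ERROR, WARNING = 0, 1, 2, 3      # always sent critical
AEAD_ALGORITHM, NEW_COOKIE, NTPV4_SERVER, NTPV4_PORT = 4, 5, 6, 7
PROTO_NTPV4 = 0
AEAD_AES_SIV_CMAC_256 = 15                                      # IANA AEAD registry number
ERR_UNRECOGNIZED_CRITICAL, ERR_BAD_REQUEST = 0, 1
KNOWN = set(range(8))


def record(rtype: int, body: bytes = b"", critical: bool = False) -> bytes:
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body


def u16_list(body: bytes) -> list[int]:
    return list(struct.unpack(f"!{len(body) // 2}H", body))


def parse_records(buf: bytes) -> list[tuple[int, bool, bytes]]:
    """Return (type, critical, body) for every record up to End of Message."""
    out, i = [], 0
    while True:
        if i + 4 > len(buf):
            raise ValueError("stream ended without End of Message")
        word, length = struct.unpack("!HH", buf[i:i + 4])
        body = buf[i + 4:i + 4 + length]
        if len(body) != length:
            raise ValueError("record body runs past end of stream")
        out.append((word & ~CRITICAL, bool(word & CRITICAL), body))
        i += 4 + length
        if word & ~CRITICAL == END_OF_MESSAGE:
            return out


def client_request() -> bytes:
    """What the client sends right after the TLS handshake: the protocol and AEAD it wants."""
    return (record(NEXT_PROTOCOL, struct.pack("!H", PROTO_NTPV4), critical=True)
            + record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256))
            + record(END_OF_MESSAGE, critical=True))


def server_response(request: bytes, cookies: list[bytes], ntp_host: bytes, ntp_port: int) -> bytes:
    """Answer with the offered protocol/AEAD if supported; an empty Next Protocol or
    AEAD record tells the client nothing matched (RFC 8915 4.1.2 / 4.1.5)."""
    recs = parse_records(request)
    if any(crit and t not in KNOWN for t, crit, _ in recs):
        return record(ERROR, struct.pack("!H", ERR_UNRECOGNIZED_CRITICAL), critical=True) + record(END_OF_MESSAGE, critical=True)
    protos = [p for t, _, b in recs if t == NEXT_PROTOCOL for p in u16_list(b)]
    aeads = [a for t, _, b in recs if t == AEAD_ALGORITHM for a in u16_list(b)]
    if not protos:
        return record(ERROR, struct.pack("!H", ERR_BAD_REQUEST), critical=True) + record(END_OF_MESSAGE, critical=True)
    proto = struct.pack("!H", PROTO_NTPV4) if PROTO_NTPV4 in protos else b""
    aead = struct.pack("!H", AEAD_AES_SIV_CMAC_256) if AEAD_AES_SIV_CMAC_256 in aeads else b""
    resp = record(NEXT_PROTOCOL, proto, critical=True) + record(AEAD_ALGORITHM, aead)
    if proto and aead:
        resp += record(NTPV4_SERVER, ntp_host) + record(NTPV4_PORT, struct.pack("!H", ntp_port))
        resp += b"".join(record(NEW_COOKIE, c) for c in cookies)
    return resp + record(END_OF_MESSAGE, critical=True)


def client_process(response: bytes) -> dict:
    """Critical-bit rule: an unknown critical record aborts, an unknown non-critical one is skipped."""
    r = {"protocol": None, "aead": None, "cookies": [], "server": None, "port": 123}
    for rtype, critical, body in parse_records(response):
        if rtype == ERROR:
            raise RuntimeError(f"NTS-KE error code {struct.unpack('!H', body)[0]}")
        if rtype not in KNOWN:
            if critical:
                raise RuntimeError(f"unrecognized critical record type {rtype}")
            continue
        if rtype == NEXT_PROTOCOL:
            r["protocol"] = u16_list(body)
        elif rtype == AEAD_ALGORITHM:
            r["aead"] = u16_list(body)
        elif rtype == NEW_COOKIE:
            r["cookies"].append(body)
        elif rtype == NTPV4_SERVER:
            r["server"] = body.decode("ascii")
        elif rtype == NTPV4_PORT:
            r["port"] = struct.unpack("!H", body)[0]
    if not r["protocol"] or not r["aead"]:
        raise RuntimeError("server supports none of the offered protocols/AEADs")
    return r


def exporter_context(protocol: int, aead: int, s2c: bool) -> bytes:
    """Context the TLS exporter (label "EXPORTER-network-time-security") takes to derive
    C2S (last byte 0x00) and S2C (0x01); 32 bytes each for AEAD_AES_SIV_CMAC_256."""
    return struct.pack("!HHB", protocol, aead, 1 if s2c else 0)
```

The two keys themselves never cross the wire: both sides call the TLS exporter with the context that exporter_context builds, which is why the cookies (which the server later decrypts to recover C2S and S2C) are the only state the client has to carry into phase two.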
Phase two - NTP under NTS protection
In the second phase the client synchronizes securely with the NTP server. To do so it sends four special extension fields in the NTPv4 packet.
- Unique Identifier Extension Field carries a random nonce that prevents replay attacks.
- NTS Cookie Extension Field carries one of the cookies the client holds. Since only the client keeps the C2S and S2C AEAD keys between requests, the NTP server has to recover them from the cookie.
- NTS Cookie Placeholder Extension Field is the client's way of asking the server for more cookies. It matters because it guarantees that the server's response is no longer than the request, which prevents amplification attacks.
- NTS Authenticator and Encrypted Extension Fields Extension Field carries the AEAD output under the C2S key, with the NTP header, the timestamps and the extension fields above as associated data. Without it, the timestamps could be forged.

After receiving the request, the server checks the NTP packet's authenticity. To do that it decrypts the cookie and extracts the AEAD algorithm and the keys. If the packet verifies, the server replies to the client in the following form.
- Unique Identifier Extension Field echoes the client's nonce: the anti-replay measure.
- NTS Cookie Extension Field carries fresh cookies so the session can continue (in the final RFC these are placed inside the encrypted part of the authenticator so that a client's successive requests cannot be linked).
- NTS Authenticator and Encrypted Extension Fields Extension Field carries the AEAD output under the S2C key.
The second exchange can then be repeated many times without going back to phase one, since every request/response pair gives the client fresh cookies. The advantage is that the computationally expensive TLS operations and the transfer of PKI data are amortized over many repeated requests. This is especially convenient for dedicated FPGA timekeepers, where all the heavy lifting of the TLS stack can be offloaded to another device.
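The phase-two exchange modelled end to end, as an added example that is not code from the article or from any NTS implementation: the client request with its four extension fields, the server-side validation, and the authenticated reply. What is real here: the NTPv4 extension-field framing (RFC 7822), the NTS field types and the authenticator body layout (RFC 8915 section 5.6), the associated-data scope (header plus every field before the authenticator), and the rule of one new cookie per placeholder plus one for the cookie spent. What is a stand-in: the standard library has no AES-SIV, so HMAC-SHA256 over nonce||associated data replaces AEAD_AES_SIV_CMAC_256 and nothing is encrypted (the new cookies therefore travel as plain fields, where RFC 8915 puts them inside the encrypted part), and the server's cookie decryption is a dictionary lookup. Keys, cookies and the 48-byte headers are constructed values.

```python
"""NTS-protected NTPv4 request/reply model.  Added example; framing and
field types per RFC 7822 / RFC 8915, AEAD replaced by an HMAC stand-in
(no encryption), cookie decryption replaced by a dict lookup."""
import hashlib
import hmac
import os
import struct

EF_UNIQUE_ID, EF_COOKIE, EF_PLACEHOLDER, EF_AUTH = 0x0104, 0x0204, 0x0304, 0x0404
HDR_LEN = 48

def encode_ef(ef_type: int, body: bytes) -> bytes:
    pad = (-len(body)) % 4                      # length counts the 4-byte EF header and padding
    return struct.pack("!HH", ef_type, 4 + len(body) + pad) + body + b"\0" * pad

def decode_efs(buf: bytes) -> list[tuple[int, bytes, bytes]]:
    """Return (type, body, raw) per field; raw keeps header and padding for the AD."""
    out, i = [], 0
    while i < len(buf):
        t, length = struct.unpack("!HH", buf[i:i + 4]) if i + 4 <= len(buf) else (0, 0)
        if length < 4 or length % 4 or i + length > len(buf):
            raise ValueError("malformed extension field")
        out.append((t, buf[i + 4:i + length], buf[i:i + length]))
        i += length
    return out

def aead_tag(key: bytes, nonce: bytes, assoc: bytes) -> bytes:
    """Stand-in for AEAD_AES_SIV_CMAC_256 with an empty plaintext: authenticate only."""
    return hmac.new(key, nonce + assoc, hashlib.sha256).digest()

def seal(key: bytes, header: bytes, preceding: list[bytes]) -> bytes:
    nonce = os.urandom(16)                      # body: nonce len, ciphertext len, nonce, ciphertext
    tag = aead_tag(key, nonce, header + b"".join(preceding))
    return encode_ef(EF_AUTH, struct.pack("!HH", len(nonce), len(tag)) + nonce + tag)

def open_packet(key: bytes, packet: bytes) -> list[tuple[int, bytes]]:
    """Verify the authenticator and return the (type, body) fields it covers."""
    header, efs = packet[:HDR_LEN], decode_efs(packet[HDR_LEN:])
    idx = next((i for i, ef in enumerate(efs) if ef[0] == EF_AUTH), None)
    if idx is None:
        raise ValueError("no authenticator: unauthenticated packet")
    body = efs[idx][1]
    nlen, clen = struct.unpack("!HH", body[:4])
    nonce, tag = body[4:4 + nlen], body[4 + nlen:4 + nlen + clen]
    assoc = header + b"".join(raw for _, _, raw in efs[:idx])
    if not hmac.compare_digest(tag, aead_tag(key, nonce, assoc)):
        raise ValueError("authenticator check failed")
    return [(t, b) for t, b, _ in efs[:idx]]   # anything after the authenticator is ignored

def client_request(c2s: bytes, cookie: bytes, header: bytes, placeholders: int) -> tuple[bytes, bytes]:
    uid = os.urandom(32)
    efs = [encode_ef(EF_UNIQUE_ID, uid), encode_ef(EF_COOKIE, cookie)]
    efs += [encode_ef(EF_PLACEHOLDER, b"\0" * len(cookie))] * placeholders
    return header + b"".join(efs) + seal(c2s, header, efs), uid

def server_reply(request: bytes, cookie_keys: dict, mint_cookie, header: bytes) -> bytes:
    """Recover C2S/S2C from the cookie, verify the request, answer under S2C."""
    cookies = [b for t, b, _ in decode_efs(request[HDR_LEN:]) if t == EF_COOKIE]
    if len(cookies) != 1 or cookies[0] not in cookie_keys:
        raise ValueError("no usable cookie")    # a real server answers with an NTS NAK kiss code
    c2s, s2c = cookie_keys[cookies[0]]
    fields = open_packet(c2s, request)
    uid = next(b for t, b in fields if t == EF_UNIQUE_ID)
    n_new = 1 + sum(t == EF_PLACEHOLDER for t, _ in fields)
    efs = [encode_ef(EF_UNIQUE_ID, uid)] + [encode_ef(EF_COOKIE, mint_cookie(c2s, s2c)) for _ in range(n_new)]
    reply = header + b"".join(efs) + seal(s2c, header, efs)
    assert len(reply) <= len(request), "placeholders keep the reply no larger than the request"
    return reply

def client_check(s2c: bytes, reply: bytes, expected_uid: bytes) -> list[bytes]:
    fields = open_packet(s2c, reply)
    if expected_uid not in [b for t, b in fields if t == EF_UNIQUE_ID]:
        raise ValueError("unique identifier mismatch: replayed or unsolicited reply")
    return [b for t, b in fields if t == EF_COOKIE]

def demo(placeholders: int = 3) -> dict:
    cookie_keys = {}                            # stand-in for the server's cookie master key

    def mint_cookie(c2s, s2c):
        cookie = os.urandom(32)
        cookie_keys[cookie] = (c2s, s2c)
        return cookie

    c2s, s2c = os.urandom(32), os.urandom(32)
    first = mint_cookie(c2s, s2c)               # issued by NTS-KE in phase one
    request, uid = client_request(c2s, first, b"\x23" + b"\0" * 47, placeholders)  # LI=0 VN=4 mode=3
    reply = server_reply(request, cookie_keys, mint_cookie, b"\x24" + b"\0" * 47)  # mode=4
    new_cookies = client_check(s2c, reply, uid)
    return {"new_cookies": new_cookies, "request": request, "reply": reply, "s2c": s2c, "uid": uid}
```

Two things worth noticing when running it: a placeholder is exactly the size of a cookie, so the reply with placeholders+1 cookies is byte-for-byte the same length as the request (the amplification argument from the list above), and flipping any bit of the reply's header, timestamps included, fails the S2C check because the whole header is associated data.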
NTPSec
What is special about NTP? Although the project's author, Dave Mills, tried to write his code as clearly as possible, it is a rare programmer who can make sense of a time-synchronization daemon built on 35-year-old algorithms. Parts of the code were written before the POSIX era, when the Unix API looked very different from today's. On top of that, cleaning the signal out of the interference on noisy lines requires a knowledge of statistics.
NTS was not the first attempt to fix NTP. Once attackers learned to exploit NTP's weaknesses to amplify DDoS attacks, it became clear that serious changes were needed. While NTS was still being prepared and finalized, at the end of 2014 the US National Science Foundation urgently funded a renovation of NTP.
Leading the working group was none other than Eric Raymond, one of the founders and pillars of the open source community and a well-known author. The first thing Eric and his colleagues tried to do was move the NTP code from BitKeeper to git, but that did not work out. The project lead, Harlan Stenn, opposed the idea and the talks stalled. It was then decided to fork the project's code, and NTPSec was born.
Deep expertise, including work on GPSD, a mathematical background and the black art of reading old code: Eric Raymond is exactly the hacker who could pull a project like this off. The team gained an experienced migration specialist, and in just 10 weeks NTP was on GitLab. The work went fast.
Eric Raymond's team approached the job the way Auguste Rodin approached a block of marble. By cutting away 175 KLOC of old code they shrank the attack surface and closed a number of security holes along the way.
An incomplete list of what was removed:
- Unsupported, obsolete or broken reference clocks.
- The unused ISC library.
- libopts/autogen.
- Old Windows code.
- ntpdc.
- Autokey.
- The ntpq C code, rewritten in Python.
- The sntp/ntpdig C code, rewritten in Python.
Besides cleaning up the code, the project has other work to show. A list of achievements:
- Protection against buffer overflows was improved substantially. All unsafe string functions (strcpy/strcat/strtok/sprintf/vsprintf/gets) were replaced with bounded variants that respect the size of the destination buffer.
- NTS support was added.
- Time resolution improved by an order of magnitude through closer integration with the hardware clock; modern hardware clocks are far more accurate than those of NTP's early days. The main beneficiaries are GPSDO and dedicated time-radio setups.
- The number of programming languages was cut to two. Instead of Perl, awk and even shell scripts, everything is now Python, which opens up more opportunities for code reuse.
- Instead of a tangle of autotools scripts, the project moved to a new build system.
- The documentation was updated and reorganized. Out of a pile of sometimes contradictory documents they built a complete, consistent set. Every command-line switch and every configuration variable now has a single source of truth, and the man pages and web documentation are generated from the same source files.
NTPSec is packaged for a number of Linux distributions. The latest stable release is currently 1.1.8; the Gentoo Linux package lags slightly, as the output below shows.
(1:696)$ sudo emerge -av ntpsec
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-misc/ntpsec-1.1.7-r1::gentoo USE="samba seccomp -debug -doc -early -gdb -heat -libbsd -nist -ntpviz -rclock_arbiter -rclock_generic -rclock_gpsd -rclock_hpgps -rclock_jjy -rclock_local -rclock_modem -rclock_neoclock -rclock_nmea -rclock_oncore -rclock_pps -rclock_shm -rclock_spectracom -rclock_trimble -rclock_truetime -rclock_zyfer -smear -tests" PYTHON_TARGETS="python3_6" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Would you like to merge these packages? [Yes/No]
The modern alternative
There is another attempt to replace the old NTP with a more secure alternative. Chrony, unlike NTPSec, was written from scratch and designed to work reliably under a wide range of conditions, including unstable connections, intermittent network availability or congestion, and temperature changes. In addition, chrony has a few further advantages:
- chrony can synchronize the system clock faster and with better accuracy;
- chrony is smaller, uses less memory, and touches the CPU only when needed, which is a big plus for saving resources and energy;
- chrony supports hardware timestamping on Linux, allowing very precise synchronization on local networks.
On the other hand, chrony lacks some features of classic NTP, such as broadcast and multicast client/server modes, and classic NTP supports a larger number of operating systems and platforms.
To disable the server function and NTP requests to the chronyd process, simply put port 0 in chrony.conf. This is done where there is no need to serve time to NTP clients or peers. Since version 2.0 the NTP server port is opened only when access is granted by the allow directive or command, an NTP peer is configured, or the broadcast directive is used; a bare server install therefore answers nobody until you add an allow line.
The program consists of two parts.
- chronyd is the service that runs in the background. It collects information about the offset between the system clock and external time servers and steers the local clock. It also implements the NTP protocol and can act as a client or a server.
- chronyc is the command-line utility for monitoring and control. It is used to adjust various service parameters, for example adding or removing NTP servers while chronyd keeps running.
Since version 7, Red Hat Enterprise Linux has shipped chrony as the default time synchronization service. Packages exist for other Linux distributions too. The latest stable version is 3.5, with v4.0 in preparation.
(1:712)$ sudo emerge -av chrony
These are the packages that would be merged, in order:
Calculating dependencies... done!
[binary N ] net-misc/chrony-3.5-r2::gentoo USE="adns caps cmdmon ipv6 ntp phc readline refclock rtc seccomp (-html) -libedit -pps (-selinux)" 246 KiB
Total: 1 package (1 new, 1 binary), Size of downloads: 246 KiB
Would you like to merge these packages? [Yes/No]
How to set up a remote time server on the Internet for synchronizing time on an office network: below is an example of setting one up on a VPS.
Example: setting up chrony on RHEL / CentOS on a VPS
Let's now get our hands dirty and set up our own NTP server on a VPS. It is very simple: pick a suitable plan on the RuVDS website, get a ready-made server and type a dozen simple commands. For our purposes this option is quite adequate.

Let's move on to configuring the service, starting by installing the time-keeping package.
[root@server ~]$ yum install chrony
RHEL 8 / CentOS 8 use a different package manager.
[root@server ~]$ dnf install chrony
After installing chrony you need to start and enable the service (the unit is called chronyd, not chrony).
[root@server ~]$ systemctl enable --now chronyd
If you wish, you can edit /etc/chrony.conf and replace the NTP servers with the closest local ones to reduce response time.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
server 2.ru.pool.ntp.org iburst
server 3.ru.pool.ntp.org iburst
Next, we set up the NTP server's own synchronization with nodes from the specified pool.
[root@server ~]$ timedatectl set-ntp true
[root@server ~]$ systemctl restart chronyd.service
You also need to open the NTP port to the outside, otherwise the firewall will block incoming connections from client nodes. Remember as well that chronyd answers NTP clients only from addresses permitted by an allow directive in /etc/chrony.conf, so add one for the office network.
[root@server ~]$ firewall-cmd --add-service=ntp --permanent
[root@server ~]$ firewall-cmd --reload
On the client side it is enough to set the correct time zone.
[root@client ~]$ timedatectl set-timezone Europe/Moscow
The /etc/chrony.conf file then points at the IP or host name of our VPS running the NTP server.
server my.vps.server
Finally, start time synchronization on the client.
[root@client ~]$ systemctl enable --now chronyd
[root@client ~]$ timedatectl set-ntp true
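A chrony.conf pair that completes the walk-through above, added here as an example and not taken from the article: the VPS answers only the office range (without an allow line chronyd serves nobody, as noted in the chrony section), the client opens no server port of its own, and the commented lines show how the same files look once the hosts run chrony 4.0, which adds NTS. The office subnet, host names and certificate paths are placeholders.

```conf
# ---- /etc/chrony.conf on the VPS (server side) ----
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
server 2.ru.pool.ntp.org iburst
server 3.ru.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
# chronyd answers NTP requests only from sources listed here; everything else is dropped.
allow 203.0.113.0/24
# Optional, chrony >= 4.0: serve NTS as well. Needs a TLS certificate valid for the name
# clients use, and the NTS-KE port (TCP 4460) opened in the firewall.
# ntsservercert /etc/pki/tls/certs/my.vps.server.crt
# ntsserverkey  /etc/pki/tls/private/my.vps.server.key
# ntsdumpdir    /var/lib/chrony

# ---- /etc/chrony.conf on an office client ----
server my.vps.server iburst
# chrony >= 4.0 can also authenticate a public NTS server (RFC 8915):
# server time.cloudflare.com iburst nts
# ntsdumpdir /var/lib/chrony
# Pure client: do not open UDP/123 for anyone.
port 0
```

Check the result on the client with chronyc sources -v; on chrony 4.0, chronyc -N authdata shows for each source whether it is NTS-authenticated. If you enable the NTS server lines on the VPS, add firewall-cmd --add-port=4460/tcp --permanent next to the ntp service rule above.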
Next time I will describe the options available for synchronizing time without the Internet.
source: www.habr.com
