How do you make sure the time on a server is correct when you have millions of devices, large and small, talking to each other over TCP/IP? After all, every one of them has a clock, and the time must be correct on all of them. This problem cannot be solved without NTP.
Let's imagine for a moment that one segment of an IT enterprise runs into problems with time synchronization. Immediately a whole set of enterprise applications starts to fail, clusters fall apart, and master and standby nodes fail while trying to restore their state.
It is also possible that an attacker deliberately tries to break time synchronization via MiTM or DDoS. In that case anything can happen:
- user account passwords expire;
- X.509 certificates expire;
- TOTP two-factor authentication stops working;
- backups expire and the system deletes them;
- DNSSEC breaks.
Obviously, every IT department has an interest in the reliable operation of time synchronization services, and it would be good if those services were also reliable and secure for industrial use.
Hacking NTP in 25 minutes
Network protocols from the last millennium share one trait: they were never good at everything, but changing them is hard even when a large group of enthusiasts and funding come together.
The main complaint about classic NTP is the lack of reliable mechanisms for protection against attackers. Various attempts were made to solve this problem. To that end, a pre-shared key (PSK) mechanism with symmetric keys was introduced.
Unfortunately, this approach did not pay off, for a simple reason: it does not scale. Manual configuration is required on the client side for each server. This means you cannot simply add another client. If anything changes on the NTP server, all clients have to be reconfigured.
Then Autokey was devised, but several problems were found in the design of the algorithm itself and it had to be abandoned. The point is that the seed is only 32 bits long, which is too small and does not give enough computational complexity to resist a brute-force attack. Autokey operates with the following values:
- Key ID - a symmetric 32-bit key;
- MAC (message authentication code) - the NTP packet checksum.
The autokey is computed as follows:
Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)
where H() is a cryptographic hash function.
The same function is used to compute the packet checksum:
MAC = H(Autokey || NTP packet)
It turns out that the whole integrity of the packet checksum rests on the secrecy of the cookie. Once you have it, you can recover the autokey and then forge the MAC. The NTP server, however, uses a seed to generate cookies. This is where the catch lies.
Cookie = MSB_32(H(Client IP || Server IP || 0 || Server Seed))
The MSB_32 function takes the 32 most significant bits of the MD5 hash result. A client's cookie does not change as long as the server seed does not change. So an attacker can simply recover the seed and then generate cookies himself.
First, one has to connect to the NTP server as a client and receive a cookie. After that, using brute force, the attacker recovers the seed by following a simple algorithm.
Attack algorithm: computing the seed by brute force.
for i = 0 : 2^32 − 1 do
    Ci = H(Server-IP || Client-IP || 0 || i)
    if Ci = Cookie then
        return i
    end if
end for
The IP addresses are known, so all that remains is to generate 2^32 hashes until the computed cookie matches the one received from the NTP server. On an ordinary home PC with an Intel Core i5 this takes 25 minutes.
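The derivation chain above carried through in Python, as an added example that is not part of the original article or of any NTP implementation. It assumes MD5 as H(), 4-byte big-endian encodings for KeyID, the zero field and the seed, and constructed IP addresses; the point is that the server's check depends on nothing but the cookie, which is itself a function of public addresses and a 32-bit seed.

```python
import hashlib
import hmac
import ipaddress
import struct

def h(*parts):
    """Autokey's H(): classic Autokey uses MD5 (assumption stated in the lead-in)."""
    return hashlib.md5(b"".join(parts)).digest()

def ip_bytes(addr):
    return ipaddress.ip_address(addr).packed

def cookie(client_ip, server_ip, server_seed):
    """Cookie = MSB_32(H(Client IP || Server IP || 0 || Server Seed)): the only secret input is a 32-bit seed."""
    digest = h(ip_bytes(client_ip), ip_bytes(server_ip), struct.pack(">I", 0), struct.pack(">I", server_seed))
    return digest[:4]

def autokey(sender_ip, receiver_ip, key_id, cookie_value):
    """Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)."""
    return h(ip_bytes(sender_ip), ip_bytes(receiver_ip), struct.pack(">I", key_id), cookie_value)

def mac(autokey_value, ntp_packet):
    """MAC = H(Autokey || NTP packet)."""
    return h(autokey_value, ntp_packet)

def server_accepts(server_ip, client_ip, server_seed, key_id, ntp_packet, received_mac):
    """The server's whole check: rebuild the client's cookie from its seed, rebuild the autokey, compare MACs.
    Nothing else enters the check, so any party holding the cookie produces MACs the server accepts."""
    expected = mac(autokey(client_ip, server_ip, key_id, cookie(client_ip, server_ip, server_seed)), ntp_packet)
    return hmac.compare_digest(expected, received_mac)
```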
NTS - the new Autokey
The security holes in Autokey could not be tolerated any longer, and in 2012 a new protocol appeared. To avoid confusion over the name, it was decided to rename it, so Autokey v.2 became Network Time Security.
The NTS protocol is a security extension of NTP and currently supports only unicast mode. It provides strong cryptographic protection against packet spoofing, prevents amplification, scales well, tolerates network packet loss, and adds minimal overhead when establishing the secure connection.
An NTS connection consists of two phases that run over the underlying protocols. In the first phase, the client and server agree on the various connection parameters and exchange cookies containing the keys together with the full set of negotiated parameters. In the second phase, the actual NTS-protected session between the client and the NTP server takes place.

NTS consists of two sub-protocols: Network Time Security Key Exchange (NTS-KE), which establishes a secure connection over TLS, and NTPv4, the new form of the NTP protocol. More about this below.
Phase one - NTS-KE
In this phase, the NTP client initiates a TLS 1.2/1.3 session over a separate TCP connection to the NTS-KE server. The following happens during this phase.
- The parties negotiate the algorithm parameters for the second phase.
- The parties negotiate the second underlying protocol, but currently only NTPv4 is supported.
- The parties negotiate the IP address and port of the NTP server.
- The NTS-KE server issues cookies for NTPv4.
- The parties derive two symmetric keys (C2S and S2C) from the cookie.
The big advantage of this approach is that the entire burden of transferring secret information about the synchronization parameters falls on the proven and trusted TLS protocol. That removes the need to reinvent your own wheel for a secure NTP handshake.
Phase two - NTP under NTS protection
In the second phase, the client securely synchronizes time with the NTP server. For this it sends four special extensions (extension fields, EFs) in the NTPv4 packet structure.
- The Unique Identifier Extension contains a random nonce that prevents replay attacks.
- The NTS Cookie Extension contains one of the NTP cookies available to the client. Since only the client holds the matching C2S and S2C AEAD keys, the NTP server has to extract them from the cookie contents.
- The NTS Cookie Placeholder Extension is the way the client requests additional cookies from the server. This extension is needed so that the NTP server's response is not longer than the request, which helps to avoid amplification attacks.
- The NTS Authenticator and Encrypted Extension Fields Extension contains the AEAD ciphertext under the C2S key, with the NTP header, the timestamps and the EFs listed above as associated data. Without this extension the timestamps could be tampered with.

On receiving a request from the client, the server verifies the authenticity of the NTP packet. To do so it has to unpack the cookie and extract the AEAD algorithm and the keys. After successfully checking that the NTP packet is valid, the server responds to the client as follows.
- The Unique Identifier Extension is a mirror copy of the one in the client's request, an anti-replay measure.
- The NTS Cookie Extension carries more cookies to continue the session.
- The NTS Authenticator and Encrypted Extension Fields Extension contains the AEAD ciphertext under the S2C key.
The second handshake can be repeated many times without going back to the first phase, since every request and response gives the client additional cookies. The benefit is that the computational cost of TLS and the transfer of PKI data are amortized over the number of repeated requests. This is especially convenient for specialized FPGA time keepers, where all the functionality can be placed in a few elements from the symmetric cryptography section, offloading the whole TLS stack to another device.
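The phase-two packet layout described above, as an added example that is not from the article or from any NTS implementation. It assumes the RFC 8915 extension field type numbers, uses a labelled stand-in AEAD (SHA-256 keystream plus an HMAC tag) in place of NTS's AES-SIV, and carries no encrypted EFs; it shows why a change to a timestamp is rejected once the header and the preceding EFs are bound as associated data.

```python
import hashlib, hmac, os, struct

EF_UNIQUE_ID, EF_COOKIE, EF_PLACEHOLDER, EF_AUTH = 0x0104, 0x0204, 0x0304, 0x0404  # RFC 8915 EF types
CLIENT_HEADER = bytes([0x23]) + bytes(47)  # 48-byte NTPv4 client header (LI=0, VN=4, mode=3); TX timestamp at bytes 40..47

def ef(ef_type, value):
    """RFC 7822 extension field: type, total length, value padded to a 4-byte boundary."""
    pad = (-len(value)) % 4
    return struct.pack(">HH", ef_type, 4 + len(value) + pad) + value + bytes(pad)

def parse_efs(blob):
    efs, i = [], 0
    while i + 4 <= len(blob):
        ef_type, length = struct.unpack(">HH", blob[i:i + 4])
        efs.append((ef_type, blob[i + 4:i + length]))
        i += max(length, 4)  # a bogus length < 4 must not loop forever
    return efs

def toy_aead_seal(key, nonce, assoc, plaintext):
    """Constructed stand-in for AES-SIV (not NTS's real AEAD): SHA-256 keystream XOR, HMAC tag over assoc."""
    stream = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(plaintext) // 32 + 1))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return ct + hmac.new(key, nonce + assoc + ct, hashlib.sha256).digest()

def toy_aead_open(key, nonce, assoc, sealed):
    """Plaintext, or None when the tag does not match (header, EFs or ciphertext were altered)."""
    if not hmac.compare_digest(sealed[-32:], hmac.new(key, nonce + assoc + sealed[:-32], hashlib.sha256).digest()):
        return None
    return toy_aead_seal(key, nonce, assoc, sealed[:-32])[:-32]  # XOR with the same keystream decrypts

def build_request(c2s, cookie, placeholders):
    """Client packet: header, Unique Identifier, Cookie, placeholders, then the authenticator over all of it."""
    body = CLIENT_HEADER + ef(EF_UNIQUE_ID, os.urandom(32)) + ef(EF_COOKIE, cookie)
    body += b"".join(ef(EF_PLACEHOLDER, bytes(len(cookie))) for _ in range(placeholders))
    nonce = os.urandom(16)
    sealed = toy_aead_seal(c2s, nonce, body, b"")  # no encrypted EFs in this request
    return body + ef(EF_AUTH, struct.pack(">HH", len(nonce), len(sealed)) + nonce + sealed)

def verify_request(c2s, packet):
    """Server side, after unpacking C2S from the cookie: the authenticator must be last and must verify."""
    efs = parse_efs(packet[48:])
    if not efs or efs[-1][0] != EF_AUTH:
        return False
    auth = efs[-1][1]
    assoc = packet[:len(packet) - 4 - len(auth)]  # header plus every EF before the authenticator
    nonce_len, ct_len = struct.unpack(">HH", auth[:4])
    nonce, sealed = auth[4:4 + nonce_len], auth[4 + nonce_len:4 + nonce_len + ct_len]
    return toy_aead_open(c2s, nonce, assoc, sealed) is not None

def with_shifted_timestamp(packet):
    """An on-path edit of the transmit timestamp (+1 s in NTP 64-bit format); must fail verification."""
    tx = struct.unpack(">Q", packet[40:48])[0] + (1 << 32)
    return packet[:40] + struct.pack(">Q", tx) + packet[48:]
```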
NTPSec
What is so special about NTP? Although the project's author, Dave Mills, tried to write his code as well as he could, few programmers can understand the intricacies of time-keeping algorithms that are 35 years old. Part of the code was written before POSIX existed, and the Unix API of that time was very different from what is used today. On top of that, a knowledge of statistics is needed to extract the signal from a noisy series without distorting it.
NTS was not the first attempt to fix NTP. After attackers learned to use an NTP weakness to amplify DDoS attacks, it became clear that major changes were needed. And while the NTS documents were being prepared and finalized, at the end of 2014 the US National Science Foundation urgently allocated funds to support the rework of NTP.
The working group was led by none other than Eric Raymond, one of the founders and pillars of the Open Source community and author of a well-known book. The first thing Eric and his colleagues tried to do was to move the NTP code from the BitKeeper platform to git, but it did not go that way. The project leader, Harlan Stenn, opposed that decision and the negotiations stalled. So they decided to fork the project's code, and NTPSec was born.
A solid background, including work on GPSD, a mathematical foundation and the magical skill of reading old code: Eric Raymond is exactly the hacker who could start such a project. The team found a migration specialist, and in just 10 weeks NTP was on GitLab. The work was under way.
Eric Raymond's team treated the task the way Auguste Rodin treated stone. By removing 175 KLOC of legacy code, they managed to shrink the attack surface considerably, closing many security holes.
Here is an incomplete list of what was cut from the distribution:
- Undocumented, obsolete, deprecated or broken code.
- The unused ISC library.
- libopts/autogen.
- Old Windows code.
- ntpdc.
- Autokey.
- The ntpq C code, rewritten in Python.
- The sntp/ntpdig C code, rewritten in Python.
Besides cleaning up the code, the project had other goals. Here is a list of what was achieved:
- Protection against buffer overflows was greatly improved. To prevent buffer overflows, all unsafe string functions (strcpy/strcat/strtok/sprintf/vsprintf/gets) were replaced with safe ones that enforce buffer size limits.
- NTS support was added.
- A tenfold improvement in timing precision when physical devices are attached. This is because modern computer clocks have become much more accurate than they were when NTP was born. The main beneficiaries are GPSDO units and dedicated radio time receivers.
- The number of programming languages was reduced to two. Instead of Perl, awk and S scripts, everything is now Python. Thanks to this there are many more opportunities for code reuse.
- Instead of autotools scripts, the project moved to a different build system.
- The documentation was updated and reorganized. Out of contradictory and at times outdated documents they produced simple documentation. Every command-line option and every configuration setting now has a single source of truth. In addition, man pages and web documentation are now generated from the same source files.
NTPSec is available in several Linux distributions. At the moment the latest version is 1.1.8; Gentoo Linux is one release behind.
(1:696)$ sudo emerge -av ntpsec
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-misc/ntpsec-1.1.7-r1::gentoo USE="samba seccomp -debug -doc -early -gdb -heat -libbsd -nist -ntpviz -rclock_arbiter -rclock_generic -rclock_gpsd -rclock_hpgps -rclock_jjy -rclock_local -rclock_modem -rclock_neoclock -rclock_nmea -rclock_oncore -rclock_pps -rclock_shm -rclock_spectracom -rclock_trimble -rclock_truetime -rclock_zyfer -smear -tests" PYTHON_TARGETS="python3_6" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Would you like to merge these packages? [Yes/No]
Chrony
There was another attempt to replace old NTP with a more secure alternative. Chrony, unlike NTPSec, was written from scratch and is designed to work reliably under a variety of conditions, including intermittent network connectivity, limited or congested internet access, and temperature changes. Besides that, chrony has other advantages:
- chrony synchronizes the system clock faster and more accurately;
- chrony is small, uses little memory, and wakes the CPU only when it needs to. This is a big plus for saving resources and power;
- chrony supports hardware timestamping on Linux, allowing very accurate synchronization on local networks.
However, chrony lacks some features of classic NTP, such as broadcast and multicast client/server modes. In addition, classic NTP supports more operating systems and platforms.
To disable the server-side function of answering NTP requests in the chronyd process, just put port 0 in the chrony.conf file. This is done when there is no reason to serve time to NTP clients or peers. Since version 2.0, the NTP server port is opened only if access is enabled with the allow directive or command, or an NTP peer is configured, or the broadcast directive is used.
The program consists of two modules.
- chronyd is a service that runs in the background. It receives information about the difference between the system clock and external time servers and adjusts the local time. It also implements the NTP protocol and can act as a client or a server.
- chronyc is a utility for monitoring and controlling the program. It is used to adjust various service parameters, for example allowing you to add or remove NTP servers while chronyd keeps running.
Since version 7 of RedHat Linux, chrony has been its time synchronization service. The package is also available in other Linux distributions. The latest version is 3.5, and v4.0 is being prepared for release.
(1:712)$ sudo emerge -av chrony
These are the packages that would be merged, in order:
Calculating dependencies... done!
[binary N ] net-misc/chrony-3.5-r2::gentoo USE="adns caps cmdmon ipv6 ntp phc readline refclock rtc seccomp (-html) -libedit -pps (-selinux)" 246 KiB
Total: 1 package (1 new, 1 binary), Size of downloads: 246 KiB
Would you like to merge these packages? [Yes/No]
How to set up your own remote chrony server on the internet to synchronize time on an office network. Below is an example of setting this up on a VPS.
Example: setting up Chrony on RHEL/CentOS on a VPS
Now let's experiment a little and set up our own NTP server on a VPS. It is easy: just pick a suitable plan on the RuVDS site, get a ready server and type a dozen simple commands. For our purposes this approach is just fine.

Let's get on with setting up the service and first install the chrony package.
[root@server ~]$ yum install chrony
RHEL 8 / CentOS 8 uses a different package manager.
[root@server ~]$ dnf install chrony
After installing chrony, you need to enable and start the service.
[root@server ~]$ systemctl enable --now chronyd
If you wish, you can edit /etc/chrony.conf, replacing the NTP servers with ones closer to you to reduce response time.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
server 2.ru.pool.ntp.org iburst
server 3.ru.pool.ntp.org iburst
Next, we set up synchronization of the NTP server with the nodes of the specified pool.
[root@server ~]$ timedatectl set-ntp true
[root@server ~]$ systemctl restart chronyd.service
It is also necessary to open the NTP port to the outside, otherwise the firewall will block incoming connections from client hosts.
[root@server ~]$ firewall-cmd --add-service=ntp --permanent
[root@server ~]$ firewall-cmd --reload
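A server-side /etc/chrony.conf fragment for the VPS, added here as an example (it is not from the article). As the Chrony section notes, chronyd opens the NTP server port only when an allow directive, a peer or a broadcast directive is present, so the firewall rule alone does not make the server answer clients; 192.0.2.0/24 is a placeholder for the office's public address range.

```conf
# Upstream sources, as in the listing above.
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
server 2.ru.pool.ntp.org iburst
server 3.ru.pool.ntp.org iburst

# Without an allow directive chronyd never opens the NTP server port, so the
# firewall-cmd rule is not enough on its own. Placeholder office range:
allow 192.0.2.0/24

# A client-only host would instead switch the server side off entirely:
# port 0
```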
On the client side it is enough to set the correct time zone.
[root@client ~]$ timedatectl set-timezone Europe/Moscow
In /etc/chrony.conf, specify the IP or host name of our VPS running the NTP server.
server my.vps.server
And finally, start time synchronization on the client.
[root@client ~]$ systemctl enable --now chronyd
[root@client ~]$ timedatectl set-ntp true
Another time I will tell you what to do to synchronize time without the internet.
Source: www.habr.com
