The ISC Consortium
The Kea DHCP server is based on BIND 10 and
Information about assigned addresses and client parameters can be stored in different types of storage: backends are currently provided for CSV files, the MySQL DBMS, Apache Cassandra and PostgreSQL. Host reservation parameters can be specified in the configuration file in JSON format or as a table in MySQL and PostgreSQL. The package includes the perfdhcp tool for measuring DHCP server performance and components for collecting statistics. Kea shows good performance: for example, with the MySQL backend the server can perform 1000 address assignments per second (about 4000 packets per second), and with the memfile backend performance reaches 7500 assignments per second.
Key
- A configuration backend (CB, Configuration Backend) has been implemented, allowing you to centrally manage the settings of multiple DHCPv4 and DHCPv6 servers. The backend can be used to store most Kea settings, including global settings, shared networks, subnets, options, pools, and option definitions. Instead of keeping all of these settings in a local configuration file, they can now be placed in an external database. It is possible to define only some of the settings through CB rather than all of them, overlaying parameters from the external database with those from local configuration files (for example, network interface settings can be left in local files).
For storing configuration, only MySQL is currently supported as the DBMS (MySQL, PostgreSQL and Cassandra can be used to store the address assignment (lease) database, and MySQL and PostgreSQL can be used to store host reservations). The configuration in the database can be changed either by accessing the DBMS directly or through specially prepared libraries that provide a standard set of configuration management commands, such as adding and deleting parameters, bindings, DHCP options and subnets;
- A new "DROP" handler class has been added (all packets associated with the DROP class are dropped immediately), which can be used to discard unwanted traffic, for example certain types of DHCP messages;
- New lease time and minimum lease time parameters have been added, allowing you to define the lifetime of an address binding to a client (lease) not as a hard-coded value but as an acceptable range;
- Improved compatibility with devices that do not fully comply with the DHCP standards. To work around the problems, Kea now sends the DHCPv4 message type information at the beginning of the option list, handles different representations of host names, recognizes the transmission of an empty host name, and allows suboption codes 0 through 255 to be defined;
- A separate control socket has been added to the DDNS daemon, through which you can send commands directly and make configuration changes. The following commands are supported: build-report, config-get, config-reload, config-set, config-test, config-write, list-commands, shutdown and version-get;
- Vulnerabilities have been fixed (CVE-2019-6472, CVE-2019-6473, CVE-2019-6474) that could be used to cause a denial of service (crashing the DHCPv4 and DHCPv6 server handlers) by sending requests with incorrect options and values. The most dangerous issue is CVE-2019-6474, which, when memfile storage is used for bindings, makes it difficult for the server process to restart on its own, so manual intervention by the administrator (cleaning the binding database) is required to restore operation.
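
An added example (not part of the original article or the Kea project's code): a defender-side audit of a control socket like the one the DDNS daemon gained, checking the socket's file permissions and which state-changing commands from the list above the daemon advertises. The socket path is a placeholder, and the reply shape (`result` plus an `arguments` list of command names) is an assumption about the `list-commands` response.

```python
import json
import os
import socket
import stat

# Commands from the list above that change daemon state or configuration.
STATE_CHANGING = {"config-set", "config-reload", "config-write", "shutdown"}

def socket_findings(path):
    """Return permission problems for a control socket path (empty list = none found)."""
    findings = []
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        findings.append("not a unix socket")
    if st.st_mode & stat.S_IWOTH:  # write permission is what allows connect()
        findings.append("socket is writable by any local user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings

def send_command(path, command, timeout=5.0):
    """Send one JSON command and return the decoded JSON reply."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(json.dumps({"command": command}).encode())
        buf = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
            try:
                return json.loads(buf)
            except ValueError:
                continue  # reply not complete yet, keep reading
    return json.loads(buf)

def exposed_state_changers(path):
    """List state-changing commands the daemon advertises via list-commands."""
    reply = send_command(path, "list-commands")
    if reply.get("result") != 0:
        raise RuntimeError(f"list-commands failed: {reply}")
    return sorted(STATE_CHANGING & set(reply.get("arguments", [])))

if __name__ == "__main__":
    sock = "/run/kea/kea-ddns-ctrl-socket"  # placeholder: use your configured socket path
    print(socket_findings(sock), exposed_state_changers(sock))
```

Any local account that can write to the socket file can issue every advertised command, so the permission findings and the command list should be read together.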
Source: opennet.ru