Kea 1.6 DHCP server, developed by the ISC consortium, has been published

The ISC consortium has published the release of the Kea 1.6.0 DHCP server, which replaces the classic ISC DHCP. The project's source code is distributed under the Mozilla Public License (MPL) 2.0, instead of the ISC License previously used for ISC DHCP.

The Kea DHCP server is based on BIND 10 and is built using a modular architecture, which means its functionality is split across separate handler processes. The product includes a full-featured server implementation with support for the DHCPv4 and DHCPv6 protocols, capable of replacing ISC DHCP. Kea has built-in tools for dynamically updating DNS zones (Dynamic DNS), and supports mechanisms for server discovery, address assignment, renewal and rebinding, servicing information requests, reserving addresses for hosts, and PXE booting. The DHCPv6 implementation additionally provides prefix delegation. A special API is provided for interaction with external applications. The configuration can be updated on the fly without restarting the server.

Information about assigned addresses and client parameters can be stored in different types of storage: backends are currently provided for storage in CSV files, the MySQL DBMS, Apache Cassandra and PostgreSQL. Host reservation parameters can be specified in a configuration file in JSON format or as a table in MySQL and PostgreSQL. The package includes the perfdhcp tool for measuring DHCP server performance and components for collecting statistics. Kea shows good performance: for example, with the MySQL backend the server can perform 1000 address assignments per second (about 4000 packets per second), and with the memfile backend performance reaches 7500 assignments per second.


Key improvements in Kea 1.6:

  • A configuration backend (CB, Configuration Backend) has been implemented, which allows you to manage the settings of several DHCPv4 and DHCPv6 servers. The backend can be used to store most Kea settings, including global settings, shared networks, subnets, options, pools and option definitions. Instead of keeping all these settings in a local configuration file, they can now be placed in an external database. It is possible to define only some of the settings, rather than all of them, through the CB, overlaying parameters from the external database and from local configuration files (for example, network interface settings can be left in local files).

    Of the DBMSs for storing configuration, only MySQL is currently supported (MySQL, PostgreSQL and Cassandra can be used to store the address assignment databases (leases), and MySQL and PostgreSQL can be used to store host reservations). The configuration in the database can be changed either through direct access to the DBMS or through specially prepared layer libraries that provide a standard set of configuration management commands, such as adding and removing parameters, bindings, DHCP options and subnets;

  • A new handler class "DROP" has been added (all packets associated with the DROP class are dropped immediately), which can be used to discard unwanted traffic, for example, certain types of DHCP messages;
  • New maximum lease time and minimum lease time parameters have been added, which allow the lifetime of an address binding to a client (lease) to be defined not as a hard-coded value, but as an acceptable range;
  • Improved compatibility with devices that do not fully comply with DHCP standards. To work around problems, Kea now sends the DHCPv4 message type information at the beginning of the options list, handles different representations of hostnames, recognizes the transmission of an empty hostname, and allows option codes 0 to 255 to be defined;
  • A separate control socket has been added for the DDNS daemon, through which you can send commands directly and make configuration changes. The following commands are supported: build-report, config-get, config-reload, config-set, config-test, config-write, list-commands, shutdown and version-get;
  • Vulnerabilities have been fixed (CVE-2019-6472, CVE-2019-6473, CVE-2019-6474) that could be used to cause a denial of service (crashing the DHCPv4 and DHCPv6 server handlers) by sending requests with incorrect options and values. The most dangerous issue is CVE-2019-6474, which, when memfile storage is used for bindings, makes it difficult for the server process to restart on its own, so manual intervention by the administrator (cleaning the binding database) is required to restore operation.
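
As an added illustration (not taken from the original article or from the Kea project), the fragment below shows how the DROP class and the lease lifetime range described above could look in a Dhcp4 configuration. The parameter names min-valid-lifetime, valid-lifetime and max-valid-lifetime, the pkt4.msgtype test expression, and all addresses and values are assumptions of this example; Kea's configuration parser accepts the // comments used here.

```json
{
  "Dhcp4": {
    // Lease lifetime as a range instead of one fixed value (seconds,
    // constructed values). A lifetime requested by the client is honoured
    // only inside [min, max]; otherwise the nearest bound is used.
    "min-valid-lifetime": 1800,
    "valid-lifetime": 3600,
    "max-valid-lifetime": 7200,

    "client-classes": [
      {
        // Any packet whose test evaluates to true joins the special DROP
        // class and is discarded before further processing.
        // Message type 8 is DHCPINFORM; chosen here only as a sample of
        // "certain types of DHCP messages".
        "name": "DROP",
        "test": "pkt4.msgtype == 8"
      }
    ],

    "subnet4": [
      {
        // Documentation address range (RFC 5737), constructed for the example.
        "subnet": "192.0.2.0/24",
        "pools": [ { "pool": "192.0.2.10 - 192.0.2.200" } ]
      }
    ]
  }
}
```

Because a DROP test silently discards matching requests, validate a changed expression before loading it and watch the server's packet-drop statistics afterwards to confirm only the intended traffic is affected.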

Source: opennet.ru
