ISC Consortium
The Kea DHCP server is based on BIND 10 and
Information about allocated addresses and client parameters can be kept in different kinds of storage; backends are currently provided for CSV files, the MySQL DBMS, Apache Cassandra and PostgreSQL. Host reservation parameters can be specified in the configuration file in JSON format or as a table in MySQL and PostgreSQL. The project includes the perfdhcp tool for measuring DHCP server performance, as well as statistics collection components. Kea performs well: for example, with the MySQL backend the server can carry out 1000 address allocations per second (roughly 4000 packets per second), and with the memfile backend throughput reaches 7500 allocations per second.
Key changes
- A configuration backend (CB, Configuration Backend) has been implemented, allowing the settings of several DHCPv4 and DHCPv6 servers to be managed centrally. The backend can hold most Kea settings, including global settings, shared networks, subnets, options, pools and option definitions. Instead of keeping all of these settings in a local configuration file, they can now be placed in an external database. It is also possible to define only some settings through the CB rather than all of them, combining parameters from the external database with those in the local configuration files (for example, interface settings can be left in the local files).
For storing the configuration, only MySQL is currently supported as the DBMS (MySQL, PostgreSQL and Cassandra can be used to store allocation data (leases), and MySQL and PostgreSQL can be used to store hosts). The configuration in the database can be changed either by accessing the DBMS directly or through specially prepared hook libraries that provide a standard set of configuration-management commands, such as adding and removing parameters, reservations, DHCP options and subnets;
- A new "DROP" client class has been added (all packets assigned to the DROP class are discarded immediately), which can be used to drop unwanted traffic, for example certain types of DHCP messages;
- New maximum lease time and minimum lease time parameters have been added, which allow the lifetime of the address bound to a client (the lease) to be defined not as a single hard-coded value but as an acceptable range;
- Improved compatibility with devices that do not fully comply with the DHCP standards. To resolve such problems, Kea now sends the DHCPv4 message type option at the beginning of the option list, handles different representations of hostnames, detects the transmission of an empty hostname, and allows option codes 0 to 255 to be defined;
- A separate control socket has been added to the DDNS daemon, through which commands can be sent directly and configuration changes made. The following commands are supported: build-report, config-get, config-reload, config-set, config-test, config-write, list-commands, shutdown and version-get;
- Fixed vulnerabilities (CVE-2019-6472, CVE-2019-6473, CVE-2019-6474) that could be used to cause a denial of service (crashing the DHCPv4 and DHCPv6 server processes) by sending requests with malformed options and values. The most dangerous problem is CVE-2019-6474, which, when memfile storage is used for leases, makes it difficult to restart the server process itself, so manual intervention by the administrator (cleaning the lease database) is required to restore operation.
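To make the configuration-backend, DROP-class and lease-range items above concrete, here is an added kea-dhcp4 configuration example; it is not taken from the article or from ISC's documentation. The interface name, socket path, lease file path, hook library path, server tag, addresses and database credentials are assumed placeholder values that must be adapted to a real deployment, and the `DROP` class here discards DHCPINFORM messages (DHCPv4 message type 8) purely as one illustrative choice of traffic the server is not meant to answer.

```json
{
  "Dhcp4": {
    "interfaces-config": {
      "interfaces": [ "eth0" ]
    },
    "control-socket": {
      "socket-type": "unix",
      "socket-name": "/run/kea/kea4-ctrl-socket"
    },
    "lease-database": {
      "type": "memfile",
      "persist": true,
      "name": "/var/lib/kea/kea-leases4.csv"
    },
    "hooks-libraries": [
      { "library": "/usr/lib/kea/hooks/libdhcp_mysql_cb.so" }
    ],
    "server-tag": "site-a-dhcp4",
    "config-control": {
      "config-databases": [
        {
          "type": "mysql",
          "name": "kea",
          "user": "kea",
          "password": "REPLACE_WITH_REAL_PASSWORD",
          "host": "127.0.0.1"
        }
      ]
    },
    "valid-lifetime": 3600,
    "min-valid-lifetime": 1800,
    "max-valid-lifetime": 7200,
    "client-classes": [
      {
        "name": "DROP",
        "test": "pkt4.msgtype == 8"
      }
    ],
    "subnet4": [
      {
        "subnet": "192.0.2.0/24",
        "pools": [ { "pool": "192.0.2.100 - 192.0.2.200" } ],
        "option-data": [
          { "name": "routers", "data": "192.0.2.1" }
        ]
      }
    ]
  }
}
```

With this file the interface settings stay local while the MySQL configuration database, loaded through the mysql_cb hook library and selected by the server tag, can supply or override subnets, options and other settings for this server. A client's requested lease time is clamped to the 1800 to 7200 second range around the 3600 second default, and packets that match the `DROP` class are discarded before any allocation logic runs, which is the defensive use the release notes describe. Before restarting the daemon, `kea-dhcp4 -t <file>` checks the file for syntax and semantic errors without touching the running server.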
Source: opennet.ru