A vulnerability has been discovered that allows hijacking VPN connections

Linux VPN hack

A few days ago an attack technique (CVE-2019-14899) was disclosed that allows injecting, modifying or replacing packets on TCP connections forwarded through VPN tunnels. The problem affects Linux, FreeBSD, OpenBSD, Android, macOS, iOS and other Unix-like systems.

The method allows replacing packets at the level of TCP connections that pass through the encrypted tunnel, but it does not allow injecting into connections that use additional encryption layers (for example, TLS, HTTPS, SSH). The encryption algorithms used in the VPN do not matter, since the spoofed packets arrive from the external interface, but the kernel processes them as packets from the VPN interface.

The main goal of the attack is to interfere with unencrypted HTTP connections, but using the attack to manipulate DNS responses is not ruled out either.

Successful packet substitution was confirmed for tunnels created with OpenVPN, WireGuard and IKEv2/IPsec. Tor is not affected by the problem, since it uses SOCKS to forward traffic and binds to the loopback interface.

For IPv4, the attack is possible if rp_filter is set to "Loose" mode. The rp_filter mechanism is used for additional verification of packet routes in order to prevent source address spoofing.

  • When set to 0, the source address is not verified and any packet can be forwarded between network interfaces without restriction.
  • Mode 1, "Strict", verifies that every packet arriving from outside complies with the routing table, and if the network interface on which the packet was received is not the one associated with the best route for delivering the reply, the packet is discarded.
  • Mode 2, "Loose", relaxes the check to allow operation when load balancing or asymmetric routing is used, where the reply route need not pass through the network interface on which the incoming packet arrived.

In "Loose" mode, it is still checked that the incoming packet complies with the routing table, but the packet is considered valid if the source address is reachable through any available network interface.
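To make the difference between the modes concrete, here is an added model of the reverse-path decision (an illustration written for this article, not the kernel's code). The routing table, the interface names wlan0/tun0 and the addresses are constructed sample data for a VPN client whose default route goes through the tunnel.

```python
"""Model of the Linux rp_filter modes for a VPN client (added illustration)."""
import ipaddress

# rp_filter modes as documented in the kernel's ip-sysctl
RP_OFF, RP_STRICT, RP_LOOSE = 0, 1, 2

# Constructed routing table: everything goes through the tunnel (tun0),
# only the uplink/VPN-server network is reached via the physical wlan0.
ROUTES = [
    ("0.0.0.0/0", "tun0"),          # default route through the VPN
    ("203.0.113.0/24", "wlan0"),    # local uplink (TEST-NET-3, constructed)
    ("10.8.0.0/24", "tun0"),        # VPN virtual network (constructed)
]


def best_route(dst):
    """Longest-prefix match: outgoing interface for dst, or None if unroutable."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), iface) for net, iface in ROUTES
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rp_filter_accepts(mode, src, in_iface):
    """Reverse-path check for a packet with source src arriving on in_iface."""
    if mode == RP_OFF:
        return True
    reply_iface = best_route(src)
    if mode == RP_STRICT:
        # the reply would have to leave through the interface the packet came in on
        return reply_iface == in_iface
    # RP_LOOSE: any source address that is reachable at all is accepted;
    # with a default route in place this is essentially every address
    return reply_iface is not None


if __name__ == "__main__":
    # A packet claiming to come from a web site (reached via tun0) but
    # arriving on the physical wlan0 interface, as in the attack described.
    for mode, name in ((RP_OFF, "off"), (RP_STRICT, "strict"), (RP_LOOSE, "loose")):
        print(name, "accepts spoofed packet:",
              rp_filter_accepts(mode, "198.51.100.10", "wlan0"))
```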

Carrying out an attack:

First, the attacker must control the gateway through which the user connects to the network (for example, from a MITM position, when the victim connects to a wireless access point controlled by the attacker, or through a compromised router).

By controlling the gateway through which the user connects to the network, the attacker can send spoofed packets that will be perceived in the context of the VPN network interface, while the replies will be sent through the tunnel.

By generating a stream of spoofed packets in which the IP address of the VPN interface is substituted, an attempt is made to influence the connection established by the client, but the effect of these packets can only be observed through passive analysis of the encrypted traffic associated with the tunnel interface.

To carry out the attack, one needs to find out the IP address of the tunnel network interface assigned by the VPN server, and also determine that a connection to a specific host is currently active through the tunnel.

To determine the IP of the VPN's virtual network interface, SYN-ACK packets are sent to the victim's system, iterating sequentially over the entire range of virtual addresses.

Likewise, the existence of a connection to a specific site and the port number on the client side are determined: iterating over port numbers for the user, SYN packets are sent with the source address replaced by that of the website and the destination address set to the VPN's virtual IP.

The server port can be guessed (80 for HTTP), and the client-side port number can be found by brute force, checking for each candidate number whether ACK response activity changes, combined with the absence of packets carrying the RST flag.

At this stage, the attacker knows the four elements of the connection (source IP address/port and destination IP address/port), but to generate a spoofed packet that the victim's system will accept, the attacker must also determine the sequence and acknowledgement numbers (seq and ack) of the TCP connection.

Solution.

Finally, for protection when using tunnels with IPv4 addresses, it is enough to set rp_filter to "Strict" mode:

sysctl -w net.ipv4.conf.all.rp_filter=1
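To check whether a host is actually protected after applying that setting, this added script (not part of the original post) reads the rp_filter values the way the kernel combines them: the effective mode on each interface is the larger of conf/all and conf/<interface>, so setting all=1 does not make an interface strict if its own value is still 2. The /proc-like tree built by make_sample_tree is constructed sample data for running offline.

```python
"""Audit the effective rp_filter mode per interface (added example)."""
import os
import tempfile

MODE_NAMES = {0: "off", 1: "strict", 2: "loose"}


def read_rp_filter(conf_dir, iface):
    with open(os.path.join(conf_dir, iface, "rp_filter")) as f:
        return int(f.read().strip())


def audit_rp_filter(conf_dir="/proc/sys/net/ipv4/conf"):
    """Return {iface: effective_mode}; the kernel uses max(all, iface)."""
    global_mode = read_rp_filter(conf_dir, "all")
    effective = {}
    for iface in sorted(os.listdir(conf_dir)):
        if iface in ("all", "default"):
            continue  # 'default' only seeds interfaces created later
        effective[iface] = max(global_mode, read_rp_filter(conf_dir, iface))
    return effective


def non_strict(effective):
    """Interfaces that would still accept the spoofed packets described above."""
    return [iface for iface, mode in effective.items() if mode != 1]


def make_sample_tree(all_mode, per_iface):
    """Build a constructed /proc-style tree in a temp dir (sample data only)."""
    root = tempfile.mkdtemp()
    for iface, mode in {"all": all_mode, "default": 0, **per_iface}.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "rp_filter"), "w") as f:
            f.write(f"{mode}\n")
    return root


if __name__ == "__main__":
    # Constructed example: a laptop whose wlan0 was left in loose mode.
    tree = make_sample_tree(all_mode=1, per_iface={"wlan0": 2, "tun0": 0})
    result = audit_rp_filter(tree)
    for iface, mode in result.items():
        print(f"{iface}: {MODE_NAMES[mode]}")
    print("still not strict:", non_strict(result))
```

Run it without arguments on a real host to audit /proc/sys/net/ipv4/conf directly; any interface listed by non_strict needs its own net.ipv4.conf.<iface>.rp_filter set to 1 as well.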

On the VPN side, the method used to determine the sequence number can be blocked by adding extra padding to the encrypted packets, making all packets the same size.



  1.   Fernando Tlatilolpa

    An excellent security contribution, especially in these times when security attacks have increased. Thanks and congratulations.