By Kurt Seifried [email protected]
NTP (Network Time Protocol) is rather simple in it’s mission, it keeps computers clocks in synchronization. So what? Try comparing log files from 3 separate servers if their clocks are out of synch by a few minutes. NTP simply works by a client connecting to a time server, working out the delay between them (on a local LAN it might be only 1-2ms, across the internet it might be several hundred ms), and then it asks for the time and sets it’s own clock. Additionally servers can be ‘clustered’ to keep themselves synchronized, the chances of 3 or more servers losing track of what time it is (also called ‘drift’) is relatively low.
The time signal is typically generated by an atomic clock or GPS signal, measured by a computer, these are ‘stratum 1’ time servers, below them are stratum 2 time servers that typically are publicly accessible, a company might maintain it’s own stratum 3 time servers if they have sufficient need, and so on.
The data NTP exchanges is of course not terribly sensitive, it’s a time signal, however if an attacker were able to tamper with it, all sorts of nastiness could result: log files might be rendered unusable, accounts might be expired early, cron jobs that backup your server might run in prime time causing delays, etc. Thus it is a good idea to run your own time server(s), and set the maximum adjustment they will make to only a few seconds (they shouldn’t drift very much in any case). If you are really paranoid, or have a great number of clients you should consider buying a GPS time unit.
They come in all shapes and sizes, from a 1U rack mount job that plugs directly into your LAN to ISA and PCI cards that plug into a server and have an antenna. It is a good idea to firewall off your timeserver, as a denial of service attack on it would be detrimental to your network. In addition to this if possible you should use the encryption available in ntpd, based on DES it is generally sufficient to thwart most attackers. NTP runs on port 123 using udp (and when you connect to servers they will come from port 123 to your port 123), so firewalling it is relatively simple:
ipfwadm -I -a accept -P udp -S 10.0.0.0/8 -D 0.0.0.0/0 123 ipfwadm -I -a accept -P udp -S some.trusted.host -D 0.0.0.0/0 123 ipfwadm -I -a deny -P udp -S 0.0.0.0/0 -D 0.0.0.0/0 123
or
ipchains -A input -p udp -j ACCEPT -s 10.0.0.0/8 -d 0.0.0.0/0 123 ipchains -A input -p udp -j ACCEPT -s some.trusted.host -d 0.0.0.0/0 123 ipchains -A input -p udp -j DENY -s 0.0.0.0/0 -d 0.0.0.0/0 123
XNTP is available from: http://www.eecis.udel.edu/~ntp/. There usually are no man pages with ntpd or xntpd (wonderful huh?) but documentation can be found in /usr/doc/ntp-xxxx/, or at: http://www.eecis.udel.edu/~ntp/ntp_spool/html/index.htm.
ntpdate ships with most distributions as part of xntp.
There is a version of ntp that uses the Linux kernel capability set system time and does not need to run as root (drops privileges once it binds to port 123). Need to find this.
Last updated on 1/9/2001
Copyright Kurt Seifried 2001 [email protected]