Title: XNTPD - accurate time synchronization for Linux

KBTAG: kben10000029
URL: http://www.securityportal.com/lskb/10000000/kben10000029.html
Date created: 14/04/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: XNTPD - synchronizing your Linux servers and keeping them in synch
Keywords: Network/Time, Logging, System

Summary:

Keeping computers' clocks accurate may not sound terribly important, but if you need to reconcile log files between machines and the times are off, it can be a horrible task. Additionally, having computers out of synch can lead to hassles when moving files around (this file is newer than the current time!), and there are security implications.

More information:

NTP (Network Time Protocol) is rather simple in its mission: it keeps computers' clocks in synchronization. So what? Try comparing log files from 3 separate servers if their clocks are out of synch by a few minutes. NTP works by a client connecting to a time server, working out the delay between them (on a local LAN it might be only 1-2ms, across the Internet it might be several hundred ms), and then asking for the time and setting its own clock. Additionally, servers can be ‘clustered’ to keep themselves synchronized; the chance of 3 or more servers losing track of what time it is (also called ‘drift’) is relatively low.

The time signal is typically generated by an atomic clock or GPS signal and measured by a computer; these are ‘stratum 1’ time servers. Below them are stratum 2 time servers, which are typically publicly accessible. A company might maintain its own stratum 3 time servers if it has sufficient need, and so on.

The data NTP exchanges is of course not terribly sensitive (it’s a time signal); however, if an attacker were able to tamper with it, all sorts of nastiness could result: log files might be rendered unusable, accounts might be expired early, cron jobs that back up your server might run in prime time causing delays, etc. Thus it is a good idea to run your own time server(s), and set the maximum adjustment they will make to only a few seconds (they shouldn’t drift very much in any case). If you are really paranoid, or have a great number of clients, you should consider buying a GPS time unit.

They come in all shapes and sizes, from a 1U rack mount job that plugs directly into your LAN to ISA and PCI cards that plug into a server and have an antenna. It is a good idea to firewall off your timeserver, as a denial of service attack on it would be detrimental to your network. In addition, if possible you should use the encryption available in ntpd; based on DES, it is generally sufficient to thwart most attackers. NTP runs on port 123 using UDP (and when you connect to servers they will come from port 123 to your port 123), so firewalling it is relatively simple.
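
The exchange described above, as an added example that is not from the original article or from the xntpd source: it parses a 48-byte server reply, works out the delay and offset from the four timestamps, and refuses any reply that would move the clock further than a cap. The function names, the 5-second cap and the sample packets are assumptions constructed for illustration.

```python
import struct

NTP_EPOCH = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MAX_ADJUST = 5.0         # assumed cap in seconds, per "only a few seconds" above

def to_ntp(t):
    """Unix time -> NTP (seconds, fraction) pair in 32.32 fixed point."""
    return int(t) + NTP_EPOCH, int((t % 1) * 2**32)

def to_unix(sec, frac):
    """NTP (seconds, fraction) pair -> Unix time."""
    return sec - NTP_EPOCH + frac / 2**32

def build_reply(stratum, t1, t2, t3):
    """Constructed 48-byte server reply (version 3, mode 4) used as sample input."""
    flags = (0 << 6) | (3 << 3) | 4           # LI=0, VN=3, Mode=4 (server)
    return struct.pack("!BBbb3I8I", flags, stratum, 6, -18, 0, 0, 0,
                       *to_ntp(t3), *to_ntp(t1), *to_ntp(t2), *to_ntp(t3))

def check_reply(packet, t1, t4):
    """Return (offset, delay) in seconds; raise ValueError if the reply
    should not be used to set the clock. t1/t4 are our send/receive times."""
    if len(packet) < 48:
        raise ValueError("short packet")
    f = struct.unpack("!BBbb3I8I", packet[:48])
    if f[0] & 0x7 != 4:
        raise ValueError("not a server-mode reply")
    if not 1 <= f[1] <= 15:
        raise ValueError("unsynchronised or invalid stratum")
    if abs(to_unix(f[9], f[10]) - t1) > 1e-3:
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = to_unix(f[11], f[12]), to_unix(f[13], f[14])
    delay = (t4 - t1) - (t3 - t2)             # round trip minus server hold time
    offset = ((t2 - t1) + (t3 - t4)) / 2      # positive: our clock is behind
    if delay < 0:
        raise ValueError("negative delay")
    if abs(offset) > MAX_ADJUST:
        raise ValueError("offset %.1fs exceeds cap of %.1fs" % (offset, MAX_ADJUST))
    return offset, delay

if __name__ == "__main__":
    t1 = 955670400.0                          # constructed client send time
    good = build_reply(2, t1, t1 + 2.125, t1 + 2.375)
    print(check_reply(good, t1, t1 + 0.5))    # server 2 s ahead, 250 ms round trip
    bad = build_reply(2, t1, t1 + 3600.125, t1 + 3600.375)
    try:
        check_reply(bad, t1, t1 + 0.5)
    except ValueError as e:
        print("rejected:", e)
```

A reply that claims the clock is an hour off is rejected rather than applied, which is the behaviour the maximum-adjustment advice above is meant to produce.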

Downloads:

XNTP is available from: http://www.eecis.udel.edu/~ntp/. There usually are no man pages with ntpd or xntpd (wonderful huh?) but documentation can be found in /usr/doc/ntp-xxx/.

References:

http://www.eecis.udel.edu/~ntp/ntp_spool/html/index.htm