Thursday, May 27, 2010

OpenNTPD - Open Network Time Protocol ( ntpd.conf )

When you have many machines to take care of, it is imperative that all of them have the correct time. This is important for your users and for security. People today expect the time displayed on their computer to be correct; we have heard excuses from people who were late to meetings because "the clock on my computer must be off." Time also matters when comparing logs between machines and servers: you need to know that the timestamps on a user's system correspond to those on the firewall and on the mail server. It just makes sense, and if you ever need to write a forensic report it will make your life a lot easier.

The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 as its transport layer. It is designed particularly to resist the effects of variable latency (jitter).
NTP is one of the oldest Internet protocols still in use (since before 1985). NTP was originally designed by Dave Mills of the University of Delaware, who still maintains it, along with a team of volunteers. Wikipedia, Ntp
But there were problems with ntpd...
The development of OpenNTPD was motivated by a combination of issues with current NTP daemons: difficult configuration, complicated and difficult to audit code, and unsuitable licensing. OpenNTPD was designed to solve these problems and make time synchronization accessible to a wider userbase. After a period of development, OpenNTPD first appeared in OpenBSD 3.6. Its first release was announced on November 2, 2004.


OpenNTPD is born

The OpenBSD group has made a more secure implementation called OpenNTPD. OpenNTPD is an attempt by the OpenBSD team to produce an NTP daemon that is secure, simple to security audit, trivial to set up and administer, and has a small memory footprint, while synchronizing the computer's local clock with remote NTP servers with reasonable accuracy.

OpenNTPD is a Unix system daemon implementing the Network Time Protocol to synchronize the local clock of a computer system with remote NTP servers. It is also able to act as an NTP server to NTP-compatible clients.
OpenNTPD is primarily developed by Henning Brauer as part of the OpenBSD project. Its design goals include being secure (non-exploitable), easy to configure, accurate enough for most purposes and with source code that can be distributed under a BSD license. Its portable version, like that of OpenSSH, is developed as a child project which adds the portability code to the OpenBSD version and releases it separately. The portable version is developed by Darren Tucker. Wikipedia, OpenNTPD


Getting Started

We are going to set up a time daemon that gets its time from at least 3 external time servers for accuracy, though you can always add more. Once our server has synced with the time servers, it will allow clients on the internal LAN to sync their time with our OpenNTPD server. You can expect an accuracy of +/- 0.25 seconds.
Setting up OpenNTPD on OpenBSD is as easy as putting the ntpd.conf file in place and starting the daemon. The following text window holds the ntpd.conf file. When you place it in /etc/ntpd.conf it will do the following:
  • Listen on localhost. Use pf to redirect LAN traffic to OpenNTPD.
  • Check the following servers for time: time-a.nist.gov and time-b.nist.gov
  • Query DNS for the time "pool" of servers at: time-a.timefreq.bldrdoc.gov and north-america.pool.ntp.org
#
## Calomel.org  ntpd.conf
#
# Addresses to listen on (ntpd does not listen by default)
listen on 127.0.0.1

# Single server sync 
server time-a.nist.gov
server time-b.nist.gov

# Multi server time sync
servers time-a.timefreq.bldrdoc.gov
servers north-america.pool.ntp.org


Can you explain what single and multi server time sync is?

Single server time sync means the hostname queried runs a single time server; every hostname listed is one more time server OpenNTPD will have access to.
Multi server time sync means the single hostname listed actually points to multiple IP addresses, and each of those addresses runs an ntpd time server. If you do a hostname lookup on time-a.timefreq.bldrdoc.gov it will resolve to at least three (3) time servers:
user@machine: host time-a.timefreq.bldrdoc.gov
time-a.timefreq.bldrdoc.gov has address 132.163.4.101
time-a.timefreq.bldrdoc.gov has address 132.163.4.102
time-a.timefreq.bldrdoc.gov has address 132.163.4.103
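As an added example that is not part of the original page or of OpenNTPD itself, the following Python script parses the three directives used in the ntpd.conf above (listen on, server, servers), counts time sources the way the single/multi server distinction implies, and warns when a file deviates from this page's layout: fewer than three sources, or a listen address other than loopback. MIN_SOURCES, the function names and the warning texts are my own choices; the sample config is the page's own file, embedded so the check runs offline.

```python
import ipaddress

MIN_SOURCES = 3  # the page syncs against at least three external time servers

# Constructed sample: the page's own ntpd.conf, embedded so the check runs offline.
PAGE_CONF = """\
listen on 127.0.0.1
server time-a.nist.gov
server time-b.nist.gov
servers time-a.timefreq.bldrdoc.gov
servers north-america.pool.ntp.org
"""


def parse_ntpd_conf(text):
    """Return (listen_addrs, single_servers, pool_servers) from ntpd.conf text."""
    listen, single, pools = [], [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[:2] == ["listen", "on"] and len(words) > 2:
            listen.append(words[2])
        elif words[0] == "server" and len(words) > 1:
            single.append(words[1])  # one hostname, one time server
        elif words[0] == "servers" and len(words) > 1:
            pools.append(words[1])  # one hostname, several servers via DNS
    return listen, single, pools


def lint_ntpd_conf(text):
    """Return warnings where the file deviates from the page's layout (empty list = fine)."""
    listen, single, pools = parse_ntpd_conf(text)
    warnings = []
    # A 'servers' entry resolves to several addresses at run time; it is counted once here.
    if len(single) + len(pools) < MIN_SOURCES:
        warnings.append("fewer than %d time sources configured" % MIN_SOURCES)
    if not listen:
        warnings.append("no 'listen on' line, so LAN clients cannot sync from this host")
    for addr in listen:
        try:
            loopback = ipaddress.ip_address(addr).is_loopback
        except ValueError:  # '*' (all addresses) or a hostname: cannot confirm loopback
            loopback = False
        if not loopback:
            warnings.append("listen on %s exposes ntpd beyond localhost; the page "
                            "listens on 127.0.0.1 and lets pf redirect LAN clients" % addr)
    return warnings
```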


Running the daemon

You can start the daemon manually by typing "ntpd -s". This starts the OpenNTPD daemon, and the "-s" argument tells it to "set the time immediately at startup if the local clock is off by more than 180 seconds. This allows for large time corrections, eliminating the need to run rdate(8) before starting ntpd."
To start OpenNTPD at boot, add the following line to /etc/rc.conf.local if you have made one, or otherwise to /etc/rc.conf:
ntpd_flags="-s"



You can reduce the power consumption of your firewall and keep track of system temperatures by using Power Management with apmd and the Sensorsd hardware monitor (sensorsd.conf).
