Looking for a secure time service
Hi all,

I'd like to run a time service like 'xntp' on my firewall machine (Kernel 2.4 w/ iptables, no DMZ) which should be able to

a) connect to public Internet time servers (obviously),
b) do so with a minimum security impact, and
c) send NTP broadcasts to my internal network.

Looking at b), is NTP a wise protocol to use? Are there more secure protocols? If you have some setup tips or sample 'iptables' scripts to share, that'd be fine. And if there's a FAQ for this which I missed, kindly point me to it. Thank you!

Kind regards / Regards

Dipl. Inform. Ralph Seichter
ISC Informatik Service & Consulting GmbH
Tel +49 2241 867-0   mailto:r.seichter@isc-inf.com
Fax +49 2241 867-222 http://www.isc-inf.com/
Firewall it, port 123, UDP. Problem is, spoofing UDP is trivial. Choose a stratum 2 server; there are more of them, and it's more polite. As for time sync, NTP is really your only choice for UNIX. A more secure solution might be to buy your own NTP time server (i.e. one that takes a digital time signal/GPS) to keep it all internal.

Kurt Seifried, seifried@seifried.org
PGP Key ID: 0xAD56E574
Fingerprint: A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://www.seifried.org/

----- Original Message -----
From: Ralph Seichter
To: suse-security@suse.com
Sent: Tuesday, August 28, 2001 7:45 AM
Subject: [suse-security] Looking for a secure time service
I beg your pardon if I say something stupid, but why can't you use a cron task and a small script to do so? I can't see a security problem with that. Once a day should be enough.

jdd
http://www.dodin.net
mailto:jdanield@dodin.net

WHO'S THAT GUY? Help me find it. Russia & South America help needed
http://www.dodin.net/serge/index.html
On Tuesday 28 August 2001 15:45, Ralph Seichter wrote:
> I'd like to run a time service like 'xntp' on my firewall machine (Kernel 2.4 w/ iptables, no DMZ) which should be able to
> If you have some setup tips or sample 'iptables' scripts to share, that'd be fine.
My suggestions are:

iptables entries for NTP:
-------------------------------
iptables -t filter -A INPUT -i <your interface> -m state -p udp -d <your ip> -s <ntp server> --sport 123 --state ESTABLISHED -j ACCEPT
iptables -t filter -A OUTPUT -o <your interface> -m state -p udp -s <your ip> -d <ntp server> --dport 123 --state NEW,ESTABLISHED -j ACCEPT
-------------------------------

This allows (AFAIK) only connections originated from your server, even with UDP.

Entries for the remote server in /etc/ntp.conf:
-------------------------------
server a.b.c.d
restrict a.b.c.d noquery nomodify notrap
-------------------------------

Any comments from the list?

Andreas Baetz
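The rules and ntp.conf lines above cover one server and the client side only; Ralph's requirement c) (broadcasting to the internal LAN) is not in them. The following POSIX sh script is an added example, not code from any of the posters: it generates the complete iptables rule set and an ntp.conf for several servers plus an internal broadcast, and adds a final log-and-drop for any other NTP traffic. Interface names, addresses and the driftfile path are placeholders I chose, not values from the thread. IPT defaults to "echo iptables", so running it only prints the rules; set IPT=iptables and run as root to apply them.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules and an ntp.conf
# for a firewall that syncs from a few public NTP servers and broadcasts time
# to the internal LAN. All interface names and addresses are assumptions.
#
# IPT defaults to "echo iptables" so the rules are printed, not applied.
IPT="${IPT:-echo iptables}"

# ntp_rules EXT_IF EXT_IP INT_IF INT_BCAST SERVER...
# Only the firewall may open NTP conversations, and only to the listed
# servers. Replies are accepted solely as ESTABLISHED conntrack entries, so
# a forged UDP answer is only useful during the short window after one of
# our own queries (conntrack narrows, but does not remove, the spoofing
# problem Kurt mentioned). Broadcasts go out on the internal interface only.
ntp_rules() {
    ext_if=$1; ext_ip=$2; int_if=$3; int_bcast=$4
    shift 4
    for srv in "$@"; do
        $IPT -t filter -A OUTPUT -o "$ext_if" -p udp -s "$ext_ip" -d "$srv" \
            --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
        $IPT -t filter -A INPUT -i "$ext_if" -p udp -s "$srv" -d "$ext_ip" \
            --sport 123 -m state --state ESTABLISHED -j ACCEPT
    done
    # Time broadcasts from the firewall to the internal subnet only.
    $IPT -t filter -A OUTPUT -o "$int_if" -p udp -d "$int_bcast" --dport 123 -j ACCEPT
    # Everything else addressed to our NTP port is logged, then dropped.
    $IPT -t filter -A INPUT -p udp --dport 123 -j LOG --log-prefix "ntp-drop: "
    $IPT -t filter -A INPUT -p udp --dport 123 -j DROP
}

# ntp_conf INT_BCAST SERVER...
# Prints an ntp.conf that ignores every peer by default, talks only to the
# listed servers (which may supply time but not query, modify or trap the
# daemon), and broadcasts to the internal subnet. Driftfile path is assumed.
ntp_conf() {
    bcast=$1; shift
    echo "driftfile /var/lib/ntp/ntp.drift"
    echo "restrict default ignore"
    echo "restrict 127.0.0.1"
    for srv in "$@"; do
        echo "server $srv"
        echo "restrict $srv noquery nomodify notrap"
    done
    echo "broadcast $bcast"
}

# Usage (prints rules; set IPT=iptables and run as root to load them):
#   ntp_rules eth0 192.0.2.1 eth1 10.0.0.255 198.51.100.5 198.51.100.6
#   ntp_conf 10.0.0.255 198.51.100.5 198.51.100.6 > /etc/ntp.conf
```

The rule order matters: the per-server ESTABLISHED accepts are appended before the catch-all LOG/DROP on port 123, so legitimate replies match first and unsolicited NTP packets from any other address are dropped and leave a trace in the kernel log.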