Re: [suse-security] Looking for a secure time service
jdanield@dodin.net wrote:
I beg your pardon if I say something stupid, but why can't you use a cron task and a small script to do so? I can't see a security problem with that. Once a day should be enough.
A time server does a lot more than ask one other host about the current time. There are multiple servers, clock drift, networking lag and much more involved. I want to provide a couple of machines in my internal network with the most accurate time information available from public Stratum 2 time servers (with a reasonable amount of effort and as-low-as-possible security risk). I think a time server on my firewall is the method of choice. A time server in a DMZ would probably be even better, but as I don't use a DMZ yet, I'll go for the firewall.

Kind regards / Regards
Dipl. Inform. Ralph Seichter
ISC Informatik Service & Consulting GmbH
Tel +49 2241 867-0 mailto:r.seichter@isc-inf.com
Fax +49 2241 867-222 http://www.isc-inf.com/
* Ralph Seichter wrote on Wed, Aug 29, 2001 at 09:54 +0200:
jdanield@dodin.net wrote:
I want to provide a couple of machines in my internal network with the most accurate time information available from public Stratum 2 time servers (with a reasonable amount of effort and as-low-as-possible security risk).
You may use three (four, five, ... :)) external time sources and [x]ntp-server. I would set up at least two time servers in the LAN (as backup) and configure both to act as peers. Sample:

    peer ntps1-1.yourlocaldomain.de      # local time peer server
    server ntps1-0.cs.tu-berlin.de       # public time server
    server ntps1-0.uni-erlangen.de       # public time server

don't forget:

    restrict default notrust nomodify
    restrict ntps1-0.cs.tu-berlin.de nomodify
    restrict ntps1-0.uni-erlangen.de nomodify
    #the local addresses are unrestricted (we are ntps1-0)
    restrict ntps1-0.yourlocaldomain.de
    restrict 127.0.0.1
    #trust peer server too:
    restrict ntps1-1.yourlocaldomain.de

[IIRC this was this way :)]
I think a time server on my firewall is the method of choice. A time server in a DMZ would probably be even better, but as I don't use a DMZ yet, I'll go for the firewall.
:) oki! You can MASQ the ntp traffic (port 123->123). I would set up a restricted firewall which allows port 123->123 only to the chosen time servers and which drops all other *->123 packets. If you are not using MASQ I would suggest to drop any other packet to your timeserver (maybe except SSH :)).

oki,

Steffen
--
This message was generated by machine and therefore bears neither signature nor seal.
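As an added example (not code from either poster), the following script audits an ntpd-style ntp.conf for the restrict policy Steffen sketches above: a locked-down "restrict default notrust nomodify", an explicit restrict line for every server and peer so that ntpd is still allowed to trust it, "nomodify" on the public servers, and an entry for 127.0.0.1. It assumes restrict addresses can be compared as plain strings against the server/peer names; the real ntpd resolves hostnames and matches by address and mask, so treat it as a lint pass over the file, not a substitute for ntpq. The two sample configurations are constructed here and reuse the thread's own hostnames.

```python
"""Lint an ntp.conf for the restrict policy described in the thread (added example)."""
from dataclasses import dataclass, field

# Constructed sample following the thread's layout (hostnames are the thread's own).
GOOD_CONF = """\
peer   ntps1-1.yourlocaldomain.de   # local time peer server
server ntps1-0.cs.tu-berlin.de      # public time server
server ntps1-0.uni-erlangen.de      # public time server

restrict default notrust nomodify
restrict ntps1-0.cs.tu-berlin.de nomodify
restrict ntps1-0.uni-erlangen.de nomodify
# the local addresses are unrestricted (we are ntps1-0)
restrict ntps1-0.yourlocaldomain.de
restrict 127.0.0.1
# trust peer server too
restrict ntps1-1.yourlocaldomain.de
"""

# Constructed weak variant: no default policy, one public server with no restrict
# line at all, and the other given notrust by mistake (ntpd will refuse to sync to it).
WEAK_CONF = """\
peer   ntps1-1.yourlocaldomain.de
server ntps1-0.cs.tu-berlin.de
server ntps1-0.uni-erlangen.de
restrict ntps1-0.uni-erlangen.de notrust nomodify
restrict 127.0.0.1
"""


@dataclass
class NtpConfig:
    servers: list = field(default_factory=list)
    peers: list = field(default_factory=list)
    # address -> set of restrict flags; the last line for an address wins.
    # Assumption: addresses are compared as strings (real ntpd matches by
    # resolved address and mask).
    restricts: dict = field(default_factory=dict)


def parse_ntp_conf(text):
    """Collect server, peer and restrict statements; comments and blanks are skipped."""
    cfg = NtpConfig()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword == "server" and args:
            cfg.servers.append(args[0])
        elif keyword == "peer" and args:
            cfg.peers.append(args[0])
        elif keyword == "restrict" and args:
            cfg.restricts[args[0]] = set(args[1:])
    return cfg


def audit(cfg):
    """Return a list of findings; an empty list means the file matches the thread's policy."""
    findings = []
    default = cfg.restricts.get("default")
    if default is None:
        findings.append("missing 'restrict default': any host may modify or be trusted")
    else:
        for flag in ("notrust", "nomodify"):
            if flag not in default:
                findings.append(f"'restrict default' lacks {flag}")
    for host in cfg.servers + cfg.peers:
        flags = cfg.restricts.get(host)
        if flags is None:
            findings.append(f"{host}: no restrict line (inherits default policy)")
            continue
        if "notrust" in flags:
            findings.append(f"{host}: marked notrust, ntpd will not sync to it")
        if host in cfg.servers and "nomodify" not in flags:
            findings.append(f"{host}: public server lacks nomodify")
    if "127.0.0.1" not in cfg.restricts:
        findings.append("127.0.0.1: no restrict line, local ntpq/ntpdc falls under default")
    return findings


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("weak", WEAK_CONF)):
        print(name, audit(parse_ntp_conf(conf)) or ["ok"])
```

Run it against the good sample and it reports nothing; the weak sample yields four findings (no default policy, two hosts without restrict lines, and one public server that can never be trusted because of "notrust").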
participants (2)
- Ralph Seichter
- Steffen Dettmer