Building a local time server
I am trying to install a time server on a local Ubuntu machine, so other servers in my network would sync with it. We have decided to install our own time server, rather than letting each server update from an external server, to minimize the security risk.
- Any ideas what's the best server to install?
- Are there any known security issues?
- Where should the server update from? Is there a well-trusted time server out there?
I would appreciate any help or reference links!
Thanks,
Udi
Some guides I use when setting up NTP networks:
- It is a very good idea to configure at least two time-servers on your network. Set them up as peers (the line "peer [ipaddress]" in the ntp.conf), and if possible give them different external NTP hosts to sync from.
- Configure your clients to use all of your time-servers. In case one goes away, they'll still have good time and won't go out of sync during the outage of the one.
- Use either Autokey or symmetric key crypto between your peer servers.
- Set up appropriate acl lines in your ntp.conf file, allowing the peers to talk to each other, but all other clients only get NTP information and no control data.
The first point is to give your network resilience in the face of internet outages. When the internet connection goes out, your peer servers will maintain a consensus time between themselves and never go out of sync. Which means that your clients will not go out of sync either. If time is important to you, this is a very good thing.
As for the ACL options, setting reasonable defaults will help prevent evil from happening:
restrict default ignore          # deny access to the general internet, just 'cause
                                 # note: 'ignore' also drops the replies from the upstream servers this host polls,
                                 # so each upstream needs its own restrict line (or use "kod nomodify notrap nopeer noquery" as the default instead)
restrict 192.168.0.0 mask 255.255.0.0 nomodify nopeer   # allow restricted access to internal (the 'mask' keyword is required for a network entry)
restrict 192.168.202.202         # allow TimeHost1 full access
restrict 192.168.202.203         # allow TimeHost2 full access
restrict 192.168.200.158 nopeer  # allow the admin workstation to make changes
restrict 127.0.0.1               # added: loopback, so ntpq on the server itself still works under 'default ignore'
This will allow clients the ability to use tools like ntpq to diagnose NTP problems, but won't allow them to change anything.
As for autokey vs. symmetric key, that depends on how robust you want your network. Setting appropriate ACL values should provide resistance to evil, but this would provide an added layer of protection against spoofing. Of the two, autokey is easier to set up, but symmetric is newer and more robust.
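To see what a set of restrict lines actually grants to a given source address, here is an added Python example (it is not part of the answer above and not code from the ntp distribution) that evaluates restrict entries the way ntpd does: the entry with the most specific matching mask decides the flags. It uses the answer's addresses, written with the `mask` keyword that ntpd's restrict syntax requires for a network entry; 192.168.5.10 is assumed as an ordinary LAN client and 203.0.113.10 is a documentation address standing in for an external upstream server. It shows two things the prose does not: under `restrict default ignore`, the replies from the upstream servers the host polls and the queries from 127.0.0.1 are dropped as well, unless each gets its own restrict line.

```python
"""Evaluate ntpd 'restrict' lines: for each source address the entry with the
most specific matching mask decides the flags that apply to its packets."""
import ipaddress

# Constructed sample: the restrict lines from the answer above, with the
# 'mask' keyword that ntpd's restrict syntax requires for a network entry.
SAMPLE_RESTRICT = """
restrict default ignore
restrict 192.168.0.0 mask 255.255.0.0 nomodify nopeer
restrict 192.168.202.202
restrict 192.168.202.203
restrict 192.168.200.158 nopeer
"""

# Flags this evaluator understands (the ntpd names).
KNOWN_FLAGS = {"ignore", "kod", "limited", "nomodify", "nopeer",
               "noquery", "noserve", "notrap", "notrust"}


def parse_restrict(text):
    """Return a list of (network, flags) from ntp.conf-style restrict lines."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        if parts[1] == "default":                     # default == 0.0.0.0 mask 0.0.0.0
            net, rest = ipaddress.ip_network("0.0.0.0/0"), parts[2:]
        elif len(parts) >= 4 and parts[2] == "mask":  # network entry
            net = ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
            rest = parts[4:]
        else:                                         # single host entry (/32)
            net, rest = ipaddress.ip_network(parts[1]), parts[2:]
        unknown = [f for f in rest if f not in KNOWN_FLAGS]
        if unknown:
            raise ValueError(f"unknown restrict flag(s) {unknown} in: {line}")
        rules.append((net, frozenset(rest)))
    return rules


def flags_for(rules, source):
    """Flags ntpd applies to a packet from `source` (longest mask wins)."""
    ip = ipaddress.ip_address(source)
    best = None
    for net, flags in rules:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else frozenset()


def permissions(flags):
    """What a source with these flags may do, per the ntpd access-control flags."""
    if "ignore" in flags:                  # every packet dropped, server replies included
        return {"time": False, "query": False, "modify": False, "peer": False}
    return {
        "time":   "noserve" not in flags,   # be served time
        "query":  "noquery" not in flags,   # read-only ntpq/ntpdc queries
        "modify": "nomodify" not in flags,  # runtime reconfiguration via ntpq
        "peer":   "nopeer" not in flags,    # mobilise a new association with us
    }


if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_RESTRICT)
    # Assumed addresses: a LAN client and a placeholder for an upstream server.
    for who, addr in [("LAN client", "192.168.5.10"),
                      ("TimeHost2 (peer)", "192.168.202.203"),
                      ("admin workstation", "192.168.200.158"),
                      ("local ntpq", "127.0.0.1"),
                      ("upstream reply (placeholder)", "203.0.113.10")]:
        f = flags_for(rules, addr)
        print(f"{who:30} {addr:16} {sorted(f) or ['(none)']} -> {permissions(f)}")
```

Run it as a script and it prints, for each source, the winning flags and what they allow; the last two rows are the ones to fix before deploying a `default ignore` policy. For the symmetric-key option mentioned in the answer, the peer line on TimeHost1 becomes `peer 192.168.202.203 key 1` alongside `keys /etc/ntp.keys` and `trustedkey 1`, with both hosts holding the same `1 MD5 <secret>` line in their keys file; the path and key id here are assumptions, the line format is ntpd's.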
The standard ntp (may also be ntp-server or ntp-simple) package on any physical Linux machine is fine. Don't use a VM.
Many people will claim that there's information leakage when others can know what time you have; however, many other services leak the time, and you get a benefit when all logs are synchronised in case of any issues. The default Debian configuration prevents remote users from doing anything but time synchronisation and is enough.
As for what to update from, pool.ntp.org is the answer; use the appropriate pool for your country if possible. This is also almost always the default configuration for Linux ntp packages.