servers/clients/computers/programs/services/webservers need accurate time… they usually get it from time servers that have an atomic clock attached to their USB port. (just guessing)

ping time.google.com
PING time.google.com (216.239.35.4) 56(84) bytes of data.
64 bytes from time2.google.com (216.239.35.4): icmp_seq=1 ttl=46 time=43.5 ms
64 bytes from time2.google.com (216.239.35.4): icmp_seq=2 ttl=46 time=42.8 ms
64 bytes from time2.google.com (216.239.35.4): icmp_seq=3 ttl=46 time=43.3 ms

ping us.pool.ntp.org
PING us.pool.ntp.org (74.6.168.72) 56(84) bytes of data.
64 bytes from t1.time.gq1.yahoo.com (74.6.168.72): icmp_seq=1 ttl=52 time=181 ms
64 bytes from t1.time.gq1.yahoo.com (74.6.168.72): icmp_seq=2 ttl=52 time=191 ms
64 bytes from t1.time.gq1.yahoo.com (74.6.168.72): icmp_seq=3 ttl=52 time=186 ms

ping ru.pool.ntp.org
PING ru.pool.ntp.org (80.240.216.155) 56(84) bytes of data.
64 bytes from bagnikita.com (80.240.216.155): icmp_seq=1 ttl=56 time=69.6 ms
64 bytes from bagnikita.com (80.240.216.155): icmp_seq=2 ttl=56 time=68.4 ms
64 bytes from bagnikita.com (80.240.216.155): icmp_seq=3 ttl=56 time=68.7 ms

ping uk.pool.ntp.org
PING uk.pool.ntp.org (217.114.59.66) 56(84) bytes of data.
64 bytes from ns0.luns.net.uk (217.114.59.66): icmp_seq=1 ttl=53 time=57.5 ms
64 bytes from ns0.luns.net.uk (217.114.59.66): icmp_seq=2 ttl=53 time=57.2 ms

# THIS IS A VERY STRANGE TIME SERVER!?
ping de.pool.ntp.org
PING de.pool.ntp.org (144.76.0.164) 56(84) bytes of data.
64 bytes from server1.sim720.co.uk (144.76.0.164): icmp_seq=1 ttl=58 time=38.8 ms
64 bytes from server1.sim720.co.uk (144.76.0.164): icmp_seq=2 ttl=58 time=38.6 ms
64 bytes from server1.sim720.co.uk (144.76.0.164): icmp_seq=3 ttl=58 time=38.6 ms

but just as with ftp and/or mail and other very old services, security was not really a problem in the early days of the internet.

so i guess NTP needs an overhaul, just as ftp should be replaced by now with sftp (ftp over ssh; works like a charm, all you need server-side is a working ssh server, no additional software = best solution, reduces the amount of software running on the server that needs maintenance/updates).

worst case scenario:

your computer sends a request to sync time to a hacked time server, which sends an evil response that hacks your server (buffer overflow in the ntpd daemon service/ntp client software), installs a virus and demands ransom for all your holiday pictures that are not on swappable external USB backup drives.

bad but not catastrophic:

hacked timeserver tries to send your computer “into the future” (SSL certificates/HTTPS very much depend on accurate times on client and server, or refuse to work)

or:

your server will get used for DDoS

“NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p13 was released on 07 March 2019. It addresses 1 medium-severity security issue in ntpd, and provides 17 non-security bugfixes and 1 other improvements over 4.2.8p12.”

src: https://support.ntp.org/bin/view/Users/MiroslavLichvar (RedHat)
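what a client can do against the “into the future” scenario above: check the reply actually answers our request (origin timestamp echoed back), refuse kiss-o’-death replies, compute the offset the RFC 5905 way and refuse to step the clock by more than ntpd’s 1000 s panic limit. added example, not code from the post or from any NTP implementation; the packets are constructed inline (the server reply is built by a helper, not received from the network):

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PANIC_THRESHOLD = 1000.0        # ntpd's default panic limit: never step the clock by more than 1000 s

def to_ntp(unix_ts):
    """Unix float seconds -> 64-bit NTP timestamp as (seconds, 32-bit fraction)."""
    whole = int(unix_ts)
    return whole + NTP_EPOCH_OFFSET, int((unix_ts - whole) * 2**32)

def from_ntp(secs, frac):
    return secs - NTP_EPOCH_OFFSET + frac / 2**32

def build_request(t1):
    """48-byte NTPv4 client packet (LI=0, VN=4, mode=3); transmit timestamp t1 doubles as a nonce."""
    return struct.pack("!BBBb11I", (4 << 3) | 3, 0, 0, 0, *([0] * 9), *to_ntp(t1))

def build_response(origin_unix, t2, t3, stratum=2):
    """Constructed server reply (mode=4): echoes the origin timestamp, stamps receive t2 / transmit t3."""
    return struct.pack("!BBBb3I2I2I2I2I", (4 << 3) | 4, stratum, 6, -20, 0, 0, 0,
                       *to_ntp(t2), *to_ntp(origin_unix), *to_ntp(t2), *to_ntp(t3))

def evaluate_response(data, t1, t4):
    """Parse a reply to a request sent at t1 and received at t4; return (offset, delay, verdict)."""
    if len(data) != 48:
        return None, None, "bad-length"
    f = struct.unpack("!BBBb3I2I2I2I2I", data)
    mode, stratum = f[0] & 0x7, f[1]
    if mode != 4:
        return None, None, "not-a-server-reply"
    if (f[9], f[10]) != to_ntp(t1):        # reply must echo the exact transmit timestamp we sent
        return None, None, "bogus-origin"
    if stratum == 0:                       # kiss-o'-death: server is refusing or rate-limiting us
        return None, None, "kiss-of-death"
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2   # RFC 5905 clock offset
    delay = (t4 - t1) - (t3 - t2)          # round-trip delay
    if abs(offset) > PANIC_THRESHOLD:      # a hacked server "sending us into the future"
        return offset, delay, "offset-exceeds-panic-threshold"
    return offset, delay, "ok"
```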

how to setup the time servers you trust:

Linux – set timezone and sync time and date with internet timeserver configure ntp

linux -> webserver -> ntpdate returning 1

linux time zones – change timezone

google’s guide:

Configuring Clients

Apple macOS (OS X)

  1. Open System Preferences.
  2. Choose the “Date & Time” panel.
  3. Click the lock to make changes.
  4. Enter your password.
  5. Select “Date & Time”.
  6. In the box next to “Set date and time automatically”, enter time.google.com.

Cisco IOS and NX-OS

router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)# no ntp server
router(config)# ntp server time1.google.com
router(config)# ntp server time2.google.com
router(config)# ntp server time3.google.com
router(config)# ntp server time4.google.com
router(config)# copy running-config startup-config

Google Compute Engine

Although you can use Google Public NTP from Compute Engine, you will get better performance from the private cloud servers, which serve the same time using the same smear. Follow these instructions.

Juniper Junos

NTP is configured at the [edit system ntp] hierarchy level:

system {
    ntp {
        server time1.google.com;
        server time2.google.com;
        server time3.google.com;
        server time4.google.com;
    }
}

Linux (ntpd)

  1. Edit /etc/ntp.conf using your favorite text editor.
  2. Remove or comment out any lines starting with server, to prevent your machine from trying to mix smeared and non-smeared servers.
  3. Add the lines:
    server time1.google.com iburst
    server time2.google.com iburst
    server time3.google.com iburst
    server time4.google.com iburst
    
  4. Restart the NTP daemon using sudo service ntp reload.
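a complete /etc/ntp.conf that follows steps 1–3 and additionally makes sure the daemon answers nobody’s status queries (the classic DDoS amplification vector from the quote above). added example, not google’s or the NTP project’s file; the restrict lines are standard ntpd options, not part of google’s guide:

```conf
# /etc/ntp.conf: client-only config using the four smeared google servers
# (do not mix them with non-smeared pool servers, see step 2)
server time1.google.com iburst
server time2.google.com iburst
server time3.google.com iburst
server time4.google.com iburst

# default for everyone else: kod = answer abusive clients with kiss-o'-death,
# nomodify/notrap = no runtime reconfiguration or traps, nopeer = accept no new peers,
# noquery = no ntpq/ntpdc status queries (this is what stops the amplification abuse)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# localhost may still run ntpq -p to check sync status
restrict 127.0.0.1
restrict ::1
```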

Microsoft Windows

  1. Open the Control Panel.
  2. Click the “Date and Time” icon.
  3. Choose the “Internet Time” tab. (This will not be available if your PC is part of a domain. In that case, it will synchronize time with the domain controller. You can configure the controller to use Google Public NTP.)
  4. Click the “Change settings…” button.
  5. Check the box “Synchronize with an Internet time server”.
  6. Next to “Server:”, enter time.google.com.

Microsoft Windows Server

Follow Microsoft’s instructions to update your registry.

Links:

https://www.golem.de/news/network-time-security-sichere-uhrzeit-uebers-netz-1907-142137.html

Securing Network Time

https://datatracker.ietf.org/meeting/104/materials/slides-104-ntp-ietf-hackathon-network-time-security-nts-01

https://datatracker.ietf.org/wg/ntp/documents/

https://www.f3nws.com/news/record-breaking-atomic-clocks-will-improve-understanding-of-the-earth-a88af64dde0

implementing Ingress and Egress filtering through BCP38

admin