servers/clients/computers/programs/services/webservers need accurate time… they usually get it from time servers that have an atomic clock attached to their USB port. (just guessing)

ping time.google.com
PING time.google.com (216.239.35.4) 56(84) bytes of data.
64 bytes from time2.google.com (216.239.35.4): icmp_seq=1 ttl=46 time=43.5 ms
64 bytes from time2.google.com (216.239.35.4): icmp_seq=2 ttl=46 time=42.8 ms
64 bytes from time2.google.com (216.239.35.4): icmp_seq=3 ttl=46 time=43.3 ms

ping us.pool.ntp.org
PING us.pool.ntp.org (74.6.168.72) 56(84) bytes of data.
64 bytes from t1.time.gq1.yahoo.com (74.6.168.72): icmp_seq=1 ttl=52 time=181 ms
64 bytes from t1.time.gq1.yahoo.com (74.6.168.72): icmp_seq=2 ttl=52 time=191 ms
64 bytes from t1.time.gq1.yahoo.com (74.6.168.72): icmp_seq=3 ttl=52 time=186 ms

ping ru.pool.ntp.org
PING ru.pool.ntp.org (80.240.216.155) 56(84) bytes of data.
64 bytes from bagnikita.com (80.240.216.155): icmp_seq=1 ttl=56 time=69.6 ms
64 bytes from bagnikita.com (80.240.216.155): icmp_seq=2 ttl=56 time=68.4 ms
64 bytes from bagnikita.com (80.240.216.155): icmp_seq=3 ttl=56 time=68.7 ms

ping uk.pool.ntp.org
PING uk.pool.ntp.org (217.114.59.66) 56(84) bytes of data.
64 bytes from ns0.luns.net.uk (217.114.59.66): icmp_seq=1 ttl=53 time=57.5 ms
64 bytes from ns0.luns.net.uk (217.114.59.66): icmp_seq=2 ttl=53 time=57.2 ms

# THIS IS A VERY STRANGE TIME SERVER!?
ping de.pool.ntp.org
PING de.pool.ntp.org (144.76.0.164) 56(84) bytes of data.
64 bytes from server1.sim720.co.uk (144.76.0.164): icmp_seq=1 ttl=58 time=38.8 ms
64 bytes from server1.sim720.co.uk (144.76.0.164): icmp_seq=2 ttl=58 time=38.6 ms
64 bytes from server1.sim720.co.uk (144.76.0.164): icmp_seq=3 ttl=58 time=38.6 ms

but just as with ftp and/or mail and other very old services, security was not really a problem in the early days of the internet.

so i guess NTP needs an overhaul, just as ftp should be replaced by now with sftp (ftp over ssh, works like a charm, all you need server-side is a working ssh-server, no additional software = best solution, reduce amount of software running on server that needs maintenance/updates).

worst case scenario:

your computer sends a request to sync time to a hacked time server, which sends an evil response that hacks your server (buffer overflow in the ntpd daemon service/ntp client software), installs a virus and demands ransom for all your holiday pictures that are not on swappable external USB backup drives.

bad but not catastrophic:

a hacked timeserver tries to send your computer „into the future“ (SSL certificates/HTTPS very much depend on accurate time on client and server, or they refuse to work)

or:

your server will get used for DDoS

„NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.

ntp-4.2.8p13 was released on 07 March 2019. It addresses 1 medium-severity security issue in ntpd, and provides 17 non-security bugfixes and 1 other improvements over 4.2.8p12.“

src: https://support.ntp.org/bin/view/Users/MiroslavLichvar (RedHat)
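For the „into the future“ scenario above, a client can refuse a reply that would step its clock too far. This is an added example, not code from ntpd or from the original post: it parses the 48-byte NTP header, checks that the reply echoes the request's timestamp, and rejects offsets above a limit. The 1000-second limit is an assumption modelled on ntpd's default panic threshold, and the sample replies are constructed.

```python
import struct

NTP_DELTA = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)
PANIC_SECONDS = 1000.0   # assumption: modelled on ntpd's default panic threshold

def to_unix(seconds, fraction):
    return seconds - NTP_DELTA + fraction / 2**32

def parse_reply(packet):
    """Decode the fields a client needs from a 48-byte NTP header."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    flags, stratum = struct.unpack("!BB", packet[:2])
    org_s, org_f, rx_s, rx_f, tx_s, tx_f = struct.unpack("!6I", packet[24:48])
    return {"leap": flags >> 6, "mode": flags & 7, "stratum": stratum,
            "originate": (org_s, org_f),
            "receive": to_unix(rx_s, rx_f), "transmit": to_unix(tx_s, tx_f)}

def check_reply(packet, sent_origin, t1, t4, max_step=PANIC_SECONDS):
    """Return (accepted, reason, offset); t1/t4 are local send/receive times."""
    r = parse_reply(packet)
    if r["mode"] != 4:
        return False, "not a server reply", None
    if r["leap"] == 3 or not 1 <= r["stratum"] <= 15:
        return False, "server unsynchronized", None
    # The server must echo the transmit timestamp we sent; off-path spoofers cannot.
    if r["originate"] != sent_origin:
        return False, "originate timestamp mismatch", None
    offset = ((r["receive"] - t1) + (r["transmit"] - t4)) / 2
    if abs(offset) > max_step:
        return False, "offset exceeds panic threshold", offset
    return True, "ok", offset

def build_reply(origin, server_unix, stratum=2):
    """Constructed sample reply (LI=0, VN=4, mode=4); not captured traffic."""
    s = int(server_unix) + NTP_DELTA
    return struct.pack("!BB22x6I", 0x24, stratum, *origin, s, 0, s, 0)

if __name__ == "__main__":
    origin, t1 = (0xE8D4A510, 0x12345678), 1_700_000_000.0
    for label, server_time in (("honest", t1), ("ten years ahead", t1 + 315_360_000)):
        print(label, check_reply(build_reply(origin, server_time), origin, t1, t1 + 0.05))
```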

how to set up the time servers you trust:

Linux – set timezone and sync time and date with internet timeserver configure ntp

linux -> webserver -> ntpdate returning 1

linux time zones – change timezone

google’s guide:

Configuring Clients

Apple macOS (OS X)

  1. Open System Preferences.
  2. Choose the „Date & Time“ panel.
  3. Click the lock to make changes.
  4. Enter your password.
  5. Select „Date & Time“.
  6. In the box next to „Set date and time automatically“, enter time.google.com.

Cisco IOS and NX-OS


router# config t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)# no ntp server
router(config)# ntp server time1.google.com
router(config)# ntp server time2.google.com
router(config)# ntp server time3.google.com
router(config)# ntp server time4.google.com
router(config)# copy running-config startup-config

Google Compute Engine

Although you can use Google Public NTP from Compute Engine, you will get better performance from the private cloud servers, which serve the same time using the same smear. Follow these instructions.

Juniper Junos

NTP is configured at the [edit system ntp] hierarchy level:


system {
    ntp {
        server time1.google.com;
        server time2.google.com;
        server time3.google.com;
        server time4.google.com;
    }
}

Linux (ntpd)

  1. Edit /etc/ntp.conf using your favorite text editor.

  2. Remove or comment out any lines starting with server, to prevent your machine from trying to mix smeared and non-smeared servers.

  3. Add the lines:

    server time1.google.com iburst
    server time2.google.com iburst
    server time3.google.com iburst
    server time4.google.com iburst

  4. Restart the NTP daemon using sudo service ntp reload.
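A check for the ntpd steps above, as an added example that is not part of Google's guide or the original post: it reads the text of an ntp.conf and reports server lines left over next to the smeared Google servers. As an assumption beyond the guide, it also flags a `restrict default` line without `noquery`, the ntpd option that stops the daemon answering the status queries abused for DDoS amplification. The sample configuration is constructed.

```python
import re

# Hostnames of Google Public NTP, which serves leap-smeared time.
SMEARED = re.compile(r"^time[1-4]?\.google\.com\.?$", re.IGNORECASE)

def audit_ntp_conf(text):
    """Return a list of findings for the contents of an ntp.conf file."""
    sources, defaults, findings = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2:
            continue
        if fields[0] in ("server", "pool", "peer"):
            if not fields[1].startswith("127.127."):   # skip local reference clocks
                sources.append((lineno, fields[1]))
        elif fields[0] == "restrict" and "default" in fields[1:]:
            defaults.append((lineno, set(fields[1:])))

    if any(SMEARED.match(host) for _, host in sources):
        for lineno, host in sources:
            if not SMEARED.match(host):
                findings.append(f"line {lineno}: {host} is mixed with smeared Google servers")
    if not sources:
        findings.append("no time source configured")
    if not defaults:
        findings.append("no 'restrict default' line: status queries are not restricted")
    for lineno, flags in defaults:
        if not flags & {"noquery", "ignore"}:
            findings.append(f"line {lineno}: 'restrict default' lacks noquery")
    return findings

# Constructed sample: one pool server left in place next to a Google server.
MIXED_CONF = """\
server de.pool.ntp.org iburst
server time1.google.com iburst
restrict default nomodify notrap
"""

if __name__ == "__main__":
    for finding in audit_ntp_conf(MIXED_CONF):
        print(finding)
```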

Microsoft Windows

  1. Open the Control Panel.
  2. Click the „Date and Time“ icon.
  3. Choose the „Internet Time“ tab. (This will not be available if your PC is part of a domain. In that case, it will synchronize time with the domain controller. You can configure the controller to use Google Public NTP.)
  4. Click the „Change settings…“ button.
  5. Check the box „Synchronize with an Internet time server“.
  6. Next to „Server:“, enter time.google.com.

Microsoft Windows Server

Follow Microsoft’s instructions to update your registry.

Links:

https://www.golem.de/news/network-time-security-sichere-uhrzeit-uebers-netz-1907-142137.html

Securing Network Time

https://datatracker.ietf.org/meeting/104/materials/slides-104-ntp-ietf-hackathon-network-time-security-nts-01

https://datatracker.ietf.org/wg/ntp/documents/

https://www.f3nws.com/news/record-breaking-atomic-clocks-will-improve-understanding-of-the-earth-a88af64dde0

implementing Ingress and Egress filtering through BCP38
