-
NTP internal server?
I am looking to implement an 'internal' NTP server (preferably freeware)
on a Win 2003 server so that I can broadcast NTP across Windows, Unix and
AS400 servers.
Has anyone been successful in doing this and can recommend a utility to me
please?
Access to NTP externally is not permitted.
Thank you in advance.
-
Re: NTP internal server?
Many thanks for your response, I appreciate your thoughts.
I should have said, I am using an HTTP utility on the server to
synchronise with the Internet given that NTP is blocked. I can sync
Windows systems easily enough with this but I'm really after the ability
to broadcast to the UNIX and AS400 systems.
-
Re: NTP internal server?
<metogroup@group.com> wrote in message
news:QVi0h.7$3n2.2@newreader.ukcore.bt.net...
> I should have said, I am using an HTTP utility on the server to
> synchronise with the Internet given that NTP is blocked.
Talk about shooting yourself in the foot. Getting your time
from HTTP responses is _vastly_ inferior to NTP.
I'm also not quite sure what good they think they're doing. I'd
say that HTTP is the more dangerous of the two.
If they're worried about punching holes in their firewall, they
could limit it to (NTP) traffic to and from an ISP NTP server.
Presumably they trust their ISP for that, given that they trust
everybody and his dog HTTP-wise.
Groetjes,
Maarten Wiltink
-
Re: NTP internal server?
[email]metogroup@group.com[/email] wrote:
> I should have said, I am using an HTTP utility on the server to
> synchronise with the Internet given that NTP is blocked.
ntp allows for using the local system clock as a reference, which
fits your case. However, my guess is that the utility that you
use makes step adjustments to the local clock, making ntp's life
somewhat miserable. But, in a way, it should work.
N
-
Re: NTP internal server?
[email]metogroup@group.com[/email] wrote:
> Many thanks for your response, I appreciate your thoughts.
>
> I should have said, I am using an HTTP utility on the server to
> synchronise with the Internet given that NTP is blocked. I can sync
> Windows systems easily enough with this but I'm really after the ability
> to broadcast to the UNIX and AS400 systems.
All right. I give up!! There are many sites that are not allowed to
have an internet connection but I think yours is the first I've heard of
where the NTP protocol is specifically forbidden.
What is the rationale for this? As far as anyone here knows there are
no "exploits" associated with NTP.
-
Re: NTP internal server?
"Richard B. Gilbert" <rgilbert88@comcast.net> wrote in message
news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...
> As far as anyone here knows there are no "exploits" associated with NTP.
After a short look-around on SecurityFocus, I would like to exclude
myself from that 'anyone' group.
Groetjes,
Maarten Wiltink
-
Re: NTP internal server?
>The problem is not so much the software; that's readily available and
>free, but the time source. The typical computer does not keep time very
>well; most systems gain or lose several seconds a day. Using such a
>clock as a time source means that, while all your systems are more or
>less in synchronization none of them have the correct time. In a really
>bad case, all the systems could gain or lose twenty to thirty minutes a
>month.
I'd expect you could get to a few seconds a week by hand tuning
the drift. That assumes your system is running in a reasonably
stable temperature.
Has anybody done the experiment recently?
--
The suespammers.org mail server is located in California. So are all my
other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited
commercial e-mail to my suespammers.org address or any of my other addresses.
These are my opinions, not necessarily my employer's. I hate spam.
-
Re: NTP internal server?
Maarten Wiltink wrote:
> "Richard B. Gilbert" <rgilbert88@comcast.net> wrote in message
> news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...
>
>
>>As far as anyone here knows there are no "exploits" associated with NTP.
>
>
> After a short look-around on SecurityFocus, I would like to exclude
> myself from that 'anyone' group.
>
> Groetjes,
> Maarten Wiltink
>
>
All right, there are, or were, fifteen reported exploits. None is dated
more recently than 2004 and some seem to be complaining about ten year
old software distributed by companies such as Sun, Redhat, Debian, etc.
Other reports concerned Microsoft's attempts to implement the protocol.
None of these exploits has been mentioned here in the 2-1/2 to 3 years
that I've been reading this newsgroup.
Does anyone know of exploits available in the reference implementations
released since 1-JAN-2004?
I'd say that the proper response is not to forbid the use of the NTP
protocol but rather to avoid running defective implementations thereof!
-
Re: NTP internal server?
In article <-7SdnWIhbMBktN_YnZ2dnUVZ_oidnZ2d@megapath.net>,
[email]hmurray@suespammers.org[/email] (Hal Murray) wrote:
> I'd expect you could get to a few seconds a week by hand tuning
> the drift. That assumes your system is running in a reasonably
> stable temperature.
My home system manages better than a second a week, and that is with
the temperature only controlled during part of the day in winter, and
not at all in summer! This is without frequency correction after the
initial calibration.
The last time I tried it with a system in the office (some years ago),
about 30 seconds a year would have been achieved if the air conditioning
hadn't broken down. This is without either frequency or phase correction
after the initial calibration.
However, I agree with others that the actual current problem is a
human factors problem. The wrong solution is being sought because
of an irrational rejection of the right one.
-
Re: NTP internal server?
>>> In article <454202e7$0$323$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" <maarten@kittensandcats.net> writes:
>> As far as anyone here knows there are no "exploits" associated with NTP.
Maarten> After a short look-around on SecurityFocus, I would like to exclude
Maarten> myself from that 'anyone' group.
OK, I see nothing there that was not fixed several years ago. And while I
saw claims of a root exploit, I was unable to duplicate that exploit in my
testing (I tried it a few times).
Do you see anything current, or even more recent?
H
-
Re: NTP internal server?
Harlan,
Watch the from address; I may have fixed the problem.
I think you are referring to a CERT advisory several years ago that
claimed a stack vulnerability. There was at that time a possible stack
vulnerability, quickly corrected, but the CERT-supplied code was itself
defective and could not work in any configuration. I also tried several
machines; none were affected.
Dave
Harlan Stenn wrote:
>>>>In article <454202e7$0$323$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" <maarten@kittensandcats.net> writes:
>
>
>>>As far as anyone here knows there are no "exploits" associated with NTP.
>
>
> Maarten> After a short look-around on SecurityFocus, I would like to exclude
> Maarten> myself from that 'anyone' group.
>
> OK, I see nothing there that was not fixed several years ago. And while I
> saw claims of a root exploit, I was unable to duplicate that exploit in my
> testing (I tried it a few times).
>
> Do you see anything current, or even more recent?
>
> H
-
Re: NTP internal server?
On Fri, 27 Oct 2006, Maarten Wiltink wrote:
> <metogroup@group.com> wrote in message
> news:QVi0h.7$3n2.2@newreader.ukcore.bt.net...
>
>> I should have said, I am using an HTTP utility on the server to
>> synchronise with the Internet given that NTP is blocked.
>
> Talk about shooting yourself in the foot. Getting your time
> from HTTP responses is _vastly_ inferior to NTP.
>
> I'm also not quite sure what good they think they're doing. I'd
> say that HTTP is the more dangerous of the two.
Maybe the people who set the policy did a risk benefit analysis where
"benefit of HTTP" was thought to be BIGNUM*"benefit of NTP" while
"risk of HTTP" was only several times "risk of NTP".
> If they're worried about punching holes in their firewall, they
> could limit it to (NTP) traffic to and from an ISP NTP server.
> Presumably they trust their ISP for that, given that they trust
> everybody and his dog HTTP-wise.
Where I work, we do have holes in firewalls limited to particular machines
and external IPs, but they are high maintenance -- the holes tend to
close whenever the configuration is tweaked, external sites reconfigure,
etc.
c.t.p.ntp gets many requests for people looking for tools to deal with
situations that are outside ntp's mandate:
1. cheap and easy ntp service for an isolated network
2. quickly sync a machine that runs intermittently or has
intermittent/sporadic network connection but performs a time-critical task
such as pointing a high-gain antenna at a satellite in a low orbit
It should be noted that it is often cheaper and easier to stick with bog
standard configurations even if the result is overkill. Many people
assume a GPS time source will be hard/expensive.
--
George N. White III <aa056@chebucto.ns.ca>
-
Re: NTP internal server?
"Richard B. Gilbert" <rgilbert88@comcast.net> wrote in message
news:_eWdna3k2Zfvpd_YnZ2dnUVZ_uqdnZ2d@comcast.com...
> Maarten Wiltink wrote:
>> "Richard B. Gilbert" <rgilbert88@comcast.net> wrote in message
>> news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...
>>> As far as anyone here knows there are no "exploits" associated with
>>> NTP.
>> After a short look-around on SecurityFocus, I would like to exclude
>> myself from that 'anyone' group.
> All right, there are, or were, fifteen reported exploits. None is dated
> more recently than 2004 and some seem to be complaining about ten year
> old software distributed by companies such as Sun, Redhat, Debian, etc.
Still distributed right now, yes. For all those people who aren't allowed
to run something not backed by RFCs, and then come here with questions
about something called xntp. Sound familiar?
[...]
> I'd say that the proper response is not to forbid the use of the NTP
> protocol but rather to avoid running defective implementations thereof!
That would be nice. However, letting your guard down is _never_ a
secure response. I will work on the assumption that there are exploits
in the current NTP until you _prove_ to me it's safe, and I'm not
holding my breath.
Which doesn't stop me from running it. But I keep it on a short leash.
Groetjes,
Maarten Wiltink
-
Re: NTP internal server?
Maarten Wiltink wrote:
> "Richard B. Gilbert" <rgilbert88@comcast.net> wrote in message
> news:_eWdna3k2Zfvpd_YnZ2dnUVZ_uqdnZ2d@comcast.com...
>
>>Maarten Wiltink wrote:
>>
>>>"Richard B. Gilbert" <rgilbert88@comcast.net> wrote in message
>>>news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...
>
>
>>>>As far as anyone here knows there are no "exploits" associated with
>>>>NTP.
>
>
>>>After a short look-around on SecurityFocus, I would like to exclude
>>>myself from that 'anyone' group.
>
>
>>All right, there are, or were, fifteen reported exploits. None is dated
>>more recently than 2004 and some seem to be complaining about ten year
>>old software distributed by companies such as Sun, Redhat, Debian, etc.
>
>
> Still distributed right now, yes. For all those people who aren't allowed
> to run something not backed by RFCs, and then come here with questions
> about something called xntp. Sound familiar?
>
>
> [...]
>
>>I'd say that the proper response is not to forbid the use of the NTP
>>protocol but rather to avoid running defective implementations thereof!
>
>
> That would be nice. However, letting your guard down is _never_ a
> secure response. I will work on the assumption that there are exploits
> in the current NTP until you _prove_ to me it's safe, and I'm not
> holding my breath.
If you want "proof" that ANY piece of software is free from bugs or
exploits, you may have a very long wait!
Ever wonder why half the world failed to handle the last leap second
properly??? A large number of servers were running software with a bug.
-
Re: NTP internal server?
>>> In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" <maarten@kittensandcats.net> writes:
>> All right, there are, or were, fifteen reported exploits. None is dated
>> more recently than 2004 and some seem to be complaining about ten year
>> old software distributed by companies such as Sun, Redhat, Debian, etc.
Maarten> Still distributed right now, yes. For all those people who aren't
Maarten> allowed to run something not backed by RFCs, and then come here
Maarten> with questions about something called xntp. Sound familiar?
What's your point? I don't see how what you just said applies to the
thread.
Maarten> I will work on the assumption that there are exploits in the
Maarten> current NTP until you _prove_ to me it's safe, and I'm not holding
Maarten> my breath.
Are you volunteering to perform or pay for a code audit?
H
-
Re: NTP internal server?
"Harlan Stenn" <stenn@ntp.isc.org> wrote in message
news:ywn9ac3eipyd.fsf@ntp1.isc.org...
>>>> In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink"
<maarten@kittensandcats.net> writes:
>>> All right, there are, or were, fifteen reported exploits. None is
>>> dated more recently than 2004 and some seem to be complaining about
>>> ten year old software distributed by companies such as Sun, Redhat,
>>> Debian, etc.
>
> Maarten> Still distributed right now, yes. For all those people who
> Maarten> aren't allowed to run something not backed by RFCs, and then
> Maarten> come here with questions about something called xntp. Sound
> Maarten> familiar?
>
> What's your point? I don't see how what you just said applies to the
> thread.
I object to Richard's statement that old vulnerabilities are irrelevant
and no cause for concern. More than most other software, NTP is haunted
by users of old versions.
> Maarten> I will work on the assumption that there are exploits in the
> Maarten> current NTP until you _prove_ to me it's safe, and I'm not
> Maarten> holding my breath.
>
> Are you volunteering to perform or pay for a code audit?
Don't be silly. I'll just teach my firewall to block access from
untrusted sources to my NTP server, as I do for every service on every
host.
Richard says not to worry, there are no recent vulnerabilities known.
I say never to stop worrying, there are too many unknowns.
Groetjes,
Maarten Wiltink
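As an added example (not from any post in this thread), here is the ntpd 4.2-era ntp.conf that does what N and Maarten describe: the Undisciplined Local Clock as the reference on an isolated network, authenticated broadcasts to LAN clients, and restrict lines that refuse everything but time requests from untrusted hosts. The addresses and the key number are placeholders.

```conf
# ---- Server: /etc/ntp.conf on the internal time server ----
# Placeholders: LAN 192.168.10.0/24, server address 192.168.10.1.

driftfile /var/lib/ntp/ntp.drift        # measured frequency error (PPM), kept across restarts

# Undisciplined Local Clock driver: the server's own oscillator is the
# reference because no upstream NTP is reachable. Stratum 10 marks it as a
# last resort, so a real source would win if one is ever added.
# Let only ntpd set this clock; a second tool that steps it (the HTTP
# utility in the thread) fights ntpd's discipline.
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Symmetric key used to sign broadcasts; /etc/ntp.keys holds "1 M <secret>".
keys /etc/ntp.keys
trustedkey 1

# Announce time to the LAN. Because the packets are keyed, clients discard
# unsigned broadcasts, so another host on the LAN cannot pose as the server.
broadcast 192.168.10.255 key 1

# Default policy: answer time requests only. No remote reconfiguration,
# no trap registration, no peering, no ntpq/ntpdc status queries.
# This is the on-host counterpart of filtering NTP at the firewall.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Full access for the local host only (ntpq on the box itself).
restrict 127.0.0.1
restrict -6 ::1

# LAN hosts may read time and status but may not reconfigure the daemon.
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap

# ---- Client: /etc/ntp.conf on a UNIX host on the same LAN ----
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp.keys                      # same key 1 as the server
trustedkey 1
broadcastclient                         # listen for the server's broadcasts
restrict default ignore                 # talk to nobody ...
restrict 127.0.0.1
restrict 192.168.10.1 nomodify notrap   # ... except the internal server
```

The client entry for the server is needed even in broadcast mode, since a broadcast client first exchanges unicast packets with the server to measure the delay.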
-
Re: NTP internal server?
Harlan Stenn wrote:
>>>>In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" <maarten@kittensandcats.net> writes:
>
>
>>>All right, there are, or were, fifteen reported exploits. None is dated
>>>more recently than 2004 and some seem to be complaining about ten year
>>>old software distributed by companies such as Sun, Redhat, Debian, etc.
>
>
> Maarten> Still distributed right now, yes. For all those people who aren't
> Maarten> allowed to run something not backed by RFCs, and then come here
> Maarten> with questions about something called xntp. Sound familiar?
>
> What's your point? I don't see how what you just said applies to the
> thread.
>
> Maarten> I will work on the assumption that there are exploits in the
> Maarten> current NTP until you _prove_ to me it's safe, and I'm not holding
> Maarten> my breath.
>
> Are you volunteering to perform or pay for a code audit?
>
> H
Should one try to shove ntpq sources to coverity?
They do a "for free" scan for a bunch of OSS ( of varying licenses ) stuff
like Python, perl, tcl*, apache, linux-kernel, some of the bsds.
* we found some useful things that way and had some false positives. ymmv
uwe
-
Re: NTP internal server?
Maarten Wiltink wrote:
> "Harlan Stenn" <stenn@ntp.isc.org> wrote in message
> news:ywn9ac3eipyd.fsf@ntp1.isc.org...
>
>>>>>In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink"
>
> <maarten@kittensandcats.net> writes:
>
>
>>>>All right, there are, or were, fifteen reported exploits. None is
>>>>dated more recently than 2004 and some seem to be complaining about
>>>>ten year old software distributed by companies such as Sun, Redhat,
>>>>Debian, etc.
>>
>>Maarten> Still distributed right now, yes. For all those people who
>>Maarten> aren't allowed to run something not backed by RFCs, and then
>>Maarten> come here with questions about something called xntp. Sound
>>Maarten> familiar?
>>
>>What's your point? I don't see how what you just said applies to the
>>thread.
>
>
> I object to Richard's statement that old vulnerabilities are irrelevant
> and no cause for concern. More than most other software, NTP is haunted
> by users of old versions.
>
Old vulnerabilities that have been fixed are not a problem of much
concern to me. I run a recent version of ntpd that does not exhibit
these vulnerabilities. If people choose, for whatever reason, to run a
ten year old version of ntpd they must accept the associated risks and
inferior performance. Since the modern, improved and fixed version is
freely available to all I don't see any reason why anyone who needs NTP
and is concerned about security should not run it.
-
Re: NTP internal server?
>Old vulnerabilities that have been fixed are not a problem of much
>concern to me. I run a recent version of ntpd that does not exhibit
>these vulnerabilities. If people choose, for whatever reason, to run a
>ten year old version of ntpd they must accept the associated risks and
>inferior performance. Since the modern, improved and fixed version is
>freely available to all I don't see any reason why anyone who needs NTP
>and is concerned about security should not run it.
How about:
If it ain't broke, don't fix it.
Lots of people get their version of (x)ntp from their hardware
vendor. Most of them are not time geeks, they just need something
that's good enough. They depend on their vendor to fix security
problems in packages like ntp.
-
Re: NTP internal server?
>>> In article <fhsg14-i0b.ln1@robert.houseofmax.de>, Uwe Klein <uwe_klein_habertwedt@t-online.de> writes:
Uwe> Should one try to shove ntpq sources to coverity? They do a "for free"
Uwe> scan for a bunch of OSS ( of varying licenses ) stuff like Python,
Uwe> perl, tcl, apache, linux-kernel, some of the bsds.
Already done. I think we are even listed on their project page.
Both ntp-4.2.2 and ntp-dev are clean (1 false positive and one minor issue
with a utility program that is about to be replaced).
H