NTP internal server? - NTP


Thread: NTP internal server?

  1. NTP internal server?

    I am looking to implement an 'internal' NTP server (preferably freeware)
    on a Win 2003 server so that I can broadcast NTP across Windows, Unix and
    S400 servers.
    Has anyone been successful in doing this and can recommend a utility to me
    please?
    Access to NTP externally is not permitted.
    Thank you in advance.

  2. Re: NTP internal server?

    Many thanks for your response, I appreciate your thoughts.

    I should have said, I am using an HTTP utility on the server to
    synchronise with the Internet given that NTP is blocked. I can sync
    Windows systems easily enough with this but I'm really after the ability
    to broadcast to the UNIX and AS400 systems.

  3. Re: NTP internal server?

    wrote in message
    news:QVi0h.7$3n2.2@newreader.ukcore.bt.net...

    > I should have said, I am using an HTTP utility on the server to
    > synchronise with the Internet given that NTP is blocked.


    Talk about shooting yourself in the foot. Getting your time
    from HTTP responses is _vastly_ inferior to NTP.

    I'm also not quite sure what good they think they're doing. I'd
    say that HTTP is the more dangerous of the two.

    If they're worried about punching holes in their firewall, they
    could limit it to (NTP) traffic to and from an ISP NTP server.
    Presumably they trust their ISP for that, given that they trust
    everybody and his dog HTTP-wise.

    Groetjes,
    Maarten Wiltink



  4. Re: NTP internal server?

    metogroup@group.com wrote:

    > I should have said, I am using an HTTP utility on the server to
    > synchronise with the Internet given that NTP is blocked.


    ntp allows for using the local system clock as a reference, which
    fits your case. However, my guess is that the utility that you
    use makes step adjustments to the local clock, making ntp's life
    somewhat miserable. But, in a way, it should work.

    N

  5. Re: NTP internal server?

    metogroup@group.com wrote:

    > Many thanks for your response, I appreciate your thoughts.
    >
    > I should have said, I am using an HTTP utility on the server to
    > synchronise with the Internet given that NTP is blocked. I can sync
    > Windows systems easily enough with this but I'm really after the ability
    > to broadcast to the UNIX and AS400 systems.


    All right. I give up!! There are many sites that are not allowed to
    have an internet connection but I think yours is the first I've heard of
    where the NTP protocol is specifically forbidden.

    What is the rationale for this? As far as anyone here knows there are
    no "exploits" associated with NTP.

  6. Re: NTP internal server?

    "Richard B. Gilbert" wrote in message
    news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...

    > As far as anyone here knows there are no "exploits" associated with NTP.


    After a short look-around on SecurityFocus, I would like to exclude
    myself from that 'anyone' group.

    Groetjes,
    Maarten Wiltink



  7. Re: NTP internal server?


    >The problem is not so much the software; that's readily available and
    >free, but the time source. The typical computer does not keep time very
    >well; most systems gain or lose several seconds a day. Using such a
    >clock as a time source means that, while all your systems are more or
    >less in synchronization none of them have the correct time. In a really
    >bad case, all the systems could gain or lose twenty to thirty minutes a
    >month.


    I'd expect you could get to a few seconds a week by hand tuning
    the drift. That assumes your system is running in a reasonably
    stable temperature.

    Has anybody done the experiment recently?

    --
    The suespammers.org mail server is located in California. So are all my
    other mailboxes. Please do not send unsolicited bulk e-mail or unsolicited
    commercial e-mail to my suespammers.org address or any of my other addresses.
    These are my opinions, not necessarily my employer's. I hate spam.


  8. Re: NTP internal server?

    Maarten Wiltink wrote:

    > "Richard B. Gilbert" wrote in message
    > news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...
    >
    >
    >>As far as anyone here knows there are no "exploits" associated with NTP.

    >
    >
    > After a short look-around on SecurityFocus, I would like to exclude
    > myself from that 'anyone' group.
    >
    > Groetjes,
    > Maarten Wiltink
    >
    >


    All right, there are, or were, fifteen reported exploits. None is dated
    more recently than 2004 and some seem to be complaining about ten year
    old software distributed by companies such as Sun, Redhat, Debian, etc.

    Other reports concerned Microsoft's attempts to implement the protocol.

    None of these exploits has been mentioned here in the 2-1/2 to 3 years
    that I've been reading this newsgroup.

    Does anyone know of exploits available in the reference implementations
    released since 1-JAN-2004?

    I'd say that the proper response is not to forbid the use of the NTP
    protocol but rather to avoid running defective implementations thereof!

  9. Re: NTP internal server?

    In article <-7SdnWIhbMBktN_YnZ2dnUVZ_oidnZ2d@megapath.net>,
    hmurray@suespammers.org (Hal Murray) wrote:

    > I'd expect you could get to a few seconds a week by hand tuning
    > the drift. That assumes your system is running in a reasonably
    > stable temperature.


    My home system manages better than a second a week, and that is with
    the temperature only controlled during part of the day in winter, and
    not at all in summer! This is without frequency correction after the
    initial calibration.

    The last time I tried it with a system in the office (some years ago),
    about 30 seconds a year would have been achieved if the air conditioning
    hadn't broken down. This is without either frequency or phase correction
    after the initial calibration.

    However, I agree with others that the actual current problem is a
    human factors problem. The wrong solution is being sought because
    of an irrational rejection of the right one.

  10. Re: NTP internal server?

    >>> In article <454202e7$0$323$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" writes:

    >> As far as anyone here knows there are no "exploits" associated with NTP.


    Maarten> After a short look-around on SecurityFocus, I would like to exclude
    Maarten> myself from that 'anyone' group.

    OK, I see nothing there that was not fixed several years ago. And while I
    saw claims of a root exploit, I was unable to duplicate that exploit in my
    testing (I tried it a few times).

    Do you see anything current, or even more recent?

    H

  11. Re: NTP internal server?

    Harlan,

    Watch the from address; I may have fixed the problem.

    I think you are referring to a CERT advisory several years ago that
    claimed a stack vulnerability. There was at that time a possible stack
    vulnerability, quickly corrected, but the CERT-supplied code was itself
    defective and could not work in any configuration. I also tried several
    machines; none were affected.

    Dave

    Harlan Stenn wrote:
    >>>>In article <454202e7$0$323$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" writes:

    >
    >
    >>>As far as anyone here knows there are no "exploits" associated with NTP.

    >
    >
    > Maarten> After a short look-around on SecurityFocus, I would like to exclude
    > Maarten> myself from that 'anyone' group.
    >
    > OK, I see nothing there that was not fixed several years ago. And while I
    > saw claims of a root exploit, I was unable to duplicate that exploit in my
    > testing (I tried it a few times).
    >
    > Do you see anything current, or even more recent?
    >
    > H


  12. Re: NTP internal server?

    On Fri, 27 Oct 2006, Maarten Wiltink wrote:

    > wrote in message
    > news:QVi0h.7$3n2.2@newreader.ukcore.bt.net...
    >
    >> I should have said, I am using an HTTP utility on the server to
    >> synchronise with the Internet given that NTP is blocked.

    >
    > Talk about shooting yourself in the foot. Getting your time
    > from HTTP responses is _vastly_ inferior to NTP.
    >
    > I'm also not quite sure what good they think they're doing. I'd
    > say that HTTP is the more dangerous of the two.


    Maybe the people who set the policy did a risk benefit analysis where
    "benefit of HTTP" was thought to be BIGNUM*"benefit of NTP" while
    "risk of HTTP" was only several times "risk of NTP".

    > If they're worried about punching holes in their firewall, they
    > could limit it to (NTP) traffic to and from an ISP NTP server.
    > Presumably they trust their ISP for that, given that they trust
    > everybody and his dog HTTP-wise.


    Where I work, we do have holes in firewalls limited to particular machines
    and external IPs, but they are high maintenance -- the holes tend to
    close whenever the configuration is tweaked, external sites reconfigure,
    etc.

    c.t.p.ntp gets many requests for people looking for tools to deal with
    situations that are outside ntp's mandate:

    1. cheap and easy ntp service for an isolated network

    2. quickly sync a machine that runs intermittently or has
    intermittent/sporadic network connection but performs a time-critical task
    such as pointing a high-gain antenna at a satellite in a low orbit

    It should be noted that it is often cheaper and easier to stick with bog
    standard configurations even if the result is overkill. Many people
    assume a GPS time source will be hard/expensive.

    --
    George N. White III


  13. Re: NTP internal server?

    "Richard B. Gilbert" wrote in message
    news:_eWdna3k2Zfvpd_YnZ2dnUVZ_uqdnZ2d@comcast.com...
    > Maarten Wiltink wrote:
    >> "Richard B. Gilbert" wrote in message
    >> news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...


    >>> As far as anyone here knows there are no "exploits" associated with
    >>> NTP.


    >> After a short look-around on SecurityFocus, I would like to exclude
    >> myself from that 'anyone' group.


    > All right, there are, or were, fifteen reported exploits. None is dated
    > more recently than 2004 and some seem to be complaining about ten year
    > old software distributed by companies such as Sun, Redhat, Debian, etc.


    Still distributed right now, yes. For all those people who aren't allowed
    to run something not backed by RFCs, and then come here with questions
    about something called xntp. Sound familiar?


    [...]
    > I'd say that the proper response is not to forbid the use of the NTP
    > protocol but rather to avoid running defective implementations thereof!


    That would be nice. However, letting your guard down is _never_ a
    secure response. I will work on the assumption that there are exploits
    in the current NTP until you _prove_ to me it's safe, and I'm not
    holding my breath.

    Which doesn't stop me from running it. But I keep it on a short leash.

    Groetjes,
    Maarten Wiltink



  14. Re: NTP internal server?

    Maarten Wiltink wrote:

    > "Richard B. Gilbert" wrote in message
    > news:_eWdna3k2Zfvpd_YnZ2dnUVZ_uqdnZ2d@comcast.com...
    >
    >>Maarten Wiltink wrote:
    >>
    >>>"Richard B. Gilbert" wrote in message
    >>>news:9dqdndo838CLatzYnZ2dnUVZ_uqdnZ2d@comcast.com...

    >
    >
    >>>>As far as anyone here knows there are no "exploits" associated with
    >>>>NTP.

    >
    >
    >>>After a short look-around on SecurityFocus, I would like to exclude
    >>>myself from that 'anyone' group.

    >
    >
    >>All right, there are, or were, fifteen reported exploits. None is dated
    >>more recently than 2004 and some seem to be complaining about ten year
    >>old software distributed by companies such as Sun, Redhat, Debian, etc.

    >
    >
    > Still distributed right now, yes. For all those people who aren't allowed
    > to run something not backed by RFCs, and then come here with questions
    > about something called xntp. Sound familiar?
    >
    >
    > [...]
    >
    >>I'd say that the proper response is not to forbid the use of the NTP
    >>protocol but rather to avoid running defective implementations thereof!

    >
    >
    > That would be nice. However, letting your guard down is _never_ a
    > secure response. I will work on the assumption that there are exploits
    > in the current NTP until you _prove_ to me it's safe, and I'm not
    > holding my breath.


    If you want "proof" that ANY piece of software is free from bugs or
    exploits, you may have a very long wait!

    Ever wonder why half the world failed to handle the last leap second
    properly??? A large number of servers were running software with a bug.

  15. Re: NTP internal server?

    >>> In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" writes:

    >> All right, there are, or were, fifteen reported exploits. None is dated
    >> more recently than 2004 and some seem to be complaining about ten year
    >> old software distributed by companies such as Sun, Redhat, Debian, etc.


    Maarten> Still distributed right now, yes. For all those people who aren't
    Maarten> allowed to run something not backed by RFCs, and then come here
    Maarten> with questions about something called xntp. Sound familiar?

    What's your point? I don't see how what you just said applies to the
    thread.

    Maarten> I will work on the assumption that there are exploits in the
    Maarten> current NTP until you _prove_ to me it's safe, and I'm not holding
    Maarten> my breath.

    Are you volunteering to perform or pay for a code audit?

    H

  16. Re: NTP internal server?

    "Harlan Stenn" wrote in message
    news:ywn9ac3eipyd.fsf@ntp1.isc.org...
    >>>> In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" writes:

    >>> All right, there are, or were, fifteen reported exploits. None is
    >>> dated more recently than 2004 and some seem to be complaining about
    >>> ten year old software distributed by companies such as Sun, Redhat,
    >>> Debian, etc.

    >
    > Maarten> Still distributed right now, yes. For all those people who
    > Maarten> aren't allowed to run something not backed by RFCs, and then
    > Maarten> come here with questions about something called xntp. Sound
    > Maarten> familiar?
    >
    > What's your point? I don't see how what you just said applies to the
    > thread.


    I object to Richard's statement that old vulnerabilities are irrelevant
    and no cause for concern. More than most other software, NTP is haunted
    by users of old versions.


    > Maarten> I will work on the assumption that there are exploits in the
    > Maarten> current NTP until you _prove_ to me it's safe, and I'm not
    > Maarten> holding my breath.
    >
    > Are you volunteering to perform or pay for a code audit?


    Don't be silly. I'll just teach my firewall to block access from
    untrusted sources to my NTP server, as I do for every service on every
    host.

    Richard says not to worry, there are no recent vulnerabilities known.
    I say never to stop worrying, there are too many unknowns.

    Groetjes,
    Maarten Wiltink
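Putting the thread's advice into one place (the local clock as reference from post 4, the cheap isolated-network service from post 12, and the restriction of untrusted sources that Maarten describes here), an added ntp.conf example for the reference ntpd serving an internal network with no upstream NTP; this is not configuration from the thread or the NTP project, and the 192.0.2.0/24 range, key id and file paths are constructed placeholders.

```conf
# Added example, not from the thread: ntpd as the sole time source of an
# isolated network. Paths, the 192.0.2.0/24 LAN and key id are placeholders.

# Local clock driver (127.127.1.0): ntpd serves the host's own clock.
# Stratum 10 marks it as a fallback; any real upstream source would outrank it.
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Persist the measured frequency error so a restart reuses the calibration
# rather than starting from zero (post 4's caveat still applies: any other
# utility stepping this clock will be seen by ntpd as a sudden offset).
driftfile /var/lib/ntp/ntp.drift

# Deny everything by default, then open only what clients need.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1

# Internal LAN (constructed range): serve time, but no remote configuration
# (nomodify), no trap registration (notrap), no peering (nopeer) and no
# ntpq/ntpdc status queries (noquery) from clients.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery

# Symmetric-key authentication so broadcast clients only accept time that
# carries a MAC under key 1 (key material lives in /etc/ntp.keys).
keys /etc/ntp.keys
trustedkey 1
broadcast 192.0.2.255 key 1
```

Clients of this server see it at stratum 11, which is the visible sign that the network is running on a free-running local clock rather than a traceable reference.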



  17. Re: NTP internal server?

    Harlan Stenn wrote:
    >>>>In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" writes:

    >
    >
    >>>All right, there are, or were, fifteen reported exploits. None is dated
    >>>more recently than 2004 and some seem to be complaining about ten year
    >>>old software distributed by companies such as Sun, Redhat, Debian, etc.

    >
    >
    > Maarten> Still distributed right now, yes. For all those people who aren't
    > Maarten> allowed to run something not backed by RFCs, and then come here
    > Maarten> with questions about something called xntp. Sound familiar?
    >
    > What's your point? I don't see how what you just said applies to the
    > thread.
    >
    > Maarten> I will work on the assumption that there are exploits in the
    > Maarten> current NTP until you _prove_ to me it's safe, and I'm not holding
    > Maarten> my breath.
    >
    > Are you volunteering to perform or pay for a code audit?
    >
    > H

    Should one try to shove ntpq sources to coverity?
    They do a "for free" scan for a bunch of OSS (of varying licenses) stuff
    like Python, perl, tcl*, apache, linux-kernel, some of the bsds.

    * we found some useful things that way and had some false positives. ymmv

    uwe



  18. Re: NTP internal server?

    Maarten Wiltink wrote:

    > "Harlan Stenn" wrote in message
    > news:ywn9ac3eipyd.fsf@ntp1.isc.org...
    >
    >>>>>In article <4544ed4b$0$331$e4fe514c@news.xs4all.nl>, "Maarten Wiltink" writes:
    >
    >
    >>>>All right, there are, or were, fifteen reported exploits. None is
    >>>>dated more recently than 2004 and some seem to be complaining about
    >>>>ten year old software distributed by companies such as Sun, Redhat,
    >>>>Debian, etc.

    >>
    >>Maarten> Still distributed right now, yes. For all those people who
    >>Maarten> aren't allowed to run something not backed by RFCs, and then
    >>Maarten> come here with questions about something called xntp. Sound
    >>Maarten> familiar?
    >>
    >>What's your point? I don't see how what you just said applies to the
    >>thread.

    >
    >
    > I object to Richard's statement that old vulnerabilities are irrelevant
    > and no cause for concern. More than most other software, NTP is haunted
    > by users of old versions.
    >


    Old vulnerabilities that have been fixed are not a problem of much
    concern to me. I run a recent version of ntpd that does not exhibit
    these vulnerabilities. If people choose, for whatever reason, to run a
    ten year old version of ntpd they must accept the associated risks and
    inferior performance. Since the modern, improved and fixed version is
    freely available to all I don't see any reason why anyone who needs NTP
    and is concerned about security should not run it.


  19. Re: NTP internal server?

    >Old vulnerabilities that have been fixed are not a problem of much
    >concern to me. I run a recent version of ntpd that does not exhibit
    >these vulnerabilities. If people choose, for whatever reason, to run a
    >ten year old version of ntpd they must accept the associated risks and
    >inferior performance. Since the modern, improved and fixed version is
    >freely available to all I don't see any reason why anyone who needs NTP
    >and is concerned about security should not run it.


    How about:
    If it ain't broke, don't fix it.

    Lots of people get their version of (x)ntp from their hardware
    vendor. Most of them are not time geeks, they just need something
    that's good enough. They depend on their vendor to fix security
    problems in packages like ntp.



  20. Re: NTP internal server?

    >>> In article , Uwe Klein writes:

    Uwe> Should one try to shove ntpq sources to coverity? They do a "for free"
    Uwe> scan for a bunch of OSS ( of varying licenses ) stuff like Python,
    Uwe> perl, tcl, apache, linux-kernel, some of the bsds.

    Already done. I think we are even listed on their project page.

    Both ntp-4.2.2 and ntp-dev are clean (1 false positive and one minor issue
    with a utility program that is about to be replaced).

    H
