In this chapter, we will set up a time reference server on our internet, and have the other servers synchronize their time to it.
First, we will set up the time reference server. In real life, this server will be connected to a time source, for example, GPS, or a Rubidium time reference. These cost money, but if you want to set one up as a time reference in your network, there is a good reference here.
Most of the time, you will instead be using a public time reference server for synchronizing time on your network, so for our internet, we will just fake the time reference server.
First, clone Linux-Minimal.vdi to ntp-time-sam.vdi, and create a VM called "ntp.time.sam" using the cloned hard disk. In the Network settings, set Adapter 1 to the internal network "isp3-time", and set Adapter 2 to NAT. Start up the VM.
We've done this part a million times by now. Edit /etc/rc.conf and set the HOSTNAME to ntp.time.sam, set the IP address to 172.16.127.100 (also set the broadcast), and set the default gateway to 172.16.127.1.
Next, bring up the temporary connection to the internet:
sudo dhcpcd -q eth1
Download the package for the NTP server:
sudo pacman -Sy ntp
Edit the configuration file at /etc/ntp.conf. First, disable the server from going out and looking for other time references by commenting out the line
server pool.ntp.org
Next, since we're faking the time reference on this server, set the server to use its own time as its reference source, and fudge it to stratum 1. Add the following lines:
server 127.127.1.0 # this address indicates the local clock
fudge 127.127.1.0 stratum 1
Finally, edit /etc/rc.conf again and add ntpd to the DAEMONS list.
Now go ahead and shut down the VM, disable Adapter 2, and restart the VM.
If you do a ps ax you should see ntpd running. Issue a
ntpq -p
You should get an output that looks like:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.           1 l   22   64    3    0.000    0.000   0.001
That's saying that the local time reference is valid and at stratum 1 (the st column).
That's it for our *ahem* fake time reference server. You wouldn't ever set up a server like this in real life, of course.
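As an added example (not part of the original chapter), here is a small Python checker that parses the ntpq -p table shown above and reports what a defender would look for: a peer whose refid is .LOCL. (a fudged local clock rather than a traceable reference, exactly what our fake server advertises), incomplete reachability, a large offset, and fewer than the three upstream sources recommended later in this chapter. The sample table is embedded as a constructed string so the script runs offline; the warning thresholds are assumptions.

```python
# Constructed from the ntpq -p listing shown above for ntp.time.sam.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.           1 l   22   64    3    0.000    0.000   0.001
"""

TALLY = "*+-#x.o"  # ntpq status codes in column 1; a space means unused

def parse_ntpq(text):
    """Return one dict per peer line; reach is decoded from octal."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        tally = line[0] if line[0] in TALLY else " "
        f = line[1:].split()
        if len(f) != 10:
            continue  # not a peer line
        peers.append({
            "tally": tally, "remote": f[0], "refid": f[1], "st": int(f[2]),
            "t": f[3], "when": f[4], "poll": int(f[5]), "reach": int(f[6], 8),
            "delay": float(f[7]), "offset": float(f[8]), "jitter": float(f[9]),
        })
    return peers

def assess(peers, min_sources=3, max_offset_ms=128.0):
    """Return human-readable warnings about the peer table (thresholds assumed)."""
    warnings = []
    if not any(p["tally"] == "*" for p in peers):
        warnings.append("no system peer selected yet (no '*' entry)")
    for p in peers:
        # .LOCL. is the local clock driver; clients of a server fudged this way see it too.
        if p["refid"] == ".LOCL.":
            warnings.append(f"{p['remote']}: stratum {p['st']} from the local clock, "
                            f"not a traceable reference")
        if p["reach"] != 0o377:  # 8-bit shift register of the last 8 polls
            hits = bin(p["reach"]).count("1")
            warnings.append(f"{p['remote']}: answered {hits}/8 recent polls")
        if abs(p["offset"]) > max_offset_ms:
            warnings.append(f"{p['remote']}: offset {p['offset']} ms too large")
    real = [p for p in peers if p["refid"] != ".LOCL."]
    if len(real) < min_sources:
        warnings.append(f"only {len(real)} real upstream source(s), want {min_sources}")
    return warnings

if __name__ == "__main__":
    for w in assess(parse_ntpq(SAMPLE)):
        print("WARN:", w)
```

Run it against the output of ntpq -p on any ntpd host; on our fake reference server it flags the local clock, the partial reach count, and the absence of real upstream sources.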
Next, we'll do what you'll most likely end up doing in real life - setting up a timeserver to synchronize time on the projreality.sam network, which gets a time reference from the time reference server we just set up.
It turns out that OpenBSD ships with an NTP server - OpenNTPD - which is developed by the OpenBSD team. Knowing the OpenBSD team's focus on security, it is not surprising that their NTP server does not allow you to fudge the stratum of a time source, which is why we didn't use it for our fake time reference server.
We'll use OpenBSD with OpenNTPD for projreality.sam's time server. This will be the server used to synchronize time on all of the computers in the projreality.sam network.
First, clone OpenBSD-Hardened.vdi to ntp-projreality-sam.vdi, and create a new VM called "ntp.projreality.sam" using the cloned hard disk. In the Network settings, set Adapter 1 to the internal network "projreality dmz", and then boot the VM from the command line:
VBoxSDL -norawr0 -vm [VM ID]
Recall that you can find a VM's ID using VBoxManage list vms
Once the VM has booted up, change the hostname in /etc/myname to ntp.projreality.sam. Next, create /etc/hostname.em0 with the following:
inet 172.16.211.30 255.255.255.0 NONE
Next, create the file /etc/mygate. This file contains the default gateway for an OpenBSD machine. Note that we haven't needed this file up to now, since all of our OpenBSD machines obtained their routing information via BGP. Enter the following into the file:
172.16.211.1
Looking in /etc/rc.conf, we see that OpenNTPD is controlled by ntpd_flags. Go over to /etc/rc.conf.local (recall that we don't want to edit /etc/rc.conf, since that file is replaced every upgrade) and add:
ntpd_flags="-s"
The -s flag tells OpenNTPD to synchronize the computer's time on startup.
Next, edit /etc/ntpd.conf. Comment out the servers line (it should be the only uncommented line), and add
server 172.16.127.100
listen on 172.16.211.30
This tells the NTP server to synchronize to the time reference server at 172.16.127.100 for its own time reference. Note that in real life, it is not considered good practice to specify an IP address here, but rather the domain name of the time reference server. In our case, we would have to set up a separate network for the time.sam domain, and also its own nameserver. That could be left as an exercise to the reader.
OpenNTPD will read the clock drift from /var/db/ntpd.drift on startup, and will update it occasionally. Create the file first:
sudo touch /var/db/ntpd.drift
Next, we'll edit the firewall rules to allow the timeserver to communicate over the ntp port through the firewall to the time reference server. On the firewall, edit /etc/pf.conf. In the # Servers section, add the following:
ntp = "172.16.211.30"
After the # Servers section, add the following:
# External servers
NTPServers = "{ 172.16.127.100 }"
Finally, at the bottom, just before the block log quick all line, add
pass in quick on $DMZ inet proto udp from $ntp to $NTPServers port ntp
pass out quick on $Ext inet proto udp from $ntp to $NTPServers port ntp
Reload the firewall rules with
sudo pfctl -F all -f /etc/pf.conf
Now, go back to ntp.projreality.sam and reboot the VM.
Looking in /var/log/daemon will give you an idea of what is going on. It should show messages saying that OpenNTPD connected with the remote NTP server, and occasional updates to the local clock. If your local clock is way off from the remote clock, OpenNTPD will slew the clock by changing it gradually, rather than taking one big step. What that means, though, is that if your local clock is off by, say, an hour, it will take quite a while to synchronize. In that case, issue:
sudo date YYYYMMDDhhmm.ss
where YYYYMMDDhhmm.ss is the four digit year, followed by the two digit month, followed by the two digit day-of-month, followed by the two digit hour (in 24-hour time), followed by the two digit minutes, followed by a period and the two digit seconds. For example, December 8, 2010 12:48:15AM becomes 201012080048.15. Use date on ntp.time.sam and try to time it so you come within a few seconds.
Now watch /var/log/daemon for updates, and after a bit you should see a line appear saying "clock is now synced".
That's all there is to getting OpenNTPD working and synchronizing to a remote NTP server. In real life, you would want to synchronize your network's timeserver to more than one outside timeserver (generally 3).
We'll do one more quick thing for the NTP server. Start up ns1.projreality.sam and edit /var/named/projreality.sam - after the entry for dns1, add:
ntp IN A 172.16.211.30
It is very useful for firewalls to have accurate time. For example, in forensic analysis, it would be important to know the exact time that attacking packets were sent. We will therefore synchronize firewall.projreality.sam with projreality.sam's NTP server.
Many of the changes we'll make here will be the same as what we did on ntp.projreality.sam.
Open /etc/rc.conf.local and add:
ntpd_flags="-s"
Edit /etc/ntpd.conf. Comment out the servers line (it should be the only uncommented line), and add
server ntp.projreality.sam
OpenNTPD will read the clock drift from /var/db/ntpd.drift on startup, and will update it occasionally. Create the file first:
sudo touch /var/db/ntpd.drift
Finally, we'll edit the firewall rules to allow the firewall to communicate over the ntp port to the network's NTP server. Edit /etc/pf.conf. At the end, just before the block log quick all line, add
pass out quick on $DMZ inet proto udp from $DMZ to $ntp port ntp
Reload the firewall rules:
sudo pfctl -F all -f /etc/pf.conf
Finally, start up OpenNTPD:
sudo ntpd
Again, looking in /var/log/daemon will give you an idea of what is going on. You may need to manually set the time close to the NTP server's time again.
Now our firewall's time is synchronized to the NTP server's time.