TimeService

last edited 4 years ago by humberto

Time Service at the HPCf

We use NTP, the Network Time Protocol, to keep all the machine clocks synchronized with each other and with the world.

Information on NTP is available at its home page:

http://www.eecis.udel.edu/~ntp/

There is a recent remote root exploit of ntp; make sure you have the latest version installed. Because of the exploit, I only allow ntp traffic to and from our time servers through the firewall.

Client Configuration

Please make sure your timezone is set correctly. Puerto Rico is in the GMT-04 zone, which your OS may call AST, Puerto Rico, or Caracas/La Paz. We don't observe daylight saving time either.

You can set your clock once with ntpdate, as root:

# ntpdate ntp1.hpcf.upr.edu ntp2.hpcf.upr.edu

To enable continuous synchronization, set up an /etc/ntp.conf file that points the ntp daemon at our time servers:

server ntp1.hpcf.upr.edu
server ntp2.hpcf.upr.edu

Make sure the ntp server is running. On Linux:

# chkconfig --level 345 xntpd on
# /etc/rc.d/init.d/xntpd start

On IRIX:

# chkconfig ntp on
# ln -s /etc/init.d/ntp /etc/rc2.d/S40ntp
# /etc/init.d/ntp start

Note that ntp "clients" run the ntp server too; they just get their time from other servers. NTP has a notion of strata: an atomic clock, or a computer tied to an atomic clock, is a stratum 1 time server; servers that point to stratum 1 servers are stratum 2, servers that point to stratum 2 are stratum 3, etc.
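To make the client/server exchange and the stratum field concrete, here is an added example (not code from this page, the HPCf, or the ntp distribution) that builds a mode 3 client request, a constructed mode 4 reply such as ntp1 would send at stratum 2, parses the 48-byte NTP header, applies the sanity checks a client should make before trusting a reply, and computes the clock offset and round-trip delay from the four timestamps. All timestamps and the upstream address in the reply are constructed values.

```python
import math
import struct
from typing import Dict, Tuple

# Seconds between the NTP epoch (1900-01-01) and the Unix epoch (1970-01-01)
NTP_UNIX_DELTA = 2208988800
# 48-byte NTP header: LI/VN/mode, stratum, poll, precision (signed), then eleven
# 32-bit words: root delay, root dispersion, reference id, four 64-bit timestamps
PACKET_FMT = "!BBBb11I"
PACKET_LEN = struct.calcsize(PACKET_FMT)  # 48
MODE_CLIENT, MODE_SERVER = 3, 4


def to_ntp(unix_time: float) -> Tuple[int, int]:
    """Unix time -> NTP (seconds since 1900, 32-bit binary fraction)."""
    whole = math.floor(unix_time)
    return whole + NTP_UNIX_DELTA, int((unix_time - whole) * (1 << 32))


def from_ntp(seconds: int, fraction: int) -> float:
    return seconds - NTP_UNIX_DELTA + fraction / (1 << 32)


def build_request(t1: float, version: int = 3) -> bytes:
    """Client (mode 3) packet: everything zero except the transmit timestamp T1."""
    li_vn_mode = (version << 3) | MODE_CLIENT
    xmt_s, xmt_f = to_ntp(t1)
    return struct.pack(PACKET_FMT, li_vn_mode, 0, 0, 0, *([0] * 9), xmt_s, xmt_f)


def build_reply(request: bytes, t2: float, t3: float, stratum: int, refid: bytes) -> bytes:
    """Server (mode 4) packet (constructed, not real server output).
    T2 = server receive time, T3 = server transmit time. The client's T1 is echoed
    back as the originate timestamp so the client can match reply to request.
    refid is the upstream server's IPv4 address for stratum 2 and above."""
    req = struct.unpack(PACKET_FMT, request[:PACKET_LEN])
    version = (req[0] >> 3) & 7
    li_vn_mode = (version << 3) | MODE_SERVER
    ref_s, ref_f = to_ntp(t2 - 64)          # last upstream sync 64 s ago (constructed)
    rcv_s, rcv_f = to_ntp(t2)
    xmt_s, xmt_f = to_ntp(t3)
    refid_word = struct.unpack("!I", refid)[0]
    return struct.pack(PACKET_FMT, li_vn_mode, stratum, 6, -20,
                       0, 0, refid_word, ref_s, ref_f,
                       req[13], req[14], rcv_s, rcv_f, xmt_s, xmt_f)


def parse(packet: bytes) -> Dict[str, object]:
    """Decode the header fields a client actually looks at."""
    if len(packet) < PACKET_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(PACKET_FMT, packet[:PACKET_LEN])
    return {
        "leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
        "stratum": f[1], "poll": f[2], "precision": f[3],
        "root_delay": f[4] / (1 << 16), "root_dispersion": f[5] / (1 << 16),
        "refid": f[6],
        "reference": from_ntp(f[7], f[8]), "originate": from_ntp(f[9], f[10]),
        "receive": from_ntp(f[11], f[12]), "transmit": from_ntp(f[13], f[14]),
    }


def validate_reply(reply: Dict[str, object], t1: float) -> None:
    """Checks a client should apply before letting a reply touch its clock."""
    if reply["mode"] != MODE_SERVER:
        raise ValueError("not a server-mode packet")
    if reply["originate"] != from_ntp(*to_ntp(t1)):
        raise ValueError("originate stamp does not match our request (stale or forged reply)")
    if reply["stratum"] == 0 or reply["stratum"] > 15:
        raise ValueError("server unsynchronized (stratum %d)" % reply["stratum"])
    if reply["leap"] == 3:
        raise ValueError("server reports alarm condition (LI=3), clock not synchronized")


def offset_and_delay(t1: float, reply: Dict[str, object], t4: float) -> Tuple[float, float]:
    """Clock offset theta and round-trip delay delta from T1..T4 (RFC 1305)."""
    t2, t3 = reply["receive"], reply["transmit"]
    theta = ((t2 - t1) + (t3 - t4)) / 2
    delta = (t4 - t1) - (t3 - t2)
    return theta, delta


def sync_exchange() -> Dict[str, object]:
    """Constructed exchange: the client clock runs 1.875 s behind a stratum 2 server."""
    t1 = 1000.0                         # client clock when the request leaves
    request = build_request(t1)
    # Server side, by the server's own clock; 192.0.2.1 is a constructed upstream
    wire = build_reply(request, t2=1002.25, t3=1002.5, stratum=2, refid=bytes([192, 0, 2, 1]))
    t4 = 1001.0                         # client clock when the reply arrives
    reply = parse(wire)
    validate_reply(reply, t1)
    theta, delta = offset_and_delay(t1, reply, t4)
    return {"request_mode": parse(request)["mode"], "reply": reply,
            "offset": theta, "delay": delta}


if __name__ == "__main__":
    result = sync_exchange()
    print("stratum %d, offset %.3f s, delay %.3f s"
          % (result["reply"]["stratum"], result["offset"], result["delay"]))
```

In real use the bytes from build_request go out over UDP port 123 and the reply bytes plus their arrival time go through parse, validate_reply and offset_and_delay; ntpdate and ntpd do the same arithmetic, and ntpd additionally compares several servers so a single bad source is outvoted.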

Server Configuration

NTP public servers are listed on the udel.edu site. The following have agreed to provide signal to us:

ntp0.cornell.edu
tick.cerias.purdue.edu
tock.cerias.purdue.edu
louie.udel.edu
ntp0.naic.edu
tick.mit.edu

We have two ntp servers, ntp1.hpcf.upr.edu and ntp2.hpcf.upr.edu; these are CNAME records in our DNS:

; Network time protocol servers
ntp1    CNAME   astraeus.hpcf.upr.edu.
ntp2    CNAME   alligator.hpcf.upr.edu.

Red Hat 7.3 puts ntp in the ntp package. Our configuration for the new-style ntp:

# allow queries from anyone and replies from our servers
restrict default notrap nomodify

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1

# --- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 136.145.54.0 mask 255.255.255.0 notrust nomodify notrap

# --- OUR TIMESERVERS -----
server ntp0.cornell.edu
server tick.cerias.purdue.edu
server pool.ntp.org

# --- NTP MULTICASTCLIENT ---
#multicastclient                        # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
#server 127.127.1.0     # local clock
#fudge 127.127.1.0 stratum 10

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /etc/ntp/drift
broadcastdelay 0.008

#
# Authentication delay.  If you use, or plan to use someday, the
# authentication facility you should make the programs in the auth_stuff
# directory and figure out what this number should be on your machine.
#
authenticate yes

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
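Because the restrict lines are where an exposed ntpd gets tightened or left open, here is an added audit script (not part of this page or of the ntp distribution) that reads the restrict, server, driftfile and authenticate directives of an ntp.conf and reports what a server operator would want to reconsider. The two sample configurations inside it are constructed: the first mirrors the server configuration above, the second is a deliberately loose one. Note that the configuration above allows queries from anyone on purpose; the script still flags the missing noquery so the operator makes that choice consciously for a server reachable from the Internet.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Restrict:
    address: str            # "default", a host address, or a network address
    mask: Optional[str]     # netmask when the rule covers a network
    flags: Set[str]         # e.g. {"nomodify", "notrap"}


def parse_ntp_conf(text: str) -> dict:
    """Minimal ntp.conf reader covering only the directives the audit cares about."""
    conf = {"restrict": [], "servers": [], "driftfile": None,
            "authenticate": None, "local_clock": False}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        key, *args = line.split()
        if key == "restrict" and args:
            mask, flags = None, set(args[1:])
            if "mask" in args:
                i = args.index("mask")
                mask, flags = args[i + 1], set(args[1:i] + args[i + 2:])
            conf["restrict"].append(Restrict(args[0], mask, flags))
        elif key == "server" and args:
            conf["servers"].append(args[0])
            if args[0].startswith("127.127."):   # 127.127.t.u addresses are clock drivers
                conf["local_clock"] = True
        elif key == "driftfile" and args:
            conf["driftfile"] = args[0]
        elif key == "authenticate" and args:
            conf["authenticate"] = args[0]
    return conf


def audit(conf: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing to tighten."""
    findings = []
    defaults = [r for r in conf["restrict"] if r.address == "default"]
    if not defaults:
        findings.append("no 'restrict default' rule: any host may query, modify and trap")
    else:
        missing = {"nomodify", "notrap", "noquery"} - defaults[0].flags
        if missing:
            findings.append("restrict default lacks: " + " ".join(sorted(missing)))
    for r in conf["restrict"]:
        if r.mask and not {"nomodify", "notrap"} <= r.flags:
            findings.append("restrict %s/%s allows runtime modification or traps" % (r.address, r.mask))
    if len(conf["servers"]) < 3:
        findings.append("fewer than 3 time sources: a single bad server cannot be outvoted")
    if conf["driftfile"] is None:
        findings.append("no driftfile: frequency error is relearned after every restart")
    if conf["authenticate"] != "yes":
        findings.append("authentication not enabled")
    if conf["local_clock"]:
        findings.append("local clock driver configured: may serve made-up time if upstreams vanish")
    return findings


# Constructed sample: mirrors the server configuration on this page
SERVER_CONF = """\
# allow queries from anyone and replies from our servers
restrict default notrap nomodify
restrict 127.0.0.1
restrict 136.145.54.0 mask 255.255.255.0 notrust nomodify notrap
server ntp0.cornell.edu
server tick.cerias.purdue.edu
server pool.ntp.org
#server 127.127.1.0   # local clock
driftfile /etc/ntp/drift
authenticate yes
"""

# Constructed sample: a loose configuration to show what the audit catches
WEAK_CONF = """\
restrict default
server pool.ntp.org
server 127.127.1.0
fudge 127.127.1.0 stratum 10
"""


if __name__ == "__main__":
    for name, text in (("server", SERVER_CONF), ("weak", WEAK_CONF)):
        print(name + ":")
        for finding in audit(parse_ntp_conf(text)) or ["ok"]:
            print("  - " + finding)
```

The parser ignores directives it does not know, so it can be pointed at a real /etc/ntp.conf unchanged; the "fewer than 3 sources" check reflects NTP's selection algorithm, which needs at least three candidates to identify one falseticker.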

Firewall

Because of the ntp remote root exploit, we filter ntp packets at the router. Only ntp1 and ntp2 can receive ntp from outside:

access-list 101 remark NTP BUSTED FIXED TIME SERVERS
access-list 101 permit udp any host ntp1.hpcf.upr.edu eq ntp
access-list 101 permit udp any host ntp2.hpcf.upr.edu eq ntp
access-list 101 deny    udp any any eq ntp log

-- Main.HumbertoOrtiz - 10 Apr 2001

On astraeus we're running OpenNTPD now. Configuration is much simpler:

# $OpenBSD: ntpd.conf,v 1.7 2004/07/20 17:38:35 henning Exp $
# sample ntpd configuration file, see ntpd.conf(5)

# Addresses to listen on (ntpd does not listen by default)
#listen on *
#listen on 127.0.0.1
#listen on ::1
listen on 136.145.54.23

# sync to a single server
#server ntp.example.org

# use a random selection of 8 public stratum 2 servers
# see http://twiki.ntp.org/bin/view/Servers/NTPPoolServers
servers pool.ntp.org

# These are stratum 1 signals I have permission to use
servers tick.mit.edu
servers ntp0.naic.edu

HumbertoOrtiz - 2005/05/09
