Recommendations to use NTP pool


#1

Hi, we are planning to use “pool.ntp.org” for time synchronization for our NTP clients. But we are not sure how secure we would be by using time synchronization using our hosted service, since it is a globally hosted public pool of NTP servers.

Can someone suggest to me the best practices for using an NTP service hosted on a public network, which would help me secure our server environment from any possible attacks?


#2

Can you clarify your question some? I’m not sure exactly what you are trying to achieve, either secure time for your servers, or some clients? How many machines are we talking about? 2, 20, 200, 2000?

Depending on your hosting company, many of the larger ones (like Amazon for instance) offer in-house NTP servers for their customers to sync to if you don’t want to use the pool servers.

If your hosting company doesn’t offer that, and all you want to do is sync some of your servers then setting the various pool servers in your ntp.conf file (or whatever program you are using) should be sufficient. Note that if you are using a current version of NTP (and I believe Chrony) you can use the ‘pool’ directive instead of ‘server’.

https://www.eecis.udel.edu/~mills/ntp/html/confopt.html#pool

If you aren’t going to be serving time from these servers, then leave port 123 closed on your firewall (assuming you have a stateful firewall). Then there is no issue with someone trying to attack / abuse NTP on your servers. If you are going to be serving time from these servers, then there are a few different ways to go about it.

If it’s time to anyone / everyone, then obviously you would need to open port 123 on your firewall, but you would need at minimum a line in your configuration that looks like:

restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

If you know the source IPs of the clients, you can always configure the firewall to only allow those to pass on port 123. Alternately you can specify in your ntp.conf similarly to only respond to those clients with time and ignore everyone else.

If you don’t know the source IPs of the clients and don’t want just anyone to query your NTP server, then you can set up authentication / encryption, so only authorized clients will be responded to.
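A small audit script, added here as an example and not part of any post in this thread, that checks an ntp.conf against the two points made above: use the ‘pool’ directive for pool hostnames, and have a ‘restrict default’ line carrying the flags shown. The two configurations embedded in it are constructed samples.

```python
"""Audit a classic ntpd ntp.conf for the access-control settings discussed above.
Added example (not from the thread). Assumes ntpd's restrict/server/pool syntax."""
import shlex

# Flags the post puts on 'restrict default' for a server that answers anyone.
REQUIRED_DEFAULT_FLAGS = {"kod", "limited", "nomodify", "notrap", "nopeer", "noquery"}

# Constructed sample: pool servers listed one by one, no access control at all.
WEAK_CONF = """
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
driftfile /var/lib/ntp/drift
"""

# Constructed sample following the post: pool directive plus restrict defaults.
HARDENED_CONF = """
pool pool.ntp.org iburst
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
# known client subnet (constructed): serve time, allow no queries or changes
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer noquery
driftfile /var/lib/ntp/drift
"""

def parse_ntp_conf(text):
    """Yield (directive, args) for every non-empty, non-comment line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = shlex.split(line)
            yield parts[0].lower(), parts[1:]

def audit_ntp_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, default_restricts = [], 0
    for directive, args in parse_ntp_conf(text):
        if directive == "restrict" and args:
            # Accept both 'restrict default ...' and 'restrict -6 default ...'.
            target = args[1] if args[0] == "-6" and len(args) > 1 else args[0]
            if target == "default":
                default_restricts += 1
                missing = REQUIRED_DEFAULT_FLAGS - set(args)
                if missing:
                    findings.append("restrict default lacks: " + " ".join(sorted(missing)))
        elif directive == "server" and args and ".pool.ntp.org" in args[0]:
            findings.append(f"'server {args[0]}' should use the 'pool' directive")
    if default_restricts == 0:
        findings.append("no 'restrict default' line: any host may query or modify ntpd")
    return findings
```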


#3

Hi, we would like to set up an NTP client on Windows Server to sync time from the NTP pool, using authentication / encryption to the NTP servers available in the pool.

Please guide me to set up my environment according to the requirement mentioned above.


#4

The NTP Pool does not provide servers with authentication / encryption. At least that I’m aware of.


#5

@littlejason99 is correct for the pool as a whole. Doing so properly would require a vast amount of effort to manage the infrastructure required to get coherent authentication across all the pool servers, or alternatively a secure replacement for the autokey mechanism.

Some individual servers may provide authenticated time service, but they can only do so properly for any alternate hostnames they answer to, not the pool hostnames.


#6

NIST does provide several servers supporting authenticated NTP requests; there is a link on their page for how to request info. It is free from what the page says.

https://tf.nist.gov/tf-cgi/servers.cgi


#7

Can you clarify your question some? I am not positive exactly what you are attempting to attain.


#8

Isn’t this really a question of hard-coding a couple of great trusted servers (NIST Boulder, USNO or Johns Hopkins) along with a couple of pool servers, using the Pool service as backup to round out the disciplining of the trusted servers and as a failsafe in case they go haywire?

Pretty sure if one needs authenticated time, one would go to the national-lab-like orgs, but I am a total newbie, so please feel free to comment on my assumptions here…