LinuxQuestions.org
Debian This forum is for the discussion of Debian Linux.

08-20-2007, 07:41 PM   #1
apachenew
ntp not synchronizing with internet servers


My system is Debian Etch 4.0.
For some reason, the time is way off and it doesn't seem to be syncing with the internet time servers. I did install ntp by apt-get install ntp.

Here's what I did:
In gnome:
Adjust date/time >
time and date settings:
checked off "synchronize clock w/ internet servers" >
select servers >
time server: checked off the ntp servers in my time zone >
close >
ok
(our time zone is pst so selected L.A. for the time zone).

Any suggestions?

Thanks!
 
08-20-2007, 08:17 PM   #2
slimm609
Are you sitting behind a firewall that could be blocking NTP, or does your system have a firewall on it? If your system has a firewall on it then I would disable it and see if it updates.
 
08-21-2007, 12:22 AM   #3
dahveed3
Hmm, ntp usually knows how to punch a hole through iptables. Turning off the firewall isn't really recommended.

If you don't want to configure iptables manually you could install something like Firestarter and run through its wizard to get a good default setting. My ntp time servers work fine using that setup.

su -

aptitude update
aptitude install firestarter

Either run update-menus or log off and back on, and Firestarter will appear on your menu. It is not a firewall itself, just an easy way to configure the built-in iptables firewall. So once you set it up you don't need it running unless you like to see where the attacks it is blocking are coming from.
 
08-21-2007, 07:57 AM   #4
slimm609
Quote:
Originally Posted by dahveed3
Turning off the Firewall isn't really recommended.
Why is it not recommended? If you turn it off for 2-3 mins and manually pull an ntp update to test, there is nothing wrong with that. I hope you don't rely on a firewall as your means of security. Plus, as long as he keeps the system up-to-date, then what is the problem? Rather than messing with the configuration of the firewall, if you turn it off and ntp still doesn't update then you can rule that out, then turn it back on. Also, how is the firewall set up? Is it stateful or not? That will make a huge difference.

 
08-21-2007, 11:27 AM   #5
unSpawn (Moderator)
Quote:
Turning off the Firewall isn't really recommended.
I agree it isn't the best approach, punching a hole in the firewall manually to allow states related, established for `getent services ntp` is. Once the ruleset is listed it shouldn't be that difficult to add. No need to expose the whole box when a tiny hole should do and certainly not for longer than 30 secs. NTP needs way less time to sync. BTW, what do 'ntpstat' and 'ntptrace' return?
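To make the "tiny hole" unSpawn describes concrete, here is an added example; it is not code from anyone in this thread, and the function names are mine. ntp_firewall_rules prints (rather than applies) the two iptables rules for a client-only NTP hole: our queries out to the port that `getent services ntp/udp` resolves (falling back to 123), and only the matching replies back in, using the state match that a 2007 ruleset would have (`-m conntrack --ctstate` is the equivalent on current kernels). ntp_sync_status parses `ntpq -pn` output to separate three cases that look the same from the GNOME dialog: a selected peer (the line marked with `*`, which is what ntpstat reports as synchronised), replies arriving but no peer selected yet (reach is non-zero; just wait a few polls), and reach stuck at 0 on every line, which means the packets never came back and the firewall is the first suspect. The two ntpq outputs embedded are constructed samples using documentation addresses. One caveat the thread does not mention: if the clock is off by more than 1000 seconds ntpd refuses to step it and exits unless started with -g, so a "way off" clock should be set once (ntpd -gq, or ntpdate) before blaming the firewall.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster). Assumes iptables
# with the state match and an ntpd that answers `ntpq -pn`.

# Print a minimal client-side NTP hole: our queries out, matching replies back.
# Printed instead of applied so the rules can be reviewed first;
# `ntp_firewall_rules | sh` applies them. -I puts them ahead of any DROP rule
# already in the chain.
ntp_firewall_rules() {
    # Resolve the port from /etc/services as unSpawn suggests; fall back to 123.
    port=$(getent services ntp/udp 2>/dev/null \
           | sed -n 's/.*[[:space:]]\([0-9][0-9]*\)\/udp.*/\1/p')
    port=${port:-123}
    printf 'iptables -I OUTPUT -p udp --dport %s -m state --state NEW,ESTABLISHED -j ACCEPT\n' "$port"
    printf 'iptables -I INPUT  -p udp --sport %s -m state --state ESTABLISHED -j ACCEPT\n' "$port"
}

# Classify `ntpq -pn` output (pass "$(ntpq -pn)" on a live box):
#   synced      - a peer carries the '*' tally code; ntpd has selected it
#   reachable   - replies arrive (reach != 0) but nothing selected yet; wait
#   unreachable - reach is 0 on every peer: packets never came back, so look
#                 at the firewall (UDP 123 out and the replies in) first
ntp_sync_status() {
    out=$1
    if printf '%s\n' "$out" | grep -q '^\*'; then
        echo synced
    # skip the two header lines, drop the tally-code column, read field 7 (reach)
    elif printf '%s\n' "$out" | tail -n +3 | sed 's/^.//' | tr -s ' ' \
            | cut -d' ' -f7 | grep -q '^[1-9][0-9]*$'; then
        echo reachable
    else
        echo unreachable
    fi
}

# Constructed sample outputs (documentation addresses, not real servers).
# A firewall that eats UDP/123 looks like the first one: refid .INIT., reach 0.
NTPQ_BLOCKED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 198.51.100.7    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

NTPQ_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377   82.112   -3.001   1.562
+198.51.100.7    203.0.113.1      2 u   20   64  377   45.223    1.420   2.004'

# Live usage:  ntp_sync_status "$(ntpq -pn)"   and   ntp_firewall_rules | sh
```

If the status comes back "unreachable" with the rules in place, the hole is being made on the wrong box: a NAT router or ISP filter upstream drops UDP/123 just as effectively as a local iptables policy, which is why slimm609's question about "behind a firewall" matters as much as the local one.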
 
08-21-2007, 01:41 PM   #6
dahveed3
Maybe not fully on topic but in response to not depending on a firewall for security:

I still consider myself a newbie even though I've used a few distros and read just about every Linux book I thought related to the most popular distros and perused various forums. Plus just running and installing various things. I know enough to help others with certain things too at this point but 6 months do not make me an experienced Linux user. Plus I'm still a GUI lover.

That said, what should I be depending upon for security? When I used openSUSE I set up the firewall with YaST and left AppArmor at whatever it does by default. On Debian Lenny I set up the firewall with Firestarter and did the tricks to get it to load into my GUI at login just so I could feel comfortable that it is running all the time. I installed rkhunter and cron (automatically, I didn't do it) regularly runs it. Once in a while I manually run its updater and run a full check with it myself. I've taken the advice of most that say that for a home desktop installing a virus scanner isn't really that necessary on Linux. The only change to the Firestarter settings was giving inbound permissions to the BitTorrent ports so that ktorrent could run properly.

I never run in anything but my user account. I don't use sudo, so anything I need root for I just do su - from a terminal or for GUI apps do gksu or in KDE kdesu (using Gnome at the moment though).

I daily run aptitude update, aptitude safe-upgrade, and aptitude full-upgrade so I get the latest security updates from the Debian testing security repo and the software packages updated.

The stuff I put into my home folder is generally read-write for me alone and just read for others. I don't mess with permissions on stuff outside of my home folder (except for that one occasion when I did use vi to allow Firestarter to startup automatically with sudo status without pestering me. That way the autostart just loads it into the system tray at every login without bothering me for the root password).

I use McAfee SiteAdvisor as an IceWeasel plugin so I don't visit nasty websites they know about.

My Vista NTFS separate hard drive is set up the old-fashioned way with only read access while using Linux.

What else should I be doing?
 
08-21-2007, 02:57 PM   #7
slimm609
Here are just a few examples of good security. Most people think it is overkill but I don't. I guess that's why I don't have a problem turning off the firewall if need be.

hardened kernel, stealth iptables, all network daemons in hardened chroot jails, encrypted swap, encrypted drive, randomized TCP stack, randomized process IDs, 2 password auth for all users (first password standard Unix shadow, second password SHA-512 w/ 32 digit Blowfish salt), entire system compiled by hand with PIC, PIE and SSP enabled, ASLR, libsafe, and a few more but I can't think of them off the top of my head.

 
08-21-2007, 05:34 PM   #8
dahveed3
Wow! Sounds pretty secure. Thanks for the list. I think I'll go on as usual but it's nice to know of the options available. I really don't use my home computer for much more than the usual multimedia fun, browsing, email, etc. I do occasionally purchase things on the net and access my bank account on the bank website to check out things. I suppose that if I were running a business or networking with more than my single computer and a Comcast cable ethernet connection some of those measures would become appropriate for me.

I've been pretty fortunate never to have been attacked successfully, even when I was using Windows for all those years. I just always kept everything updated to latest versions and used ZoneAlarm and McAfee, Spybot S&S, Ad-Aware, and scanned regularly. I also used mostly Netscape-Mozilla-Firefox/Thunderbird through the years with only occasional checking out how Internet Explorer was running just to check that nothing was broken in there. When Internet Explorer 7 came out I used it for a brief period to try it out before returning to the Firefox fold.

Like I said though, being new to Linux I wasn't sure. Of course I made sure to have the Firewall taken care of and then did some further reading to see how most folks protected their computers on Linux. You do a bunch more than most. Nothing wrong with that if that's what you're used to. A bit overkill for my situation though.
 
08-22-2007, 03:12 AM   #9
unSpawn (Moderator)
First of all you've done more than the "average" user (even if there's nothing like an average user) and that's good to see.

Quote:
Originally Posted by slimm609
here is just a few examples of good security most people think it is overkill but i don't. I guess thats why i dont have a problem turning off the firewall if need be.
Try to view what I write below as positive concern and constructive criticism, not slagging people off. It's not the right day for doing that :-] FWIW, please note Slimm609 here refers to his personal situation and not to any "standard procedure". A lot of things mentioned here I don't find overkill at all, but then again not all are related to security in the context of running a hardened box with network accessible services (though I agree that may not have been his purpose posting this list). Ultimately turning off the firewall (again, unnecessary) will be your decision based on your situation.


hardened kernel
A hardened kernel means running one with an activated GRSecurity, SELinux or LIDS patch (or running a distro like for example hardened Gentoo or Owl; Gentoo *must* be applauded for providing a standard GRSecurity-patched kernel). When you run one of those the "internal protection mechanisms" like for instance PaX and TPE in GRSecurity could stop a user from executing binaries he brought along, or a cracker from elevating rights beyond those of the daemon she subverted. The fact you run one of those patches does not automagically mean your network-accessible daemons are protected from malicious network activity.


stealth iptables
"Stealth" (gasp!) refers to the box not returning certain ICMP and UDP replies (for instance Gibson's firewall test). While "stealth" (gasp!) sounds nice it does not prohibit discovery (nmap -P or other means) or enhance security because a) packets are still inspected by the kernel before being dropped, b) you can't have an accessible service running and stealth it, and c) blocking ICMP might hurt network performance; ICMP wasn't conceived idly.


all network daemons in hardened chroot jails
That's really nice. In some cases trial and error work. Can be defeated by misconfiguration like introducing sockets or mounts inside the chroot. In the best scenario it doesn't stop a cracker from subverting the service but from elevating rights. Note that with the ongoing lamentable state of people running deprecated or unpatched PHP-based apps the cracker wouldn't even *need* to elevate rights to be able to do her job (send spam, infect ClippyOS machines).


encrypted swap, encrypted drive
Doesn't stop anyone except you if you dropped your key, and those who can't image the filesystem while the box is running.


randomized tcp stack, randomized process id's
Not a randomized network stack but randomized sequence numbers, right?
And only providing "full coverage" if combined with PaX and ASLR, right?


2 password auth for all users
All human users or *ALL* users including network accessable daemons?


first password standard Unix shadow, second password SHA-512 w/ 32 digit Blowfish salt
How would this stop a cracker who uses a buffer or stack overflow to gain or elevate access?


entire system compiled by hand with PIC, PIE, and SSP enabled, ASLR, libsafe
Doesn't compiling PIC/PIE imply ASLR? I mean, PIC/PIE doesn't make sense without ASLR?
Isn't libsafe incompatible or defunct on distros running a 2.6 kernel?


and a few more but i can't think off the top of my head
All in all it's a nice list and it shows some people put more thought into hardening a system than others. The main "gripe" I have with this list is that it is not a structured approach and as such you don't get to focus on priorities nor achieve what's necessary: ensured integrity. Hardening relies on a structured approach which starts at OS install time. Furthermore hardening doesn't only mean access control but it's a triplet which also includes logging and auditing. Without those hardening doesn't mean zilch since you won't be able to continuously assess the security posture of the box in an objective way. Also there's measures one should take that don't fall under the "hardening" category like for instance having the discipline to follow news from your distro's SO and update when updates are released, or for example not accepting or running unknown binaries from strangers. Then there's knowledge. Almost everything can be made vulnerable if misconfigured and those who don't read before configuring or use default settings will more often bite the dust. There's some good threads if you search the LQ Linux Security forum, and that would be the first place to post questions regarding security. There's more than a few documents from reputable sources that can help harden a box and you can find some at the LQ FAQ: Security references.


Please correct me if my assertions are wrong or if I've made mistakes.
 
08-22-2007, 09:54 AM   #10
slimm609
Very correct on most of the stuff.

Quote:
FWIW, please note Slimm609 here refers to his personal situation and not to any "standard procedure".
I have tried to include a lot of these in my distro (see signature block). The current things that are not included are the chroot jails and the PIC/PIE/SSP (working on this for the next version), but almost everything else is included by default (given the options at setup).

Quote:
hardened kernel
A hardened kernel means running one with an activated GRSecurity, SELinux or LIDS patch (or running a distro like for example hardened Gentoo or Owl; Gentoo *must* be applauded for providing a standard GRSecurity-patched kernel). When you run one of those the "internal protection mechanisms" like for instance PaX and TPE in GRSecurity could stop a user from executing binaries he brought along, or a cracker from elevating rights beyond those of the daemon she subverted. The fact you run one of those patches does not automagically mean your network-accessible daemons are protected from malicious network activity.
Grsecurity is the patch I use; I don't like precompiled kernels though. I compile only what is needed and also disable all modules. Everything must be built into the kernel if the system needs it.

Quote:
stealth iptables
"Stealth" (gasp!) refers to the box not returning certain ICMP and UDP replies (for instance Gibson's firewall test). While "stealth" (gasp!) sounds nice it does not prohibit discovery (nmap -P or other means) or enhance security because a) packets are still inspected by the kernel before being dropped, b) you can't have an accessible service running and stealth it, and c) blocking ICMP might hurt network performance; ICMP wasn't conceived idly.
The grsecurity iptables stealth patch helps in hiding the identity of the machine, not the machine itself. You don't have to block ICMP with stealth turned on.


Quote:
all network daemons in hardened chroot jails
That's really nice. In some cases trial and error work. Can be defeated by misconfiguration like introducing sockets or mounts inside the chroot. In the best scenario it doesn't stop a cracker from subverting the service but from elevating rights. Note that with the ongoing lamentable state of people running deprecated or unpatched PHP-based apps the cracker wouldn't even *need* to elevate rights to be able to do her job (send spam, infect ClippyOS machines).
Hardened chroot jail: grsecurity has great coverage of this with deny mounts inside chroot, deny sockets, etc. As for the processes themselves, PHP is patched with the Hardened-PHP patch, and Apache is running with mod_security acting as an HTTP-compliant Apache firewall; it only runs on 443 with a 2048-bit pre-shared key. Also I have a script that does an SHA-1 hash on MOST of the files inside the jails that should not change and replaces them from a backup if needed.



Quote:
encrypted swap, encrypted drive
Doesn't stop anyone except you if you dropped your key, and those who can't image the filesystem while the box is running.
The swap is erased and rebuilt every time the system starts, and once it mounts it, it forgets the key. The drive is in case of power failure or reboot. I am working on a way to have the keys stored on the TPM on the machine and have grsecurity use the TPM also.


Quote:
randomized tcp stack, randomized process id's
Not a randomized network stack but randomized sequence numbers, right?
And only providing "full coverage" if combined with PaX and ASLR, right?
Correct, with the PaX and ASLR. Here are the exact details of the network randomization:

Larger entropy pools
Truly random TCP ISN selection
Randomized IP IDs
Randomized TCP source ports
Randomized RPC XIDs
Socket restrictions


Randomized PIDs


Quote:
2 password auth for all users
All human users or *ALL* users including network accessable daemons?
This applies to any account trying to auth from the network that would receive a shell. If the program handles the entire connection then they only use one, but the daemons are in chroot jails so they have separate password files anyway.

Quote:
first password standard Unix shadow, second password SHA-512 w/ 32 digit Blowfish salt
How would this stop a cracker who uses a buffer or stack overflow to gain or elevate access?
The main point of this is, if the password or shadow file gets out and hashed, the 2nd password is a lot stronger encryption and can't match the first.


Quote:
entire system compiled by hand with PIC, PIE, and SSP enabled, ASLR, libsafe
Doesn't compiling PIC/PIE imply ASLR? I mean, PIC/PIE doesn't make sense without ASLR?
Correct, to fully take advantage of ASLR you need PIC/PIE and vice versa. SSP also helps with buffer overflows and return-to-libc.

Quote:
Isn't libsafe incompatible or defunct on distros running a 2.6 kernel?
libsafe 1.3 is for the 2.4 kernel
libsafe 2.0 is for the 2.6 kernel


I have also removed the execute-stack permissions from all libraries.

grsecurity has very good logging features and also each daemon's config is set to full logging. The logs are emailed every night to a separate machine.

As far as auditing, I have a lovely collection of security checks that run daily, weekly and monthly with all results emailed to me.
e.g. file perms, user account login times, rootkit results, etc.

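slimm609's nightly "hash the files that should not change and replace them from a backup" script is the classic file integrity check, and it is worth seeing what one looks like. The following is an added example written for this thread, not the poster's script; the function names and manifest format are mine, and it uses SHA-256 where the post mentions SHA-1. integrity_baseline records a digest for every regular file under a jail, with paths relative to the jail so the same manifest applies to the backup tree. integrity_check re-hashes against the manifest, reports what changed or went missing, restores from the backup tree when one is given, and returns non-zero if anything differed so a cron job can mail on failure (it does not detect files *added* to the jail; compare find listings for that). Two caveats the thread's later posts touch on: the manifest and the backup must live where the jailed daemon, or whoever subverted it, cannot write, i.e. read-only media or a separate machine like the one the logs go to; and the check trusts the sha256sum binary and the kernel it runs on, which is why rkhunter-style checks from known-good media are the stronger form. Files that legitimately change (logs, pid files, sockets) have to be left out of the baseline, which is what "MOST of the files" in the post is about.

```shell
#!/bin/sh
# Added example: baseline-and-restore integrity check for a chroot jail.
# Not the poster's script; function names and the manifest format are mine.
# Needs sha256sum (coreutils or busybox) and a POSIX sh.

# integrity_baseline JAIL MANIFEST
# Hash every regular file under JAIL and write "digest  ./path" lines, sorted
# by path. Keep MANIFEST outside the jail and on read-only or remote storage.
# Prune volatile paths (logs, run/) with -path ... -prune before trusting it.
integrity_baseline() {
    jail=$1 manifest=$2
    (cd "$jail" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$manifest"
}

# integrity_check JAIL MANIFEST [BACKUP]
# Re-hash each manifest entry; print MISSING/CHANGED for mismatches, copy the
# known-good file back from BACKUP/path when BACKUP is given (mode and mtime
# preserved), and return 1 if anything differed. The loop reads the manifest
# via redirection, not a pipe, so rc survives past the loop in plain sh.
integrity_check() {
    jail=$1 manifest=$2 backup=$3 rc=0
    while read -r expected path; do
        if [ ! -f "$jail/$path" ]; then
            echo "MISSING $path"
            actual=""
        else
            actual=$(cd "$jail" && sha256sum "$path" | cut -d' ' -f1)
            [ "$actual" = "$expected" ] || echo "CHANGED $path"
        fi
        if [ "$actual" != "$expected" ]; then
            rc=1
            if [ -n "$backup" ] && [ -f "$backup/$path" ]; then
                mkdir -p "$jail/$(dirname "$path")"
                cp -p "$backup/$path" "$jail/$path" && echo "RESTORED $path"
            fi
        fi
    done < "$manifest"
    return "$rc"
}

# Nightly cron, with the backup tree mounted read-only (paths are hypothetical):
#   integrity_check /srv/jail/www /mnt/ro/www.sha256 /mnt/ro/www-backup \
#       || mail -s "jail integrity failure" root
```

Restoring a replaced binary is containment, not investigation: a CHANGED line on a file the daemon had no business writing means the jail was already entered, and the log line that says so should reach the separate log host before the restore erases the evidence.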