How to install OpenNTPD NTP server to synchronize system clock on FreeBSD for better security
Lately I've been researching ntpd and wrote two articles on how to install ntpd on CentOS and Fedora and how to install ntpd on FreeBSD. During my research on ntpd I came across OpenNTPD and decided to give it a go on my FreeBSD home router.
The OpenBSD project is well known for its high security standards and has historically passed the test of time as an extraordinarily secure, free UNIX-like operating system. OpenBSD and FreeBSD share the same 4.4BSD ancestry and are developed in parallel, but the development models of the two free operating systems are very different.
As part of OpenBSD's effort to be independent in its base software from other free operating systems such as GNU/Linux and FreeBSD, the project develops many core components itself. The best known of these across the whole free software world is OpenSSH. Along with OpenSSH, another interesting project developed primarily for OpenBSD is OpenNTPD.
Here is how openntpd.org describes OpenNTPD:

"a FREE, easy to use implementation of the Network Time Protocol. It provides the ability to sync the local clock to remote NTP servers and can act as NTP server itself, redistributing the local clock."
OpenNTPD's focus, just like OpenBSD's, is security, so for FreeBSD installs that target security openntpd may be a good choice. Besides that, the popular classical reference ntpd has a long history of security advisories, and remotely exploitable bugs in it have been published on numerous occasions.
Another reason to choose openntpd over ntpd is its great simplicity: the openntpd configuration is a handful of lines.
Here are the steps I followed to have the openntpd time server synchronize the clock on my system against publicly accessible NTP servers on the internet.
1. Install openntpd through pkg_add -vr openntpd or via the ports tree

a) For a binary install with pkg_add (the legacy package tool; on systems with pkg(8) the equivalent is pkg install openntpd) issue:

freebsd# pkg_add -vr openntpd
...

b) If you prefer to compile it from source:

freebsd# cd /usr/ports/net/openntpd
freebsd# make install clean
...
2. Enable OpenNTPD to start on system boot:

freebsd# echo 'openntpd_enable="YES"' >> /etc/rc.conf
3. Create the openntpd ntpd.conf configuration file

The port ships a sample ntpd.conf which can be used straight away as the basis of the configuration:

freebsd# cp -p /usr/local/share/examples/openntpd/ntpd.conf /usr/local/etc/ntpd.conf
The default ntpd.conf works fine without modifications for a client: it only names the servers to synchronize from. Note that the listen on directive does not restrict which hosts may query openntpd; it names the local addresses the daemon binds to when acting as a server. With no listen on line at all, OpenNTPD opens no listening socket and acts purely as a client, which is the safest setting for a host that only needs its own clock synced. If the router should also serve time to the LAN, add listen on lines for its own LAN-side addresses only, never the external one. For example, assuming 192.168.1.2, 192.168.1.3 and the IPv6 address below are the router's LAN addresses:

listen on 192.168.1.2
listen on 192.168.1.3
listen on 2607:f0d0:3001:0009:0000:0000:0000:0001
listen on 127.0.0.1

With this configuration openntpd answers NTP queries arriving on those addresses and on nothing else. Which client hosts are allowed to reach them is a job for the pf / ipfw firewall, not for listen on.
4. Start the OpenNTPD service

freebsd# /usr/local/etc/rc.d/openntpd start
5. Verify that openntpd is up and running

freebsd# ps axuww | grep -i ntp
root 31695 0.0 0.1 3188 1060 ?? Ss 11:26PM 0:00.00 ntpd: [priv] (ntpd)
_ntp 31696 0.0 0.1 3188 1140 ?? S 11:26PM 0:00.00 ntpd: ntp engine (ntpd)
_ntp 31697 0.0 0.1 3188 1088 ?? S 11:26PM 0:00.00 ntpd: dns engine (ntpd)
root 31700 0.0 0.1 3336 1192 p2 S+ 11:26PM 0:00.00 grep -i ntp

The three ntpd processes are OpenNTPD's privilege separation at work: only the [priv] parent runs as root, because it is the one that adjusts the clock, while the ntp engine that talks to the network and the dns engine that resolves server names run as the unprivileged _ntp user. A bug in the packet parser therefore lands in an unprivileged process rather than in root.
It is also a good idea to check that openntpd has successfully established connections to its remote peer time servers. This confirms that pf / ipfw firewall rules are not preventing connections to remote UDP port 123:

freebsd# sockstat -4 -p 123
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
_ntp ntpd 31696 4 udp4 83.228.93.76:54555 212.70.148.15:123
_ntp ntpd 31696 6 udp4 83.228.93.76:56666 195.69.120.36:123
_ntp ntpd 31696 8 udp4 83.228.93.76:49976 217.75.140.188:123

Each line is a socket of the unprivileged ntp engine with a remote server on port 123; the local port is a random high port, as for any UDP client. The -4 flag shows IPv4 sockets only. If the FreeBSD kernel has IPv6 support and the configured servers resolve to IPv6 addresses, openntpd talks to them over IPv6 as well, so check with -6 too (or drop the -4).
6. Resolve openntpd firewall filtering issues

If pf blocks inbound UDP on the external interface with a rule in /etc/pf.conf like:

block in log on $EXT_NIC proto udp all

then the outgoing NTP queries still leave the box, but the replies are dropped and openntpd never synchronizes. Add pass rules for UDP port 123; pf keeps state on pass rules by default, so the matching replies are let back in past the block rule:

# IPv4: open outgoing UDP 123 (NTP); state lets the replies back in
pass out on $EXT_NIC inet proto udp to any port ntp
# IPv6: open outgoing UDP 123 (NTP)
pass out on $EXT_NIC inet6 proto udp to any port ntp

NTP runs over UDP only, so there is no reason to open TCP port 123. pf evaluates rules last-match-wins unless a rule says quick, so make sure no later block out rule overrides these. If you enabled listen on so that the router serves time to the LAN, you additionally need a pass in rule for UDP 123 on the internal interface, restricted to the LAN network, and nothing of the sort on the external side.

$EXT_NIC is defined as the external (WAN-facing) NIC interface, for example:

EXT_NIC="ml0"
Afterwards load the new pf.conf rules. There is no need to disable pf (pfctl -d) and re-enable it (pfctl -e) as is sometimes suggested; that leaves the host unfiltered in between. Reloading the ruleset is enough (pfctl -n parses without loading, for a dry run first):

freebsd# /sbin/pfctl -f /etc/pf.conf
...
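The whole procedure above, as an added shell example that is not from the article or the OpenNTPD project: helper functions that generate the ntpd.conf (client-only, or serving the LAN with listen on), emit the matching pf rules, and count established peers from sockstat output. The interface names em0/em1, the LAN addresses and the pool hostname are assumptions, and the sockstat sample is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not from the original article. em0/em1, the addresses and
# pool.ntp.org are assumptions; adjust them to your router.

# gen_ntpd_conf POOL [LOCAL_ADDR ...]
# Emit an ntpd.conf. "servers" is the client side (where time is fetched from);
# "listen on" is the server side and names the LOCAL addresses ntpd binds to.
# With no LOCAL_ADDR, no "listen on" line is written and OpenNTPD runs
# client-only, opening no listening socket at all.
gen_ntpd_conf() {
    pool="$1"; shift
    printf '# time sources (a pool name expands to several peers)\n'
    printf 'servers %s\n' "$pool"
    for addr in "$@"; do
        printf 'listen on %s\n' "$addr"
    done
}

# gen_pf_rules EXT_IF [INT_IF]
# Emit the pf rules the procedure needs: outgoing UDP 123 on the WAN side
# (stateful, so the replies get back in past a "block in" rule) and, only when
# an internal interface is given, incoming UDP 123 from the LAN network to the
# router's own LAN address. NTP never uses TCP, so no TCP rule is opened.
gen_pf_rules() {
    ext="$1"; int="$2"
    printf 'pass out on %s inet proto udp to any port ntp\n' "$ext"
    printf 'pass out on %s inet6 proto udp to any port ntp\n' "$ext"
    if [ -n "$int" ]; then
        printf 'pass in on %s inet proto udp from %s:network to (%s) port ntp\n' \
            "$int" "$int" "$int"
    fi
}

# count_ntp_peers  (reads "sockstat -p 123" output on stdin)
# Count UDP sockets owned by _ntp whose FOREIGN port is 123, i.e. remote
# servers the ntp engine has actually contacted. A listening socket (foreign
# "*:*") is not a peer and is not counted. Zero after a minute of uptime
# usually means the firewall is dropping UDP 123.
count_ntp_peers() {
    awk '$1 == "_ntp" && $5 ~ /^udp/ && $7 ~ /:123$/ { n++ } END { print n + 0 }'
}

# Constructed sample in the layout of "sockstat -4 -p 123" (documentation
# addresses, not a real capture): two peers plus one local listening socket.
SAMPLE_SOCKSTAT='USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
_ntp ntpd 31696 4 udp4 192.0.2.10:54555 198.51.100.15:123
_ntp ntpd 31696 6 udp4 192.0.2.10:56666 198.51.100.36:123
_ntp ntpd 31696 5 udp4 192.168.1.1:123 *:*'

# Demo: a plain client that only syncs its own clock (no listen on).
echo '--- client-only ntpd.conf'
gen_ntpd_conf pool.ntp.org
# Demo: a router serving its LAN on 192.168.1.1, with the pf rules for it.
echo '--- LAN-serving ntpd.conf'
gen_ntpd_conf pool.ntp.org 192.168.1.1 127.0.0.1
echo '--- pf rules (em0 = WAN, em1 = LAN)'
gen_pf_rules em0 em1
echo '--- peers established in sample sockstat output'
printf '%s\n' "$SAMPLE_SOCKSTAT" | count_ntp_peers
```

The pf rule for the LAN uses pf's interface shorthands: em1:network is the subnet configured on em1 and (em1) is the interface's own address, so the rule follows the interface if its address changes and never admits queries from the WAN side.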
In conclusion, openntpd should be more secure than the regular ntpd and in many cases is probably the better choice. Bear in mind, however, that on FreeBSD openntpd is not part of the base system, so its security fixes are not shipped through the FreeBSD base security advisories; they arrive through the ports and packages collection. Keep the port updated and check it against the ports vulnerability database (pkg audit, or portaudit on older systems) to pick up security fixes promptly.
For anyone who needs more precise clock synchronization and is less focused on security, ntpd may still be the better choice. The official OpenNTPD page states that it is designed to reach reasonable time accuracy but is not after the last microseconds.