Today I’m installing and configuring an NTP (Network Time Protocol) server, and configuring syslog so that it can log network stuff. NTP is needed to keep the workstations on the network synced up so that Kerberos can work properly; Kerberos will be used for network-wide authentication and may, hopefully, let me achieve single sign-on from the workstations. The syslog network capabilities are just useful for my current router logs, and possibly for keeping a centralized logging plan for those times that my children come crying “Dad! I can’t do this thing that I want to do so that I don’t have to go outside and have a real life….” For these steps I am now logging in through an SSH connection and switching to root with sudo -i; it’s a lot easier this way…
NTP Server: This part is easy. Just do the following as root:
- Install the ntp-server package:
apt-get install ntp-server
- open the port on the firewall (unfortunately I don’t know the IP addresses of all the time servers I’ll be using, so I opened the port to everything) with:
ufw allow proto udp from any to any port 123
- configure the NTP server; I’ll post my config below for reference. You may be able to use it as is, or you may be better off changing the servers to something closer to where you are located:
vim /etc/ntp.conf
- restart the server:
/etc/init.d/ntp restart
The config I use looks like:
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

driftfile /var/lib/ntp/ntp.drift

# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org
server ntp.ubuntu.com
server time.nist.gov

# Use local system clock as fallback
server 127.127.1.0
fudge 127.127.1.0 stratum 13

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
# broadcast 192.168.1.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
To watch the server until it successfully syncs, you can do:
watch 'sh -c "ntpq -p -c as && echo && ntptrace"'
and once the server is done syncing you can sync a workstation by opening a terminal on it and running:
sudo ntpdate {ip of server}
If you get an error that says “the NTP socket is in use, exiting” then the ntp program is already running on the workstation; a simple sudo killall ntpd on the command line will take care of it.
That should fix things up as far as NTP goes.
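The watch command above needs a person looking at the screen. As an added example (not code from the original post), the sh/awk functions below read the peer table that ntpq -p prints and answer the same questions from a script or cron job: which peer ntpd has selected as its system peer (the line tagged with “*”), whether that peer’s offset is within a tolerance, and which configured peers have never replied. The peer table embedded in the block is constructed sample data laid out the way ntpq -p prints it; the hostnames and addresses in it are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: decide from `ntpq -p` output
# whether ntpd has picked a sync peer and how far off the clock is, so the
# "watch until it syncs" check can run unattended from a script or cron job.
# The peer table below is constructed sample data in the layout ntpq -p
# prints: tally code in column 1, then remote, refid, st, t, when, poll,
# reach, delay, offset (ms) and jitter.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   34   64  377   12.345    0.812   0.411
+ntp2.example.net 192.0.2.11       2 u   40   64  377   15.120   -1.204   0.532
 ntp3.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000
 LOCAL(0)         .LOCL.          13 l   12   64  377    0.000    0.000   0.001'

# ntp_sync_peer: read ntpq -p output on stdin, print the name of the system
# peer (the line whose tally code is "*"); exit 1 if ntpd has not chosen one.
ntp_sync_peer() {
    awk '/^\*/ { split(substr($0, 2), f, " "); print f[1]; found = 1 }
         END   { exit (found ? 0 : 1) }'
}

# ntp_offset_ok MAXMS: exit 0 if a system peer exists and its absolute
# offset is at most MAXMS milliseconds, 1 otherwise.
ntp_offset_ok() {
    awk -v max="$1" '
        /^\*/ { off = $9; if (off < 0) off = -off; ok = (off <= max); seen = 1 }
        END   { exit ((seen && ok) ? 0 : 1) }'
}

# ntp_unreachable_peers: print one name per line for every configured peer
# whose reach register is 0 (no reply to any of the last eight polls).
# The two header lines of ntpq -p are skipped.
ntp_unreachable_peers() {
    awk 'NR > 2 && $7 == 0 { split(substr($0, 2), f, " "); print f[1] }'
}

# Demonstration on the constructed table. On a live box replace
# `printf '%s\n' "$SAMPLE_NTPQ"` with `ntpq -p`.
if peer=$(printf '%s\n' "$SAMPLE_NTPQ" | ntp_sync_peer); then
    echo "synced to $peer"
else
    echo "not synced yet"
fi
printf '%s\n' "$SAMPLE_NTPQ" | ntp_offset_ok 5 && echo "offset within 5 ms"
printf '%s\n' "$SAMPLE_NTPQ" | ntp_unreachable_peers
```

A peer that stays at reach 0 with refid .INIT. for more than a few poll intervals is the symptom to look for when the UDP 123 firewall rule is wrong or the upstream is unreachable; the LOCAL(0) fallback from the config above will still let ntpd report itself as synced at stratum 13, so check the system peer’s name, not just that one exists.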
[EDIT] After reviewing a lot of log files I figured I’d try commenting out the broadcast line in /etc/ntp.conf, making it look like:
# broadcast 192.168.1.255
I was getting a lot of UFW blocked messages in the logs. I’ve tested it, and the server still allows updates from clients that connect and ask to be updated, but it no longer bounces messages through the entire network every minute or two. [/EDIT]
Syslog Server: Enabling syslog to receive logs from the network is pretty simple; just do:
vim /etc/default/syslogd
You need to change SYSLOGD="" to SYSLOGD="-r" (the -r flag tells syslogd to accept messages from the network) and then restart syslog (the init script belongs to the sysklogd package) with:
/etc/init.d/sysklogd restart
Now, we need to open up another port on the firewall:
grep syslog /etc/services
Returns:
syslog 514/udp
So, to open the correct port for syslog we need to do:
ufw allow proto udp from 192.168.1.0/24 to any port 514
That allows any IP on the local network (assuming you used that network range) to connect to the syslog server on port 514 on any interface.
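Editing the defaults file by hand works once, but it is easy to get wrong on the next box or to clobber flags that are already set. As an added example (not code from the original post), the sh functions below make the SYSLOGD="-r" change repeatable: they take the defaults file path as a parameter (on a real system that is /etc/default/syslogd), keep any options already present, do nothing if -r is already there, and can report the current state. The demonstration at the end runs on a constructed temporary copy, not on the live file.

```shell
#!/bin/sh
# Added example, not from the original post: turn on network reception in a
# sysklogd defaults file the way the post does by hand, but idempotently,
# with a check function. FILE is a parameter so this can run against a
# temporary copy; on a real system it would be /etc/default/syslogd.

# syslogd_opts FILE: print the value inside SYSLOGD="..." (last match wins).
syslogd_opts() {
    sed -n 's/^SYSLOGD="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# syslogd_remote_enabled FILE: exit 0 if -r is among the SYSLOGD options.
syslogd_remote_enabled() {
    for opt in $(syslogd_opts "$1"); do
        [ "$opt" = "-r" ] && return 0
    done
    return 1
}

# syslogd_enable_remote FILE: prepend -r to the existing SYSLOGD options, or
# add a SYSLOGD="-r" line if the file has none. Running it twice is harmless.
syslogd_enable_remote() {
    file=$1
    if syslogd_remote_enabled "$file"; then
        return 0
    fi
    if grep -q '^SYSLOGD=' "$file"; then
        opts=$(syslogd_opts "$file")
        new="-r${opts:+ $opts}"
        # Write to a temp file first so a failed sed leaves the original intact.
        sed "s|^SYSLOGD=\".*\"|SYSLOGD=\"$new\"|" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    else
        printf 'SYSLOGD="-r"\n' >> "$file"
    fi
}

# Demonstration on a constructed copy of the defaults file.
demo=$(mktemp)
printf '%s\n' '# Top configuration file for syslogd' 'SYSLOGD=""' > "$demo"
syslogd_enable_remote "$demo"
syslogd_enable_remote "$demo"          # second run changes nothing
grep '^SYSLOGD=' "$demo"               # SYSLOGD="-r"
syslogd_remote_enabled "$demo" && echo "remote logging enabled"
rm -f "$demo"
```

After the change takes effect, syslogd accepts UDP datagrams on port 514 from any host that can reach it, and syslog over UDP carries no authentication, so the ufw rule above that limits the source to the local subnet is doing real work; keep it in place rather than opening 514 to any.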
There are other options that you may wish to enable; try reading the syslog overview at precision-guesswork.com, and maybe How To Set Up A Debian Linux Syslog Server at aboutdebian.com. I’m leaving my syslog config alone for now, and all that remains is setting up things like my printer and gateway to use my new syslog server. I had hoped to get to Kerberos today, but it’s not gonna happen. I’m going to do some more reading on that subject before I decide what to do, so I’m not sure what I’ll do next, either Kerberos or Xen…
One Comment
I just edited this to insert a note about commenting out the broadcast line in the /etc/ntp.conf file. You can find the relevant section easily by doing a search for [EDIT].