The point of no return

Chrooted NTP Server on CentOS 6

27th July 2013 by Ali Erdinç Köroğlu

What is NTP? The Network Time Protocol (NTP) is used to automatically sync system time with a remote reference time server. Why is time synchronisation important? Because every aspect of managing, securing, planning and debugging a network involves determining when events happen. Think about time-based AAA authentication and authorisation, billing services, financial services and fault analysis. Time management is a crucial component of a healthy and secure network.

Why chroot? As a security precaution :)

Scenario

We’ll create an NTP server for two different LANs (192.168.100.0/24 and 192.168.101.0/24), synchronised via pool.ntp.org and the Turkish Academic Network and Information Center (ULAKBİM) time servers.

Installation

Since the ntp package is in the base repository, there is no need to add an extra repository.

yum install ntp
chkconfig ntpd on

Chroot Structure

There is no chrooted ntp package, so we have to prepare the chroot environment ourselves.

mkdir /chroot
mkdir /chroot/ntp
mkdir /chroot/ntp/dev
mknod -m 666 /chroot/ntp/dev/null c 1 3
mknod -m 666 /chroot/ntp/dev/zero c 1 5
mknod -m 444 /chroot/ntp/dev/random c 1 8
mkdir /chroot/ntp/etc
mkdir /chroot/ntp/proc
mkdir /chroot/ntp/var
mkdir /chroot/ntp/var/lib
mkdir /chroot/ntp/var/lib/ntp
mv /var/lib/ntp/drift /chroot/ntp/var/lib/ntp/
chown -R ntp:ntp /chroot/ntp/var/lib/ntp
mkdir /chroot/ntp/var/log
mkdir /chroot/ntp/var/log/ntpstats
chown -R ntp:ntp /chroot/ntp/var/log/ntpstats
mv /etc/ntp.conf /chroot/ntp/etc
ln -s /chroot/ntp/etc/ntp.conf /etc/ntp.conf

The structure looks like this:

[root@firewall ~]# tree /chroot/ntp/
/chroot/ntp/
├── dev
│   ├── null
│   ├── random
│   └── zero
├── etc
│   └── ntp.conf
├── proc
└── var
    ├── lib
    │   └── ntp
    │       └── drift
    └── log
        └── ntpstats

Configuration

/chroot/ntp/etc/ntp.conf

server 0.tr.pool.ntp.org
server ntp.ulakbim.gov.tr
server 127.127.1.0
fudge 127.127.1.0 stratum 10

restrict 192.168.100.0 mask 255.255.255.0 nomodify notrap
restrict 192.168.101.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1

driftfile /var/lib/ntp/drift
logfile /var/log/ntp.log

/etc/sysconfig/ntpd

OPTIONS="-i /chroot/ntp -u ntp:ntp -p /var/run/ntpd.pid -g"

ntpd requires the proc file system inside the chroot environment. You could mount it manually, but I modified the ntpd initscript instead.

diff -u /etc/init.d/ntpd.org /etc/init.d/ntpd
--- /etc/init.d/ntpd.org	2013-07-22 18:33:23.553385624 +0300
+++ /etc/init.d/ntpd	2013-07-24 11:22:47.594735735 +0300
@@ -30,6 +30,27 @@
 
 prog=ntpd
 lockfile=/var/lock/subsys/$prog
+chroot=/chroot/ntp
+
+mount_proc() {
+        echo -n $"Binding proc to chroot environment: "
+        ret=0
+        mount --bind /proc $chroot/proc
+        let ret+=$?;
+        [ $ret -eq 0 ] && success || failure
+        echo
+        return $ret
+}
+
+umount_proc (){
+        echo -n $"Unmounting proc from chroot environment: "
+        ret=0
+       umount $chroot/proc
+        let ret+=$?;
+        [ $ret -eq 0 ] && success || failure
+        echo
+        return $ret
+}
 
 start() {
        [ "$EUID" != "0" ] && exit 4
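Review bot: in mount_proc, `mount --bind /proc $chroot/proc` runs unconditionally, so a start after an unclean stop (or after a failed start that left the mount behind) stacks a second bind mount on top of the first; guard it with `mountpoint -q $chroot/proc || mount --bind /proc $chroot/proc`. Minor style points in the same hunk: the `let ret+=$?;` lines carry a stray trailing semicolon, `umount $chroot/proc` is indented one space less than its neighbours, and `umount_proc (){` should match the `mount_proc() {` form used just above it.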
@@ -38,6 +59,9 @@
        [ -f /etc/sysconfig/ntpd ] || exit 6
        . /etc/sysconfig/ntpd
 
+       # Mounting proc into chroot
+       mount_proc
+
         # Start daemons.
         echo -n $"Starting $prog: "
         daemon $prog $OPTIONS
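Review bot: the return value of mount_proc is discarded here, so if the bind mount fails ntpd is still started inside a jail with an empty /proc, which the text above says the daemon needs; abort the start instead, e.g. `mount_proc || return 1`, keeping the [FAILED] line the function already prints.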
@@ -54,6 +78,10 @@
        RETVAL=$?
         echo
        [ $RETVAL -eq 0 ] && rm -f $lockfile
+
+       #Unmount proc from chroot
+       umount_proc
+
        return $RETVAL
 }
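Review bot: umount_proc runs even when killproc failed (RETVAL non-zero) and the daemon is still up, so the jail loses its /proc while ntpd keeps running; tie it to a successful stop, e.g. `[ $RETVAL -eq 0 ] && umount_proc`, the same condition already used for the lock file two lines above.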

Let’s start the server:

[root@firewall ntp]# /etc/init.d/ntpd start
Binding proc to chroot environment:                        [  OK  ]
Starting ntpd:                                             [  OK  ]

Just to check that everything is OK :)

[root@firewall ntpstats]# ps aux | grep ntpd
root     23824  0.0  0.0 103236   852 pts/0    S+   13:15   0:00 grep ntpd
ntp      25301  0.0  0.0  30164  1628 ?        Ss   Jul24   0:01 ntpd -i /chroot/ntp -u ntp:ntp -p /var/run/ntpd.pid -g
[root@firewall ntpstats]# cat /proc/mounts
rootfs / rootfs rw 0 0
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
devtmpfs /dev devtmpfs rw,relatime,size=1953976k,nr_inodes=488494,mode=755 0 0
devpts /dev/pts devpts rw,relatime,gid=5,mode=620,ptmxmode=000 0 0
tmpfs /dev/shm tmpfs rw,relatime 0 0
/dev/sda1 / ext4 rw,noatime,barrier=1,data=ordered 0 0
/proc/bus/usb /proc/bus/usb usbfs rw,relatime 0 0
none /proc/sys/fs/binfmt_misc binfmt_misc rw,relatime 0 0
proc /chroot/ntp/proc proc rw,relatime 0 0
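Rather than eyeballing ps and /proc/mounts, the following audit script (added here, not from the original post) verifies the jail layout from the Chroot Structure section, checks that ntp.conf carries a "restrict default" line, and, when ntpd is up, confirms from /proc that the daemon really runs as ntp with its root inside the jail; run it as root, optionally passing the chroot path. It assumes the paths and the ntp user from the post, and that the CentOS default "restrict default kod nomodify notrap nopeer noquery" line is wanted, which the configuration above does not contain.

```shell
#!/bin/bash
# Added example, not part of the original post: audit the ntpd jail built
# above. Run as root. Assumes the paths and the "ntp" user used in the post.
# Prints one line per finding and returns the number of findings (0 = clean).
audit_ntp_chroot() {
    local root=${1:-/chroot/ntp} problems=0 node want have d pid uid
    # character devices the daemon needs, with the major:minor numbers from above
    while read -r node want; do
        node="$root/$node"
        if [ ! -c "$node" ]; then
            echo "missing or not a char device: $node"; problems=$((problems + 1))
        else
            have=$(stat -c '%t:%T' "$node")                    # printed in hex
            have=$((0x${have%%:*})):$((0x${have##*:}))
            [ "$have" = "$want" ] || { echo "wrong device numbers on $node: $have (want $want)"; problems=$((problems + 1)); }
        fi
    done <<'EOF'
dev/null 1:3
dev/zero 1:5
dev/random 1:8
EOF
    for d in var/lib/ntp var/log/ntpstats; do   # written to after the privilege drop
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"; problems=$((problems + 1))
        elif [ "$(stat -c '%U:%G' "$root/$d")" != "ntp:ntp" ]; then
            echo "not owned by ntp:ntp: $root/$d"; problems=$((problems + 1))
        fi
    done
    if [ ! -f "$root/etc/ntp.conf" ]; then
        echo "missing config: $root/etc/ntp.conf"; problems=$((problems + 1))
    elif ! grep -q '^restrict default' "$root/etc/ntp.conf"; then
        # without a default restriction every address not listed gets full access
        echo "no 'restrict default' line in $root/etc/ntp.conf"; problems=$((problems + 1))
    fi
    [ "$(readlink /etc/ntp.conf 2>/dev/null)" = "$root/etc/ntp.conf" ] \
        || { echo "/etc/ntp.conf is not a symlink to $root/etc/ntp.conf"; problems=$((problems + 1)); }
    # proc must be bind-mounted into the jail (the patched initscript does this)
    awk -v m="$root/proc" '$2 == m && $3 == "proc"' /proc/mounts 2>/dev/null | grep -q . \
        || { echo "proc not mounted at $root/proc"; problems=$((problems + 1)); }
    # runtime: find ntpd via /proc and check its root directory and real uid
    pid=$(for p in /proc/[0-9]*; do [ "$(cat "$p/comm" 2>/dev/null)" = ntpd ] && echo "${p#/proc/}"; done | head -n 1)
    if [ -z "$pid" ]; then
        echo "ntpd is not running"; problems=$((problems + 1))
    else
        uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
        [ "$uid" = "$(id -u ntp 2>/dev/null)" ] || { echo "ntpd (pid $pid) is not running as ntp"; problems=$((problems + 1)); }
        [ "$(readlink "/proc/$pid/root" 2>/dev/null)" = "$root" ] || { echo "ntpd (pid $pid) is not chrooted to $root"; problems=$((problems + 1)); }
    fi
    return $problems
}
```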

NTP query result and network time synchronisation status

[root@firewall ntp]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*195.50.171.101  145.253.2.212    2 u  420 1024  377   69.880   -0.031   0.006
+samur.ulak.net. 131.188.3.221    2 u  352 1024  377   30.842   -2.137   3.257
 LOCAL(0)        .LOCL.          10 l   27   64  377    0.000    0.000   0.000
[root@firewall ntp]# ntpstat 
synchronised to NTP server (195.50.171.101) at stratum 3 
   time correct to within 84 ms
   polling server every 1024 s