Do I need ntpd on every client? How to get rid of it?

Hi!

So every workstation running FreeBSD needs a correct time. When installing FreeBSD 13 I just tagged "ntpd" and "ntpdate at boot time" options. Looks weird to me that this combination is possible, as it makes no sense, but anyway....

So now I have open listening ports on every client on port 123 and I don't want that. I have studied the man pages but didn't find anything, except that this daemon is so complex that this is one more reason to get those open ports closed.

Does anyone know how to do that? Or should I just use the client's firewall? Thanks!
 
I have it enabled on all my laptops but use pf firewall to block TCP and UDP port 123. No worries.

This is what I have on all my laptops:
/etc/rc.conf
Code:
ntp_sync_on_start="YES"
ntpdate_enable="YES"
ntpd_enable="YES"

pf_enable="YES"
pf_rules="/etc/pf.conf"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Here's my full ruleset on each laptop, to show how it works FYI:
/etc/pf.conf
Code:
### Macro name for external interface
ext_if = "em0"
netbios_tcp = "{ 22, 23, 25, 80, 110, 111, 123, 512, 513, 514, 515, 6000, 6010 }"
netbios_udp = "{ 123, 512, 513, 514, 515, 5353, 6000, 6010 }"

### Reassemble fragmented packets
scrub in on $ext_if all fragment reassemble

### Default deny everything
block log all

### Pass loopback
set skip on lo0

### Block spooks
antispoof for lo0
antispoof for $ext_if inet
block in from no-route to any
block in from urpf-failed to any
block in quick on $ext_if from any to 255.255.255.255
block in log quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 255.255.255.255/32 } to any

### Block all IPv6
block in quick inet6 all
block out quick inet6 all

### Block to and from port 0
block quick proto { tcp, udp } from any port = 0 to any
block quick proto { tcp, udp } from any to any port = 0

### Block specific ports
block in quick log on $ext_if proto tcp from any to any port $netbios_tcp
block in quick log on $ext_if proto udp from any to any port $netbios_udp

### Keep and modulate state of outbound tcp, udp and icmp traffic
pass out on $ext_if proto { tcp, udp, icmp } from any to any modulate state

This shows it at work, and that it does. For the good of us all.
Code:
root@bakemono:/ # pfctl -s all
FILTER RULES:
scrub in on em0 all fragment reassemble
block drop log all
block drop in on ! lo0 inet from 127.0.0.0/8 to any
block drop in on ! em0 inet from 192.168.1.0/24 to any
block drop in inet from 192.168.1.74 to any
block drop in on ! lo0 inet6 from ::1 to any
block drop in from no-route to any
block drop in from urpf-failed to any
block drop in quick on em0 inet from any to 255.255.255.255
block drop in log quick on em0 inet from 10.0.0.0/8 to any
block drop in log quick on em0 inet from 172.16.0.0/12 to any
block drop in log quick on em0 inet from 192.168.0.0/16 to any
block drop in log quick on em0 inet from 255.255.255.255 to any
block drop in quick inet6 all
block drop out quick inet6 all
block drop quick proto tcp from any port = 0 to any
block drop quick proto tcp from any to any port = 0
block drop quick proto udp from any port = 0 to any
block drop quick proto udp from any to any port = 0
block drop in log quick on em0 proto tcp from any to any port = ssh
block drop in log quick on em0 proto tcp from any to any port = telnet
block drop in log quick on em0 proto tcp from any to any port = smtp
block drop in log quick on em0 proto tcp from any to any port = http
block drop in log quick on em0 proto tcp from any to any port = pop3
block drop in log quick on em0 proto tcp from any to any port = sunrpc
block drop in log quick on em0 proto tcp from any to any port = ntp
block drop in log quick on em0 proto tcp from any to any port = exec
block drop in log quick on em0 proto tcp from any to any port = login
block drop in log quick on em0 proto tcp from any to any port = shell
block drop in log quick on em0 proto tcp from any to any port = printer
block drop in log quick on em0 proto tcp from any to any port = x11
block drop in log quick on em0 proto tcp from any to any port = x11-ssh
block drop in log quick on em0 proto udp from any to any port = ntp
block drop in log quick on em0 proto udp from any to any port = biff
block drop in log quick on em0 proto udp from any to any port = who
block drop in log quick on em0 proto udp from any to any port = syslog
block drop in log quick on em0 proto udp from any to any port = printer
block drop in log quick on em0 proto udp from any to any port = mdns
block drop in log quick on em0 proto udp from any to any port = x11
block drop in log quick on em0 proto udp from any to any port = x11-ssh
pass out on em0 proto tcp all flags S/SA modulate state
pass out on em0 proto udp all keep state
pass out on em0 proto icmp all keep state

STATES:
all tcp 192.168.1.74:42959 -> 34.214.1.68:443       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.74:52319 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT
all tcp 192.168.1.74:48612 -> 204.109.59.195:443       FIN_WAIT_2:FIN_WAIT_2
all tcp 192.168.1.74:30955 -> 204.109.59.195:443       TIME_WAIT:TIME_WAIT

INFO:
Status: Enabled for 49 days 03:59:43          Debug: Urgent

State Table                          Total             Rate
  current entries                        4               
  searches                        35744378            8.4/s
  inserts                           136549            0.0/s
  removals                          136545            0.0/s
Counters
  match                             306949            0.1/s
  bad-offset                             0            0.0/s
  fragment                               0            0.0/s
  short                                  0            0.0/s
  normalize                              0            0.0/s
  memory                                 0            0.0/s
  bad-timestamp                          0            0.0/s
  congestion                             0            0.0/s
  ip-option                              0            0.0/s
  proto-cksum                            0            0.0/s
  state-mismatch                         0            0.0/s
  state-insert                           0            0.0/s
  state-limit                            0            0.0/s
  src-limit                              0            0.0/s
  synproxy                               0            0.0/s
  map-failed                             0            0.0/s

TIMEOUTS:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s

LIMITS:
states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000

OS FINGERPRINTS:
762 fingerprints loaded
root@bakemono:/ #
 
I have now removed ntpd_enable and added a daily cron job for ntpdate.... dunno if that's the intended way to do it...
 
There's a bunch of hardware platforms around today that don't have a CMOS battery to keep the hardware time-of-day clock running when the power is off, e.g. the Raspberry Pi, and such hosts need to set ntpdate_enable="YES" in /etc/rc.conf.

The manual for ntpdate(8) says what you are doing with cron needs to be done every hour or two (using a reliable internal time server) to prevent the need to step time. However it also says that there is "no substitute for the NTP daemon, which uses sophisticated algorithms to maximize accuracy and reliability while minimizing resource use".

If you are using ntpdate from cron to keep time, then I would use exactly the same timeserver(s) as used in the cron job to set system time on boot in /etc/rc.conf:
Code:
ntpdate_enable="YES"
ntpdate_hosts="timeserver(s)"
Doing this will, at least, maintain time in a consistent way. Sometimes consistency is more important than accuracy.

However, this setup also suggests to me that you may be allowing traffic to originate from your firewall into your internal network. I'd be very cautious about allowing that. It's one thing that I try really hard to avoid (because it facilitates spread of contagion if you get breached).

Finally, opening up port 123 and running ntpd on your firewall is pretty common, and not particularly dangerous. The NTP client always starts the conversation, and the response from the server can be permitted by saved state for the "established connection". There are examples in /etc/rc.firewall.
 
Finally, opening up port 123 and running ntpd on your firewall is pretty common, and not particularly dangerous. The NTP client always starts the conversation, and the response from the server can be permitted by saved state for the "established connection".
That's why my ruleset blocking port 123 works: because I initiate the traffic, it goes through as often as it wants. No other traffic is allowed.
 
The default /etc/ntpd.conf has a few options that limit the access to localhost only:
Code:
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict ::1

Alternatively you could install net/openntpd, it can be configured not to listen on a network port at all. NTP doesn't need this, only if you want to use that system as an NTP server.
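
An added example (not part of the original posts) that checks the two things discussed in this thread: whether ntpd has UDP port 123 bound on a non-loopback address, and whether the default restrict line in ntp.conf refuses queries and modification. The sockstat output and ntp.conf fragment are constructed samples, and the function names are hypothetical.

```shell
# Added example. Constructed sample of `sockstat -l -P udp` output (host running ntpd).
sample_sockstat() {
cat <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     ntpd       912   21 udp4   *:123                 *:*
root     ntpd       912   22 udp4   192.168.1.74:123      *:*
root     ntpd       912   23 udp6   ::1:123               *:*
root     ntpd       912   24 udp6   fe80::1%lo0:123       *:*
root     ntpd       912   25 udp4   127.0.0.1:123         *:*
root     syslogd    801   7  udp4   *:514                 *:*
EOF
}
# Constructed sample ntp.conf fragment with a restrictive default.
sample_ntp_conf() {
cat <<'EOF'
# restrict default ignore   (commented out, must not count)
restrict default limited kod nomodify notrap noquery nopeer
restrict 127.0.0.1
EOF
}

# stdin: sockstat lines; stdout: non-loopback local addresses bound to udp/123.
ntp_exposed_addrs() {
    awk '$5 ~ /^udp/ && $6 ~ /:123$/ {
        a = $6; sub(/:123$/, "", a)
        if (a != "127.0.0.1" && a != "::1" && a !~ /%lo0$/) print a
    }' | LC_ALL=C sort -u
}

# stdin: ntp.conf; exit 0 if a "restrict default" line refuses control
# queries (noquery) and runtime modification (nomodify), or ignores everything.
ntp_default_restricted() {
    awk '$1 == "restrict" && ($2 == "default" || $3 == "default") {
        q = m = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "noquery" || $i == "ignore") q = 1
            if ($i == "nomodify" || $i == "ignore") m = 1
        }
        if (q && m) ok = 1
    } END { exit (ok ? 0 : 1) }'
}

# $1: sockstat text, $2: ntp.conf text. Prints a one-word verdict.
ntp_audit() {
    if [ -z "$(printf '%s\n' "$1" | ntp_exposed_addrs)" ]; then echo CLOSED
    elif printf '%s\n' "$2" | ntp_default_restricted; then echo RESTRICTED
    else echo EXPOSED; fi
}
ntp_audit "$(sample_sockstat)" "$(sample_ntp_conf)"   # prints RESTRICTED
```

On a live host, pass it the output of `sockstat -l -P udp` and the contents of the ntp.conf in use. RESTRICTED means the port is bound but control queries and reconfiguration are refused by default.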
 
Another way is to install the openntpd package/port. It's a lot lighter weight when you just need a client.
 
Finally, opening up port 123 and running ntpd on your firewall is pretty common, and not particularly dangerous.
On reading what I wrote, I think it needs clarification. The ntpd is unusual in that it acts as both a client and a server.
I was suggesting that outbound connections to UDP port 123 on Internet time servers are commonly allowed.
It's fairly normal to block inbound connections (though the default configuration for ntpd server, in /etc/ntp.conf, for FreeBSD closes all known attack surfaces).
 
I have now removed ntpd_enable and added a daily cron job for ntpdate.... dunno if that's the intended way to do it...
This just re-implements ntpd, poorly.

Ntpdate is meant to force your time to be correct at boot. It forcefully resets the system time to match the NTP time server you have configured. This is done at boot because it can cause time to go backwards. Many programs will reasonably not cope well with this relativistic impossibility and crash.

Programs like Ntpd and Openntpd will gradually adjust the time by slowing or speeding up the system clock using adjtime(2). More here: https://support.ntp.org/bin/view/Dev/DeprecatingNtpdate#History

I personally like to have good time, so I run both ntpdate at boot and ntpd thereafter on every machine.
 
I personally like to have good time, so I run both ntpdate at boot and ntpd thereafter on every machine.
So do I. I run an ntp server on the firewall, for use by the firewall itself, and internal clients.
I also have three internal physical ntp servers that use the ntp.org pools, plus each other, plus the firewall as time servers.
These physical time servers (aliased to ntp1, ntp2, and ntp3) provision time to the rest of the internal network.
Each is configured as an Undisciplined Local Clock time server at strata 10, 12, and 14 respectively.
So I can lose the Internet, the firewall, and two of the three local time servers and still keep consistent time on the network.
 
This is what I have on all my laptops:
/etc/rc.conf
Code:
ntp_sync_on_start="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
What about ntpd user?
Is it better when ntpd runs as a user?
/boot/loader.conf.d/ntpd.conf
INI:
mac_ntpd_load="YES"
and
/etc/rc.conf.d/ntpd
INI:
ntpd_enable="YES"
ntpd_user="ntpd"
ntpd_sync_on_start="YES"
 
man ntp
Code:
-u string, --user=string
             Run as userid (or userid:groupid).

             Specify a user, and optionally a group, to switch to.  This
             option is only available if the OS supports adjusting the clock
             without full root privileges.  This option is supported under
             NetBSD (configure with --enable-clockctl) or Linux (configure
             with --enable-linuxcaps) or Solaris (configure with
             --enable-solarisprivs).
 