Make log analysis easier by keeping the time on your systems in sync.
Correlating events that have occurred on multiple servers can be a chore if there are discrepancies between the machines’ clocks. Keeping the clocks on your systems synchronized can save valuable time when analyzing router, firewall, and host logs after a compromise, or when debugging everyday networking issues. Luckily, doing this isn’t hard, with a little help from the Network Time Protocol (NTP).
NTP is a protocol designed to synchronize host clocks to subsecond accuracy; a client normally polls a small set of servers, although symmetric peer associations are supported as well. To get it going, all you need is the NTP distribution (http://www.ntp.org/downloads.html), which contains the ntpd daemon for performing clock synchronization, plus supporting tools such as ntpq for inspecting its state. Though NTP might not be installed on your system, it usually comes with the various Linux distributions, FreeBSD, and OpenBSD as an optional package or port, so poke around your installation media or the ports tree if it isn't already installed. If it isn't available with your OS of choice, you can still download and compile it yourself.
Configuring ntpd as a client is a fairly simple process, but first you'll need to find out whether you have a local time server, either on your network or at your ISP. If you don't, you'll have to locate a public NTP server that permits queries. You'll want servers that are as geographically (and topologically) close to you as possible, since round-trip delay limits how accurately ntpd can measure the offset. Don't worry, though; a list of all the publicly accessible time servers is available at http://www.eecis.udel.edu/~mills/ntp/servers.html.
One new term you will encounter when looking for a server is stratum (e.g., stratum 1 or stratum 2). This refers to the server's position in the hierarchy of the public NTP infrastructure. A stratum 1 server is attached directly to a reference clock, such as a GPS receiver or an atomic clock signal, that provides updates to the daemon running on that machine. Stratum 2 servers obtain their time from stratum 1 servers, and each further hop adds one to the stratum. Using stratum 2 servers helps to reduce the load on stratum 1 servers, and they're accurate enough for this hack's purposes.
With this in mind, let's look for some NTP servers that we can use (using more than one is generally a good idea, both so that one failure doesn't leave you unsynchronized and so that ntpd can detect a server handing out bad time). I live in Colorado, so after following the link to the stratum 2 server list (http://www.eecis.udel.edu/~mills/ntp/clock2a.html), I found two entries:
# US CO ntp1.linuxmedialabs.com
Location: Linux Media Labs LLC, Colorado Springs, CO
Service Area: US
Synchronization: NTP Secondary (stratum 2), i686/Linux
Access Policy: open access
Contact: ntp@linuxmedialabs.com
Note: ntp1 is an alias and the IP address may change, please use DNS

# US CO ntp1.tummy.com
Location: tummy.com, ltd., Fort Collins, CO
Service Area: US
Synchronization: NTP Secondary (stratum 2), i686/Linux
Access Policy: open access.
Contact: ntp@tummy.com
Note: ntp1 is an alias and the IP address may change, please use DNS.
Because they’re both listed as open access, I can just add them to my /etc/ntp.conf:
server ntp1.linuxmedialabs.com
server ntp1.tummy.com
Alternatively, you can simplify your configuration by using pool.ntp.org, a round-robin DNS scheme that resolves each name to a different set of time servers. These servers appear on the published lists of NTP servers but have also elected to become part of the pool. For instance:
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
The following zones resolve to a pool of NTP servers that are located within a given geographical region: asia.pool.ntp.org, europe.pool.ntp.org, north-america.pool.ntp.org, oceania.pool.ntp.org, and south-america.pool.ntp.org. Using these will cut down on Internet traffic and latency.
There are also zones that resolve to NTP servers in specific countries (e.g., us.pool.ntp.org); you can get a complete list of them at http://ntp.isc.org/bin/view/Servers/NTPPoolServers.
In addition, ntpd can automatically correct for the specific clock frequency drift of your machine. It learns the average frequency error over time as it receives sync messages, and if you give it a drift file it records that value so that after a restart it starts out with the right correction instead of relearning it from scratch. Just add a line like this to your ntp.conf file to enable this feature:
driftfile /etc/ntp.drift
Of course, if you're keeping all of your ntpd configuration files in /etc/ntp, you'll want to use a path such as /etc/ntp/ntp.drift instead. Whatever path you pick must be writable by the user ntpd runs as, because the daemon rewrites the file periodically.
That's it. Add ntpd to your startup scripts, start it up, and you're ready to go. Give it a few poll intervals, then confirm that it has actually chosen a time source by running ntpq -p: the peer ntpd is currently synchronized to is marked with an asterisk in the first column, and the offset column shows how far (in milliseconds) your clock is from it.
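To put the pieces above together, here is an added example (my own script, not code from the original hack or from the ntp.org distribution). It writes a client-only ntp.conf that also locks down who may query or reconfigure the daemon, something the configuration above leaves at ntpd's permissive default, and it parses ntpq -p output to tell you whether ntpd has really selected a server. The output path NTP_CONF, the drift file location /var/lib/ntp/ntp.drift, the 100 ms acceptance threshold, and the ntpq -p output embedded below are all my assumptions; the ntpq output is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original hack: write a client-only
# ntp.conf for the reference ntpd and verify with ntpq(8) that the daemon
# has really selected a time source.
#
# Assumptions (not from the page): the output path NTP_CONF, the drift file
# location /var/lib/ntp/ntp.drift, the 100 ms acceptance threshold, and
# the ntpq -p output below, which is constructed for an offline run.

NTP_CONF="${NTP_CONF:-/tmp/ntp.conf.example}"   # use /etc/ntp.conf on a real host

# write_ntp_conf PATH: emit the configuration.  The "restrict" lines are
# the part the hack leaves out: by default ntpd answers control queries
# (ntpq/ntpdc) and accepts peering requests from anyone who can reach
# UDP/123, so lock the default down and exempt only localhost.
write_ntp_conf() {
    cat > "$1" <<'EOF'
# Several pool servers, so the loss of one does not stop synchronization
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org

# Persist the measured clock frequency error across restarts
# (the directory must be writable by the user ntpd runs as)
driftfile /var/lib/ntp/ntp.drift

# Everyone else: time service only.  noquery blocks ntpq/ntpdc status and
# control queries, nomodify blocks runtime reconfiguration, nopeer refuses
# symmetric-peer associations, notrap disables the trap service, and kod
# sends kiss-of-death packets to clients that violate the rate limit.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The host itself may still query and manage its own daemon
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# ntp_sync_status [MAX_MS]: read "ntpq -pn" output on stdin.  ntpd marks the
# peer it is actually synchronized to with '*' in the tally column, which is
# glued to the remote name; the columns are
#   remote refid st t when poll reach delay offset jitter
# with delay/offset/jitter in milliseconds.  Prints a one-line verdict and
# returns 0 only when a system peer exists and |offset| <= MAX_MS.
ntp_sync_status() {
    awk -v max="${1:-100}" '
        /^\*/ {
            remote = substr($1, 2)
            offset = $9 + 0
            if (offset < 0) offset = -offset
            if (offset <= max) {
                printf "synced to %s offset %.3f ms\n", remote, offset
                ok = 1
            } else {
                printf "peer %s selected but offset %.3f ms exceeds %s ms\n", remote, offset, max
            }
            found = 1
        }
        END {
            if (!found) print "no system peer selected yet (no * in ntpq -p output)"
            if (ok) exit 0
            exit 1
        }'
}

# Constructed ntpq -pn output (not captured from a real host): tummy.com is
# the selected peer, linuxmedialabs is a backup candidate ('+'), and the pool
# entry has not been reached yet.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.tummy.com  198.51.100.7     2 u   42   64  377   12.345   -0.812   0.431
+ntp1.linuxmedialabs.com 203.0.113.9 2 u 38   64  377   18.201    1.204   0.622
 0.pool.ntp.org  .POOL.          16 p    -   64    0    0.000    0.000   0.000'

# Same shape, but ntpd has not picked anyone yet (fresh start, reach 0).
UNSYNCED_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.tummy.com  .INIT.          16 u    -   64    0    0.000    0.000   0.000'

write_ntp_conf "$NTP_CONF"
# On a live host, after a few poll intervals:  ntpq -pn | ntp_sync_status 100
printf '%s\n' "$SAMPLE_NTPQ" | ntp_sync_status 100
```

On a real host, run ntpd, wait a few minutes (the initial poll interval is 64 seconds and ntpd wants several successful exchanges before it commits to a peer), then pipe ntpq -pn into ntp_sync_status; a non-zero exit means you are not yet synchronized and your log timestamps should not be trusted for cross-host correlation. The restrict lines do not affect ordinary time service to clients; they only refuse status queries, remote reconfiguration and unsolicited peering from the Internet at large.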