NTP installation on Debian Wheezy

This is a very quick guide intended to help entry-level Linux users build an NTP server. Note: This article assumes you are working in a VMware environment.

The server also needs to make NTP available to an internal network and be secured against the monlist attack.

Before you begin

Check VMware version compatibility. Note that NTP reflection attacks need to be mitigated on NTP servers prior to version 4.2.7.

To disable "monlist" functionality on a public-facing NTP server that cannot be updated to version 4.2.7, add the noquery directive to the restrict default line in the system’s /etc/ntp.conf as shown below:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Server build

I've installed the base OS from a netinstall CD ISO. The ISO is small and the Base/Core OS can be installed without needing Internet access.

During the installation, I created the system with a local user ntpmgr; you can call it what you want, just substitute the name where required below.

Building behind a proxy? No worries: edit the apt.conf file with the proxy connection string:

vi /etc/apt/apt.conf

Acquire::http::Proxy "http://192.168.1.238:3128";

You can add proxy credentials in this file too!

I'm going to amend /etc/apt/sources.list to use the http.debian.net redirector:

vi /etc/apt/sources.list

deb http://http.debian.net/debian/ wheezy main
deb-src http://http.debian.net/debian/ wheezy main

deb http://security.debian.org/ wheezy/updates main
deb-src http://security.debian.org/ wheezy/updates main

# wheezy-updates, previously known as 'volatile'
deb http://http.debian.net/debian/ wheezy-updates main
deb-src http://http.debian.net/debian/ wheezy-updates main

:wq!

Now let's configure the server so you can manage it from the comfort of your desk using an SSH client:

vi /etc/ssh/sshd_config

AllowUsers ntpmgr

:wq!

hostname -f

Installation

Install the VMware tools and the ntp, vim, apticron and logwatch packages:

aptitude update

aptitude install less open-vm-tools ntp vim apticron logwatch

Edit the NTP configuration (I'm using the pool zone for Australia):

vi /etc/ntp.conf

server 0.au.pool.ntp.org iburst
server 1.au.pool.ntp.org iburst
server 2.au.pool.ntp.org iburst
server 3.au.pool.ntp.org iburst

Restrict access to your local subnet:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Restart NTP:

service ntp restart

See if it is working (assuming you have any enterprise firewall rules configured):

ntpq -p
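
To confirm that the monlist mitigation from "Before you begin" survived the edits to /etc/ntp.conf, the following check is an added example and not part of the original guide. The function name check_ntp_conf and both sample configurations are constructed for illustration.

```shell
# Added example, not from the original guide: audit ntp.conf restrict lines.
# Reads a file argument or stdin. Returns 0 when every "restrict default"
# line carries noquery, 1 when one does not or no default line exists.
check_ntp_conf() {
    awk '
        BEGIN { bad = 0; defaults = 0 }
        { sub(/#.*/, "") }                      # drop comments, re-split fields
        $1 != "restrict" { next }
        {
            i = 2
            if ($i == "-4" || $i == "-6") i++   # optional address-family flag
            noquery = 0
            for (j = i + 1; j <= NF; j++) if ($j == "noquery") noquery = 1
            if ($i == "default") {
                defaults++
                if (!noquery) {
                    printf "FAIL line %d: restrict default lacks noquery\n", NR
                    bad = 1
                }
            } else if (!noquery) {
                # A narrower entry overrides the default for matching clients.
                printf "INFO line %d: %s may still send queries\n", NR, $i
            }
        }
        END {
            if (defaults == 0) { print "FAIL: no restrict default line"; bad = 1 }
            exit bad
        }
    ' "$@"
}

# Constructed sample: the restrict lines used in this guide.
sample_guide() {
    printf '%s\n' \
        'server 0.au.pool.ntp.org iburst' \
        'restrict default kod nomodify notrap nopeer noquery' \
        'restrict -6 default kod nomodify notrap nopeer noquery' \
        'restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap'
}

# Constructed sample: the same default line with noquery left off.
sample_weak() {
    printf '%s\n' \
        'restrict default kod nomodify notrap nopeer   # no noquery' \
        'restrict -6 default kod nomodify notrap nopeer noquery'
}

sample_guide | check_ntp_conf && echo "guide config: default lines ok"
sample_weak | check_ntp_conf || echo "weak config: rejected"
```

Run it against the live file with check_ntp_conf /etc/ntp.conf. The INFO line for the local subnet is expected with this guide's configuration, because that restrict line does not include noquery.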

Alerting

Now for some email alerting:

aptitude install postfix

You will be met with:

The following actions will resolve these dependencies:

Remove the following packages:
1) exim4
2) exim4-base
3) exim4-config
4) exim4-daemon-light

Accept this solution? [Y/n/q/?] Y

Now to configure SMTP relay in Postfix:

vi /etc/postfix/main.cf

Look for the section masquerade_domains:

masquerade_domains = yourdomain.com

Now to add the email address to receive email alerts from this server:

vi /etc/aliases

root: alerts@yourdomain.com

:wq!

We need to compile the "aliases" file to "aliases.db" with this command:

newaliases

Now it is time to let the mail flow:

service postfix restart

Clean-up

Change passwords, log in and sudo -i:

passwd ntpmgr

passwd root

About the author

Paul Angus

Paul is a security and infrastructure professional with over 13 years of experience in the Information Technology sector.

Before transitioning to the IT sector, the knowledge gained working alongside senior management, civil engineers, surveyors, town planners and graphic designers helped to shape his unique perspective.

Last updated: 2015-07-05 20:31