Application Note

"Smarter Timing Solutions"

A P P L I C A T I O N N O T E

Best Practices to Secure Your Time Server

Network Time Servers are not typical multi-user appliances or servers. Time Servers have a very special-
ized function - to serve reliable and accurate time. No user data is stored on a Time Server.

We believe that we have the most secure Time Server available. This is partly due to a philosophy of
simplicity. We use a streamlined operating system and no unnecessary protocols. All convenience protocols,
like httpd, snmpd, telnetd and even sshd can be disabled. System settings are not modifiable via snmp or
http.

Following are the steps we recommend to further secure a Sonoma Time Server on a private network, be-
hind a firewall. For installations on a public network there should be additional safeguards such as changing
User Accounts. These additional safeguards are not described in this paper.

NOTE: Although this paper is written for Sonoma, basic steps are the same for EndRuns other products such as Tempus LX, Unison,
Meridian, Meridian II and Tycho II.

CHANGE DEFAULT PASSWORDS

Time Servers ship from the factory with two default passwords. The passwords should be
changed as soon as possible using the passwd command. There is usually no need for
anyone other than the network administrator to log in to the time server. Therefore, only one
or two persons should know the new passwords.

passwd changes the root user password (privileged user)

passwd ntpuser changes the ntpuser password (unprivileged user)

DISABLE UNNEEDED PROTOCOLS

Time Servers are shipped from the factory with the following services running on the specified
ports:

NTP (UDP 123)

TELNET (TCP 23)
Daytime (TCP/UDP 13)
Time (TCP/UDP 37)
SSH (TCP 22)
SNMP (UDP 161 and 162)
HTTP (TCP 443)
Optional Precision Time Protocol (UDP 319 and UDP 320)

Do NOT disable the Network TIme Protocol (NTP) as this will negatively affect system operation. Disable all the other protocols that you
do not need. To do that, see your User Manual, Chapter 5 - Security, Disable Protocols. Here are links to the User Manuals:

Sonoma D12 (GPS): http://www.endruntechnologies.com/pdf/USM3027-0000-000.pdf

Sonoma D12 (CDMA): http://www.endruntechnologies.com/pdf/USM3026-0000-000.pdf
Sonoma N12 (GPS): http://www.endruntechnologies.com/pdf/USM3029-0000-000.pdf
Sonoma N12 (CDMA): http://www.endruntechnologies.com/pdf/USM3028-0000-000.pdf
RESTRICT ACCESS MITIGATE VULNERABILITIES
The Time Server should be one of the most secure boxes in your system. Many Sonoma uses a monolithic Linux kernel. There are no insertable modules which
users may have access via one of the timing protocols (such as NTP). But the eliminates many vulnerabilities.
network administrator is the only one who should have direct access. Therefore,
access should be limited to specific hosts and one or two users. Some of the potential vulnerabilities found during a security scan are only a threat
under conditions that do not exist in a Time Server. Most security scans just look
To restrict access see your User Manual, Chapter 5 - Security, Restrict Access. at open ports and protocol versions. For example, your scan may list a vulner-
ability that exists in the SSH version resident on Sonoma. However, it is likely
For the most sensitive situations, you can eliminate all protocols (with the excep- that Sonomas SSH is not configured in such a way as to expose this vulnerability.
tion of NTP and any other timing protocol you need) and use the local RS-232 Since a Time Server is not a multi-user work station, many vulnerabilities listed on
console port to configure and monitor the Time Server. your scan are not a problem in Sonoma.

Other potential vulnerabilities can be mitigated by applying the workarounds

ENCRYPT SESSIONS mentioned in the advisories.
Logging in to the system should always be done using SSH (secure shell). There-
fore, Telnet should be disabled (see above). (The default SSH keys are uniquely
configured for each Sonoma shipped from the factory.) FIRMWARE UPGRADES
Time Servers are not multi-user computer systems. They are embedded appliances
with a very specialized function. In the embedded environment, the benefit of
USE AUTHENTICATION applying patches or frequently rebuilding new versions of the Linux open source
You should require that your NTP clients use MD5 authentication and disable NTP binaries is questionable, just to have the illusion that the new build wont have
access to any host not using authentication. As shipped from the factory, the Time vulnerabilities. It wont have the listed vulnerabilities but it will probably have
Server is configured to respond to NTP requests from clients that may or may not new ones. And it may also have new bugs that were not present in the previous
be using MD5 authentication. We recommend you modify the factory-default MD5 version.
keys and then configure your clients to use the same MD5 authentication keys.
Any serious vulnerabilities that cannot be mitigated with a reasonable workaround
For instructions see your User Manual, Chapter 3 - NTP, Configuring the NTP Server will be addressed as soon as possible with a firmware change. For remaining
and Unix-like Platforms: MD5 Authenticated NTP Client Setup or vulnerabilities, we recommend you apply the safeguards listed above and mitigate
Windows: MD5 Authenticated NTP Client Setup. per the workarounds mentioned in the advisories.

EndRun releases new versions of firmware from time-to-time to address serious

LOCKOUT KEYPAD ACCESS vulnerabilities, to enhance the product, and to correct known bugs. These can be
For the Sonoma D12 model, run the lockoutkp and kplockstat utilities found at:
as described in the User Manual, Chapter 9 - Console Port Control & Status, Sonoma GPS:
Detailed Command Descriptions. This will prevent unauthorized tampering with http://www.endruntechnologies.com/upgradesonomaG.htm
the unit. Sonoma CDMA:
http://www.endruntechnologies.com/upgradesonomaC.htm

KEEP LOG FILES

System logs are critical in performing troubleshooting. They also play a key role NTP CLIENTS
in performing forensics on a compromised machine. The Sonoma is capable of Keep your NTP clients updated with the latest software. Configure all your clients
sending logs to a remote collector using syslog. We recommend you consider to use MD5 authentication as described in the paragraph above - Use Authentica-
doing this. One benefit is that any time someone tries to break into the unit, this tion.
occurrence will be logged including their IP address.

Consult the relevant syslog documentation for instructions on how to set up the HELP
associated .conf file. Remember to copy it to the /boot/etc directory which will If you need help or have questions then contact EndRun technical support. Its free.
retain the settings during a reboot. 1-877-749-3878 (U.S. & Canada)
707-573-8633 (International)
[email protected]

Santa Rosa, CA
CA, USA
TEL 1-877-749-3878
FAX 707-573-8619
"Smarter Timing Solutions" www.endruntechnologies.com 151106