
Do I need the ntpd daemon / service on a LAMP server running Linux Debian 8.3?

I have already disabled some obvious services, but I am not sure about this one.


A typical single LAMP doesn't usually need a full-blown NTP server - to keep your time accurate, add an ntpd -q job to run every day.

You need an NTP server when more accurate time synchronization is required (like in the case of a cloud-based service distributed across a number of instances) or when your software has issues with jumping clocks (since ntpdate (which is actually deprecated in favor of ntpd -q) will directly set the time instead of slowly adjusting it).

If you choose to run ntpd, make sure you add a firewall rule to block incoming connections, since it is a widely-known target for NTP amplification DDoS attacks - having it open to the wild will cause high traffic usage and abuse letters to your hosting company. Run ntpd -q once at startup before starting ntpd to get the benefits of the better tool.

Anubioz
  • I'd run `ntpdate` daily or hourly. Computer clocks drift and being confident in the times in your logs is nice. – chicks Apr 03 '16 at 14:57
  • Yeah, running it regularly after boot is probably a wise thing to do. – Anubioz Apr 03 '16 at 15:22
  • You can just set a firewall rule to prevent `ntpd` becoming a target for this. Also, `ntpdate` will be less accurate, it will not discipline the clock to minimize skew and for errors greater than 0.5 seconds, it will directly set the time instead of slowly adjusting it, which can cause issues with some software that doesn't like jumping clocks. Run `ntpdate` once at startup before starting `ntpd` and then get the benefits of the better tool. Oh, and `ntpdate` is deprecated and will go away at some point and `ntpd -q` will do its job. – Sven Apr 03 '16 at 15:25
  • Your comment is actually better than my answer, should I add it? – Anubioz Apr 03 '16 at 15:31
  • Is NTP amplification actually an issue? I would assume most distributions by default configure `ntpd` to only accept queries from localhost. I think for an amplification attack to be possible, `ntpd` would first have to be reconfigured to allow incoming queries in the first place. – kasperd Apr 03 '16 at 21:09
  • While this is true for newer distributions, firewalling services that are not meant to be publicly accessed is still a good practice. Any particular service version you're running might be found vulnerable some day and allowing public access to it might lead to many problems (from DoS to Remote Code Execution)... – Anubioz Apr 03 '16 at 21:30
  • ntpdate (or equivalent) on a cron is not a good solution. Please do more research before doing that. The NTP reflection issue has been fixed in any sort of modern version of ntpd. The relevant function (monlist) has been removed, so that's not really a concern. – devicenull Apr 03 '16 at 22:49
  • Periodic time jumps are _bad_. Keep ntpd running to get rid of that drift. You'll be grateful for it later when all your timestamps aren't wrong and you're trying to diagnose something. – Lightness Races in Orbit Apr 04 '16 at 00:56
  • NTP amplification is only a problem if you set up your server in the stupidest way possible.... – Lightness Races in Orbit Apr 04 '16 at 00:56
  • The other reason to avoid the use of `ntpdate` or `ntpd -q` is that you are fully trusting a single upstream source for accurate time (and allowing arbitrarily large time jumps). This can allow for replay attacks on services protected by TOTP if the attacker can capture and modify the NTP response going to the server. With normal `ntpd` running, such large time jumps would be ignored. – tgharold Apr 04 '16 at 11:19
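As an added monitoring check, not code from the answer or any of the comments, the POSIX shell snippet below covers the case where you do keep ntpd running: it parses `ntpq -pn` output (a constructed sample with documentation-range addresses is embedded) and reports whether the peer ntpd is synced to sits within the 0.5 s threshold that Sven's comment gives as the point where ntpdate steps instead of slews. The function names and the threshold variable are the example's own choices.

```shell
# Added example (not from the answer or comments): parse `ntpq -pn` output and
# report whether the selected peer's offset is still within a slew threshold.
# Function and variable names are hypothetical choices made for this example.

# Constructed sample of `ntpq -pn` output (addresses are from documentation
# ranges, not a real host). Line 1 is the header, line 2 the separator.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   34   64  377    0.812   -0.231   0.045
+192.0.2.11      192.0.2.10       2 u   12   64  377   12.345    1.102   0.301
-192.0.2.12      192.0.2.10       2 u   55   64  377   40.120  620.500   5.221
 192.0.2.13      .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntpdate steps the clock when the error exceeds 0.5 s (per Sven's comment);
# below that it slews. Default threshold, in milliseconds as ntpq reports.
STEP_THRESHOLD_MS=500

# Print the offset (ms) of the peer ntpd currently syncs to (tally '*'),
# or nothing when no peer is selected.
selected_offset_ms() {
    printf '%s\n' "$1" | awk '/^\*/ { print $9 }'
}

# Return 0 when the selected peer's |offset| is below the threshold (ms),
# 1 when it is at or above it (a one-shot tool would step the clock),
# 2 when no peer is selected (ntpd not yet synchronised, e.g. after boot).
check_sync() {
    off=$(selected_offset_ms "$1")
    [ -n "$off" ] || return 2
    printf '%s\n' "$off" |
        awk -v t="${2:-$STEP_THRESHOLD_MS}" \
            '{ o = $1; if (o < 0) o = -o; exit (o >= t ? 1 : 0) }'
}

# List peers (tally character stripped) whose |offset| reaches the
# threshold: sources toward which a one-shot ntpdate / ntpd -q run could
# jump the clock instead of slewing it.
peers_over_threshold() {
    printf '%s\n' "$1" | awk -v t="${2:-$STEP_THRESHOLD_MS}" \
        'NR > 2 { o = $9; if (o < 0) o = -o
                  name = ($0 ~ /^ /) ? $1 : substr($1, 2)
                  if (o >= t) print name }'
}

# Stand-alone run over the constructed sample.
check_sync "$SAMPLE_NTPQ"; echo "check_sync returned $? (0 ok, 1 would step, 2 no peer)"
```

On a live host replace the sample with `$(ntpq -pn)`; a non-zero result from `check_sync` is the condition worth alerting on before timestamps in your logs start drifting.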