1

I was reviewing the VPC flow logs of my EC2 instance (standard AWS Linux image), where I stumbled upon an entry with port 123 (NTP) and destination 107.170.0.6 (kapu.ruselabs.com).

Being new to this, I dug further and found more strange-looking NTP servers being used by my VM.

[ec2-user@ip-... ~]$ ntpq -p
remote           refid     
 -------------------------
+time.mclarkdev. 167.114.204.238
-aprihop.cdknnjl 173.162.192.156
*chl.la          216.218.254.202
+kapu.ruselabs.c 200.98.196.212

I understand that this is most likely standard practice, but I don't feel comfortable when my box is talking to strangers. In this case I am unable to find which person/organisation runs kapu.ruselabs.com.

So the question is: what are the best practices around using NTP servers when running VMs in AWS?

dy10
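Added example (not part of the original question): a POSIX shell check that runs over VPC flow log records and lists outbound UDP/123 flows whose destination is not on an allowlist, which is the triage step the flow-log finding above calls for. The five log records, the instance address 10.0.1.25 and the allowlist (the Amazon Time Sync Service address 169.254.169.123 and one address that time.google.com resolves to) are constructed assumptions for the example, not data from the page.

```shell
#!/bin/sh
# Constructed sample VPC flow log records in the default (version 2) format; not real traffic.
# Fields: version account-id interface-id srcaddr dstaddr srcport dstport protocol packets bytes start end action log-status
FLOW_LOG_SAMPLE='2 123456789012 eni-0a1b2c3d 10.0.1.25 107.170.0.6 45123 123 17 1 76 1501790400 1501790460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 169.254.169.123 45124 123 17 1 76 1501790400 1501790460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 216.239.35.0 45125 123 17 1 76 1501790400 1501790460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.0.1.25 93.184.216.34 51000 443 6 10 4000 1501790400 1501790460 ACCEPT OK
2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.25 123 123 17 1 76 1501790400 1501790460 REJECT OK'

# Allowlist of time sources this fleet is permitted to talk to (assumption for the example):
# the Amazon Time Sync Service link-local address and one time.google.com address.
NTP_ALLOWLIST='169.254.169.123 216.239.35.0'

# Read flow log records on stdin and print "src -> dst" for every accepted UDP flow to
# port 123 whose destination is not in the space-separated allowlist given as $1.
unexpected_ntp_peers() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # $8 = protocol (17 is UDP), $7 = dstport (123 is NTP), $13 = action, $5 = dstaddr
        $8 == 17 && $7 == 123 && $13 == "ACCEPT" && !($5 in ok) { print $4, "->", $5 }
    '
}

# Number of offending flows in the sample, so the result can be checked rather than eyeballed.
count_unexpected_ntp_peers() {
    printf '%s\n' "$FLOW_LOG_SAMPLE" | unexpected_ntp_peers "$NTP_ALLOWLIST" | wc -l | tr -d ' '
}

# Run it over the sample: only the kapu.ruselabs.com flow (107.170.0.6) should be listed.
printf '%s\n' "$FLOW_LOG_SAMPLE" | unexpected_ntp_peers "$NTP_ALLOWLIST"
```

Replies from a server come back from source port 123 to the client's high port, so they are not matched; a listed flow whose destination is the instance's own address would mean something on the network queried the instance's port 123, which is also worth knowing. Real records would come from `aws logs filter-log-events` or an S3 export rather than a shell variable.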

3 Answers

3

According to the AWS documentation, the servers defined in /etc/ntp.conf are:

The n.amazon.pool.ntp.org DNS records are intended to load balance NTP traffic from AWS. However, these are public NTP servers in the pool.ntp.org project, and they are not owned or managed by AWS. There is no guarantee that they are geographically located near your instances, or even within the AWS network.

Given that AWS has set these as the default in Amazon Linux, I have to assume the risk is low. I wouldn't bother, personally.

You can manually set them to the documented NTP servers if you like, either specific servers or their aliases, which probably load balance. Click the links top right to find the URLs. Just edit the file /etc/ntp.conf to specify them.

Update 1 Dec 2017

The AWS Time Sync service is now available. Read the docs here.

Tim
  • Thanks. The top right links still point to pools (e.g. *.north-america.pool.ntp.org), so it is still random servers which I would get. After some more searching I found the alternative time.google.com, which I can trust. I guess I was expecting something like that from AWS itself! – dy10 Aug 03 '17 at 20:11
  • I see your point; however, AWS running their own NTP servers doesn't give them any competitive advantage, and there's an existing trustworthy network of NTP servers. Using Google NTP servers seems like a good option if you're more comfortable with them. – Tim Aug 03 '17 at 20:34
  • When using Google NTP, be aware of leap smear if you care about sub-second resolution. https://developers.google.com/time/smear – John Mahowald Aug 04 '17 at 03:16
2

Well, I know this is old, but I just found it! I run kapu.ruselabs.com; it is part of the NTP Pool Project (www.ntppool.org), which provides free NTP/time services to servers. Most Ubuntu/Linux images talk to public NTP servers, and many of us volunteer our time, money and bandwidth so folks can have accurate time. Hope this helps!

0

https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/

AWS just launched their own NTP service, and VMs don't need an Internet Gateway just to sync time!

dy10
  • How does this answer the question (oops: that's yours ...) which is "***What are best-practices around using NTP servers when running VMs in AWS***" (and in which a "?" is missing also)? – Pierre.Vriens Nov 30 '17 at 10:16
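Added example (not code from any of the answers above): a POSIX shell function that does what Tim's answer suggests (edit /etc/ntp.conf to name specific servers instead of the pool aliases) using the endpoint the last answer points at. The Amazon Time Sync Service is reached at the link-local address 169.254.169.123, which is why no Internet Gateway is needed; the stand-in ntp.conf text below is constructed to resemble the stock Amazon Linux server section rather than copied from an instance, and keeping time.google.com as a fallback is an assumption taken from the comment thread, not a requirement.

```shell
#!/bin/sh
# Constructed stand-in for the stock Amazon Linux /etc/ntp.conf (not copied from a real instance).
DEFAULT_NTP_CONF='driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
server 0.amazon.pool.ntp.org iburst
server 1.amazon.pool.ntp.org iburst
server 2.amazon.pool.ntp.org iburst
server 3.amazon.pool.ntp.org iburst'

# Amazon Time Sync Service endpoint: link-local, so it is reachable without an Internet Gateway.
TIME_SYNC_IP='169.254.169.123'

# Read an ntp.conf on stdin and write the pinned version: every server/pool/peer
# directive is dropped, then one preferred line for $1 is added, followed by one
# plain line for each space-separated fallback in $2 (fallbacks are the operator's choice).
pin_ntp_servers() {
    awk -v primary="$1" -v extra="$2" '
        # keep every line that is not a time-source directive (restrict, driftfile, comments, ...)
        $1 != "server" && $1 != "pool" && $1 != "peer" { print; next }
        END {
            print "server " primary " prefer iburst"
            n = split(extra, e, " ")
            for (i = 1; i <= n; i++) print "server " e[i] " iburst"
        }
    '
}

# Checks a practitioner would run on the result: how many pool.ntp.org references remain,
# and how many server lines the file now has. "|| true" keeps grep -c from failing on zero matches.
count_pool_refs()    { printf '%s\n' "$1" | grep -c 'pool\.ntp\.org' || true; }
count_server_lines() { printf '%s\n' "$1" | grep -c '^server ' || true; }

HARDENED=$(printf '%s\n' "$DEFAULT_NTP_CONF" | pin_ntp_servers "$TIME_SYNC_IP" "time.google.com")
printf '%s\n' "$HARDENED"
```

On a live instance the output would be written over /etc/ntp.conf followed by a restart of ntpd, and `ntpq -p` should then show 169.254.169.123 marked with `*` as the selected source. Amazon Linux 2 ships chrony rather than ntpd; there the equivalent line in /etc/chrony.conf is `server 169.254.169.123 prefer iburst minpoll 4 maxpoll 4`, as the AWS documentation gives it.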