Tunnelling NTP Through a Firewall? 76
Franklin_DeMatto asks: "My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall? What about the software (preferably open source) to do it? (No, the ISP will not change the firewall rules.)"
Another ISP (Score:3, Insightful)
D.
Monopoly (Score:1)
How about finding another ISP (and telling them WHY you are changing to someone else too).
Often, only one company provides high-speed Internet access to residential customers in a given geographic area. This is often the telephone company or the cable television company. So in effect, you may have instructed Franklin_DeMatto to either 1. downgrade to dial-up or ISDN, 2. buy a ridiculously expensive T1 line, or 3. sell one's house and move.
Dial-up is fine (Score:2)
There's a bit more latency on the modem, which I could see as an issue if you ssh a lot (thought ISDN wipes that out and you don't seem to go for ISDN), but web browsing on a 56k modem is *fine*. You *do* need to have multiple windows loading while you're browsing instead of click-wait-load but I do that anyway...
Re:Dial-up is fine (Score:2, Informative)
but web browsing on a 56k modem is *fine*.
Downloading 10 MB of binaries from Mozilla.org, Windows Update, or apt-get upgrade is not fun on 56K in geographical areas where local calls to your ISP are toll calls at 10c/min.
You *do* need to have multiple windows loading while you're browsing instead of click-wait-load but I do that anyway...
You're right about tab browsing.
You're the customer (Score:1)
What if he can't (Score:1)
If his area is anything like where I live (near Denver, Colorado), he can't hope to find another ISP that is reasonable.
Well, at least not one that can handle the amount of traffic he might expect.
Around here, there are 2 ISP's that I (an average Joe computer nerd) can run a sturdy server through. One of them is probably as strict as his and the other couldn't even handle enough traffic to let me get
Re:What if he can't (Score:1)
With only three ports (25, 80, 443) open for outgoing traffic I don't think the original poster wants to "run a sturdy server."
Re:What if he can't (Score:2, Insightful)
Besides, the issue really is that this guy pays money for an ISP to host his webserver... NTP is a completely legitimate service to run, but the "service" provider won't open the necessary firewall rules in order to permit the traffic. It should be up to them to comply with his requests, not find arbitrary ways to limit how he can use the service.
SSH? (Score:3, Insightful)
TCP Over TCP Is A Bad Idea (Re:SSH?) (Score:5, Informative)
Read Why TCP Over TCP Is A Bad Idea [sites.inka.de] by Olaf Titz:
Very interesting read.
Re:TCP Over TCP Is A Bad Idea (Re:SSH?) (Score:2)
it's very possible to be behind a firewall, forward a port on outside of the firewall computer with ssh to the computers thats behind the firewall port 21, and serve ftp while being behind the firewall that doesnt allow incoming connections.(note that the transfers don't 'proxy', but rather go straight, pasv doesnt work though.). there is no problems with this tcp-over-tcp solution, the connections aren't unreliable or like that, granted i haven't tried it with sh** connections like 14kbps modems or so. it does work as a solution to arrange ssh from 'the wild' to computers behind firewall, for example if your cablemodem/adsl/whatever isp is retarded in their pricing schemes... there's even a nifty hack to tunnel stuff through http proxy..
Re:TCP Over TCP Is A Bad Idea (Re:SSH?) (Score:2)
You've probably never used it when that happens. Try using TCP-over-TCP in a congested network, and watch it grind to a halt.
TCP-over-UDP approximates TCP-over-layer-2 well enough to ensure everything works during congestion.
Re:TCP Over TCP Is A Bad Idea (Re:SSH?) (Score:2)
anyways, tcp-over-tcp is 99.99% problem free in 'normal' conditions, i don't count that optical link with 10% to 20% ploss 'normal conditions'. and you need only to have that (relatively)quick, reliable link to that outer side forward-machine. if you can't have that, it's pretty futile anyways.
(anyways, the computer i used for outer-side-forward machine was my brothers computer several hundred km's away behind not so shabby adsl, no connections ever dropped or crawled to halt, unless there was other problems, like power outages&etc..).
Re:TCP Over TCP Is A Bad Idea (Re:SSH?) (Score:2)
I'm using ppp-over-ssh in a few sites now, including one where I have to open an inbound terminal session over the top of a 2-hour daily rsync job that completely saturates the 128K line in question.
Keyboard echo is slow during that time, but not any more than I'd expect across a fully-congested slow line halfway around the planet. And the rsync job proceeds at the expected rate.
Possibly more importantly for my applications, though, ppp-over-ssh can be implemented in about 2 minutes using ubiquitous components - no fiddling around or building of complex software is required. In a few minutes I can explain over the phone or via IM to anyone, regardless of partial language barriers, how to set up their end of the link.
I went to the CIPE site and they don't even have documentation online (downloadable texinfo format doesn't count, any more than if it were available in Sumerian on a stone tablet under a camel somewhere) so I can't get a sense of the scale of the installation process. But when they're talking about kernel patches on the main page, I can pretty much guess it's not going to be 2 minutes and fiddle-free.
Re:TCP Over TCP Is A Bad Idea (Re:SSH?) (Score:2)
In the real world, it works quite well. Occasionally, you might have problems. In those rare cases I've had problems, the raw SSH was also having problems. I don't believe the problems are nearly as dire as Olaf says, unless your on a really bad network (like the 10-20% packet loss network he talks about).
not actually true (Score:2)
The biggest problem is that the NAT boxes at customer sites keep changing NAT addresses, so run the SSH tunnel out of inittab.
Try the routers... (Score:5, Informative)
If/once you have a list of routers, try time syncing against them. It's worth a shot.
-h3
Re:Try the routers... (Score:1)
Routers typically run the ntp service on their control CPUs so having lots of hosts getting ntp service off a router means that its wasting cpu cycles serving this rather then doing the work that it was meant to do.
Re:Try the routers... (Score:1)
The next question is, "Where does the router get the time, and how often does it sync?" I imagine that routers have to be very accurate with regards to time, but I don't have access to any documents.
Re:Try the routers... (Score:1)
watching your peers using ntpq also gives you the timesource of the server youre getting the time from. If you add more than one source, youll notice inaccurate timeservers quite obviously.
This is not a solution (Score:5, Insightful)
I am sorry, but the only reasonable advice I can give you is to change your ISP if they do not open more ports. You have only outgoing HTTP and SMTP? What about SSH? What about FTP? What about Telnet? What about IRC? Are you also going to tunnel them through HTTP? HTTP is a stateless and sessionless protocol. It is extremely bad idea to tunnel anything which uses long and interactive two-way TCP traffic (like IRC, SSH, FTP, Telnet, ...) using HTTP.
Not only it is technically bad idea,
you also compromise the firewall security if you use covert channels to hide all the forbidden traffic. The firewall rules to not allow
insecure (in the opinion of firewall management team) protocols traffic are ruined when their
users want to consciously
compromise the security.
We all know that using SSH or NTP is not insecure in itself, but when everyone tunnels everything bastardizing HTTP protocol, no one will ever notice when some day there is Back Orifice traffic hidden there between NTP, SSH, Telnet, FTP, IRC, et cetera.
So my advice is: talk to your ISP.
Tell them why you need NTP for security reasons (to have your logs useful).
Tell them what do you want them to change.
It is you,
who are paying them,
for the love of God, not the other way around.
Nothing will ever change unless people start
saying what do they want to be changed.
Re:This is not a solution (Score:2)
see: the 'established' state of tcp connections.
we have a rule saying that *anything* can get out, and *nothing* can get in, unless it is part of an established connection. this allows anyone to connect to any services they want safely, and not be attacked on any open ports. our web servers run on a seperate network with 80 and 443 open.
anyway, change your isp or get a job there so you can fix it. in any event, complain your ass off.
Re:This is not a solution (Score:4, Informative)
Firewalling outgoing traffic can be useful in case some of the hosts on your network were compromised (e.g. by an email worm, which can go through even in the case every incoming connections are blocked) and you want to lessen the harm which can be done using this host. For example The HoneyNet Project uses a limit of 5 outgoing connections from every compromised host, because they don't want their hosts attacking the outside world. Of course, in the case of HoneyNet it is easy, because every outgoing connection is made by a successful intruder, however my point is that outgoing traffic can do some harm and this may be a reason people block some of it.
Here I absolutely agree.
Re:This is not a solution (Score:1)
Nope. Having mostly WinXX systems giving Users the possibility to install soft, spy or whateverware in the internal network, filtering outbound traffic is important.
I have found some Virii/Malware just by wondering about unusual traffic from the inside and I strongly beleive this situation not only applies for me.
Re:This is not a solution (Score:1)
i also use a bit bucket for the windows boxes, makes things so much tidier on my network
Re:This is not a solution (Score:1)
Re:This is not a solution (Score:2, Informative)
Now, there are a few solutions to this problem:
1. Tunnel ntp through ssh (not recommended on a regular basis)
2. Use the routers as NTP servers (please ask the isp in question before using their routers as NTP servers)
3. Check or ask the isp to broadcast NTP updates on the subnet in question. That's relatively easy to do, and would be a recommended solution. I believe it does require multicast turned on though, but don't quote me on that! You'd then set up your ntp client to accept broadcasted updated, and wala, your clients have pretty darn accurate time, without the isp having to open up firewalls, or use their routers as NTP servers.
Hope this helps,
Ricardo
Tardis does it. (Score:4, Interesting)
Switch ISP (Score:2)
Jump boats.
Re:Switch ISP (Score:1)
So when it comes down to it, the ISP has adopted a firewall policy that requires more management than they're willing to perform... If they don't want to manage firewall rules for every customer, then their going to have to write an outbound ip any any rule and deal with the increased exposure. Otherwise, they will have to identifiy and write firewall rules for every service on every server that a customer wants to run... It's a pain in the ass, but the ISP made their own decision about how to manage their firewalls.
How about (Score:2)
Supposing your host was not a butthead... (Score:3, Informative)
Who modded this up??? (Score:2)
GPS signals have enough trouble going through trees. How do you propose that his GPS handset gets a signal through the roof of his hosting center? Do you really thing that ANY hosting provider is going to let someone run an antenna cable or serial cable to the outside roof?
I agree with everyone else on the solution in your case - Get a new ISP.
But to rephrase your question a bit and make it more applicable:
I'm behind a corporate firewall that only allows outgoing HTTP(S) via proxy. Any solutions for NTP from within my company?
Re:Who modded this up??? (Score:1, Flamebait)
Re:Who modded this up??? (Score:2)
First off, I disagree somewhat with the opinion that this ISP is neglecting their goal of providing service. I'm sure if this guy wants to pay he can get his own segment behind (or in front of) the firewall, and he'll have whatever ports protocols he wants open. But the reality is that most hosting providers must offer competitive prices, and that means reducing administrative overhead, and providing some "no frills" service packages. This usually means some customers share the same switched segment (in essence the same security domain), have restricted bandwith, and limited ports to communicate on. So, it's in the collective best interests of these customers that security precautions be taken across the board.
Tha said, suggesting using an NTP reciever is a genuinely helpful comment, and a good idea. Even if he can't get gps reception in his particular rack, he may be able to persuade the ISP to offer ntp service from a GPS reciever/ntp server that they buy and manage (i'd pay an extra $2/month for that, and $2*month*customer*server is a pretty good source of income. Generally a business would be more receptive to an idea that leads to more revenue. I'm sure the ISP would find a way to run an antenna for that....
cron job & http (Score:2, Informative)
Re:cron job & http (Score:2, Interesting)
Clockspeed? (Score:4, Interesting)
You would have to get clockspeed 3 or 4 deltas from another clock over the first few months you use it, but you might be able to borrow a laptop, sync it with a good clock, and use it as a local ntp server to obtain these few deltas to calibrate your system. (with a very short time between when the laptop was synced, and when clockspeed gets it's delta from the laptop).
Re:Clockspeed? (Score:1)
CONNECT (Score:4, Interesting)
( echo CONNECT 127.0.0.1:13 HTTP/1.0; echo ) | nc firewall 8000
will print out the time on firewall. Using a similar method and maybe a couple fifos, you should be able to put anything through that firewall.
This is the method that I use to layer VNC over SSH over SSL/HTTP through the firewall back to my home office from all my client locations.
Joe
Re:CONNECT (Score:1)
nc worked great. cool idea!
vnc -> local ssh port is easy, but i have not idea on the ssh -> nc |proxy port. Do you have a example?
Re:CONNECT (Score:2)
I use MindTerm, the applet ssh client.
Joe
#!/bin/sh
if [ "$#" != "5" ]
then
echo Usage: $0 user host tmp_port proxy_host proxy_port
exit -1
fi
USER=$1
HOST=$2
TMP=/tmp/bo$$
F1=$TMP.1
F2=$TMP.2
PORT=$3
P
PROXY_PORT=$5
mkfifo $F1
mkfifo $F2
(
echo CONNECT $HOST:22 HTTP/1.0 >> $F2
echo >> $F2
nc $PROXY $PROXY_PORT ) $F1 &
nc -l -p $PORT > $F2 $F1 &
ssh -p $PORT $USER@localhost
rm $F1 $F2
Re:CONNECT (Score:2)
#!/bin/sh
if [ "$#" != "5" ]
then
echo Usage: $0 user host tmp_port proxy_host proxy_port
exit -1
fi
USER=$1
HOST=$2
TMP=/tmp/bo$$
F1=$T MP.1
F2=$TMP.2
PORT=$3
PROXY=$4
PROXY_PORT=$5
mkfifo $F1
mkfifo $F2
(
echo CONNECT $HOST:22 HTTP/1.0 >> $F2
echo >> $F2
nc $PROXY $PROXY_PORT ) < $F2 > $F1 &
nc -l -p $PORT > $F2 < $F1 &
ssh -p $PORT $USER@localhost
rm $F1 $F2
What about the ISP's servers? (Score:3, Insightful)
Try asking the ISP if they have an internal NTP server you could sync against, one that itself is properly synced to a reliable source. If you don't want to
Good idea. (Score:2)
Re:Good idea. (Score:1)
What?!? An ISP who doesn't know about IDS, or using authenticated NTP to sync everything? Expecially their own routers to prevent sync problems?? Maybe they don't know what they are doing, and you do need to move to a more competent provider.
The Wicked Panda
Suggestions for a more competent web host company? (Score:2)
I totally agree that I should move to a more competent web host company. However, in three days of looking I was not able to find a better one. Any suggestions?
Firewall (Score:1)
As an ISP Admin (Score:3, Informative)
Use theirs, get your own, or go elsewhere. (Score:4, Informative)
You could also purchase a GPS clock like one on this list [udel.edu].
The last option is to find another ISP who will offer time services, or one that will let you find them where you want.
NTP over TCP (Score:4, Interesting)
Re:GPS (Score:2)
A little scripting... (Score:2)
That said, you can do something like the following:
Use wget to grab the correct time zone from www.time.gov.
Use sed or perl or whatever to pull out the time using a regexp.
Reformat that and pass it to 'date'.
Make this a nightly cron job and you're all set. (Of course, you should be careful about the interaction between cron and changing the system time!)
Re:A little scripting... (Score:2, Informative)
# Get UTC (GMT) time from NIST
wget -O- http://www.time.gov/timezone.cgi?UTC 2>&1 |
sed -n -e 's/.*size="[75]".*>\(.*\)<br>$/\1/p'
Are you sure (Score:1)
Pretty simple solution... (Score:4, Interesting)
Loophole (Score:2)
I read all of the above. (Score:2)
For pets sake, can't you people here read between the lines. This guy is not "paying" someone anything. He is most likely set some shit up behind a company firewall and is having a hard time getting his way around security set to to keep him from doing crap like this.
Ask slashdot has become the defacto "help me breach security for my own means" howto stop of choice. Yes I know how he can get around it, but I am sure as hell not going to tell him. Alas he is not asking for an elegant hack, he is asking for what amounts to a script kiddie hack to tunnel his ntp or anything else he wants.
Do your own homework if your going to do stuff like this, otherwise if I am wrong, change ISP's. An ISP that does not do what the customer asks is not longer providing a service.
Re:I read all of the above. (Score:1)
Why not ask the ISP for an NTP server to be setup (Score:1)
Too much security (Score:2)
More fool them. If they have over-tight firewall rules, more and more people will do what you are doing - tunnel through the firewall using HTTP. OK, for NTP, that doean't matter, because it is safe. But suppose some over-clver idion builds a Telnet-over-HTTP client? Your entire security system has just gone out the window.
There is such a thing as too much security. Imagina a physical security system where you could only withdraw documents after having a full body search, fingerprint, retina print, and lie-detector test. What would happen? People wouldn't put things into the repositiry because of the problems of getting them out - so net security would fall.
If everybody started using HTTP tunnelling, firewalls would have no value at all. Of course, you have to install a tunnel-friendly client on the safe side - but if they become routine, people will do it without thinking.
Your ISP Should Provide Time Service (Score:2)
httPort (Score:1)
Why GPS receivers are out of the question (Score:2)
These both aren't going to work - Most likely his machines are in a place where he is NOT going to be allowed to run a serial or antenna cable up to the roof of the building. GPS signals can NOT pass through the roof of a building (they have trouble even passing through trees), and most structures that hosting companies use use quite a bit of metal in their construction, so even WWV isn't going to get inside.
Using a GPS receiver is a good solution for a home user - NMEA-capable receivers are cheap (As little as $35 for the old Rand-McNally StreetFinder units for Palm IIIs on eBay, if they're still available) and accurate to within a second at least. But it's not a solution for anyone who doesn't own the building their server is located in.
Your ISP NTP Server... (Score:1)
Thats barely useable at best (Score:2)
Safety is one thing, but they are being stupid..
Couldn't it be done with some php script fu? (Score:2)
Something like that, I know the passthrough function executes a command locally, then spits the output back through http. So basically you would write a php script like the one above, name it"time.php" or something like that.
To synch, you could just use wget.
wget http://yourtimeserver.com/time.php
Then a little perl magic (i'm lost with the chompin and stuff, don't ask me)
and voila, psuedo NTP over http.