Slashdot Mirror
Tunnelling NTP Through a Firewall?
Franklin_DeMatto asks: "My ISP keeps my server behind a tight firewall, only allowing outgoing HTTP(S) and SMTP. I would like to sync the system's clock using NTP. Does anyone know of any public time servers that can do some type of NTP over HTTP, to get through the firewall? What about the software (preferably open source) to do it? (No, the ISP will not change the firewall rules.)"
How about finding another ISP (and telling them WHY you are changing to someone else too).
D.
You can tell how powerful someone is by the magnitude of the crime they can commit and be able to get away with.
I wouldn't pay for that kind of service... There's no reason that they shouldn't be able to put in a firewall rule that permits NTP to one or two public time servers. If your ISP isn't going to serve you, go elsewhere.
If Happy Fun Ball begins to smoke, get away immediately. Seek shelter and cover head.
Do you have a shell account on the box? I assume so otherwise you wouldn't be able to install NTP even without a firewall. If you have a shell account, they probably allow ssh through the firewall and so you can tunnel the NTP ports over SSH. This assumes you have another machine outside the firewall that has access to NTP and an 'always-on' connection.
Rich
I forget where I learned this tip, but it's useful and doesn't seem widely known: many routers provide NTP service. So you can do a traceroute from your server out to anywhere (say google.com) and get a list of upstream routers. Don't forget to try the "-I" option (or whatever the equiv is in your version of traceroute) to use ICMP instead of the default UDP datagrams if your firewall is blocking those.
If/once you have a list of routers, try time syncing against them. It's worth a shot.
-h3
go to another ISP?
/.ed
If his area is anything like where I live (near Denver, Colorado), he can't hope to find another ISP that is reasonable.
Well, at least not one that can handle the amount of traffic he might expect.
Around here, there are 2 ISP's that I (an average Joe computer nerd) can run a sturdy server through. One of them is probably as strict as his and the other couldn't even handle enough traffic to let me get
Of all the Universal Constants, here's one I know: Nice guys finish last
I am sorry, but the only reasonable advice I can give you is to change your ISP if they do not open more ports. You have only outgoing HTTP and SMTP? What about SSH? What about FTP? What about Telnet? What about IRC? Are you also going to tunnel them through HTTP? HTTP is a stateless and sessionless protocol. It is extremely bad idea to tunnel anything which uses long and interactive two-way TCP traffic (like IRC, SSH, FTP, Telnet, ...) using HTTP.
Not only it is technically bad idea,
you also compromise the firewall security if you use covert channels to hide all the forbidden traffic. The firewall rules to not allow
insecure (in the opinion of firewall management team) protocols traffic are ruined when their
users want to consciously
compromise the security.
We all know that using SSH or NTP is not insecure in itself, but when everyone tunnels everything bastardizing HTTP protocol, no one will ever notice when some day there is Back Orifice traffic hidden there between NTP, SSH, Telnet, FTP, IRC, et cetera.
So my advice is: talk to your ISP.
Tell them why you need NTP for security reasons (to have your logs useful).
Tell them what do you want them to change.
It is you,
who are paying them,
for the love of God, not the other way around.
Nothing will ever change unless people start
saying what do they want to be changed.
~Christopher Doopov
Someone told me a time ago that Tardis can do ntp-over-http.
Jump boats.
If at first you don't succeed, skydiving is not for you
Read Why TCP Over TCP Is A Bad Idea by Olaf Titz:
Very interesting read.
root@aio:~# nmap -sX -iR -p1- # Ho, ho, ho! Merry Xmas, everyone!
Just use 'netcat' to port forward? Assuming you can also control the remote NTP server and have it listen on the HTTP port (just because you are using the "http" port, doesn't mean you /have/ to talk in HTTP).
It's 10 PM. Do you know if you're un-American?
You can plug a GPS handset into the serial port and get the time off that.
All things in moderation; including moderation
so, assuming for some reason you can't just find an isp that doesn't suck, why not just write a script that will pull / parse the time from some website and setup a cron job to run it?
Gabriel Ricard
If I was stuck, behind a firewall that blocked NTP, I would look into using clockspeed to keep the time accurate without constantly resetting to an external source.
You would have to get clockspeed 3 or 4 deltas from another clock over the first few months you use it, but you might be able to borrow a laptop, sync it with a good clock, and use it as a local ntp server to obtain these few deltas to calibrate your system. (with a very short time between when the laptop was synced, and when clockspeed gets it's delta from the laptop).
depending on their proxy of course, but I've had very good luck escaping corporate fire walls with the HTTP CONNECT method.
( echo CONNECT 127.0.0.1:13 HTTP/1.0; echo ) | nc firewall 8000
will print out the time on firewall. Using a similar method and maybe a couple fifos, you should be able to put anything through that firewall.
This is the method that I use to layer VNC over SSH over SSL/HTTP through the firewall back to my home office from all my client locations.
Joe
Joe Batt Solid Design
That is, what about their own internal servers? What about the rest of the servers they host? Do they not have ANY of them that are syncing up to an NTP source somewhere?
/can't switch ISPs, this alternative may be (somewhat) practical -- it depends on how much you trust your ISP to have their NTP server set up properly...
Try asking the ISP if they have an internal NTP server you could sync against, one that itself is properly synced to a reliable source. If you don't want to
As an ISP Asst Admin, I would have to agree with the others. There is no legitimate reason they should block the NTP port from you. I understand why they are so strict though, it's probably to help keep the P2P down from within their network. Move to another ISP, or you can do this. Get a buddy with a *nix machine on the outside to setup an SSH server on port 80, then run the ssh client to connect to the server on port 80 or 25 or 110. Then have your NTP loopback to itself and SSH will forward it to the other machine, and have him run NTPserv, then you can do it..... ---but, it would just be easier to move to a different ISP.
You could also purchase a GPS clock like one on this list.
The last option is to find another ISP who will offer time services, or one that will let you find them where you want.
No, the ISP will not change the firewall rules.
Not to state the obvious answer here, but get a new ISP and be done with it.
None of those are UDP (which is what you really want in order to run NTP), otherwise I'd suggest just running your own ntpd on a non-standard port somewhere. Maybe the ISP can be persuaded to operate their own timeserver behind the firewall (which they may be persuaded to do, since it's much better for security/audit purposes if all machines have accurate clocks), or allow access to one specific host. GPS has already been mentioned, though possibly it would be difficult to get a reliable signal in some server rooms without an external antenna. Other radio-based options are available, for example MSF in the UK, DCF in much of W.Europe, or WWVB in N.America, all of which are a bit more likely to penetrate a server room than GPS. Failing that, you could periodically connect to a webpage you trust to have fairly reliable time (obviously this is a much less accurate method, you probably wouldn't want to use this if you need accuracy better than a couple of seconds). Or assuming the firewall only looks at port numbers and doesn't inspect traffic, you could ssh out on e.g. the https port, and forward onto a normal time server.
NTP tunnels through YOU!
You can use a GPS receiver which has a serial port and use that. But that's kind of an expensive clock.
Does anybody know of one of the Shortwave clocks (that use WWV) that output the time?
I agree with the folks who say your ISP sucks.
That said, you can do something like the following:
Use wget to grab the correct time zone from www.time.gov.
Use sed or perl or whatever to pull out the time using a regexp.
Reformat that and pass it to 'date'.
Make this a nightly cron job and you're all set. (Of course, you should be careful about the interaction between cron and changing the system time!)
that it's you ISP and not your company trying to keep it's employees from doing things they're not supposed to? Cyberbite Web Hosting http://www.cyberbite.com Like PHP? Check out PHP|architect magazine. www.phparch.com
Cyberbite Networks - Web Hosting, Dedicated Servers & Colocati
If you can run perl scripts on the server, grab http://nist.time.gov/timezone.cgi?/d/0, where the 0 is the timezone offset (-5 for Eastern US time), then parse the time and date out of that. Once you have those values, use the date and clock functions to set your system time.
Loophole
For pets sake, can't you people here read between the lines. This guy is not "paying" someone anything. He is most likely set some shit up behind a company firewall and is having a hard time getting his way around security set to to keep him from doing crap like this.
Ask slashdot has become the defacto "help me breach security for my own means" howto stop of choice. Yes I know how he can get around it, but I am sure as hell not going to tell him. Alas he is not asking for an elegant hack, he is asking for what amounts to a script kiddie hack to tunnel his ntp or anything else he wants.
Do your own homework if your going to do stuff like this, otherwise if I am wrong, change ISP's. An ISP that does not do what the customer asks is not longer providing a service.
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
This seems like a good idea to me. However, both of my web hosts don't keep the time on their own servers current. I've never explored why.
It seems logical that the ISP is using NTP to synch their server times. Why not ask them to provide you with access to a server of theirs running NTP. Seems simple enough.
Regards,
Ryan Pritchard
Fun Extends All Basic Life Expectancies
More fool them. If they have over-tight firewall rules, more and more people will do what you are doing - tunnel through the firewall using HTTP. OK, for NTP, that doean't matter, because it is safe. But suppose some over-clver idion builds a Telnet-over-HTTP client? Your entire security system has just gone out the window.
There is such a thing as too much security. Imagina a physical security system where you could only withdraw documents after having a full body search, fingerprint, retina print, and lie-detector test. What would happen? People wouldn't put things into the repositiry because of the problems of getting them out - so net security would fall.
If everybody started using HTTP tunnelling, firewalls would have no value at all. Of course, you have to install a tunnel-friendly client on the safe side - but if they become routine, people will do it without thinking.
Consciousness is an illusion caused by an excess of self consciousness.
Some firewalls also run NTP. I know Raptor does. They use it so their firewall logs are accurate. Their firewall policies sound like they are good to me. Maybe open up SSH though. After all, it should be deny everything, then allow only what is explicitly needed.
Tell your ISP to provide an NTP server on your side of the firewall.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
check out httport which allows you to run TCP over HTTP (over TCP over IP). You can go right out over port 80, or anything else that's open. There are some public servers, but you can also run your own server elsewhere to tunnel out - you can encrpyt the traffic between you and your own server too. Great for getting web and email from work - setup one browser to be your personal encrypted web connection and use another as your "work" browser.
I wish I had mod points and a good -1 (Moron) for this post.
GPS signals have enough trouble going through trees. How do you propose that his GPS handset gets a signal through the roof of his hosting center? Do you really thing that ANY hosting provider is going to let someone run an antenna cable or serial cable to the outside roof?
I agree with everyone else on the solution in your case - Get a new ISP.
But to rephrase your question a bit and make it more applicable:
I'm behind a corporate firewall that only allows outgoing HTTP(S) via proxy. Any solutions for NTP from within my company?
retrorocket.o not found, launch anyway?
I've seen at least two people suggest GPS receivers, and one suggest a WWV receiver.
These both aren't going to work - Most likely his machines are in a place where he is NOT going to be allowed to run a serial or antenna cable up to the roof of the building. GPS signals can NOT pass through the roof of a building (they have trouble even passing through trees), and most structures that hosting companies use use quite a bit of metal in their construction, so even WWV isn't going to get inside.
Using a GPS receiver is a good solution for a home user - NMEA-capable receivers are cheap (As little as $35 for the old Rand-McNally StreetFinder units for Palm IIIs on eBay, if they're still available) and accurate to within a second at least. But it's not a solution for anyone who doesn't own the building their server is located in.
retrorocket.o not found, launch anyway?
Maybe academically it is, but in the real world, TCP/TCP works fine. I develop an appliance product that tunnels a TCP protocol over SSH, and we have several dozen customers on all kinds of network using the product several times a day to move gigabytes of data. Data rates are limited by the network pipe, nothing more, using GHz celerons to do the encryption and compression.
The biggest problem is that the NAT boxes at customer sites keep changing NAT addresses, so run the SSH tunnel out of inittab.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
Most likely you ISP has an NTP Server...why not just sync to that?
How about finding another ISP (and telling them WHY you are changing to someone else too).
Often, only one company provides high-speed Internet access to residential customers in a given geographic area. This is often the telephone company or the cable television company. So in effect, you may have instructed Franklin_DeMatto to either 1. downgrade to dial-up or ISDN, 2. buy a ridiculously expensive T1 line, or 3. sell one's house and move.
Will I retire or break 10K?
I don't know why this is marked as a troll, it is the truth.
I've never understood why people can't get comfortable with dial-up. At the moment, I'm using a pretty high-speed 10Mbps connection to the Internet. Next week, I'll be on a 56k connection. I transition pretty seamlessly.
There's a bit more latency on the modem, which I could see as an issue if you ssh a lot (thought ISDN wipes that out and you don't seem to go for ISDN), but web browsing on a 56k modem is *fine*. You *do* need to have multiple windows loading while you're browsing instead of click-wait-load but I do that anyway...
May we never see th
I totally agree that I should move to a more competent web host company. However, in three days of looking I was not able to find a better one. Any suggestions?
Id demand better services or move on..
Safety is one thing, but they are being stupid..
---- Booth was a patriot ----
Apparantly this script corrects for drift via the use of Voodoo(tm).
People, there is a reason there is an entire protocol designed for syncing time sources. Using the script above for setting your clock for the purposes of having the correct time in your logs, is about as useful as manually setting it every week using the talking clock (by phone). Hell the later probably has a better chance of being accurate with a bit of practice.
I'm a PHP n00b but..
Something like that, I know the passthrough function executes a command locally, then spits the output back through http. So basically you would write a php script like the one above, name it"time.php" or something like that.
To synch, you could just use wget.
wget http://yourtimeserver.com/time.php
Then a little perl magic (i'm lost with the chompin and stuff, don't ask me)
and voila, psuedo NTP over http.