Time Syncing Through a Firewall Without NTP?
dvdsmith asks: "Say you are dealing with a Windows network that for internet access must pass through a firewall that you have no control over. Said firewall apparently blocks the known time protocols (NTP, daytime, etc.) and you know from experience that those who control it will not allow any exceptions. If one sets up an internal NTP server (Windows XP or 2000 workstation) for all others to sync from, is there another reliable method for updating time on the server, like pulling from a Java website? See the time.gov website as an example. Any ideas?"
Of course, your most important ingredient is this baby right here: the external web service. You can get it in a can but to really do things right, you gotta strangle yourself a fresh one.
We're going to sync with our outside web service using a simple SOAP client, written in whatever language you prefer, and setting the time. (Your users will get their time from you via NTP still, of course.) This isn't required, but for that fresh BAM! taste, it's recommended. Mind the delay calculations if you're writing the client side of it yourself, the WWWait will have a little bit more effect here depending on your setup. If you want to make it quick and dirty, there's no reason to go through the SOAP/WSDL hoops, the point is having it on a known port and piggybacking across HTTP's fame and success, and then sleeping with its girlfriend, and stealing her wallet on the way out. BAM!
Ask the morons in charge of the firewall to please open the NTP port and take the time to explain why this is important.
Take it up with management if said morons disagree.
Set up a host outside the firewall, and tunnel the NTP data over some "allowed" port, so it gets through. Or set it up as NTP server on non-standard port (80?) outside the firewall.
If you want precise measurement, this is the way to go. NTP software will correct the latency errors, no matter if you have direct connection or if it goes through tunnels around the globe, so you have precise time. But if you go for methods like reading time from website applet, all the network latency problems get completely neglected and just add up to the error of the internal server. You could just as well sync it to your hand watch instead.
you could build a device that gets the time via radio (LINK) or buy one that does this (like a gps receiver?).
or if any udp port is open in the firewall, set up a ntp server outside that answers on that port
The most common solution to a firewall blocking a particular port or service: tunnel it. SSH is probably the easiest form of tunneling and putty has a great command line utility for just that. But you can also tunnel over HTTP using some basic programming skills. Worst case: set up a port forwarder on the outside of the network that forwards requests on port 80 to time.gov (or some other trusted NTP server) then set your internal NTP server to sync with it on port 80. (This assumes, of course, port based filtering.)
Use any of the windows scripting tools, or cygwin tools to provide wget, awk, etc. We use this for changing IP addresses, time, and firewall control. Just write a batch file or shell script to get the time from any website that shows the current time of refresh on a page.
man wget - will tell you how to get a single webpage and write to std out (yes, works on windows), use grep and awk to single out what you need, then pass it to date. You can also use command line PHP or PERL without much trouble.
2. Use HTP: HTTP Time Protocol
Find a new job that comes with the authority you need to do it.
Correct subsecond time is important.
If your boxes are hacked and you go into court and you can't demonstrate that your log timestamps have anything to do with reality, you might not be able to use them as evidence.
You also would like to be able to accurately judge HTTP cache timeouts and other time-sensitive things.
You also don't want your time to "step" (jump by more than one second) if you can help it. It screws up sensitive daemons and I've seen more than one box crash and burn and start spawning crap when the clock jumped backwards.
Have them open up the damn firewall, set up a reliable Unix-based NTP server on the inside that syncs to something outside, and have the workstations sync up with that.
You CANNOT tunnel NTP over SSH. NTP uses UDP.
You also don't want to just get the time from some web page and set the clock because your clock may jump, and you don't adjust for latency correctly either (NTP is *complicated* because there are a lot of edge cases and complex concepts here). Also you'd like to be able to select from multiple sources and throw out any outliers, in case one has been hacked.
If you can't do the sane thing, which is open up the firewall, you can just set up a local Unix NTP server and at least your boxes will all have the same time as that box, even if it's the "wrong" time.
You can also use GPS or a dialup modem to set the time on your NTP server.
To recap:
1) set up a centralized NTP server
2) sync to that NTP server
3) if possible, sync that NTP server to another external NTP server, OR a radio or modem signal.
It ain't rocket science folks.
You can run a local NTP server, and install an 'Atomic Clock' receiver in it, on a Card. Basically it's a 10 MHz WWV receiver that decodes the time info and reads it into the PC. They've been around a long time.
:~> curl --dump-header - -o /dev/null time.gov
HTTP/1.1 200 OK
Server: Netscape-Enterprise/4.1
Date: Sat, 30 Jul 2005 23:55:38 GMT
Content-type: text/html
Etag: "3f2f157-1-292b-41dc304b"
Last-modified: Wed, 05 Jan 2005 18:22:03 GMT
Content-length: 10539
Accept-ranges: bytes
You don't have milliseconds this way, but with a program smart enough you can collect them over time.
That site uses Javascript, not Java.
Furthermore, all the Javascript does is tick a clientside counter. A timestamp is supplied when the page is loaded, and a javascript increments it using ticks on your PC, not the server.
You could parse the HTML page to pull off the timestamp. It wouldn't be very precise, but might be good enough. NTP does lots more than just ask a server for a timestamp though, it does predictions of network latency and factors that in as well.
And set up your own "primary" NTP server. You can either hook a standard GPS receiver to a serial port, or buy a whole server-in-a-box.
Voila. No packets through the unfriendly firewall at all.
Do the systems need to be synced to the outside world, or merely consistent with each other?
If the silly firewall people won't help you (you might remind them that you do in fact work for the same company...), you need to set up your own NTP server. Either a real one with a GPS receiver, or a pretend one that everybody can follow and have the same time, regardless of what that time actually is (see initial question).
The occasional phone call to the NIST's dialup time server might be useful too.
...laura
http://www.clevervest.com/htp/intro.html
syncs time via http header info
p.s.: wow. actually the first ask-slashdot-question i'm not too lazy to answer (perhaps because this time it's a GOOD question...)
greetings
Companies make GPS-timeclock receivers that connect to your server with a serial cable and have software to do clock drift adjustment. If you can get a GPS signal, you're set.
This has got to be the easiest suggestion someone has said. Not only are you avoiding potential NTP exploits in the network, you are also not going head to head with your boss. The solution is likely extremely cost effective, easy to implement, and relatively pain free. It solves all of his problems and very elegantly too. Sir, you deserve to be modded up, but for some reason, I have not seen modpoints for months now. What's going on with that? I tried metamoderating 20 times in a row and still no modpoints. Oh well.
There's a perl implementation that will work on Windows machines.
Other features include: DNS caching, programmable (delayable) prefetch by site including number of threads and depth, blocking of (simple) advertisements, site backgrounds, blinking text, pop-ups (while loading or entirely), UserAgent, Referrer, cookies, Javascripts, and sounds. All that can be set for default as well as on a site by site basis. My default is block everything which keeps the malware sites confused and limited ;-).
Other handy features include recording all headers in and out of the program and your system as well as building a site map (handy for programming web crawlers). And of course, given all those functions, it is a web proxy.
I've been using it some five odd years or more now and it goes on all my Windows systems. For *nix, which may be what we are discussing here, you'll have to hack your own.
If your are interested, Google will turn it up in the first few entries (PCWorld site in #1 but you may desire a different source). Enjoy.
If you can get by with keeping the same time, set up a master/secondary time server and keep time with those.
If you need accurate time, you start with a formal request to the group that maintains the firewall. State your case, list the time source(s) you'll be using. Assuming that request is turned down, you provide the quotes for setting up in house time synchronization services. Remember you'll need at least 2 units for redundancy (you do have a legitimate business requirement right?). You don't want a single point of failure.
If it turns into a policy struggle, you need to be the reasonable one who's trying to meet a business requirement. Let your management know early what the issues and costs will be.
Never let your manager be surprised. Let him make the waves. That's why he's management and you get to play with the cool toys.
Cisco routers (almost always...) have the ability to be an NTP server and client. Have them do that. Clean, simple solution.
Failing that, look at clockspeed from DJB. He's terribly clever.
--
lds
Most webservers return the date in the HTTP headers.
For example, try:
curl --head http://www.google.com/
Try NIST.pl
> IT departments are there to provide services ...
In one college I teach in they have an internal time server, and that server is one hour off... The way they set it to daylight savings time is by adding one hour to UTC... (And by inspecting email headers I think that's the way most IT departments in Israel do it. Then of course they cannot sync to an external time server because then everything is one hour off what they think is correct. But it might be the common knowledge of all system admins in Israel that time syncing is "broken" and cannot be used at summertime...).
I'm in the UK and we sync from the Rugby time service, which broadcasts UTC time over radio. This is reliable, but not authenticated.
You can get a serial dongle and software that receives this for very little money.
http://tycho.usno.navy.mil/
Buy a Delorme Tripmate on Ebay. Buy or build a power/serial cable. Connect pins 2&3 on the serial port so the Tripmate will self start. Parse the ASCII strings sent by the Tripmate. The string you need looks like this:
$GPRMC,HHMMSS,A,LATITUDE,N/S,LONGITUDE,E/W,SPEED,DIRECTION,DDMMYY,MAGNETIC,E/W*CHECKSUM
A search on Google for "Delorme Tripmate" and/or "NMEA-0183" should turn up plenty of info.
I use a Tripmate in my car connected to a Microchip PIC and an LCD to display time, date, location, speed and direction.
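A checksum-verified parser for the $GPRMC layout the post describes, as an added example (not the poster's PIC code). It uses the widely published NMEA-0183 sample sentence rather than real Tripmate output, constructs a corrupted and a void-fix variant to show the rejection paths, and assumes a two-digit-year pivot (years below 80 are 20xx), which NMEA itself does not define.

```python
"""Checksum-verified parsing of the $GPRMC sentence described above.

Added example, not from the post. Sentence is the commonly published
NMEA-0183 sample, not Tripmate output; the year pivot is an assumption.
"""
from __future__ import annotations

from datetime import datetime, timezone


def nmea_checksum(body: str) -> str:
    """XOR of every byte between '$' and '*', rendered as two uppercase hex digits."""
    acc = 0
    for byte in body.encode("ascii"):
        acc ^= byte
    return f"{acc:02X}"


def parse_gprmc(sentence: str) -> datetime:
    """Return the UTC fix time carried by a $GPRMC sentence.

    Raises ValueError on bad framing, a checksum mismatch, or a status of 'V'
    (void), so a receiver without satellite lock never feeds a bogus time to
    the clock. Field layout is the one the post gives:
    $GPRMC,HHMMSS,A,LAT,N/S,LON,E/W,SPEED,DIRECTION,DDMMYY,MAGNETIC,E/W*CHECKSUM
    """
    sentence = sentence.strip()
    if not sentence.startswith("$") or "*" not in sentence:
        raise ValueError("not a framed NMEA sentence")
    body, _, given = sentence[1:].partition("*")
    if nmea_checksum(body) != given[:2].upper():
        raise ValueError("checksum mismatch")
    fields = body.split(",")
    if fields[0] != "GPRMC" or len(fields) < 10:
        raise ValueError("not a GPRMC sentence")
    hhmmss, status, ddmmyy = fields[1], fields[2], fields[9]
    if status != "A":
        raise ValueError("receiver reports no valid fix")
    whole, _, frac = hhmmss.partition(".")  # some receivers send HHMMSS.sss
    micro = int((frac + "000000")[:6]) if frac else 0
    yy = int(ddmmyy[4:6])
    year = 2000 + yy if yy < 80 else 1900 + yy  # assumed pivot, not part of NMEA
    return datetime(
        year, int(ddmmyy[2:4]), int(ddmmyy[0:2]),
        int(whole[0:2]), int(whole[2:4]), int(whole[4:6]), micro,
        tzinfo=timezone.utc,
    )


def is_usable_fix(sentence: str) -> bool:
    """True only when the sentence parses cleanly and carries a valid fix."""
    try:
        parse_gprmc(sentence)
    except ValueError:
        return False
    return True


# Widely published NMEA-0183 sample sentence; 6A is its correct checksum.
SAMPLE = "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A"
# Constructed variants: one with a corrupted digit, one re-checksummed with status V.
CORRUPTED = SAMPLE.replace("123519", "123518")
_void_body = SAMPLE[1:].partition("*")[0].replace(",A,", ",V,", 1)
VOID_FIX = f"${_void_body}*{nmea_checksum(_void_body)}"

if __name__ == "__main__":
    print(parse_gprmc(SAMPLE).isoformat())
    print("corrupted usable:", is_usable_fix(CORRUPTED), "void usable:", is_usable_fix(VOID_FIX))
```

Only the time and date fields are used, but the whole sentence is checksummed first: a single flipped serial bit would otherwise silently produce a wrong time, and a receiver that has lost lock keeps emitting sentences with status V and stale fields.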
> set up a port forwarder on the outside of the network that forwards requests on port 80 to time.gov (or some other trusted NTP server) then set your internal NTP server to sync with it on port 80
How exactly would this work? If they're blocking UDP/123, why wouldn't they also be blocking UDP/80?
Oh, that's right - you're an idiot who doesn't know the difference between UDP and TCP.
HTTP servers send a Date: modifier in their response. It doesn't get you millisecond resolution but it's better than nothing the way some machines' clocks drift.
$ telnet ntp.isc.org 80
Trying 204.152.184.138...
Connected to ntp.isc.org.
Escape character is '^]'.
HEAD / HTTP/1.0
HTTP/1.1 302 Found
Date: Sun, 31 Jul 2005 17:10:58 GMT
Server: Apache
Location: http://ntp.isc.org/bin/view/Main/WebHome
Connection: close
Content-Type: text/html; charset=iso-8859-1
Connection closed by foreign host.
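What a "smart enough program" over the Date header looks like, as an added example that is not from any poster: it reuses the response captured in the telnet session above, corrects for half the measured round trip (the same symmetric-delay assumption NTP makes), takes a median across several sources and drops any that disagree, and reports whether the resulting correction is small enough to slew rather than step, which is the concern raised earlier in the thread about clocks jumping. The two extra responses and all of the send/receive timings are constructed.

```python
"""Clock offset from HTTP Date headers, with latency correction and outlier rejection.

Added example, not code from the thread. Reuses the ntp.isc.org response captured
above; the other responses and every timing figure are constructed.
"""
from __future__ import annotations

import statistics
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class HttpSample:
    """One HEAD request: the raw response plus send/receive times from the local clock (UTC)."""
    source: str
    raw_response: str
    sent_at: datetime
    received_at: datetime


def parse_date_header(raw_response: str) -> datetime:
    """Extract the Date: header (RFC 1123, always GMT) as an aware UTC datetime."""
    for line in raw_response.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            parsed = parsedate_to_datetime(value.strip())
            if parsed.tzinfo is None:
                parsed = parsed.replace(tzinfo=timezone.utc)
            return parsed.astimezone(timezone.utc)
    raise ValueError("no Date header in response")


def sample_offset(sample: HttpSample) -> float:
    """Server clock minus local clock, in seconds.

    Assumes the server stamped the response halfway through the round trip. The
    Date header has one-second resolution, so the result is never better than
    +/- 0.5 s no matter how precisely the round trip is measured.
    """
    server_time = parse_date_header(sample.raw_response).timestamp()
    rtt = (sample.received_at - sample.sent_at).total_seconds()
    local_midpoint = sample.sent_at.timestamp() + rtt / 2
    return server_time - local_midpoint


def robust_offset(samples: list[HttpSample], max_spread: float = 2.0) -> float:
    """Median offset over several sources after dropping any source that disagrees
    with the median by more than max_spread seconds (a crude falseticker filter)."""
    offsets = [sample_offset(s) for s in samples]
    median = statistics.median(offsets)
    kept = [o for o in offsets if abs(o - median) <= max_spread]
    if len(kept) < 2:
        raise ValueError("fewer than two agreeing sources; refusing to adjust")
    return statistics.median(kept)


def adjustment_plan(offset: float, step_threshold: float = 0.128) -> str:
    """'slew' for small corrections, 'step' for large ones (128 ms is ntpd's default
    step threshold). A 'step' result is something for an operator to review, since
    a backwards jump is exactly what the thread warns about."""
    return "slew" if abs(offset) <= step_threshold else "step"


# Response captured in the telnet session above (only the Date header matters here).
ISC_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Date: Sun, 31 Jul 2005 17:10:58 GMT\r\n"
    "Server: Apache\r\n"
    "Location: http://ntp.isc.org/bin/view/Main/WebHome\r\n"
    "Connection: close\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n\r\n"
)
# Constructed responses: one agreeing server and one five minutes off (a falseticker).
AGREEING_RESPONSE = "HTTP/1.1 200 OK\r\nDate: Sun, 31 Jul 2005 17:10:58 GMT\r\n\r\n"
FALSETICKER_RESPONSE = "HTTP/1.1 200 OK\r\nDate: Sun, 31 Jul 2005 17:15:58 GMT\r\n\r\n"


def _t(second: int, micro: int) -> datetime:
    """Constructed local-clock instant within 2005-07-31 17:10 UTC."""
    return datetime(2005, 7, 31, 17, 10, second, micro, tzinfo=timezone.utc)


SAMPLES = [
    HttpSample("ntp.isc.org", ISC_RESPONSE, _t(57, 900_000), _t(58, 300_000)),
    HttpSample("constructed-a", AGREEING_RESPONSE, _t(57, 500_000), _t(58, 500_000)),
    HttpSample("constructed-b", FALSETICKER_RESPONSE, _t(57, 900_000), _t(58, 300_000)),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s.source:15s} offset {sample_offset(s):+.3f} s")
    agreed = robust_offset(SAMPLES)
    print(f"agreed offset {agreed:+.3f} s -> {adjustment_plan(agreed)}")
```

With the constructed timings the two honest sources land at -0.1 s and 0.0 s, the falseticker at +299.9 s is discarded, and the agreed -0.05 s correction is small enough to slew. Real sub-second accuracy still needs many samples averaged over time, as the poster above notes, because the header itself only carries whole seconds.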
Why not ask the firewall people if they have an NTP source you can use? If they don't, ask them to set one up for you that way they don't have to open their firewalls to your NTP needs.
Can anyone tell me why slashdot is strobing my machine?
Jul 31 01:05:08 firewall /kernel: Connection attempt to TCP firewall:444 from 66.35.250.150:59340 flags:0x02
Jul 31 01:05:09 firewall /kernel: Connection attempt to TCP firewall:1080 from 66.35.250.150:59368 flags:0x02
Jul 31 01:05:10 firewall /kernel: Connection attempt to TCP firewall:3127 from 66.35.250.150:59389 flags:0x02
Jul 31 01:05:11 firewall /kernel: Connection attempt to TCP firewall:3128 from 66.35.250.150:59413 flags:0x02
Jul 31 01:05:12 firewall /kernel: Connection attempt to TCP firewall:6588 from 66.35.250.150:59428 flags:0x02
Jul 31 01:05:13 firewall /kernel: Connection attempt to TCP firewall:8000 from 66.35.250.150:59450 flags:0x02
Jul 31 01:05:14 firewall /kernel: Connection attempt to TCP firewall:8080 from 66.35.250.150:59478 flags:0x02
Jul 31 01:05:15 firewall /kernel: Connection attempt to TCP firewall:81 from 66.35.250.150:59512 flags:0x02
Jul 31 01:05:16 firewall /kernel: ipfw: 150 Deny TCP 66.35.250.150:59535 firewall:1026 in via rl0
Jul 31 01:05:17 firewall /kernel: Connection attempt to TCP firewall:3124 from 66.35.250.150:59564 flags:0x02
Jul 31 01:05:18 firewall /kernel: Connection attempt to TCP firewall:3382 from 66.35.250.150:59574 flags:0x02
Jul 31 01:05:19 firewall /kernel: Connection attempt to TCP firewall:7032 from 66.35.250.150:59589 flags:0x02
Jul 31 01:05:20 firewall /kernel: Connection attempt to TCP firewall:8002 from 66.35.250.150:59609 flags:0x02
Jul 31 01:05:21 firewall /kernel: Connection attempt to TCP firewall:8090 from 66.35.250.150:59628 flags:0x02
Jul 31 01:05:22 firewall /kernel: Connection attempt to TCP firewall:2578 from 66.35.250.150:59655 flags:0x02
Jul 31 01:05:23 firewall /kernel: Connection attempt to TCP firewall:8081 from 66.35.250.150:59669 flags:0x02
I have a cheap Hauppauge WinTV card and I sometimes use alevt-date in linux to set clock. I've set up a script that sets clocks on 3 other computers as well through ssh.
I understand the extreme paranoia of a firewall admin, especially if there are large numbers of windoze machines on her network. There may be a touch of tin-foil hat syndrome from rumours that windoze machines report activation codes encoded in SNTP requests to time.windows.com. If you are on a government network, then some security dudes have already demo'd tunneling secret info over NTP UDP packets, resulting in your properly locked down windoze network. There really is no reason a windoze machine needs to get its time from the internet, when a local time server will do.
> If one sets up an internal NTP server (Windows XP or 2000 workstation)
One note about XP or 2K machines as NTP servers. Windows clocks are accurate to only 10 milliSeconds, and no amount of tweaking will improve that. Save yourself the headache and set up a *nix machine, where clock increments are usually between 2 mSec and 500 nanoSec.
There probably is an NTP service on the internal network. Start by asking around if there is an alternative you can use on the inside of the firewall. Try pointing your NTP client at the default router on your segment, and see what happens. Do a traceroute towards the internet, and see if NTP is present on any of the hops before the firewall.
If you have no NTP inside the firewall, you can always pick up a cheap GPS unit with a serial NMEA connector, or if you are in the US, a CDMA timebase. Plug it into a *nix based machine, compile the latest NTPv4 code, and read the docs about setting up a generic NMEA driver. Now you've got a machine accurate to about .05 seconds, and after a few weeks of running will probably settle down to .02 seconds with little drift. If you can spend more and get a GPS with a pulse per second output, you can get 1 microsecond accuracy. If your department has $500 extra in the budget, and you don't want the hassle of setting up a *nix box and GPS, there are GPS based NTP servers out there.
It's probably easier and cheaper to ask the network admins to enable an NTP server on a router.
the AC
Have you checked the obvious? Many routers and firewalls also serve NTP. Try polling NTP on the firewall. It just might work.
If that doesn't work, try polling the local router. Try polling a remote router that's still inside the firewall.
A customer of mine has several sites, and the sites are linked through frame relay (or is it T-1?). The firewall blocks port 123, so NTP with the outside world is (generally) out of the question. However, the frame provider is MCI, who also happens to manage the routers for the customer, and the routers poll NTP from MCI's network, and serve NTP to the local network. Rather handy.
You don't want to make a new SOAP service and have to do all the delay calculations.
If you have access to an external server, just tunnel NTP over HTTP. (http://htun.runslinux.net/docs.html)
Essentially no programming required.
It might be slightly less accurate than your way, but only if the time on the existing server really is hyperaccurate.
(That is, SOAP directly to an authoritative time server is probably more accurate than a tunneling proxy, but a tunneling proxy is probably more accurate than the two sets of drift calculations involved in syncing from a random server synced from somewhere else.)
Forget time syncing. If you absolutely can't get the time from outside -- get a GPS time piece. They hook up to your computer and provide accurate time signals from the GPS satellites which all carry atomic clocks. Use the computer this is connected to to run internal NTP.
If the firewall truly cannot be changed, then use your own NTP primary time source which syncs off of the GPS constellation. This is a more secure way of keeping accurate time and is used by telecoms to sync their networks.
http://www.truetime.net/nts200.html
Is there anything particularly wrong with getting a few UNIX boxen (for redundancy) with accurate clocks and setting their times manually?
This is not what the submitter wanted to know. However, for all of you who have proposed hardware GPS-based solutions, you might want to note that there are also companies making similar hardware which get their time signal from the CDMA cellphone signals.
CDMA in turn gets its time from GPS, but is far easier to receive in most locations - no need to run an antenna cable up to the roof. They also tend to be cheaper.
Like the title says, do you really need to pull time from the outside world, or are you just looking for reasonable consistency?
If it's the latter (and assuming the servers support feeding time to clients, which they probably do), you can use a windows task on the client machines to run the following command:
net time \\server /set /y
You can put that into a batch file, put a "cls" at the end, set the task to run said batch file (as an account with admin priv's) and make it run whenever you feel like it. Logon, logoff, specific time, etc.
The usefulness of windows tasks is somewhat underrated.
I have experience working in another country with a repressive paranoid regime (not Middle East; not North Korea) and until about three years ago every non-well-known port was blocked plus - I can't remember exactly here - at least one or likely all of the 'time' ports. I don't think Slashdot has ever been blocked but quite a few websites still are (including Google Groups and Geocities). That's my perspective on the situation. Something about the vague wording of the original poster's situation made me suspect it was a case of 'country' blocking - it struck a chord.