Category Archives: Daemons

Building GPS Clock on Pi w/ Debian Stretch

Start with Raspbian Stretch Lite

Install most current packages:
apt-get update
apt-get upgrade
apt-get dist-upgrade

Clean up packages:
aptitude search '~o'
apt-get autoremove

reboot

Test GPS Sentences:
cat /dev/ttyAMA0

Limit GPS Sentences:
#GPZDA
/bin/echo -e '$PMTK314,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0*29\r\n' > /dev/ttyAMA0

#GPRMC
/bin/echo -e '$PMTK314,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0*29\r\n' > /dev/ttyAMA0

Configure Pi:
raspi-config
configure locale >> [*] en_US.UTF-8 UTF-8
timezone >> Chicago
advanced >> Expand filesystem

reboot

Get and Unpack NTP source:
wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p12.tar.gz
tar -zxvf ntp-4.2.8p12.tar.gz

Compile NTP:
apt-get install libcap-dev

./configure --disable-all-clocks --disable-parse-clocks --without-lineeditlibs --enable-NMEA --enable-LOCAL-CLOCK --enable-SHM --enable-linuxcaps --enable-ATOM --enable-pps --with-sntp=no --prefix=/usr

make
make install

Boot and Kernel Configuration:
Disable TTY on /dev/ttyAMA0 in /boot/cmdline.txt:
dwc_otg.lpm_enable=0 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline rootwait

Configure /boot/config.txt:
init_uart_baud=9600
disable_pvt=1
dtoverlay=pps-gpio,gpiopin=24

/etc/modules:
echo pps-gpio >> /etc/modules

Add udev rules for gps:
root@GPS2 /etc/udev/rules.d # cat 09.gps.rules
KERNEL=="ttyAMA0", SYMLINK+="gps0"
KERNEL=="pps0", OWNER="root", GROUP="tty", MODE="0777", SYMLINK+="gpspps0"

reboot

Test pulse per second:
apt-get install pps-tools
ppstest /dev/pps0
ppstest /dev/gpspps0

ntp.conf:
driftfile /var/log/ntpstats/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

restrict default nomodify noquery
restrict 127.0.0.1
restrict 10.1.1.0 mask 255.255.255.0 nomodify

# NMEA serial port, 16 = 9600 baud, 8 = $GPZDA or $GPZDG
server 127.127.20.0 mode 24 minpoll 3 maxpoll 3 prefer iburst
fudge 127.127.20.0 flag1 1 flag3 1 time2 0.350 refid GPS

peer gps2.lan.side

NTP Spoof Attacks

Apparently 2 out of 3 of our GPS clocks were being used in a spoof/DDOS attack.

The basic premise is that time requests are sent to the service with a spoofed source IP, so the response goes to the spoofed address. When 100/1000/10000 clocks send results to a server/service that did not request them, the result is a denial of service attack.

Both clocks have been removed from the pool, scheduled for February 6th. Hickory.kulish.com has port 123 UDP closed at this time. The maintainer of Dickory.kulish.com has been notified.

At the height of the attack, from our perspective, we pushed 24GB (Byte not Bit) of NTP traffic in 24 hours (not much by all accounts, but enough to help with the damage the asshat was trying to cause).

One clock was misconfigured: noquery had been commented out (likely for initial testing). This has been fixed.
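
A check for the misconfiguration described above, as an added example (not the author's code): it parses ntp.conf text and reports when the active default restrict rule lacks noquery, the flag that makes ntpd refuse ntpq/ntpdc queries from hosts not otherwise allowed. The two sample configs are constructed from the ntp.conf shown on this page, and the function name audit_restrict is hypothetical.

```python
import re

# Constructed sample configs modeled on the ntp.conf above (not real files).
HARDENED = """\
restrict default nomodify noquery
restrict 127.0.0.1
restrict 10.1.1.0 mask 255.255.255.0 nomodify
"""
# The misconfiguration described above: noquery commented out for testing.
TESTING_LEFTOVER = """\
restrict default nomodify #noquery
restrict 127.0.0.1
"""

def audit_restrict(conf_text):
    """Return a list of findings about the default restrict rule(s)."""
    findings, saw_default = [], False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        active, _, comment = raw.partition("#")
        tokens = active.split()
        if tokens[:1] != ["restrict"]:
            # A fully commented-out default rule is worth a note too.
            if re.match(r"\s*restrict\s+(-[46]\s+)?default\b", comment):
                findings.append(f"line {lineno}: default restrict rule is commented out")
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args or args[0] != "default":
            continue  # host/subnet rule, e.g. the LAN exception
        saw_default = True
        flags = set(args[1:])
        if "ignore" in flags or "noquery" in flags:
            continue  # ntpq/ntpdc queries from unknown hosts are refused
        note = " (found in trailing comment)" if "noquery" in comment else ""
        findings.append(f"line {lineno}: default rule lacks noquery{note}")
    if not saw_default:
        findings.append("no active 'restrict default' rule: all hosts unrestricted")
    return findings

if __name__ == "__main__":
    for name, conf in (("hardened", HARDENED), ("leftover", TESTING_LEFTOVER)):
        print(name, audit_restrict(conf) or "ok")
```
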

Email Server Attack

Type: Brute Force
Protocol: POP3
OS: Linux 3.6.11+ armv6l
Platform: Pi Rev. B
Memory: 512M
Daemon: Dovecot 2.1.7-7
Backend Daemon: MySQL 5.5
Backend OS: Linux 2.6.32-5-amd64
Backend Platform: Generic AMD A4-3400 APU Dual Core
Backend Memory: 3.5G
Total Attempts: 13356
Avg. Attempt/s: 2.71

Postmortem:
67.136.48.186 was *unable* to successfully authenticate to any valid user.
Attack was mitigated at the firewall (DROP).
abuse@integratelecom.com was contacted about this event.

Further Information:
Fail2ban did not detect the attack, research ongoing.
Fail2ban's ability to check logging may have been overwhelmed.
All logging is done remotely, no local logging occurs.
The RPI handled the traffic/load well, never swapped.

Log Excerpt:

Feb 22 18:14:05 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:12 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:15 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:24 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user
Feb 22 18:14:26 hcpi004 dovecot: auth-worker(8400): sql(help,67.136.48.186): unknown user
Feb 22 18:14:27 hcpi004 dovecot: auth-worker(8400): sql(info,67.136.48.186): unknown user
Feb 22 18:14:28 hcpi004 dovecot: auth-worker(8400): sql(spam,67.136.48.186): unknown user
Feb 22 18:14:40 hcpi004 dovecot: auth-worker(8400): sql(administrator,67.136.48.186): unknown user
Feb 22 18:14:43 hcpi004 dovecot: auth-worker(8400): sql(support,67.136.48.186): unknown user

*SNIP*

Feb 22 19:35:23 hcpi004 dovecot: auth-worker(25283): sql(bridgette,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(danielle,67.136.48.186): unknown user
Feb 22 19:35:25 hcpi004 dovecot: auth-worker(25283): sql(coach,67.136.48.186): unknown user
Feb 22 19:36:39 hcpi004 dovecot: auth-worker(26746): sql(chuck,67.136.48.186): unknown user
Feb 22 19:36:43 hcpi004 dovecot: auth-worker(26746): sql(bryson,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(denise,67.136.48.186): unknown user
Feb 22 19:36:45 hcpi004 dovecot: auth-worker(26746): sql(dev,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(bridget,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dominic,67.136.48.186): unknown user
Feb 22 19:36:46 hcpi004 dovecot: auth-worker(26746): sql(dakota,67.136.48.186): unknown user
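
Detection logic for the log format in the excerpt above, as an added example (not the author's code and not a fail2ban filter): it counts "unknown user" failures per source address in a sliding window and reports the moment a source crosses the threshold. The parameter names maxretry and findtime are borrowed from fail2ban's options; the sample lines, host name mx1, addresses and default year are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the auth-worker line format in the excerpt above.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ dovecot: auth-worker\(\d+\): "
    r"sql\((?P<user>[^,]*),(?P<ip>[0-9a-fA-F.:]+)\): unknown user")

# Constructed sample lines in that format; 203.0.113.9 and 198.51.100.4 are
# documentation addresses, not hosts from the incident.
SAMPLE = """\
Feb 22 18:14:05 mx1 dovecot: auth-worker(100): sql(support,203.0.113.9): unknown user
Feb 22 18:14:12 mx1 dovecot: auth-worker(100): sql(info,203.0.113.9): unknown user
Feb 22 18:14:15 mx1 dovecot: auth-worker(100): sql(help,203.0.113.9): unknown user
Feb 22 18:14:20 mx1 dovecot: auth-worker(101): sql(alice,198.51.100.4): unknown user
Feb 22 18:14:24 mx1 dovecot: auth-worker(100): sql(spam,203.0.113.9): unknown user
Feb 22 18:14:28 mx1 dovecot: auth-worker(100): sql(admin,203.0.113.9): unknown user
Feb 22 18:40:00 mx1 dovecot: auth-worker(101): sql(alice,198.51.100.4): unknown user
"""

def find_offenders(log_text, maxretry=5, findtime=60, year=2000):
    """Return {ip: (time threshold was hit, usernames tried so far)} for every
    source with >= maxretry failures inside a sliding findtime-second window."""
    window = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted
    offenders = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year; the default is an arbitrary assumption.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, q = m["ip"], window[m["ip"]]
        users[ip].add(m["user"])
        q.append(ts)
        while ts - q[0] > timedelta(seconds=findtime):
            q.popleft()           # expire failures older than the window
        if len(q) >= maxretry and ip not in offenders:
            offenders[ip] = (ts, sorted(users[ip]))
    return offenders

if __name__ == "__main__":
    for ip, (when, tried) in find_offenders(SAMPLE).items():
        print(f"{ip} crossed the threshold at {when}: {tried}")
```
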

Pi GPPS Clocks

Use Chris’ PPS kernel (until I have time or am compelled to compile my own).

Compile ntp 4.2.6p5 as follows (from aquarat):
But first: apt-get install libcap-dev

./configure --enable-ATOM --enable-NMEA --enable-linuxcaps; make; make install

Disable TTY on /dev/ttyAMA0 in /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline rootwait

Set baud rate in /boot/config.txt
init_uart_baud=9600

and
Disable GPU sdram pause
# Disable GPU sdram mem pause
disable_pvt=1

Comment out getty in /etc/inittab:

#Spawn a getty on Raspberry Pi serial line
#T0:23:respawn:/sbin/getty -L ttyAMA0 115200 vt100

Add pps-gpio to /etc/modules

Disable all but $GPRMC sentences (in rc.local in my case since I have no battery):

/bin/echo -e '$PMTK314,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0*29\r\n' > /dev/ttyAMA0
/etc/init.d/ntp restart

vi /etc/udev/rules.d/09.pps.rules

KERNEL=="ttyAMA0", SYMLINK+="gps0"
KERNEL=="pps0", OWNER="root", GROUP="tty", MODE="0777", SYMLINK+="gpspps0"

Be sure to restart ntp after reducing sentence output. Mine started drifting negative when I didn’t restart.

Here is my ntp.conf.
Some will argue about whether using stratum 1 sanity servers is necessary, noselect, on and on, yada yada.
This works for me and gets me pretty good stability.

I think the numbers speak for themselves. Bear in mind that I will have 2 different GPS clocks in the near future so I am less inclined to sync to an outside source. I keep some of the better known S1 clocks in there purely for my peace of mind. I’m part of the ntppool so I do not use them to sync in the event of a GPS failure. Again, opinions vary.

GPS1:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+tick.usno.navy. .IRIG.           1 u   28   64  377   63.014   -0.940   6.541
+ntp.okstate.edu .USNO.           1 u   23   64  377   49.207   -0.392   0.185
-navobs1.wustl.e .GPS.            1 u   14   64  377   49.768   -3.915   0.237
-tick.uh.edu     .GPS.            1 u   16   64  377   56.676    5.286   0.388
oGPS_NMEA(0)     .GPS1.           0 l    5    8  377    0.000    0.017   0.003
+hcpi002.lan.sid .GPS2.           1 u    8   64  377    0.850    0.157   0.126

GPS2:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+tick.usno.navy. .IRIG.           1 u   13   64  377   63.536   -0.624   0.249
+ntp.okstate.edu .USNO.           1 u   16   64  377   49.068   -0.524   0.161
-navobs1.wustl.e .GPS.            1 u   15   64  377   50.469   -4.109   0.163
-tick.uh.edu     .GPS.            1 u    5   64  377   56.892    4.870   0.387
oGPS_NMEA(0)     .GPS2.           0 l    2    8  377    0.000   -0.100   0.008
+hcpi001.lan.sid .GPS1.           1 u   13   64  377    0.809   -0.358   0.168

Note that the GPSes are still slewing since ntpd was recently restarted.

GPS1 ntp.conf:
driftfile /var/log/ntpstats/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Sanity Servers
server tick.usno.navy.mil iburst
server ntp.okstate.edu iburst
server navobs1.wustl.edu iburst
server tick.uh.edu iburst

restrict default nomodify noquery
restrict 127.0.0.1
restrict 10.1.1.0 mask 255.255.255.0 nomodify

server 127.127.20.0 mode 17 minpoll 3 prefer #use $GPRMC only!
fudge 127.127.20.0 flag1 1 time2 0.350 refid GPS1

peer gps2.lan.side

GPS2 ntp.conf:
driftfile /var/log/ntpstats/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Sanity Servers
server tick.usno.navy.mil iburst
server ntp.okstate.edu iburst
server navobs1.wustl.edu iburst
server tick.uh.edu iburst

restrict default nomodify noquery
restrict 127.0.0.1
restrict 10.1.1.0 mask 255.255.255.0 nomodify

server 127.127.20.0 mode 17 minpoll 3 prefer #use $GPRMC only!
fudge 127.127.20.0 flag1 1 time2 0.350 refid GPS2

peer gps1.lan.side