Chrony Clients to the GPS Clocks

apt-get install chrony

systemctl enable chrony
systemctl start chrony
systemctl status chrony

/etc/chrony/chrony.conf
# Source servers
server gps1.my.side iburst
server gps2.my.side iburst
pool pool.ntp.org maxsources 3

# Act as an NTP server
#allow

# Only allow chronyc from the localhost
cmdallow 127.0.0.1

# Record the rate at which the system clock gains/loses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Notify on error correction > 0.5 seconds
logchange 0.5

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Lock chronyd into RAM so paging cannot delay the timekeeping loop
lock_all

# Real-time scheduling priority (SCHED_FIFO), for the same reason
sched_priority 1

# Fudge Stratum if we cannot reach the internet
local stratum 10

# Save on exit
dumponexit
dumpdir /var/log/chrony

# Require 2 time sources before adjusting clock
minsources 2

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
log measurements statistics tracking

systemctl restart chrony

netstat -anu    # NTP (123) and the chronyc command socket (323) are UDP; -t would list TCP sockets only

watch "chronyc sources -v"


Chrony+GPSD (PPS+GPS) on Pi

apt-get update; apt-get -y dist-upgrade; apt -y autoremove; apt clean; apt autoclean

root@gps1:~# cat /etc/apt/sources.list
deb http://approx.my.side/raspbian/ bullseye main contrib non-free rpi

apt clean; apt update; apt upgrade; apt dist-upgrade; apt autoremove

reboot

apt-get install snmpd
apt-get install lsof
Configure remote logging

ln -s /usr/share/zoneinfo/US/Central /etc/localtime

Set swap to 1G
vi /etc/dphys-swapfile
CONF_SWAPSIZE=1024
/etc/init.d/dphys-swapfile stop
/etc/init.d/dphys-swapfile start

/boot/cmdline.txt

dwc_otg.lpm_enable=0 console=tty1 root=PARTUUID=1d8091da-02 rootfstype=ext4 elevator=deadline fsck.repair=yes net.ifnames=0 rootwait

/boot/config.txt

#GPS Changes
enable_uart=1
init_uart_baud=57600
disable_pvt=1
dtoverlay=pps-gpio,gpiopin=21
dtoverlay=pi3-disable-bt

echo "pps-gpio" >> /etc/modules

apt-get install pps-tools

reboot

lsmod
vcgencmd measure_clock arm

apt-get install gpsd gpsd-clients

/etc/default/gpsd

DEVICES="/dev/gps0"
GPSD_OPTIONS="-n"
USBAUTO="false"


root@gps1:/etc/udev/rules.d# cat 09.gps.rules
KERNEL=="ttyAMA0", SYMLINK+="gps0"
# a device node needs no execute bit, so 0666 grants everything 0777 did; 0660 plus putting the gpsd/chrony service users in group tty is tighter still
KERNEL=="pps0", OWNER="root", GROUP="tty", MODE="0666", SYMLINK+="gpspps0"

systemctl enable gpsd

reboot

systemctl status gpsd
gpsmon /dev/gps0

ppstest /dev/pps0

reboot

systemctl disable systemd-resolved
systemctl stop systemd-resolved
systemctl status
systemctl disable dhcpcd.service
Configure /etc/network/interfaces

reboot (hope for the best)

apt-get install chrony

/etc/chrony/chrony.conf

# Source Clock
refclock PPS /dev/pps0 lock NMEA refid PPS1 prefer
refclock SHM 0 offset 0.5 refid NMEA noselect

# Internal peers
peer gps2.my.side iburst prefer

# Sanity Servers. Google's public NTP smears leap seconds over 24 hours, so on a
# leap-second day these disagree with GPS by up to 0.5 s; keep the refclocks
# preferred and treat these as a cross-check only (or add noselect).
server time1.google.com iburst
server time2.google.com iburst
server time3.google.com
server time4.google.com

# Act as an NTP server
allow XXX.XXX.XXX.XXX/XX

# Only allow chronyc from the localhost
cmdallow 127.0.0.1

# Record the rate at which the system clock gains/loses time.
driftfile /var/lib/chrony/drift

# Allow the system clock to be stepped in the first three updates
# if its offset is larger than 1 second.
makestep 1.0 3

# Notify on error correction > 0.5 seconds
logchange 0.5

# Enable kernel synchronization of the real-time clock (RTC).
rtcsync

# Lock chronyd into RAM so paging cannot delay the timekeeping loop
lock_all

# Real-time scheduling priority (SCHED_FIFO), for the same reason
sched_priority 1

# Fudge Stratum if we cannot reach the internet
local stratum 10

# Get TAI-UTC offset and leap seconds from the system tz database.
leapsectz right/UTC
leapsecmode slew
maxslewrate 1000
smoothtime 400 0.001 leaponly

# Specify directory for log files.
logdir /var/log/chrony

# Select which information is logged.
log measurements statistics tracking

keyfile /etc/chrony/chrony.keys

systemctl enable chrony
systemctl status chrony
systemctl restart chrony
systemctl status chrony

watch "chronyc sources -v"
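The watch command above (and the same step in the client post) is an eyeball check. The function below is an added example, not part of either post, that turns the same chronyc sources output into a pass/fail a cron job or monitoring agent can act on: exactly one source selected (*) and at least N sources selected or combined (+) with full reach (377), which is the client post's minsources idea applied after the fact. The sample output is constructed for the example, not captured from gps1 or gps2.

```shell
#!/bin/sh
# Added example: decide from `chronyc sources` whether the clock is trustworthy.
# SAMPLE_SOURCES is constructed for this example (not real output from gps1/gps2).
SAMPLE_SOURCES='MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
#* PPS1                          0   4   377    11   -210ns[ -230ns] +/-  180ns
#? NMEA                          0   4   377    12    +41ms[  +41ms] +/-  110ms
=+ gps2.my.side                  1   6   377    20    -31us[  -30us] +/-  520us
^- time1.google.com              1   6   377    61   +210us[ +215us] +/-   11ms
^? time4.google.com              1   6     0     -     +0ns[   +0ns] +/-    0ns'

# Column 1 is two characters: mode (^ server, = peer, # refclock) and state
# (* selected, + combined, - not combined, ? unusable, x false ticker, ~ too variable).

# usable_sources: count sources in state * or + that also have full reach (377)
usable_sources() {
  awk 'NR > 2 && $5 == "377" {
         st = substr($1, 2, 1)
         if (st == "*" || st == "+") n++
       }
       END { print n + 0 }'
}

# selected_sources: number of sources in state * (exactly 1 on a healthy host)
selected_sources() {
  awk 'NR > 2 && substr($1, 2, 1) == "*" { n++ } END { print n + 0 }'
}

# sources_ok MIN: read `chronyc sources` on stdin; succeed only if one source is
# selected and at least MIN are usable (mirrors "minsources MIN" in chrony.conf)
sources_ok() {
  min=${1:-2}
  out=$(cat)
  sel=$(printf '%s\n' "$out" | selected_sources)
  use=$(printf '%s\n' "$out" | usable_sources)
  [ "$sel" -eq 1 ] && [ "$use" -ge "$min" ]
}

# Live use:  chronyc sources | sources_ok 2 || logger -p daemon.err "chrony: time sources degraded"
```

On the constructed sample the PPS refclock and the gps2 peer count as usable and the Google servers do not, so sources_ok 2 passes and sources_ok 3 fails; that is the alert you want when one GPS clock drops off the network.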

General OS Setup:
apt-get install libsasl2-modules postfix bsd-mailx deborphan
Create /root/.forward
/etc/postfix/main.cf: inet_interfaces = loopback-only

apt-get install bind9 dnsutils
named.conf.local

Fail2Ban
Install custom /etc/fail2ban/jail.local

apt-get install clamav
/etc/clamav/freshclam.conf
#NotifyClamd /etc/clamav/clamd.conf


Building GPS Clock on Pi w/ Debian Stretch

Start with Raspbian Stretch Lite

Install most current packages:
apt-get update
apt-get upgrade
apt-get dist-upgrade

Clean up packages:
aptitude search '~o'
apt-get autoremove

reboot

Test GPS Sentences:
cat /dev/ttyAMA0

Limit GPS Sentences (PMTK314 fields, in order: GLL, RMC, VTG, GGA, GSA, GSV, eleven reserved, ZDA, MCHN; 1 = once per fix, 0 = off; the *XX at the end is the NMEA checksum):
# GPZDA only (time and date; the sentence the ntpd mode 24 line below expects)
/bin/echo -e '$PMTK314,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0*29\r\n' > /dev/ttyAMA0

# GPRMC only
/bin/echo -e '$PMTK314,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0*29\r\n' > /dev/ttyAMA0
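The two commands above are hand-built, checksum included. The functions below are an added example, not from the original post, that compute the NMEA checksum (XOR of every byte between $ and *), build a PMTK314 command from sentence names so the field positions cannot be miscounted, and verify a sentence read back from the receiver before trusting it. The PMTK314 field layout and the $PMTK314,-1 default-restore command are the MTK documented values; everything else is assumed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): build and verify NMEA/PMTK sentences.

# nmea_checksum BODY -> XOR of the bytes of BODY as two uppercase hex digits
nmea_checksum() {
  sum=0
  for byte in $(printf '%s' "$1" | od -An -tu1 -v); do
    sum=$(( sum ^ byte ))
  done
  printf '%02X' "$sum"
}

# nmea_sentence BODY -> "$BODY*CS" (append "\r\n" when writing it to the receiver)
nmea_sentence() {
  printf '$%s*%s' "$1" "$(nmea_checksum "$1")"
}

# nmea_verify SENTENCE -> success only if the trailing checksum matches the body;
# use on lines read from /dev/ttyAMA0 before acting on them (a trailing CR is tolerated)
nmea_verify() {
  s=${1#\$}
  s=${s%"$(printf '\r')"}
  body=${s%%\**}
  given=$(printf '%s' "${s##*\*}" | tr 'a-f' 'A-F')
  [ "$(nmea_checksum "$body")" = "$given" ]
}

# pmtk314 NAME... -> PMTK314 body enabling only the named sentences once per fix.
# Field order (MTK API_SET_NMEA_OUTPUT): GLL RMC VTG GGA GSA GSV, eleven reserved, ZDA, MCHN.
pmtk314() {
  body=PMTK314
  i=0
  while [ "$i" -lt 19 ]; do
    rate=0
    for name in "$@"; do
      case "$name" in
        GLL) idx=0 ;;  RMC) idx=1 ;;  VTG) idx=2 ;;  GGA) idx=3 ;;
        GSA) idx=4 ;;  GSV) idx=5 ;;  ZDA) idx=17 ;; MCHN) idx=18 ;;
        *) printf 'unknown sentence %s\n' "$name" >&2; return 1 ;;
      esac
      if [ "$idx" -eq "$i" ]; then rate=1; fi
    done
    body="$body,$rate"
    i=$(( i + 1 ))
  done
  printf '%s' "$body"
}

# On the Pi:  printf '%s\r\n' "$(nmea_sentence "$(pmtk314 ZDA)")" > /dev/ttyAMA0
```

pmtk314 ZDA reproduces the post's first command exactly, and nmea_sentence 'PMTK314,-1' yields $PMTK314,-1*04, the documented command that restores the receiver's default sentence set when you need to undo the change.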

Configure Pi:
raspi-config
localisation >> [*] en_US.UTF-8 UTF-8
timezone >> Chicago
advanced >> Expand filesystem

reboot

Get and Unpack NTP source:
wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p12.tar.gz
tar -zxvf ntp-4.2.8p12.tar.gz

Compile NTP:
apt-get install libcap-dev

./configure --disable-all-clocks --disable-parse-clocks --without-lineeditlibs --enable-NMEA --enable-LOCAL-CLOCK --enable-SHM --enable-linuxcaps --enable-ATOM --enable-pps --with-sntp=no --prefix=/usr

make
make install

Boot and Kernel Configuration:
Disable the serial console on /dev/ttyAMA0 in /boot/cmdline.txt (no console=serial0 or console=ttyAMA0 entry, so the GPS has the UART to itself):
dwc_otg.lpm_enable=0 console=tty1 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline rootwait

Configure /boot/config.txt:
init_uart_baud=9600
disable_pvt=1
dtoverlay=pps-gpio,gpiopin=24

/etc/modules:
echo pps-gpio >> /etc/modules

Add udev rules for gps:
root@GPS2 /etc/udev/rules.d # cat 09.gps.rules
KERNEL=="ttyAMA0", SYMLINK+="gps0"
# a device node needs no execute bit, so 0666 grants everything 0777 did; 0660 plus group membership for the ntpd user is tighter still
KERNEL=="pps0", OWNER="root", GROUP="tty", MODE="0666", SYMLINK+="gpspps0"

reboot

Test pulse per second:
apt-get install pps-tools
ppstest /dev/pps0
ppstest /dev/gpspps0

ntp.conf:
driftfile /var/log/ntpstats/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# default: serve time only; noquery also refuses mode 6/7 queries (monlist, mrulist), which is what stops this host being used for NTP amplification
restrict default nomodify noquery
restrict 127.0.0.1
restrict 10.1.1.0 mask 255.255.255.0 nomodify

# NMEA serial port (/dev/gps0): mode 24 = 16 (9600 baud) + 8 ($GPZDA or $GPZDG)
server 127.127.20.0 mode 24 minpoll 3 maxpoll 3 prefer iburst
# flag1 1 = use the PPS signal on /dev/gpspps0 (hence the udev symlink), flag3 1 = kernel PPS discipline,
# time2 = serial sentence offset in seconds (tune it from the clockstats/peerstats logs)
fudge 127.127.20.0 flag1 1 flag3 1 time2 0.350 refid GPS

peer gps2.lan.side


Restarting GPS Clocks

Need to change hostnames and IPs for both clocks before running the commands below:


mount 10.1.1.101:/NAS/common /common
mount 10.1.1.101:/NAS/backup /backup
mount 10.1.1.101:/NAS/log/hcpi003 /var/log
mount 10.1.1.101:/NAS/admin /admin
/etc/init.d/rsyslog restart

/etc/init.d/ntp stop
/usr/sbin/ntpdate 0.pool.ntp.org

/bin/echo -e '$PMTK314,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0*29\r\n' > /dev/ttyAMA0

/etc/init.d/ntp start
watch ntpq -p 127.0.0.1


NTP Spoof Attacks

Apparently 2 of our 3 GPS clocks were being used as reflectors in a spoofed-source NTP DDoS attack.

The basic premise is that NTP requests are sent to the service with the victim's address forged as the source IP, so every reply goes to the victim instead of the sender. The monlist query (CVE-2013-5211, linked below) makes it worse because the reply is many times larger than the request. Add in 100/1000/10000 clocks sending results to a server/service that never asked for them and the result is a denial-of-service attack.

Both clocks have been removed from the pool, scheduled for February 6th. Hickory.kulish.com has port 123 UDP closed at this time. The maintainer of Dickory.kulish.com has been notified.

At the height of the attack, from our perspective, we pushed 24GB (bytes, not bits) of NTP traffic in 24 hours (not much by all accounts, but enough to help with the damage the asshat was trying to cause).

One clock was misconfigured: noquery had been commented out of its restrict default line (likely for initial testing). This has been fixed.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5211

https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/

Recent ntp versions (4.2.7p26 and later) do NOT respond to "monlist" packets at all. You can still get the equivalent list locally by issuing:

ntpq -c "mrulist" 127.0.0.1

mrulist is a mode 6 control query, so for remote hosts it is refused by the same "restrict default ... noquery" line that refuses monlist; keep that line in place and leave only 127.0.0.1 unrestricted.
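The misconfiguration described above is easy to reintroduce with one commented-out line. The function below is an added example, not part of the original post, that audits an ntp.conf for it before a clock is exposed on UDP/123: every restrict default (or restrict -4/-6 default) line must carry noquery, and the absence of "disable monitor" is noted for older ntpd builds. Both config fragments are constructed for the example; they are not the author's files.

```shell
#!/bin/sh
# Added example (not from the original post): audit ntp.conf for open mode 6/7 queries.
# Both fragments are constructed for this example, not copied from the author's clocks.
NTP_CONF_OPEN='driftfile /var/lib/ntp/ntp.drift
# restrict default nomodify noquery
restrict default nomodify
restrict 127.0.0.1
server 127.127.20.0 mode 24 prefer'

NTP_CONF_CLOSED='driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
disable monitor
server 127.127.20.0 mode 24 prefer'

# ntp_audit: read ntp.conf on stdin, print one line per finding, succeed only when every
# "restrict default" / "restrict -4|-6 default" line carries noquery. noquery refuses
# mode 6/7 queries (monlist, mrulist) from the internet while time service keeps working.
ntp_audit() {
  awk '
    /^[ \t]*#/ { next }    # a commented-out restrict line is no restriction at all
    $1 == "restrict" && ($2 == "default" || (($2 == "-4" || $2 == "-6") && $3 == "default")) {
      ndef++
      if ($0 !~ /(^|[ \t])noquery([ \t]|$)/) { bad++; print "OPEN: " $0 }
    }
    $1 == "disable" && $2 == "monitor" { mon = 1 }
    END {
      if (ndef == 0) { bad++; print "OPEN: no restrict default line at all" }
      if (!mon) print "NOTE: no \"disable monitor\"; ntpd before 4.2.7p26 answers monlist wherever noquery is absent"
      exit bad ? 1 : 0
    }'
}

# Live use:  ntp_audit < /etc/ntp.conf || echo "do not expose UDP/123 until this is fixed"
```

Run it from the same place you restart ntp (the "Restarting GPS Clocks" procedure is a natural spot) so a testing edit never makes it back into the pool.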
