Secure EndRun Tempus LX CDMA Network Time Server Template

The configuration shown here assumes that the server is acting as an anonymous NTP stratum-1 server to distribute time. Other time services such as the Daytime protocol (IETF RFC 867), the Time Protocol (IETF RFC 868) or the Precision Time Protocol (IEEE 1588) are disabled by this template by default. While the Tempus LX makes use of the NTP.org software reference implementation, enabling it to use numerous security mechanisms (e.g. MD5 authentication) and distribution features (e.g. broadcast or multicast mode), we do not consider them here. Refer to the product manual and NTP reference documentation for further details if those features are of interest or required.

The Tempus LX runs an embedded Linux distribution, which provides a functional but limited ability to customize the system. We do not recommend installing additional software on, or heavily modifying, the distribution, but the configuration changes below are made with the editor available on the unit, e3. It can operate in a mode compatible with other popular editors including emacs and vi. See the e3 documentation for help in using the editor. Note that the running root filesystem is not where changes persist: each section below ends by copying the edited file under /boot, because only the copies there survive a restart.


This setup and configuration template should work for most sites, but pay attention to the comments and notes. We recommend applying these configuration statements before you connect the Tempus LX to the network: the unit ships with a default configuration (a cleartext telnet listener, well-known default passwords for root and cntpuser, and remote root login permitted) that could allow a malicious, remote attacker to gain complete control over the system.

User Account Setup

Change the root and cntpuser passwords by running the cntppasswd utility as detailed in the product documentation. Note, running the command without any parameters changes the root password. Running the command with the cntpuser argument changes the cntpuser password.

To create a new user account to use as the remote SSH login name instead of the default cntpuser or root, as root edit /etc/passwd to include a line such as the following. Be sure to change the jsmith user name to your own, and pick a UID (2000 here) that is not already in use in /etc/passwd:

jsmith:x:2000:100:,,,:/home/jsmith:/bin/bash

Copy the updated /etc/passwd to the /boot/etc directory. You also need a password entry for the new user in /etc/shadow, which means generating a shadow-style (crypt) hash. Perhaps the easiest way to do this is with openssl. The following commands generate a suitably random password of 16 hex characters (8 random bytes) and the matching hash; be sure to record the password:

PASS=`openssl rand -hex 8` ;
echo "password: $PASS" ;
echo -n "shadow password: " ;
openssl passwd -1 "$PASS"

Note that openssl passwd -1 produces an MD5-crypt hash (it starts with $1$), the format this template assumes the unit's embedded libc accepts. Newer OpenSSL releases can also produce SHA-512 crypt hashes (openssl passwd -6), which are stronger, but only switch to that format after confirming that you can still log in to the unit with such a hash.

Using the shadow hash you generated, add a line for the new user to the /etc/shadow file (the second field is the hash) and copy the file to the /boot/etc directory.

If you created a new account, you need to ensure that the user's home directory and SSH key files are retained across a system restart. You also need to ensure the user has write access to /dev/null in order to use the scp utility for secure remote file copy. Create the user's .ssh directory under /boot/home, for example:

mkdir /boot/home/jsmith/.ssh

Put the user's public key(s) into an authorized_keys file in the .ssh directory above, one key per line exactly as ssh-keygen produced it (a wrapped or truncated key line is silently ignored by sshd). Then make sure the files are owned by the user and have restrictive permissions; sshd refuses keys in a directory or file that others can write. For example:

chown -R jsmith:users /boot/home/jsmith
chmod 400 /boot/home/jsmith/.ssh/authorized_keys
chmod 500 /boot/home/jsmith/.ssh

Now we need to update the boot process so the newly created user and login credentials will be made available upon a system restart. Edit /etc/rc.d/rc.local and put the following commands at the end of that script:

cp -pr /boot/home /
chmod go+w /dev/null

Copy /etc/rc.d/rc.local to the /boot/etc/rc.d directory, the persistent location for that script (the rc.local section below copies it to the same place after further edits).
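Putting the steps of this section together, here is an added example that is not from the EndRun documentation: a POSIX shell script that stages the passwd and shadow lines, the .ssh directory and its permissions in a scratch tree (the STAGE argument) so they can be checked before being copied onto /boot on the unit. The helper names, the STAGE layout and the default ageing fields in the shadow line are this example's own assumptions; the password and hash generation are the openssl commands used above.

```shell
#!/bin/sh
# Added example (not EndRun's code): stage the new-user files for the
# Tempus LX in a scratch tree, then copy that tree onto /boot on the unit.
# The STAGE argument and the helper names are this example's own.
set -eu

# Password of 16 hex characters (8 random bytes), as the template suggests.
gen_password() { openssl rand -hex 8; }

# MD5-crypt hash for /etc/shadow, the same 'openssl passwd -1' as on the page.
hash_password() { openssl passwd -1 "$1"; }

# add_user STAGE USER UID HASH [PUBKEY_FILE]
# Appends the passwd and shadow lines under STAGE/etc and creates
# STAGE/home/USER/.ssh with the modes the template uses.  If PUBKEY_FILE is
# given, its contents become authorized_keys.
add_user() {
    stage=$1
    user=$2
    uid=$3
    hash=$4
    if [ -f "$stage/etc/passwd" ] && grep -q "^$user:" "$stage/etc/passwd"; then
        echo "add_user: $user is already in $stage/etc/passwd" >&2
        return 1
    fi
    mkdir -p "$stage/etc" "$stage/home/$user/.ssh"
    printf '%s:x:%s:100:,,,:/home/%s:/bin/bash\n' "$user" "$uid" "$user" \
        >> "$stage/etc/passwd"
    # Third field is the last-change day (days since the epoch); the ageing
    # fields that follow are the usual defaults (min 0, max 99999, warn 7).
    printf '%s:%s:%s:0:99999:7:::\n' "$user" "$hash" "$(( $(date +%s) / 86400 ))" \
        >> "$stage/etc/shadow"
    if [ -n "${5:-}" ]; then
        cat "$5" > "$stage/home/$user/.ssh/authorized_keys"
    else
        # Paste the user's public key into this file before copying to the unit.
        : > "$stage/home/$user/.ssh/authorized_keys"
    fi
    chmod 400 "$stage/home/$user/.ssh/authorized_keys"
    chmod 500 "$stage/home/$user/.ssh"
    chmod 600 "$stage/etc/shadow"
    # Ownership can only be set where the user exists, i.e. as root on the unit.
    chown -R "$user:users" "$stage/home/$user" 2>/dev/null ||
        echo "add_user: run 'chown -R $user:users /boot/home/$user' on the unit" >&2
}

# verify_user STAGE USER: pre-flight check before the tree is copied to /boot.
# Non-zero if the passwd line, a crypt-style shadow hash, or the expected
# modes on .ssh and authorized_keys are missing.
verify_user() {
    stage=$1
    user=$2
    grep -q "^$user:x:[0-9][0-9]*:[0-9][0-9]*:" "$stage/etc/passwd" || return 1
    hash=$(grep "^$user:" "$stage/etc/shadow" | cut -d: -f2)
    case $hash in
        '$1$'*|'$6$'*) ;;            # MD5-crypt or SHA-512 crypt
        *) echo "verify_user: $user has no crypt-style hash" >&2; return 1 ;;
    esac
    [ "$(ls -ld "$stage/home/$user/.ssh" | cut -c1-10)" = "dr-x------" ] || return 1
    [ "$(ls -ld "$stage/home/$user/.ssh/authorized_keys" | cut -c1-10)" = "-r--------" ] || return 1
}

# stage_user STAGE USER UID [PUBKEY_FILE]: generate the password, print it
# once so it can be recorded, stage the files and verify them.
stage_user() {
    pass=$(gen_password)
    echo "password for $2 (record it now): $pass"
    add_user "$1" "$2" "$3" "$(hash_password "$pass")" "${4:-}"
    verify_user "$1" "$2"
}
```

Run stage_user /tmp/tempus jsmith 2000 ~/.ssh/id_rsa.pub on a workstation, append the generated passwd and shadow lines to the corresponding files on the unit, copy /tmp/tempus/home onto /boot/home, and run the chown there; it cannot succeed on the workstation because the user does not exist on it.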

Application Listeners

By default, the Tempus LX has the following services running and listening on the specified ports, in addition to NTP itself on UDP 123:

  • TELNET (TCP 23)
  • Daytime (TCP/UDP 13)
  • Time (TCP/UDP 37)
  • Precision Time Protocol (UDP 319 and UDP 320)
  • SNMP (UDP 161, started from rc.local)
  • SSH (TCP 22)

All but SSH (and NTP) will be disabled. Further, in this template we will move the SSH listener to another, arbitrarily chosen TCP port. Moving the port does not make the listener any harder to attack; it only keeps opportunistic scanners and their log noise away from it, so the account and authentication changes below are what actually matter.

/etc/inetd.conf

Obtain root access. Comment out the lines that enable the daytime, time and telnet services by prefixing those lines with a hash (#) character. No listener should remain active in inetd.conf, i.e. every non-blank line should be commented out. Now run as root:

cp -p /etc/inetd.conf /boot/etc

After the next restart, confirm from another host (for example with a port scan) that TCP 13, 23 and 37 and UDP 13 and 37 no longer answer.

/etc/ntp.conf

Obtain root access. Update the default restrict options, then add restrict lines for any hosts or networks that should be allowed extended NTP access (ntpq/ntpdc queries, for example from a monitoring host). See our Secure NTP Template for a full set of UNIX NTP configuration guidelines, but unless you know you have special needs, we recommend the following:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1

With these lines every client can still obtain time, but only the loopback address can query or modify the daemon. A host you want to monitor from needs its own restrict line; keep nomodify and notrap on it and drop only noquery. Verify after the restart by running ntpq -p against the unit from an ordinary client: it should time out, while time requests still work.

Copy /etc/ntp.conf to the /boot/etc directory so it will be retained after a system restart.

/etc/rc.d/rc.local

This file contains the calls that start the ptpd and snmpd daemons. Edit it, find those sections (look for the descriptive text 'Start the ptp daemon' and 'Start the SNMP daemon' respectively) and disable them by prefixing each line in the section with a hash comment character (#). Leave the lines you added in the User Account Setup section in place. Copy this file to the /boot/etc/rc.d directory.

/etc/sshd_config

Altering the SSH listener isn't absolutely necessary, and you may even want to disable it entirely if you never administer the unit over the network. This section shows how to change some of the default behavior: disabling remote root login, requiring public key authentication, and limiting logins to a user account name of your choosing. The critical part is to ensure the default root and cntpuser accounts are not left accessible with their default settings, since the unit ships with both enabled and set to well-known passwords. IMPORTANT: if you use the Port and AllowUsers options, set Port to an unused value between 1 and 65535 inclusive and AllowUsers to the account you created in the User Account Setup section. As root, edit the /etc/sshd_config file:

# You may wish to change the Port value to an unusual port.  To pick one
# at random from the unprivileged range, at the shell you can type:
#     expr 1024 + $RANDOM
# Check that the result is not already in use before committing to it.
# Port 22
#
# It would be best to disable remote root login and just use su from
# an unprivileged account.
PermitRootLogin no
#
# If you need remote SSH access at all, public key authentication is
# far preferable to password authentication.  Keep your current session
# open, and do not log off or restart the SSH listener until you have
# confirmed from a second session that public key authentication works;
# otherwise you can lock yourself out.  Setting up the public key was
# shown in the User Account Setup section.
PasswordAuthentication no
#
# Another bit of protection is to restrict logins to a new account name
# that only you know.  Both root and cntpuser are default system
# account names.  Creating your own account was shown in the User
# Account Setup section; uncomment this line and use that name.
# AllowUsers jsmith

Copy the /etc/sshd_config file to the /boot/etc directory.
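The inetd.conf, ntp.conf, rc.local and sshd_config edits above are easy to get subtly wrong (a restrict line missing one flag, a daemon start left uncommented). The following added example, which is not EndRun's code, is a POSIX shell audit that checks the staged copies in a scratch mirror of /boot/etc before they go onto the unit. The STAGE layout, the function names and the sample configurations written by make_sample are assumptions of this example; the samples are constructed to resemble the shipped defaults and this template, not taken from a real unit.

```shell
#!/bin/sh
# Added example (not EndRun's code): audit the staged copies of inetd.conf,
# ntp.conf, sshd_config and rc.d/rc.local under STAGE (a scratch mirror of
# /boot/etc) before they go onto the unit.  The sample configs written by
# make_sample are constructed for this example, not taken from a real unit.
set -eu

# Lines that are neither blank nor comments, i.e. the ones that take effect.
active_lines() { grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' || true; }

# audit_inetd FILE: every service in inetd.conf must be commented out.
audit_inetd() {
    n=$(( $(active_lines "$1" | wc -l) ))
    [ "$n" -eq 0 ] || { echo "inetd.conf: $n listener(s) still enabled" >&2; return 1; }
}

# audit_ntp FILE: both 'restrict default' lines must carry the template's
# flags; without noquery/nomodify the unit answers ntpq/ntpdc from anywhere.
audit_ntp() {
    rc=0
    for fam in '' '-6'; do
        line=$(active_lines "$1" | grep "^restrict[[:space:]]*$fam[[:space:]]*default" || true)
        if [ -z "$line" ]; then
            echo "ntp.conf: no 'restrict $fam default' line" >&2; rc=1; continue
        fi
        for flag in nomodify notrap nopeer noquery; do
            case " $line " in
                *" $flag "*) ;;
                *) echo "ntp.conf: 'restrict $fam default' lacks $flag" >&2; rc=1 ;;
            esac
        done
    done
    return $rc
}

# audit_sshd FILE: no remote root, no passwords, and an explicit AllowUsers.
audit_sshd() {
    rc=0
    conf=$(active_lines "$1")
    printf '%s\n' "$conf" | grep -qi '^PermitRootLogin[[:space:]][[:space:]]*no[[:space:]]*$' ||
        { echo "sshd_config: PermitRootLogin is not 'no'" >&2; rc=1; }
    printf '%s\n' "$conf" | grep -qi '^PasswordAuthentication[[:space:]][[:space:]]*no[[:space:]]*$' ||
        { echo "sshd_config: PasswordAuthentication is not 'no'" >&2; rc=1; }
    printf '%s\n' "$conf" | grep -qi '^AllowUsers[[:space:]]' ||
        { echo "sshd_config: no AllowUsers line" >&2; rc=1; }
    return $rc
}

# audit_rclocal FILE: the ptpd and snmpd start-up lines must be commented out.
audit_rclocal() {
    rc=0
    for daemon in ptpd snmpd; do
        if active_lines "$1" | grep -q "$daemon"; then
            echo "rc.local: $daemon is still started" >&2; rc=1
        fi
    done
    return $rc
}

# audit_stage STAGE: run every check; non-zero if any of them fails.
audit_stage() {
    rc=0
    audit_inetd "$1/inetd.conf" || rc=1
    audit_ntp "$1/ntp.conf" || rc=1
    audit_sshd "$1/sshd_config" || rc=1
    audit_rclocal "$1/rc.d/rc.local" || rc=1
    return $rc
}

# make_sample STAGE weak|hardened: constructed sample files for a dry run.
# 'weak' mimics the shipped defaults; 'hardened' follows this template.
make_sample() {
    mkdir -p "$1/rc.d"
    if [ "$2" = weak ]; then
        printf 'telnet  stream tcp nowait root /usr/sbin/telnetd telnetd\ndaytime stream tcp nowait root internal\n' > "$1/inetd.conf"
        printf 'restrict default\nrestrict -6 default\n' > "$1/ntp.conf"
        printf 'Port 22\n#PermitRootLogin no\nPasswordAuthentication yes\n' > "$1/sshd_config"
        printf '# Start the ptp daemon\n/usr/bin/ptpd\n# Start the SNMP daemon\n/usr/sbin/snmpd\n' > "$1/rc.d/rc.local"
    else
        printf '#telnet  stream tcp nowait root /usr/sbin/telnetd telnetd\n#daytime stream tcp nowait root internal\n' > "$1/inetd.conf"
        printf 'restrict default kod nomodify notrap nopeer noquery\nrestrict -6 default kod nomodify notrap nopeer noquery\nrestrict 127.0.0.1\nrestrict -6 ::1\n' > "$1/ntp.conf"
        printf 'PermitRootLogin no\nPasswordAuthentication no\nAllowUsers jsmith\n' > "$1/sshd_config"
        printf '# Start the ptp daemon\n#/usr/bin/ptpd\n# Start the SNMP daemon\n#/usr/sbin/snmpd\ncp -pr /boot/home /\nchmod go+w /dev/null\n' > "$1/rc.d/rc.local"
    fi
}
```

Copy the edited files from the unit into a scratch directory laid out like /boot/etc (with rc.local under rc.d) and run audit_stage on it; each failing check names the file and the setting, and the exit status is non-zero until everything passes. The audit reads only the lines that take effect, so a setting that is merely commented out counts as missing.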

Keypad EDIT Lockout

Run the lockoutkp utility as described in the product documentation. This locks the front-panel keypad's EDIT function so that someone with physical access to the unit cannot alter the configuration from the keypad.

Server SSH keys

The Tempus LX ships with an installed set of SSH server (host) keys. It is not imperative that you change them, but doing so ensures your server does not share the same keys with another server, which would let anyone holding one such unit impersonate yours to its SSH clients and undermines host identification. Generate a set of passwordless SSH server keys on another machine using the OpenSSH ssh-keygen utility like this:

ssh-keygen -t rsa1 -f ssh_host_key      -N ''
ssh-keygen -t rsa  -f ssh_host_rsa_key  -N ''
ssh-keygen -t dsa  -f ssh_host_dsa_key  -N ''

Two caveats: current OpenSSH releases no longer support -t rsa1 (SSH protocol 1), so that command fails on a modern workstation, and the ssh_host_key file is only needed if the unit's sshd still has protocol 1 enabled; and DSA host keys are refused by default by recent OpenSSH clients, so the RSA key is the one your clients will actually use. Before copying the keys, record their fingerprints (ssh-keygen -l -f ssh_host_rsa_key.pub) so you can check the "host key has changed" warning your clients will show on the next connection, and remove the unit's old entry from your known_hosts file.

Copy the resulting ssh_host_* key files to /boot/etc

Logging

The Tempus LX is capable of sending logs to a remote collector using either the stock syslog daemon or the more fully featured syslog-ng. We recommend that you send logs to a remote collector: the unit has little storage, and a local-only log can be erased by whoever compromises the unit. Consult the relevant logging daemon documentation for how to set up the associated .conf file, but remember to copy it to the /boot/etc directory so it is used and retained across a reboot. If you choose syslog-ng, simply copying the syslog-ng.conf file to the /boot/etc directory is enough to cause it to be used instead of the stock logging daemon. Keep in mind that logging resources on the platform are limited, and you may need to tune the logging configuration so as not to overwhelm the device. Consult the ntpd documentation on the logconfig option to send NTP-related events to a log file or syslog.

References