How to: FreeBSD Setup Time / Clock Synchronization with NTP server and ntpdate command

Posted in categories FreeBSD, Howto, Sys admin, Tips, UNIX. Last updated January 25, 2006.

FreeBSD uses the Network Time Protocol (NTP) to synchronize the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123. If you have one computer or a single server, you can easily synchronize its time with other NTP servers. All you need is the NTP client called ntpdate, which sets the date and time via NTP servers.

FreeBSD: Install NTP Client

Use any one of the following commands to install NTP:

# pkg_add -rv ntp

OR

# cd /usr/ports/net/ntp
# make; make install

Pick appropriate NTP Servers

Visit the public NTP time server list to pick your NTP server.

Open UDP port 123 at firewall

If you are running the FreeBSD ipfilter firewall, you need to open UDP port 123. Just add the following rule to your firewall script:

pass out quick on lnc0 proto udp from YOUR-SERVER to any port = 123 keep state

OR

pass out quick on lnc0 proto udp from YOUR-SERVER to TIME-SERVER-IP port = 123 keep state

For example, if my FreeBSD workstation IP is 192.168.1.16 and 61.246.176.131 is the IP of the NTP server, then my rule in the ipf.conf file is as follows:

pass out quick on lnc0 proto udp from 192.168.1.16 to 61.246.176.131 port = 123 keep state

FreeBSD test clock synchronization

Run the ntpdate command as follows to check that you can set the date and clock via NTP.

Set a wrong date (Mon Dec 13 4:27 pm):

# date 0412131627

Now set the correct date with the NTP client:

# ntpdate -v -b in.pool.ntp.org

13 Dec 16:27:50 ntpdate[997]: ntpdate 4.2.0-a Thu Nov 3 07:34:22 UTC 2005 (1)
25 Jan 12:35:47 ntpdate[997]: step time server 61.246.176.131 offset 35237275.965726 sec

You can verify that the correct date is set:

# date

Output:

Wed Jan 25 12:36:21 IST 2006
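The step line printed by ntpdate above is worth watching for in logs, because a large correction shifts every timestamp recorded after it. The following sh/awk filter is an added example, not part of the original post; the second and third log entries are constructed, and THRESHOLD is a hypothetical policy value.

```shell
#!/bin/sh
# Added example: flag large clock corrections recorded by ntpdate.
# Reads ntpdate log lines on stdin and prints "<mode> <server> <offset>"
# for every correction whose absolute offset exceeds $1 (seconds).
flag_large_offsets() {
    awk -v max="$1" '
        /ntpdate\[[0-9]+\]: (step|adjust) time server / {
            mode = srv = off = ""
            for (i = 2; i < NF; i++) {
                if ($i == "time" && $(i + 1) == "server") mode = $(i - 1)
                if ($i == "server") srv = $(i + 1)
                if ($i == "offset") off = $(i + 1)
            }
            mag = off + 0                 # numeric value of the offset
            if (mag < 0) mag = -mag       # compare on magnitude, sign kept in output
            if (mag > max + 0) print mode, srv, off
        }'
}

# Sample input. Lines 1-2 are the output shown in the post;
# lines 3-4 are constructed for this example.
sample_ntpdate_log() {
    cat <<'EOF'
13 Dec 16:27:50 ntpdate[997]: ntpdate 4.2.0-a Thu Nov 3 07:34:22 UTC 2005 (1)
25 Jan 12:35:47 ntpdate[997]: step time server 61.246.176.131 offset 35237275.965726 sec
26 Jan 03:00:01 ntpdate[1204]: adjust time server 61.246.176.131 offset 0.004211 sec
27 Jan 03:00:02 ntpdate[1310]: step time server 61.246.176.131 offset -86400.120000 sec
EOF
}

# Hypothetical policy: report any correction larger than one minute.
THRESHOLD=60
sample_ntpdate_log | flag_large_offsets "$THRESHOLD"
```

The version banner and the small adjust entry are ignored; both step entries are reported with their original offset strings.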

Enable date and time / clock synchronization at boot time

You need to enable ntpdate via the /etc/rc.conf file.

# vi /etc/rc.conf

Append the following lines to it:
ntpdate_enable="YES"
ntpdate_hosts="asia.pool.ntp.org"

Save and close the file. Make sure you have the correct ntpdate_hosts server entry.

Updated for accuracy.

FreeBSD keep ports collection up to date in two easy steps

Posted in categories FreeBSD, Howto. Last updated January 8, 2006.

The FreeBSD ports collection offers a simple way for users and administrators to install applications. The ports made FreeBSD quite popular. Keeping ports up to date is an essential task.

FreeBSD Install cvsup

If you have never upgraded the FreeBSD ports collection, this first step is required; otherwise skip it and go to step 2.

# pkg_add -r cvsup-without-gui
# mkdir /usr/ports

CVSup is a software package for distributing and updating collections of files (ports) across a network.

Update ports collection/tree

# cvsup -L 2 -h cvsup9.FreeBSD.org /usr/share/examples/cvsup/ports-supfile

The above step will take some time to fetch files, and it will update your ports collection.

Note: if you get an error as follows:

Rejected by server: Access limit exceeded; try again later
Will retry at 01:36:41

Then replace cvsup9.FreeBSD.org with cvs8.freebsd.org, cvs7.freebsd.org, etc. You are done. Before installing packages from the updated tree, consider installing the security auditing port to avoid vulnerability warnings. Now you can install applications via ports.

Running the cvsup command again later will download and apply all the recent changes to your Ports Collection, but it will not rebuild the ports installed on your own system. Next time you will see how to use the portupgrade utility to upgrade installed ports.

portsnap command

You can also use the portsnap command, an alternative system for distributing the Ports Collection. It was first included in FreeBSD 6.0. Install portsnap as follows:

# mkdir /usr/ports
# pkg_add -r portsnap
# portsnap fetch
# portsnap extract
# portsnap update

See the FreeBSD handbook topic Using Portsnap for more information.

FreeBSD Enable Security Port Auditing to Avoid Vulnerabilities With portaudit

Posted in categories FreeBSD, Howto, Security, Sys admin, Tip of the day, Tips. Last updated September 26, 2005.

This is a nifty new and long-demanded feature in FreeBSD. A port called portaudit provides a system to check whether installed ports are listed in a database of published security vulnerabilities. After installation it updates this security database automatically and includes its reports in the output of the daily security run. If you get a message like the following:

Vulnerability check disabled, database not found

you need to install a small port called portaudit. From the man page:

portaudit checks installed packages for known vulnerabilities and generates reports including references to security advisories. Its intended audience is system administrators and individual users.

Install portaudit

1) Change to the portaudit port directory (log in as root):
# cd /usr/ports/ports-mgmt/portaudit
Please note that the old portaudit port was located at /usr/ports/security/portaudit/.
2) Install portaudit:
# make install clean
Output:

===>  WARNING: Vulnerability database out of date, checking anyway
===>  Extracting for portaudit-0.5.12
===>  Patching for portaudit-0.5.12
===>  Configuring for portaudit-0.5.12
===>  Building for portaudit-0.5.12
===>  Installing for portaudit-0.5.12
===>   Generating temporary packing list
===>  Checking if ports-mgmt/portaudit already installed
===>   Compressing manual pages for portaudit-0.5.12
===>   Registering installation for portaudit-0.5.12
===>  Cleaning for portaudit-0.5.12

3) Fetch the database so that port auditing is activated immediately. By default the port installs a shell script ‘portaudit’ in /usr/local/etc/periodic/security/:
# /usr/local/sbin/portaudit -Fda
Output:

auditfile.tbz                                 100% of   47 kB  405 kBps
New database installed.
Database created: Wed Feb 27 06:10:01 CST 2008
0 problem(s) in your installed packages found.

Where,

  • -F: Fetch the current database from the FreeBSD servers.
  • -d: Print the creation date of the database.
  • -a: Print a vulnerability report for all installed packages.

4) The portaudit script is called automatically via FreeBSD’s periodic (cron job) facility, so your database is updated automatically every day.

Let us assume you would like to install a port called sudo. If it has known vulnerabilities, the build stops and sudo is not installed:
# cd /usr/ports/security/sudo
# make install clean

===>  sudo-1.6.8.7 has known vulnerabilities:
=> sudo -- local race condition vulnerability.
   Reference: <http://www.FreeBSD.org/ports/portaudit/3bf157fa-e1c6-11d9-b875-0001020eed82.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/security/sudo.

For more information, refer to the portaudit man page:
$ man portaudit
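To act on the report from a script instead of reading the daily mail, the output of portaudit -a can be parsed and turned into an exit status. This sh/awk sketch is an added example, not part of portaudit or of the original post. It assumes the report uses "Affected package:", "Type of problem:" and "Reference:" records followed by the "N problem(s)" summary line; the sample report is constructed from the sudo entry shown above.

```shell
#!/bin/sh
# Added example: parse a portaudit report read from stdin.
# Assumed record labels: "Affected package:", "Type of problem:", "Reference:".

# Print one "package|problem|reference" line per finding.
portaudit_findings() {
    awk '
        /^Affected package: / { pkg  = substr($0, 19) }
        /^Type of problem: /  { prob = substr($0, 18) }
        /^Reference: / {
            ref = substr($0, 12)
            gsub(/[<>]/, "", ref)          # strip the angle brackets around the URL
            print pkg "|" prob "|" ref
            pkg = prob = ref = ""
        }'
}

# Exit status: 0 = no problems, 1 = vulnerable packages found,
# 2 = no summary line at all (for example "database not found").
portaudit_gate() {
    awk '
        /^[0-9]+ problem\(s\) in your installed packages found\.$/ { n = $1; seen = 1 }
        END {
            if (!seen) exit 2
            exit ((n + 0 > 0) ? 1 : 0)
        }'
}

# Constructed sample report, built from the sudo finding shown in the post.
sample_report() {
    cat <<'EOF'
Affected package: sudo-1.6.8.7
Type of problem: sudo -- local race condition vulnerability.
Reference: <http://www.FreeBSD.org/ports/portaudit/3bf157fa-e1c6-11d9-b875-0001020eed82.html>

1 problem(s) in your installed packages found.
EOF
}

sample_report | portaudit_findings
sample_report | portaudit_gate || echo "gate status: $?"
# On a real system: /usr/local/sbin/portaudit -a | portaudit_gate
```

Status 2 keeps a missing or unreadable database from being mistaken for a clean result.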

FreeBSD: Becoming Super User (su) or Enabling su Access For User Account

Posted in categories FreeBSD. Last updated February 23, 2005.

The superuser is a privileged user with unrestricted access to all files and commands. The superuser has the special UID (user ID) 0. You need to become super user (root) only when tasks need root permissions. Here is how to become a super user: