From owner-freebsd-security@FreeBSD.ORG Tue Sep 9 16:46:11 2008
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CCEC8106566B; Tue, 9 Sep 2008 16:46:11 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org)
Received: from QMTA01.westchester.pa.mail.comcast.net (qmta01.westchester.pa.mail.comcast.net [76.96.62.16]) by mx1.freebsd.org (Postfix) with ESMTP id 76C528FC08; Tue, 9 Sep 2008 16:46:10 +0000 (UTC) (envelope-from jdc@koitsu.dyndns.org)
Received: from OMTA09.westchester.pa.mail.comcast.net ([76.96.62.20]) by QMTA01.westchester.pa.mail.comcast.net with comcast id CfGy1a0020SCNGk51gm9lx; Tue, 09 Sep 2008 16:46:09 +0000
Received: from koitsu.dyndns.org ([67.180.253.227]) by OMTA09.westchester.pa.mail.comcast.net with comcast id Cgm81a00Y4v8bD73Vgm8Eh; Tue, 09 Sep 2008 16:46:09 +0000
Received: by icarus.home.lan (Postfix, from userid 1000) id 19CF117B84E; Tue, 9 Sep 2008 09:46:08 -0700 (PDT)
Date: Tue, 9 Sep 2008 09:46:08 -0700
From: Jeremy Chadwick
To: gahn
Cc: freebsd security , Oliver Peter
Subject: Re: jails
Message-ID: <20080909164608.GA2448@icarus.home.lan>
References: <20080909153559.GD10842@nemesis.frida.mouhaha.de> <104708.43710.qm@web52108.mail.re2.yahoo.com>
In-Reply-To: <104708.43710.qm@web52108.mail.re2.yahoo.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Tue, 09 Sep 2008 16:46:11 -0000

On Tue, Sep 09, 2008 at
08:45:33AM -0700, gahn wrote:
> Hello:
>
> I don't know what you were referring to, but the date and time of the machine was set correctly.
>
> #date
> Tue Sep 9 11:40:04 EDT 2008
>
> best

Is your system clock skewing a lot? Are you running ntpd? (I hope you're not using ntpdate from a cronjob; that would pretty much guarantee what you're seeing.)

You can't easily tell clock skew with userland utilities, but the result often manifests itself in the way you're seeing. I can provide some advice on how to use ntpd/ntpq/ntpdc if need be.

If you're not using ntpd, you should be! Here's a decent/proper ntp.conf (you should visit the use.html document and pick servers that are appropriate for your region). Do not add "iburst" to all of the servers; just the first one.

# north-america.pool.ntp.org
# http://www.pool.ntp.org/use.html
#
# maxpoll 9 is used to work around PLL/FLL flipping, which
# happens at exactly 1024 seconds (the default maxpoll value).
# Another FreeBSD member recommended using 9 instead.
# http://lists.freebsd.org/pipermail/freebsd-stable/2006-December/031512.html
#
server 0.north-america.pool.ntp.org maxpoll 9 iburst
server 1.north-america.pool.ntp.org maxpoll 9
server 2.north-america.pool.ntp.org maxpoll 9

# Default: ignore all ntp queries from all other hosts. Packets
# to/from "server" lines are still respected.
restrict default noquery nomodify nopeer

# Allow queries to/from localhost, used for ntpdc and other utils
# Allow queries to/from the local private network (read-only)
restrict 127.0.0.0 mask 255.0.0.0
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap

After, run "ntpdate <server>", where server is the first server in your list. ntpdate should update the clock for you, and provide you an idea of just how skewed it was compared to the remote NTP server's clock.

Then you can run ntpd safely. Just place the below into /etc/rc.conf and run /etc/rc.d/ntpd start. (ntpd_sync_on_start is primarily for when you reboot the box; don't let the name mislead you.)

ntpd_enable="yes"
ntpd_sync_on_start="yes"

Hope this helps, or at least educates.

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
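As an added example (my own code, not from Jeremy's post), a short Python checker for the three points made about the ntp.conf above: the options on the "restrict default" line, "iburst" on the first server only, and an explicit maxpoll on every server. Both sample files are constructed inline; the first is the post's config with its comments stripped.

```python
import shlex
# Options the post requires on the "restrict default" line.
REQUIRED_DEFAULT = {"noquery", "nomodify", "nopeer"}

def parse_ntp_conf(text):
    """Split ntp.conf text into (keyword, args) pairs; comments and blank lines are dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = shlex.split(line)
            entries.append((words[0], words[1:]))
    return entries

def check_ntp_conf(text):
    """Return a list of findings; an empty list means the file follows the post's advice."""
    findings = []
    entries = parse_ntp_conf(text)
    servers = [args for kw, args in entries if kw == "server"]
    defaults = [args for kw, args in entries if kw == "restrict" and args[:1] == ["default"]]
    if not defaults:
        findings.append("no 'restrict default' line: any host may query and modify ntpd")
    else:
        missing = REQUIRED_DEFAULT - set(defaults[0][1:])
        if missing:
            findings.append("restrict default lacks " + ", ".join(sorted(missing)))
    for i, args in enumerate(servers):
        name = args[0]
        if "iburst" in args and i != 0:
            findings.append(f"{name}: iburst belongs on the first server only")
        if "maxpoll" not in args:
            findings.append(f"{name}: no maxpoll, so polling grows to the 1024 s default")
    return findings

# Constructed sample: the post's ntp.conf with the comments stripped.
GOOD_CONF = """
server 0.north-america.pool.ntp.org maxpoll 9 iburst
server 1.north-america.pool.ntp.org maxpoll 9
server 2.north-america.pool.ntp.org maxpoll 9
restrict default noquery nomodify nopeer
restrict 127.0.0.0 mask 255.0.0.0
restrict 192.168.1.0 mask 255.255.255.0 nomodify nopeer notrap
"""
# Constructed sample of a weak file: no default restriction, iburst everywhere, no maxpoll.
WEAK_CONF = """
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
restrict 127.0.0.1
"""
```

Call check_ntp_conf() on the text of /etc/ntp.conf; an empty list means the file matches the advice above, otherwise each finding names the offending line.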