preventing distant period attacks on the Veeam Hardened Repository
The Veeam Backup & amp, Replication Hardened Repository is in a good position to offer eternal updates, which are in high demand. People occasionally think that network time protocol( NTP ) remote time attacks on Veeam Hardened Repository are simple. That is incorrect! It’s challenging even with the default settings on contemporary NTP customer. The default settings either allow changes to a running system in small steps( chrony ) or they don’t allow large changes during runtime( NTPD ). The attacker must alter time by day, weeks, or sometimes months or years in order to attack Hardened Repository integrity retentions. Such attacks may take months or years to complete if these minute, progressive time changes were enabled by default settings. There is a danger with the definition settings, though, if an attacker can deliver incorrect time material during operating system boot or NTP client restart. Of course, the default settings may be changed to lessen incident vectors. Utilizing national time is the simplest method for avoiding distant time attacks. I’m only referring to immutability here, but the local time of physical server clocks is” good enough” for it. Days, weeks, months, or possibly longer are designated as integrity years. Keep in mind that GFS restore things( weekly, monthly, or yearly backups ) are safeguarded throughout the holding period. That indicates that there are few necessities for exact timing.
Continue reading if you’re interested in setting up channel time securely. While keeping in mind that NTP is a process that is vulnerable to man-in-the-middle threats, this article discusses how to” safe” its people” as well as possible.” A relatively new procedure called channel time protection( NTS ) addresses man-in-the-middle issues. On Ubuntu Linux, this story also explains how to set up an NTS network with chrony acting as both a client and server.
Use site hardware time time as a quick fix.
It’s acceptable to use the national a of a site as the time supplier for Veeam Hardened Repository, as was mentioned in the introduction. The clocks of” production-grade” servers are” good enough ,” so the time will err slightly over time, but this is irrelevant because the minimum immutable time is seven days. I’m not referring to exist that are 10 years old and have flimsy batteries that waste time with each shoe!
occasion process over the network
Local time is obviously not” good enough” for every customer. Synchronicity with predetermined time sources may be necessary for protection and compliance requirements. A secure time source( no protocol defined ) must be used by a customer in order to operate Veeam Hardened Repository with SEC 17a – 4( f ), FINRA 4511( c ), and CFTC 1.31( d ) compliance. The Ubuntu operating system must, for networked systems, at least once every 24 hours compare internal information system clocks with a server that is synchronized to one of the redundant United States Naval Observatory ( USNO ) time servers, or with one designated for the appropriate DoD network( NIPRNet / SIPRNET ), and / or the Global Positioning System( GPS ), according to the DISA STIG for Ubuntu 20.04. All of the machines listed in the STIG features are NTP machines. A Veeam superintendent may want to use internal NTP servers in some environments because they are the only domestic time protocol that are available and opening cheerful ports on corporate firewalls requires a lot of paperwork. For many clients, NTP is still the accepted procedure. On website, there is also a sizable list of public occasion servers. ntppool. nonprofit for various parts of the world, or one can just use pool. ntp. com as the origin. The NTP system, which uses Windows domain controllers, is a common time source for business networks. There are security issues with NTP, just like there are with few techniques from the previous century. Consider a situation where an attacker gained administrator or source access to all configured NTP machines, or if the attacker was able to launch man-in-the-middle attacks and control all network traffic. If the time difference between NTPD and local time is too great, the default settings just stop with a” time failure.” The default settings on chrony( a contemporary NTP execution, default on Red Hat, and dark Hat derivates ) are unaffected by this approach. Chrony just slightly accelerates the time, so it will have a very long time to notice any noticeable time changes.
Let’s say the perpetrator has enough time to wait for the chrony day program to restart or the Hardened Repository server to reboot. Because Chrony automatically sets the time” properly” during startup, the default settings won’t be helpful in this situation. How to set up the Chrony NTP purchaser to withstand this kind of attack is covered in the following sections.
With Chrome as a guest on Ubuntu, increase NTP stability.
Chrony is a popular NTP client and server application. It’s the default network time client on Red Hat derivates since version 8.0. On Ubuntu, the installation is done with one command. I also install gnutls-bin for checking the TLS connection later.
apt install chrony gnutls-bin
The installation of chrony removes systemd-timesyncd (the default NTP client on Ubuntu). The chrony website has many details regarding security-related options. There are two main settings; of which, one must be changed from its default state.Edit /etc/defaults/chrony and add the “-R” option. The result looks like this:
DAEMON_OPTS="-R -F -1"
The “-R” option prevents chrony from doing large time steps during a restart of the service or a server-wide reboot. The second option is the “makestep” directive, which is set to a good value per default. The “makestep” directive defines how and how often the largest step the clock progresses. If an attacker, for example, wants to change the clock to weeks in the future, it will take months or years before the clock will change to that wrong time.
makestep 1 3
An attack against a Hardened Repository with the configuration above ends with the time being out of sync between NTP server and Hardened Repository. With “chronyc tracking”, one can see the time difference between NTP server and client.
As well, messages about that problem exist in /var/log/syslog:
chronyd: System clock wrong by 85466.423485 seconds
Now, let’s solve the man-in-the-middle attack problem by using the NTS protocol. Remember that this does not protect against situations where the attacker owns all time servers. The “-R” setting is also valid for NTS.
On Red Hat and Ubuntu, chrony circle period security client
NTS is a secure version of NTP and uses TLS. It’s a relatively new protocol, described in RFC 8915. There are relatively few public NTS servers available today. Cloudflare is likely the largest provider; there are other, additional sources in Germany, The Netherlands, Sweden and United States (list).Chrony supports NTS beginning from version 4.0. That means Ubuntu 22.04 needs to be used for the following section. (CAUTION: Ubuntu 22.04 is only supported as Hardened Repository as of Veeam Backup & Replication v12.)NTS requires TCP port 4460 outgoing, additionally to UDP port 123 for NTP. The configuration in /etc/chrony/chrony.conf needs to be changed to a server that supports NTS, and the NTS keyword must be added:
server nts.justadomain.win iburst nts
Restart chrony with “systemctl restart chrony”. Check with “chronyc -N authdata”, whether the mode is NTS and KeyID, Type and KLen have non-zero values. If that’s not the case, /var/log/syslog has more information.
If you see certificate errors in the logs, gnutls-cli can help to get a view independent from chrony. The following command must return “Handshake was completed”:
gnutls-cli -p 4460 --alpn=ntske/1 --logfile /dev/stderr your.server.tld /dev/null
The configuration on Red Hat Enterprise Linux (RHEL) or other derivates is similar to Ubuntu. The configuration file is /etc/chrony.conf and “systemctl restart chronyd” is restarting chrony. Remember, RHEL 9 is only supported with Veeam Backup & Replication v12 as Hardened Repository.If you want to host your own NTS service, the next section explains how to do that with chrony as time server on Ubuntu 22.04.
Ubuntu circle time protection server with chrony
Before we begin the chrony server configuration, we need TLS certificates. In the example below, I use Let’s Encrypt certificates that are managed by certbot. The installation of certbot is again one command:
apt install certbot
Then a certificate gets requested and the challenge solved via DNS TXT record. You must have permissions on the public DNS server configuration.
certbot --manual --preferred-challenges dns certonly -d nts.justadomain.win --staple-ocsp -m email@example.com --agree-tosRequesting a certificate for nts.justadomain.win- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -Please deploy a DNS TXT record under the name:_acme-challenge.nts.justadomain.win.with the following value:ZI8HODh6B4n8naQGX4nRsHIqNu13KWjuBHIR5o6Ix7ECertificate is saved at: /etc/letsencrypt/live/nts.justadomain.win/fullchain.pemKey is saved at: /etc/letsencrypt/live/nts.justadomain.win/privkey.pem
Copy the certificate and private key file to a place where the “_chrony” user has access. I put them in /etc/chrony/certs/ and the permissions look like this:
root@ntpserver2204:/etc/chrony/certs# ls -la-r-------- 1 _chrony root 5603 Oct 5 17:23 fullchain.pem-r-------- 1 _chrony root 1704 Oct 5 17:26 privkey.pem
Finally, chrony needs to be configured to use the certificate and act as server. The configuration itself is done again in /etc/chrony/chony.conf:
ntsservercert /etc/chrony/certs/fullchain.pemntsserverkey /etc/chrony/certs/privkey.pemallow 192.168.0.0/16 #define your client networks here
Restart chrony with “systemct restart chrony”. If clients connect with NTS, that information is visible with the “chronyc serverstats” command.
It is necessary to open the incoming ports UDP 123 ( NTP ) and TCP 440 -( NTS – KE ) if the firewall is enabled on the NTS server.
Circle time threats against Veeam Hardened Repository can be easily avoided. Attacks on an up-and-running Hardened Repository site are avoided by common NTP clients’ default settings. By starting chrony with the”- R” flag and properly setting the makestep directive( use defaults or remove completely ), one can safeguard against potential attacks during operating system startup or restart of the time service. NTS is simple to set up if you want to use a router time protocol that is more stable.