tlsdated doesn't appear to work well. Use a simpler cron based method

This commit is contained in:
Bob Mottram 2014-05-05 09:16:41 +01:00
parent eee5ee1fc2
commit 1f31f6f8b1
1 changed files with 13 additions and 173 deletions

View File

@ -916,186 +916,26 @@ make
make install
#+END_SRC
If you get errors during the /configure/ stage then you may need to reboot so that some of the installed dependencies take effect. Then create an init script.
If you get errors during the /configure/ stage then you may need to reboot so that some of the installed dependencies take effect.
#+BEGIN_SRC: bash
editor /etc/init.d/tlsdated
editor /etc/crontab
#+END_SRC
Add the following:
Add the following near the top of the list of tasks.
#+BEGIN_SRC: bash
#!/bin/sh
### BEGIN INIT INFO
# Provides: tlsdate
# Required-Start: $network $local_fs $remote_fs
# Required-Stop: $local_fs $remote_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: secure parasitic rdate replacement
# Description: tlsdate sets the local clock by securely connecting with
# TLS to remote servers and extracting the remote time out
# of the secure handshake. Unlike ntpdate, tlsdate uses
# TCP, for instance connecting to a remote HTTPS or TLS
# enabled service, and provides some protection against
# adversaries that try to feed you malicious time
# information.
#
### END INIT INFO
# Author: Jacob Appelbaum <jacob@appelbaum.net>
# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin
DESC="secure parasitic rdate replacement daemon"
NAME=tlsdated
DAEMON=/usr/local/sbin/tlsdated
DAEMON_ARGS=""
PIDFILE=/var/run/$NAME.pid
SCRIPTNAME=/etc/init.d/$NAME
# Exit if the package is not installed
[ -x $DAEMON ] || exit 0
# Read configuration variable file if it is present
[ -r /etc/default/$NAME ] && . /etc/default/$NAME
# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh
# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions
#
# Function that starts the daemon/service
#
do_start()
{
# Return
# 0 if daemon has been started
# 1 if daemon was already running
# 2 if daemon could not be started
start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
--exec $DAEMON --test > /dev/null \
|| return 1
start-stop-daemon --background --start --quiet --pidfile $PIDFILE \
--exec $DAEMON -- \
$DAEMON_ARGS \
|| return 2
# Add code here, if necessary, that waits for the process to be ready
# to handle requests from services started subsequently which depend
# on this one. As a last resort, sleep for some time.
}
#
# Function that stops the daemon/service
#
do_stop()
{
# Return
# 0 if daemon has been stopped
# 1 if daemon was already stopped
# 2 if daemon could not be stopped
# other if a failure occurred
start-stop-daemon --stop --quiet --retry=TERM/5/KILL/1 --pidfile $PIDFILE \
--name $NAME
RETVAL="$?"
[ "$RETVAL" = 2 ] && return 2
# Wait for children to finish too if this is a daemon that forks
# and if the daemon is only ever run from this initscript.
# If the above conditions are not satisfied then add some other code
# that waits for the process to drop all resources that could be
# needed by services started subsequently. A last resort is to
# sleep for some time.
start-stop-daemon --stop --quiet --oknodo --retry=0/5/KILL/5 --exec $DAEMON
[ "$?" = 2 ] && return 2
# Many daemons don't delete their pidfiles when they exit.
rm -f $PIDFILE
return "$RETVAL"
}
#
# Function that sends a SIGHUP to the daemon/service
#
do_reload() {
#
# If the daemon can reload its configuration without
# restarting (for example, when it is sent a SIGHUP),
# then implement that here.
#
start-stop-daemon --stop --signal 1 --quiet --pidfile $PIDFILE --name $NAME
return 0
}
case "$1" in
start)
[ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC " "$NAME"
do_start
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
stop)
[ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
do_stop
case "$?" in
0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
esac
;;
status)
status_of_proc "$DAEMON" "$NAME" && exit 0 || exit $?
;;
#reload|force-reload)
#
# If do_reload() is not implemented then leave this commented out
# and leave 'force-reload' as an alias for 'restart'.
#
#log_daemon_msg "Reloading $DESC" "$NAME"
#do_reload
#log_end_msg $?
#;;
restart|force-reload)
#
# If the "reload" option is implemented then remove the
# 'force-reload' alias
#
log_daemon_msg "Restarting $DESC" "$NAME"
do_stop
case "$?" in
0|1)
do_start
case "$?" in
0) log_end_msg 0 ;;
1) log_end_msg 1 ;; # Old process is still running
*) log_end_msg 1 ;; # Failed to start
esac
;;
*)
# Failed to stop
log_end_msg 1
;;
esac
;;
*)
echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
exit 3
;;
esac
:
*/15 * * * * root /usr/bin/timeout 20 tlsdate -v -V -l -t -H www.ptb.de -p 443
#+END_SRC
Save and exit, then start the daemon.
Save and exit.
#+BEGIN_SRC: bash
chmod +x /etc/init.d/tlsdated
update-rc.d tlsdated defaults
service tlsdated start
service cron restart
#+END_SRC
This should set the date and time from a known source (www.ptb.de) using a SSL/TLS secured connection every 15 minutes. Obviously if you wish to use a different source for the date and time then the cron entry can be edited accordingly.
** Install fail2ban
#+BEGIN_SRC: bash