2014.12.07 17:38

Analysing NTPd logs

1. set local timezone to Singapore
[root@sglab log]# ln -sf /usr/share/zoneinfo/Asia/Singapore /etc/localtime

2. check the current system time, which is wrong (the clock is months behind)
[root@sglab log]# date
Tue Jul 15 12:29:27 SGT 2014

3. install ntp, enable it at boot and start the service
[root@sglab log]# yum install ntp
[root@sglab log]# chkconfig ntpd on
[root@sglab log]# service ntpd start

4. check the system log for ntpd events (the clock_step line shows the size of the correction)
[root@sglab log]# tail -f /var/log/messages
------------------8<--------------------
Jul 15 12:32:53 sglab ntpd[1391]: ntpd 4.2.6p5@1.2349-o Sat Nov 23 18:21:48 UTC 2013 (1)
Jul 15 12:32:53 sglab ntpd[1392]: proto: precision = 0.046 usec
Jul 15 12:32:53 sglab ntpd[1392]: 0.0.0.0 c01d 0d kern kernel time sync enabled
Jul 15 12:32:53 sglab ntpd[1392]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Jul 15 12:32:53 sglab ntpd[1392]: Listen and drop on 1 v6wildcard :: UDP 123
Jul 15 12:32:53 sglab ntpd[1392]: Listen normally on 2 lo 127.0.0.1 UDP 123
Jul 15 12:32:53 sglab ntpd[1392]: Listen normally on 3 eth0 192.168.122.167 UDP 123
Jul 15 12:32:53 sglab ntpd[1392]: Listen normally on 4 lo ::1 UDP 123
Jul 15 12:32:53 sglab ntpd[1392]: Listen normally on 5 eth0 fe80::20c:29ff:fe08:b367 UDP 123
Jul 15 12:32:53 sglab ntpd[1392]: peers refreshed
Jul 15 12:32:53 sglab ntpd[1392]: Listening on routing socket on fd #22 for interface updates
Jul 15 12:32:56 sglab ntpd[1392]: 0.0.0.0 c016 06 restart
Jul 15 12:32:56 sglab ntpd[1392]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Jul 15 12:32:56 sglab ntpd[1392]: 0.0.0.0 c011 01 freq_not_set
Dec  7 16:07:48 sglab ntpd[1392]: 0.0.0.0 c61c 0c clock_step +12540885.501161 s <------- About 4.8 months
Dec  7 16:07:48 sglab ntpd[1392]: 0.0.0.0 c614 04 freq_mode
Dec  7 16:07:49 sglab ntpd[1392]: 0.0.0.0 c618 08 no_sys_peer
------------------8<--------------------

5. check that the system time is now synced with the NTP server
[root@sglab log]# date
Sun Dec  7 16:07:52 SGT 2014
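The clock_step line in step 4 is the one worth alerting on. As an added example (not part of the original post), this Python parser decodes the ntpd system status word (leap, source, count, event code per RFC 5905) from lines like the ones above and reports clock steps larger than a threshold, so a stale clock such as the 4.8-month jump here, or an unexpected step from a bad source, stands out. The sample lines are copied from the log above; the threshold value is an assumption.

```python
import re

# ntpd syslog event line, e.g.
#   Dec  7 16:07:48 sglab ntpd[1392]: 0.0.0.0 c61c 0c clock_step +12540885.501161 s
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ ntpd\[\d+\]: "
    r"(?P<peer>\S+) (?P<status>[0-9a-f]{4}) (?P<code>[0-9a-f]{2}) (?P<event>\w+)"
    r"(?: (?P<arg>[+-]?\d+\.\d+) s)?"
)

# RFC 5905 system status word: leap(2 bits) | source(6) | count(4) | code(4)
LEAP = {0: "ok", 1: "add_sec", 2: "del_sec", 3: "unsync"}

def decode_status(word):
    v = int(word, 16)
    return {"leap": LEAP[v >> 14], "source": (v >> 8) & 0x3F,
            "count": (v >> 4) & 0xF, "code": v & 0xF}

def parse_ntpd_events(lines):
    """Keep only lines carrying a status word; startup/listen lines are skipped."""
    events = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        ev = {"ts": m["ts"], "event": m["event"], **decode_status(m["status"])}
        ev["step_s"] = float(m["arg"]) if m["arg"] else None
        events.append(ev)
    return events

def large_steps(events, threshold_s=1.0):
    """(timestamp, step seconds, ~days) for clock steps beyond threshold_s (assumed 1 s)."""
    return [(e["ts"], e["step_s"], round(e["step_s"] / 86400, 1))
            for e in events
            if e["event"] == "clock_step" and e["step_s"] is not None
            and abs(e["step_s"]) > threshold_s]

# Sample taken from the /var/log/messages excerpt above.
SAMPLE = """\
Jul 15 12:32:53 sglab ntpd[1392]: proto: precision = 0.046 usec
Jul 15 12:32:56 sglab ntpd[1392]: 0.0.0.0 c016 06 restart
Jul 15 12:32:56 sglab ntpd[1392]: 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
Dec  7 16:07:48 sglab ntpd[1392]: 0.0.0.0 c61c 0c clock_step +12540885.501161 s
Dec  7 16:07:48 sglab ntpd[1392]: 0.0.0.0 c614 04 freq_mode
Dec  7 16:07:49 sglab ntpd[1392]: 0.0.0.0 c618 08 no_sys_peer
""".splitlines()

if __name__ == "__main__":
    for ts, secs, days in large_steps(parse_ntpd_events(SAMPLE)):
        print(f"{ts}: clock stepped {secs:+.3f} s (~{days} days)")
```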

Note: NTP traffic analysis
[image: 01.png]

- extract the NTP peer IP addresses from the capture (the local 192.168.x address is filtered out)
$ sudo ngrep -I ntp_only.pcap | perl -wlne 'print $1 if /U (.*?):/' | sort -u | grep -v 192.168
103.224.117.98 <------- ntp server from /etc/ntp.conf
128.199.169.185 <------- ntp server from /etc/ntp.conf
202.73.36.32 <------- ntp server from /etc/ntp.conf
203.211.149.87 <------- ntp server from /etc/ntp.conf

- ntp server list from /etc/ntp.conf
$ cat /etc/ntp.conf
------------------8<--------------------
[...]
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
[...]
------------------8<--------------------

$ host 0.centos.pool.ntp.org
0.centos.pool.ntp.org has address 128.199.169.185
0.centos.pool.ntp.org has address 103.11.143.248
0.centos.pool.ntp.org has address 103.224.117.98

$ host 1.centos.pool.ntp.org
1.centos.pool.ntp.org has address 128.199.253.156
1.centos.pool.ntp.org has address 103.233.240.1
1.centos.pool.ntp.org has address 203.123.49.200

$ host 2.centos.pool.ntp.org
2.centos.pool.ntp.org has address 202.73.36.32
2.centos.pool.ntp.org has address 203.123.48.219
2.centos.pool.ntp.org has address 103.233.241.1
2.centos.pool.ntp.org has IPv6 address 2001:df0:24f:218::2
2.centos.pool.ntp.org has IPv6 address 2001:470:36:220::10
2.centos.pool.ntp.org has IPv6 address 2400:6180:0:d0::39:7001
2.centos.pool.ntp.org has IPv6 address 2400:6180:0:d0::12:6001

$ host 3.centos.pool.ntp.org
3.centos.pool.ntp.org has address 210.23.18.205
3.centos.pool.ntp.org has address 203.211.149.87
3.centos.pool.ntp.org has address 128.199.150.55

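The annotations on the ngrep output above were done by hand against the host lookups. As an added example (not part of the original post), this Python snippet automates that cross-check: it pulls the non-local endpoints out of ngrep-style flow lines and maps each to the pool name whose resolved addresses contain it, flagging any peer that matches none. The flow lines are constructed to match the shape ngrep prints; the resolved sets are the IPv4 answers shown above, and 192.0.2.10 is a constructed unknown peer.

```python
import ipaddress
import re

# ngrep-style flow summary line (constructed), e.g.
#   U 192.168.122.167:123 -> 103.224.117.98:123
FLOW_RE = re.compile(r"^U (\S+):\d+ -> (\S+):\d+")

# IPv4 answers from `host N.centos.pool.ntp.org` in the post.
RESOLVED = {
    "0.centos.pool.ntp.org": {"128.199.169.185", "103.11.143.248", "103.224.117.98"},
    "1.centos.pool.ntp.org": {"128.199.253.156", "103.233.240.1", "203.123.49.200"},
    "2.centos.pool.ntp.org": {"202.73.36.32", "203.123.48.219", "103.233.241.1"},
    "3.centos.pool.ntp.org": {"210.23.18.205", "203.211.149.87", "128.199.150.55"},
}

def remote_peers(ngrep_lines, local_net):
    """Non-local addresses seen on either side of the UDP/123 flows."""
    net = ipaddress.ip_network(local_net)
    peers = set()
    for line in ngrep_lines:
        m = FLOW_RE.match(line)
        if not m:
            continue
        for addr in m.groups():
            if ipaddress.ip_address(addr) not in net:
                peers.add(addr)
    return peers

def classify_peers(peers, resolved):
    """Map each peer to the pool name it resolved from; None if it matches no name."""
    by_ip = {ip: name for name, ips in resolved.items() for ip in ips}
    return {ip: by_ip.get(ip) for ip in sorted(peers)}

# Constructed capture summary: the four pool peers seen in the post plus one
# TEST-NET-1 address that belongs to none of the configured pool names.
SAMPLE = """\
U 192.168.122.167:123 -> 103.224.117.98:123
U 103.224.117.98:123 -> 192.168.122.167:123
U 192.168.122.167:123 -> 128.199.169.185:123
U 192.168.122.167:123 -> 202.73.36.32:123
U 203.211.149.87:123 -> 192.168.122.167:123
U 192.0.2.10:123 -> 192.168.122.167:123
""".splitlines()

if __name__ == "__main__":
    result = classify_peers(remote_peers(SAMPLE, "192.168.0.0/16"), RESOLVED)
    for ip, name in result.items():
        print(f"{ip:16} {name or 'not in any configured pool answer set'}")
```

Pool DNS answers rotate, so an unmatched peer is a prompt to resolve the names again at capture time and review the peer list with ntpq, not proof of a rogue server on its own.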
