A while back I wrote a blog article, “Everything you wanted to know about NTP”, on the MTIn blog.
Cloudflare has announced its NTS service, which is open to everyone. If you have an NTS client, point it at time.cloudflare.com:1234. Otherwise, point your NTP client at time.cloudflare.com. More details on configuration are available in the developer docs.
So what are the drawbacks? First, right now there are very few NTS clients. Second, you don’t want to put all your eggs in one basket: if your networks rely on NTP, as most modern networks *SHOULD*, then you are trusting someone else for a critical piece of your infrastructure.
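One way to act on both drawbacks at once is a chrony configuration that authenticates with NTS where it can and does not depend on a single provider. This is an added example, not configuration from the post or from Cloudflare's developer docs; it assumes chrony 4.0 or later (the first release with NTS support), and the second NTS server name is a placeholder to be replaced with a real, independently operated NTS server:

```conf
# /etc/chrony.conf fragment (chrony 4.0+). Added example, not from the post.

# Cloudflare's NTS service, as named in the post. The `nts` option makes
# chrony do NTS key exchange and authenticate every NTP packet from this source.
server time.cloudflare.com iburst nts

# Placeholder for a second NTS server run by a different operator, so that
# time does not depend on one organisation's service staying up.
server nts.example.org iburst nts

# Plain (unauthenticated) NTP fallback for the period in which NTS servers
# are still scarce. Drop this line once two or more NTS sources are available.
pool pool.ntp.org iburst

# Persist NTS cookies across restarts so key exchange is not redone every boot.
ntsdumpdir /var/lib/chrony

# Do not trust the clock to a single source: require at least two agreeing
# sources before chrony will adjust the system time.
minsources 2
```

After restarting chronyd, `chronyc -N authdata` shows, per source, whether NTS key exchange succeeded and how many cookies are held, and `chronyc sources` shows which sources are actually selected. The `pool.ntp.org` line is unauthenticated by design; it is the "all eggs in one basket" hedge, not a substitute for a second NTS source.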
Thanks to Jan Dennis Bungart for posting this on his Facebook page. CentOS has a kernel vulnerability which can be exploited to take the machine offline. To read the gory details:
CVE-2019-11477: SACK Panic (Linux >= 2.6.29)
CVE-2019-11478: SACK Slowness (Linux < 4.15) or Excess Resource Usage (all Linux versions)
CVE-2019-11479: Excess Resource Consumption Due to Low MSS Values (all Linux versions)
If you want to take the time to download and run the detection script, you can do so at the following link:
I copied this script, created a file on the server named “detect.sh”, did chmod 755 and chmod +x on it, and then ran it. I did this on one system to see if I needed to do a reboot after the kernel patches were applied or not. You do need to do a reboot. After that, I just installed the updates on each machine and rebooted them.
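The two questions the post answers by running the detection script are "which of the three advisories apply to this kernel line?" and "is the patched kernel installed but not yet booted?". The script below is an added example that answers both for constructed inputs; it is not the detection script the post links to. The version ranges are taken from the CVE summaries listed above, the sample `uname -r` and `rpm -q kernel` strings are constructed, and whether a distribution has backported the fix cannot be decided from the upstream version number alone (that is what the vendor script checks), so this only reports which advisories apply to the kernel line and what the interim mitigation is.

```python
"""Added example: classify a Linux kernel against the TCP SACK advisories
listed in the post and decide whether a newer installed kernel still needs a
reboot. Sample version strings are constructed, not taken from a real host."""
import re
from typing import Dict, List, Sequence, Tuple

# Leading upstream version (x.y[.z]) plus an optional distro release suffix
# such as "-957.21.3" from "3.10.0-957.21.3.el7.x86_64".
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([\d.]+))?")


def version_key(release: str) -> Tuple[int, ...]:
    """Turn a kernel release string into a tuple of integers so that
    3.10.0-957.21.3 compares greater than 3.10.0-957.12.2 (plain string
    comparison would get this wrong)."""
    m = _RELEASE_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    key = [int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)]
    if m.group(4):
        key += [int(p) for p in m.group(4).strip(".").split(".") if p]
    return tuple(key)


def applicable_cves(release: str) -> List[str]:
    """Which of the three advisories cover this upstream kernel line.
    Ranges are the ones stated in the post's CVE summaries."""
    upstream = version_key(release)[:3]
    cves = []
    if upstream >= (2, 6, 29):
        cves.append("CVE-2019-11477")  # SACK Panic: Linux >= 2.6.29
    cves.append("CVE-2019-11478")      # SACK slowness (< 4.15) / excess resource usage (all)
    cves.append("CVE-2019-11479")      # low-MSS resource consumption (all)
    return cves


def assess(release: str, tcp_sack_enabled: bool) -> Dict[str, str]:
    """Exposure per applicable CVE given the net.ipv4.tcp_sack setting.
    Disabling SACK is the interim mitigation for the two SACK advisories;
    the low-MSS issue needs the patched kernel (or filtering of low-MSS SYNs)."""
    result = {}
    for cve in applicable_cves(release):
        if cve in ("CVE-2019-11477", "CVE-2019-11478"):
            result[cve] = ("exposed (SACK enabled)" if tcp_sack_enabled
                           else "mitigated (net.ipv4.tcp_sack=0)")
        else:
            result[cve] = "exposed until patched kernel is running"
    return result


def reboot_required(running: str, installed: Sequence[str]) -> bool:
    """True when a newer kernel than the running one is installed but not yet
    booted, which is the situation the post describes after applying patches."""
    newest = max(installed, key=version_key)
    return version_key(newest) > version_key(running)


def read_tcp_sack() -> bool:
    """Read the live net.ipv4.tcp_sack setting (Linux only)."""
    with open("/proc/sys/net/ipv4/tcp_sack") as f:
        return f.read().strip() != "0"


if __name__ == "__main__":
    # Constructed sample: a CentOS 7 host running an older kernel after
    # `yum update` installed a newer one (hypothetical version numbers).
    running = "3.10.0-957.12.2.el7.x86_64"          # as from `uname -r`
    installed = [running, "3.10.0-957.21.3.el7.x86_64"]  # as from `rpm -q kernel`
    try:
        sack = read_tcp_sack()
    except OSError:
        sack = True  # not on Linux; assume the default (SACK enabled)
    for cve, status in assess(running, sack).items():
        print(f"{cve}: {status}")
    print("reboot required:", reboot_required(running, installed))
```

Running the script on the constructed sample reports all three advisories as applicable to the 3.10 line, the first two as mitigated only if `net.ipv4.tcp_sack` is 0, and `reboot required: True`, which matches what the post found: the patched kernel is on disk, but the vulnerable one is still the one running until the box is rebooted.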