Errors ntpdate : blacklisted pool addresses

Hello,

I noticed NTP errors in my logs, and while searching I discovered that the NTP pool redirects us to blocked addresses.
Is it normal for NTP pools to redirect to addresses in the TOR blacklist?

Oct  9 04:32:45 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=45.88.109.107 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=61324 DF PROTO=UDP SPT=54549 DPT=123 LEN=56 
Oct  9 04:32:46 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:48 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:48 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=45.88.109.107 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=62920 DF PROTO=UDP SPT=54549 DPT=123 LEN=56 
Oct  9 04:32:50 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:50 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=45.88.109.107 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=64478 DF PROTO=UDP SPT=54549 DPT=123 LEN=56 
Oct  9 04:32:52 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:52 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=45.88.109.107 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=818 DF PROTO=UDP SPT=54549 DPT=123 LEN=56 
...
Oct  9 14:30:01 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=62.210.244.146 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=46516 DF PROTO=UDP SPT=59438 DPT=123 LEN=56 
Oct  9 14:30:04 ipfire  ntpdate[32260]: sendto(regar42.fr): Operation not permitted
Oct  9 14:30:06 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=62.210.244.146 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=49667 DF PROTO=UDP SPT=59438 DPT=123 LEN=56 
Oct  9 14:30:06 ipfire  ntpdate[32260]: sendto(regar42.fr): Operation not permitted
Oct  9 14:30:07 ipfire kernel: BLKLST_CIARMYIN=ppp0 OUT= MAC= SRC=180.101.56.56 DST=90.37.153.53 LEN=44 TOS=0x00 PREC=0x00 TTL=241 ID=3556 PROTO=TCP SPT=58914 DPT=3306 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct  9 14:30:08 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=62.210.244.146 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=51240 DF PROTO=UDP SPT=59438 DPT=123 LEN=56 
Oct  9 14:30:08 ipfire  ntpdate[32260]: sendto(regar42.fr): Operation not permitted
Oct  9 14:30:10 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=62.210.244.146 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=51669 DF PROTO=UDP SPT=59438 DPT=123 LEN=56 
Oct  9 14:30:10 ipfire  ntpdate[32260]: sendto(regar42.fr): Operation not permitted
...
Oct  9 16:30:02 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=195.154.200.68 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=32651 DF PROTO=UDP SPT=37609 DPT=123 LEN=56 
Oct  9 16:30:02 ipfire  ntpdate[7765]: sendto(pakitow.fr): Operation not permitted
Oct  9 16:30:03 ipfire kernel: DROP_HOSTILE IN=ppp0 OUT= MAC= SRC=89.248.165.43 DST=90.37.153.53 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=62751 PROTO=TCP SPT=55947 DPT=13151 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct  9 16:30:04 ipfire kernel: DROP_HOSTILE IN=ppp0 OUT= MAC= SRC=89.248.165.43 DST=90.37.153.53 LEN=40 TOS=0x00 PREC=0x00 TTL=245 ID=10451 PROTO=TCP SPT=55947 DPT=20871 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct  9 16:30:04 ipfire  ntpdate[7765]: sendto(pakitow.fr): Operation not permitted
Oct  9 16:30:04 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=195.154.200.68 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=34496 DF PROTO=UDP SPT=37609 DPT=123 LEN=56 
Oct  9 16:30:06 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=195.154.200.68 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=36104 DF PROTO=UDP SPT=37609 DPT=123 LEN=56 
Oct  9 16:30:06 ipfire  ntpdate[7765]: sendto(pakitow.fr): Operation not permitted
1 Like

Known issue: Firewall Blocklist - TOR Outgoing

1 Like

It’s really confusing or hard to grasp. I have my Unifi Controller VM still switched off, and the option for IPFire to synchronize the time from an external source was also inactive.
The VM is now turned off and the time server option on IPFire is active again as a test, and made available to the network. Now the first TOR hits appear in the log again. So it must have something to do with IPFire.

@pablo78

If you go to the Web User Interface /Logs/System Logs/NTP you can check which servers were used by IPFire to adjust its time and see if the pool includes the IP address present in the tor blacklist. If you want to do it from the console:

grep "ntpdate" /var/log/messages

to check ALL the logs, even the older ones:

zgrep "ntpdate" /var/log/messages*

If you want to see only when the IPFire NTP server connected to a certain IP (e.g. 45.88.109.107):

zgrep "ntpdate" /var/log/messages* | grep "45.88.109.107"

My Logs

|19:29:31|ntpd[8468]:|new interface(s) found: waking up resolver|
|—|—|—|
|19:29:31|ntpd[8468]:|Listen normally on 6 orange0 10.10.2.1:123|
|19:29:28|ntpd[8468]:|kernel reports TIME_ERROR: 0x41: Clock Unsynchronized|
|19:29:28|ntpd[8468]:|kernel reports TIME_ERROR: 0x41: Clock Unsynchronized|
|19:29:28|ntpd[8468]:|Listening on routing socket on fd #22 for interface updates|
|19:29:28|ntpd[8468]:|Listen normally on 5 tun0 10.10.5.1:123|
|19:29:28|ntpd[8468]:|Listen normally on 4 green0 10.10.1.1:123|
|19:29:28|ntpd[8468]:|Listen normally on 3 red0 192.168.178.30:123|
|19:29:28|ntpd[8468]:|Listen normally on 2 lo 127.0.0.1:123|
|19:29:28|ntpd[8468]:|Listen and drop on 1 v4wildcard 0.0.0.0:123|
|19:29:28|ntpd[8468]:|Listen and drop on 0 v6wildcard [::]:123|
|19:29:28|ntpd[8468]:|gps base set to 2020-07-05 (week 2113)|
|19:29:28|ntpd[8468]:|basedate set to 2020-07-02|
|19:29:28|ntpd[8468]:|proto: precision = 0.092 usec (-23)|
|19:29:28|ntpd[8466]:|----------------------------------------------------|
|19:29:28|ntpd[8466]:|available at https://www.nwtime.org/support|
|19:29:28|ntpd[8466]:|corporation. Support and training for ntp-4 are|
|19:29:28|ntpd[8466]:|Inc. (NTF), a non-profit 501(c)(3) public-benefit|
|19:29:28|ntpd[8466]:|ntp-4 is maintained by Network Time Foundation,|
|19:29:28|ntpd[8466]:|----------------------------------------------------|
|19:29:28|ntpd[8466]:|Command line: /usr/bin/ntpd -Ap /var/run/ntpd.pid|
|19:29:28|ntpd[8466]:|ntpd 4.2.8p15@1.3728-o Tue Jul 14 14:39:41 UTC 2020 (1): Starting|
|19:29:27|ntpdate[8418]:|adjust time server 141.64.5.250 offset +0.015602 sec|
|19:27:34|ntpd[26151]:|176.9.84.209 local addr 192.168.178.30 → |
|19:27:34|ntpd[26151]:|185.13.148.71 local addr 192.168.178.30 → |
|19:27:34|ntpd[26151]:|127.127.1.0 local addr 127.0.0.1 → |
|19:27:34|ntpd[26151]:|ntpd exiting on signal 15 (Terminated)|
|19:26:57|ntpd[26151]:|Deleting interface #5 orange0, 10.10.2.1#123, interface stats: received=0, sent= 0, dropped=0, active_time=889 secs|
|19:15:08|ntpdate[26682]:|adjust time server 79.133.44.140 offset +0.007650 sec|
|19:15:06|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|
|19:15:04|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|
|19:15:02|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|
|19:15:00|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|
|19:12:08|ntpd[26151]:|kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized|
|19:12:08|ntpd[26151]:|kernel reports TIME_ERROR: 0x2041: Clock Unsynchronized|
|19:12:08|ntpd[26151]:|Listening on routing socket on fd #23 for interface updates|
|19:12:08|ntpd[26151]:|Listen normally on 6 tun0 10.10.5.1:123|
|19:12:08|ntpd[26151]:|Listen normally on 5 orange0 10.10.2.1:123|
|19:12:08|ntpd[26151]:|Listen normally on 4 green0 10.10.1.1:123|
|19:12:08|ntpd[26151]:|Listen normally on 3 red0 192.168.178.30:123|
|19:12:08|ntpd[26151]:|Listen normally on 2 lo 127.0.0.1:123|
|19:12:08|ntpd[26151]:|Listen and drop on 1 v4wildcard 0.0.0.0:123|
|19:12:08|ntpd[26151]:|Listen and drop on 0 v6wildcard [::]:123|
|19:12:08|ntpd[26151]:|gps base set to 2020-07-05 (week 2113)|
|19:12:08|ntpd[26151]:|basedate set to 2020-07-02|
|19:12:08|ntpd[26151]:|proto: precision = 0.094 usec (-23)|

I will shut down all systems tonight so that only IPFire is running. Let’s see tomorrow if there are still log entries. If there are entries in the log, they should only come from IPFire.

It’s not necessary. The logs are telling you that the tor IP blocked by the blocklist is what IPFire attempted to connect to:

|19:15:06|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|
|19:15:04|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|
|19:15:02|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|
|19:15:00|ntpdate[26682]:|sendto(tor.nocabal.de): Operation not permitted|

178.63.52.50 is tor.nocabal.de. IPFire tried 4 times, gave up and changed to a server that allowed the sync to happen (79.133.44.140). Clearly, servers included in the tor blocklist are also part of IPFire’s NTP pool. I think you can ignore the issue. The block list will prevent the time sync for a few seconds, until another member of the pool is connected and the sync will proceed normally. This will only have the consequence of spamming your logs a bit. I think you can live with that.

2 Likes
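As an added example (not from this thread or from IPFire), here is a small Python script that does what the grep check above and the explanation in the last reply do by hand: it correlates the kernel BLKLST_* drops on outbound UDP/123 with the ntpdate "Operation not permitted" retries per ntpdate PID, and reports which pool host was refused and which server the run finally synced with. The sample log is constructed from lines like those posted in the thread; the "adjust time server" line for PID 5314 is assumed, not taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's /var/log/messages lines (the
# "adjust time server" line for PID 5314 is assumed, not taken from the thread).
SAMPLE_LOG = """\
Oct  9 04:32:45 ipfire kernel: BLKLST_TOR_ALLIN= OUT=ppp0 SRC=90.37.153.53 DST=45.88.109.107 LEN=76 PROTO=UDP SPT=54549 DPT=123 LEN=56
Oct  9 04:32:46 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:48 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:50 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:52 ipfire  ntpdate[5314]: sendto(45.88.109.107 (example.org)): Operation not permitted
Oct  9 04:32:53 ipfire  ntpdate[5314]: adjust time server 79.133.44.140 offset +0.007650 sec
Oct  9 14:30:07 ipfire kernel: BLKLST_CIARMYIN=ppp0 OUT= MAC= SRC=180.101.56.56 DST=90.37.153.53 PROTO=TCP SPT=58914 DPT=3306 SYN
Oct  9 14:30:04 ipfire  ntpdate[32260]: sendto(regar42.fr): Operation not permitted
"""

NTPDATE_RE = re.compile(r"ntpdate\[(\d+)\]: (.*)$")
SENDTO_RE = re.compile(r"sendto\((\S+?)(?: \([^)]*\))?\): Operation not permitted")
ADJUST_RE = re.compile(r"adjust time server (\S+) offset ([+-]\d+\.\d+) sec")
# IPFire's log prefix fuses the chain label with IN=, e.g. "BLKLST_TOR_ALLIN= OUT=ppp0".
KERNEL_RE = re.compile(r"kernel: (\S+?) ?IN=(\S*) OUT=(\S*) .*?DST=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)")


def summarize(log_text):
    """Per ntpdate run (PID): hosts refused by the firewall and the server that finally synced."""
    runs = defaultdict(lambda: {"blocked": [], "synced": None})
    ntp_drops = []  # (blocklist chain, destination) for our own NTP egress that was dropped
    for line in log_text.splitlines():
        k = KERNEL_RE.search(line)
        if k:
            label, _iface_in, iface_out, dst, proto, dpt = k.groups()
            # Inbound drops (OUT= empty) are unrelated scans; keep only outbound UDP/123.
            if iface_out and proto == "UDP" and dpt == "123":
                ntp_drops.append((label, dst))
            continue
        n = NTPDATE_RE.search(line)
        if not n:
            continue
        pid, msg = n.groups()
        s = SENDTO_RE.search(msg)
        if s:
            runs[pid]["blocked"].append(s.group(1))  # EPERM: refused locally by the firewall
            continue
        a = ADJUST_RE.search(msg)
        if a:
            runs[pid]["synced"] = a.group(1)
    return dict(runs), ntp_drops


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

To run it over real history, feed it the output of `zgrep -h "ntpdate\|BLKLST" /var/log/messages*` instead of the constructed sample.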

Thanks for the explanation