NetWitness SA Server configuration to be NTP server for other hosts

Issue

Best practice is to configure the SA Server to act as the NTP server for all other hosts within a Security Analytics environment.
This ensures that the clocks of all hosts within a site stay in sync.

Resolution

On the SA Server:
 
  • Make sure the following firewall rule is present:
-A INPUT -p udp -m udp -m multiport --dports 123 -m comment --comment "ntp" -m conntrack --ctstate NEW -j ACCEPT
 
  • This can be checked by running the following command on the SA Admin Server CLI:
#iptables -L --line-numbers | grep -i ntp
 
  • If the rule is not present by default, follow these steps to add the NTP firewall rules:
  1.  SSH into the SA Server.
  2.  Back up the existing iptables configuration:
#cp /etc/sysconfig/iptables /etc/sysconfig/iptables.backup.$(date +"%Y%m%d_%H%M")
  3.  Add an NTP entry to the INPUT chain:
A) List the current rules with their line numbers:
#iptables -L --line-numbers
B) Save the current iptables configuration:
#service iptables save
C) Take note of the line number of the final DROP in the INPUT chain, because the ACCEPT rule must be inserted before that line:
#iptables -L --line-numbers | grep DROP
Chain INPUT (policy DROP)
23 DROP all -- anywhere anywhere
Chain FORWARD (policy DROP)
1 DROP all -- anywhere anywhere
D) Add the iptables rule that allows inbound NTP traffic.
Note: In this example the final INPUT chain DROP is at line 23, so the rule is inserted at position 22 so that it lands before the DROP:
iptables -I INPUT 22 -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT
E) Add the iptables rule that allows outbound NTP traffic:
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT
  4.  Save and restart iptables if it was modified:
A) Save iptables:
#service iptables save
B) Restart iptables:
#service iptables restart
C) Verify the changes:
#iptables -L --line-numbers | grep -i ntp
22 ACCEPT udp -- anywhere anywhere state NEW udp dpt:ntp
2 ACCEPT udp -- anywhere anywhere udp spt:ntp
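The steps above require reading the rule listing by eye to find the final INPUT chain DROP and then typing the position into the insert command. The following POSIX shell script is an added example (not part of this article and not a NetWitness tool) that does that lookup from the text of iptables -L --line-numbers, checks whether an ACCEPT for udp dpt:ntp already exists, and prints the exact commands that would be run rather than executing them. The rule listing it parses is a constructed sample; on a real SA Server you would feed it the live output.

```shell
#!/bin/sh
# Added example, not NetWitness tooling: derive the insert position for the NTP
# ACCEPT rule from an `iptables -L --line-numbers` listing and print a dry-run plan.

# Constructed sample listing (not captured from a real host) so the script runs offline.
SAMPLE_RULES='Chain INPUT (policy DROP)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
2    ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
3    DROP       all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  anywhere             anywhere'

# Print the rule number of the last DROP in the INPUT chain (empty if there is none).
# Reads the listing from stdin so it works with either live output or a sample.
input_final_drop_line() {
    awk '
        /^Chain /                 { in_input = ($2 == "INPUT") }
        in_input && $2 == "DROP"  { last = $1 }
        END                       { print last }
    '
}

# Exit 0 if the INPUT chain already has an ACCEPT for udp dpt:ntp, 1 otherwise.
input_has_ntp_accept() {
    awk '
        /^Chain /  { in_input = ($2 == "INPUT") }
        in_input && $2 == "ACCEPT" && /udp dpt:ntp/ { found = 1 }
        END        { exit !found }
    '
}

# Print the commands that would add the rules (dry run: nothing is executed here).
plan_ntp_rules() {
    listing="$1"
    if printf '%s\n' "$listing" | input_has_ntp_accept; then
        echo "# NTP INPUT rule already present; nothing to do"
        return 0
    fi
    pos=$(printf '%s\n' "$listing" | input_final_drop_line)
    if [ -z "$pos" ]; then
        # No terminal DROP: appending is equivalent to inserting before it.
        echo "# no DROP found in INPUT chain; appending instead of inserting"
        echo "iptables -A INPUT -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT"
    else
        # Inserting at the DROP's own position pushes the DROP down by one,
        # so the ACCEPT lands immediately before it.
        echo "iptables -I INPUT $pos -p udp -m state --state NEW -m udp --dport 123 -j ACCEPT"
    fi
    echo "iptables -A OUTPUT -p udp --sport 123 -j ACCEPT"
    echo "service iptables save"
}

plan_ntp_rules "$SAMPLE_RULES"
```

To use it against a live host, replace the sample with iptables -L --line-numbers output, for example plan_ntp_rules "$(iptables -L --line-numbers)". Note that the script inserts at the DROP's own position rather than one above it as the article does; both placements put the ACCEPT before the DROP, and the chosen position is printed so it can be checked before anything is applied.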
 

  • To verify the NTP setting on all hosts:
Run this command from the SA Admin Server CLI:
 
salt '*' cmd.run 'hostname; cat /etc/ntp.conf | grep -i upstream -a2 | tail -n2'
Example output (each host should report server nw-node-zero):
b3fd7da3-83e6-44cd-aa33-bc98c05af753:
NW11-ESAPRIMARY
server nw-node-zero iburst maxpoll 10

6c1ffd76-a79c-4b7e-866a-43d1474f083c:
NW11-EP-BROKER
server nw-node-zero iburst maxpoll 10

7923c28f-225a-46ba-972c-ce3925b0b061:
NEW-N11-ENDPOINT
server nw-node-zero iburst maxpoll 10

fa65b8d0-66b0-4373-93c1-661c822f1b69:
NW11-DEDICATED-BROKER
server nw-node-zero iburst maxpoll 10

06a69dd3-6faa-44a8-9d4c-104532436909:
NW12-ARCHIVER
server nw-node-zero iburst maxpoll 10
 
  • To verify that all hosts are synced with the SA Admin Server:
Run this command from the SA Admin Server CLI:
salt '*' cmd.run 'ntpstat'
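The two salt checks above return one block per host, which is tedious to read across a large deployment. The following POSIX shell script is an added example (not part of this article and not a NetWitness tool) that parses both outputs and prints only the hosts needing attention: those whose ntp.conf points at a server other than nw-node-zero, and those whose ntpstat reports unsynchronised. Both sample outputs are constructed for the example; the hostname pool.example.test is made up, and salt's four-space indentation of command output is assumed.

```shell
#!/bin/sh
# Added example, not NetWitness tooling: flag hosts that fail either salt check.

# Every non-admin host should point at the SA Server (nw-node-zero), per the article.
EXPECTED_UPSTREAM="nw-node-zero"

# Constructed output of:
#   salt '*' cmd.run 'hostname; cat /etc/ntp.conf | grep -i upstream -a2 | tail -n2'
SAMPLE_UPSTREAM='b3fd7da3-83e6-44cd-aa33-bc98c05af753:
    NW11-ESAPRIMARY
    server nw-node-zero iburst maxpoll 10
6c1ffd76-a79c-4b7e-866a-43d1474f083c:
    NW11-EP-BROKER
    server pool.example.test iburst maxpoll 10'

# Constructed output of: salt '*' cmd.run 'ntpstat'
SAMPLE_NTPSTAT='b3fd7da3-83e6-44cd-aa33-bc98c05af753:
    synchronised to NTP server (10.0.0.10) at stratum 4
       time correct to within 42 ms
       polling server every 64 s
6c1ffd76-a79c-4b7e-866a-43d1474f083c:
    unsynchronised
      polling server every 64 s'

# Print "<minion-id> <hostname> <server>" for each host whose configured
# upstream is not $EXPECTED_UPSTREAM. Reads the salt output from stdin.
wrong_upstream_hosts() {
    awk -v want="$EXPECTED_UPSTREAM" '
        # A minion id is an unindented line ending in ":"; reset per-host state.
        /^[^ ].*:$/ { id = substr($0, 1, length($0) - 1); host = ""; next }
        # First line after the id is the hostname.
        host == ""  { host = $1; next }
        $1 == "server" && $2 != want { print id, host, $2 }
    '
}

# Print the minion id of each host whose ntpstat output says "unsynchronised".
unsynced_hosts() {
    awk '
        /^[^ ].*:$/ { id = substr($0, 1, length($0) - 1); next }
        $1 == "unsynchronised" { print id }
    '
}

echo "Hosts not using $EXPECTED_UPSTREAM:"
printf '%s\n' "$SAMPLE_UPSTREAM" | wrong_upstream_hosts
echo "Hosts reporting unsynchronised:"
printf '%s\n' "$SAMPLE_NTPSTAT" | unsynced_hosts
```

Against a live deployment, pipe the real salt output in instead of the samples, for example salt '*' cmd.run 'ntpstat' | unsynced_hosts. Any host listed by the second check is a candidate for the manual resync procedure below.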
 
  • To force any host to resync its clock with the SA Admin Server:
  1. SSH to the NetWitness host.
  2. Run the following commands:
#systemctl stop ntpd
#ntpdate nw-node-zero
#systemctl start ntpd


Product Details

NetWitness Product Set: NetWitness Platform
NetWitnessService Type: Node-Zero (Admin Server), Node-X
NetWitness Version/Condition: 11.x, 12.x
Platform: CentOS
O/S Version: EL7
