NTP Hardening on Ubuntu 26.04
Bottom line
Ubuntu 26.04 LTS ("Resolute Raccoon") ships chrony 4.7+ as the default NTP daemon with Network Time Security (NTS) enabled out of the box - the first Ubuntu LTS to provide authenticated and encrypted time synchronization by default. This is a significant security improvement over Ubuntu 24.04, which defaulted to the unauthenticated systemd-timesyncd. The default configuration is secure for most deployments.
Hardening effort on 26.04 focuses on server-mode access control, rate limiting, systemd service sandboxing, and integration with compliance frameworks (CIS/USG/DISA-STIG). A future migration to the Rust-based ntpd-rs is planned for Ubuntu 26.10 or 27.04. Chrony remains the supported, feature-complete implementation for the full 26.04 LTS lifecycle (through 2036).
Key findings
- Ubuntu 26.04 defaults to chrony with NTS: The release notes (source-stated) confirm chrony replaces systemd-timesyncd as the default, with NTS-enabled Ubuntu time servers preconfigured in /etc/chrony/sources.d/ubuntu-ntp-pools.sources. NTS provides cryptographic authentication via TLS 1.3 key exchange (TCP 4460) followed by authenticated NTPv4 packets (UDP 123), preventing man-in-the-middle time attacks.
- ntpd-rs isn't the 26.04 default: Despite Canonical's March 2026 announcement of ntpd-rs adoption, Phoronix and Trifecta Tech (independently supported) confirm ntpd-rs is targeted for Ubuntu 26.10 availability with the default switch likely in 27.04. Ubuntu 26.04 LTS stays on chrony.
- Chrony's security architecture is defense-in-depth: The chrony project's own comparison (primary source) documents that chrony drops root privileges, uses seccomp system call filtering (enabled by default on Ubuntu/Debian via /etc/default/chrony), randomizes source ports and transmit timestamps, disables the NTP server port by default, separates the management port from NTP traffic, and uses non-blocking response rate limiting - all mitigating amplification and exploitation risks.
- Hardening is additive to strong defaults: The out-of-box configuration is client-only (port 0, no `allow` directives). Server-mode hardening requires explicit configuration: subnet-based access control (`allow`/`deny all`), per-client rate limiting (`ratelimit interval 1 burst 8 leak 2`), and binding the command port to localhost only (`bindcmdaddress 127.0.0.1`). Systemd service sandboxing (`NoNewPrivileges=yes`, `ProtectSystem=strict`, `PrivateTmp=yes`, `RestrictAddressFamilies=AF_INET AF_INET6`) adds a further layer.
- Compliance frameworks apply: Ubuntu Security Guide (USG) provides CIS Benchmark and DISA-STIG compliance tooling for Ubuntu, including time synchronization rules. DISA STIG for Ubuntu 24.04 (independently sourced) requires chrony for networked systems and mandates comparison of internal clocks with authoritative time sources - these requirements carry forward to 26.04.
Background
Network Time Protocol (NTP) synchronizes system clocks across networks. Historically, NTP had no built-in authentication, leaving it vulnerable to spoofing, man-in-the-middle attacks, and amplification DDoS (the monlist command in legacy ntpd <4.2.7 enabled 206x traffic amplification). NTS (RFC 8915, published October 2020) addresses the authentication gap by adding TLS-based key exchange and authenticated NTP packets.
Ubuntu's NTP history: Ubuntu 16.04–24.04 defaulted to systemd-timesyncd (an SNTP-only client with no authentication, no server capability). Ubuntu 25.10 switched to chrony as default. Ubuntu 26.04 LTS cements this with NTS enabled by default.
Chrony was originally developed by Miroslav Lichvar (Red Hat) and is the default NTP implementation on RHEL, Fedora, CentOS, and Arch Linux. It offers faster convergence, better VM support, hardware timestamping, and NTS support (since v4.0).
Current state
Ubuntu 26.04 LTS was released April 2026 (codename "Resolute Raccoon"). Key facts about its NTP stack:
| Item | Detail |
|---|---|
| Default NTP daemon | chrony 4.7 (upgraded from 4.5 in 24.04) |
| NTS | Enabled by default to Ubuntu NTS pools |
| Configuration path | /etc/chrony/sources.d/ubuntu-ntp-pools.sources |
| Default servers | 1-4.ntp.ubuntu.com + ntp-bootstrap.ubuntu.com (all NTS) |
| Ports used | UDP 123 (NTP), TCP 4460 (NTS key exchange) |
| systemd-timesyncd | Removed on new installs; available as optional alternative |
| Seccomp filter | Enabled by default in /etc/default/chrony |
| Chrony version at release | 4.8 (per release notes referencing changelog through Aug 2025) |
| Future | ntpd-rs planned for 26.10/27.04; not in 26.04 |
Technical or implementation details
Default NTS configuration
The out-of-box configuration in /etc/chrony/sources.d/ubuntu-ntp-pools.sources:
```
pool 1.ntp.ubuntu.com iburst maxsources 1 nts prefer
pool 2.ntp.ubuntu.com iburst maxsources 1 nts prefer
pool 3.ntp.ubuntu.com iburst maxsources 1 nts prefer
pool 4.ntp.ubuntu.com iburst maxsources 1 nts prefer
pool ntp-bootstrap.ubuntu.com iburst maxsources 1 nts certset 1
```
The bootstrap server uses special certificate handling for systems whose clock is too far off for standard TLS certificate validation - addressing the chicken-and-egg problem of NTS requiring accurate time to establish secure time sync.
Verifying NTS status
```
sudo chronyc -N authdata
# Name/IP address             Mode KeyID Type KLen Last Atmp  NAK Cook CLen
# 1.ntp.ubuntu.com            NTS     6   30  128  14d    0    0    8   64
```
Core hardening dimensions for Ubuntu 26.04
1. Access control (server mode only):
The default config has `port 0` (no server port open). If serving time to a local network, add explicit subnet restrictions:
```
allow 192.168.1.0/24
allow 10.0.0.0/8
deny all
```
2. Rate limiting:
```
ratelimit interval 1 burst 8 leak 2
```
Prevents abuse even from allowed subnets. For high-load servers, increase burst to 16.
3. Command port lockdown:
```
cmdport 323
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
```
Or disable it entirely for production with `cmdport 0` (prevents all chronyc interaction).
4. Source diversity and minimum agreement:
```
minsources 2
```
Requires at least 2 independent time sources to agree before adjusting the clock - prevents a single compromised or faulty source from poisoning time. The PrivSec.Dev hardening guide recommends minsources > 1 and references GrapheneOS's chrony.conf as a model.
5. Systemd service sandboxing:
```
# sudo systemctl edit chrony
[Service]
NoNewPrivileges=yes
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/chrony /var/log/chrony /run/chrony
RestrictAddressFamilies=AF_INET AF_INET6
LimitNOFILE=1024
LimitNPROC=64
```
6. Firewall rules:
```
# Client mode (outgoing only):
sudo ufw allow out 123/udp
sudo ufw allow out 4460/tcp   # NTS key exchange
# Server mode (restrict to local network):
sudo ufw allow from 192.168.1.0/24 to any port 123 proto udp
```
7. Symmetric key authentication (for legacy/internal servers without NTS):
```
sudo bash -c 'echo "1 SHA1 $(head -c 32 /dev/urandom | base64)" > /etc/chrony/chrony.keys'
sudo chmod 640 /etc/chrony/chrony.keys
sudo chown root:_chrony /etc/chrony/chrony.keys
```
Then reference the key in the config: `server ntp.internal.example.com iburst key 1`
8. Seccomp filter (enabled by default on Ubuntu):
Ubuntu/Debian's /etc/default/chrony ships with seccomp filtering enabled. Verify with:
```
grep -r "seccomp" /etc/default/chrony
# or check: systemctl show chrony | grep -i seccomp
```
9. Monitoring:
Key health metrics - offset <100ms, frequency drift <10ppm, active sources ≥1, stratum 2–4. Monitoring can be done via cron scripts, systemd timers, or Prometheus metrics export using `chronyc -c tracking`.
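The monitoring step above, as an added example that is not from the page or any of its sources: a health check that parses the CSV output of `chronyc -c tracking` and `chronyc -c sources`, applies the thresholds listed (offset, drift, stratum, usable sources) and emits node_exporter textfile-format metrics. Field positions follow chronyc's CSV layout; the sample lines are constructed, not captured from a real host.

```python
"""chrony health check over the CSV output of `chronyc -c tracking` and
`chronyc -c sources`. Added example; the sample lines below are constructed."""
import subprocess

def parse_tracking(csv_line):
    """Pick what the check needs from the 14-field `chronyc -c tracking` line."""
    f = csv_line.strip().split(",")
    return {"stratum": int(f[2]),
            "offset_s": float(f[4]),   # current system time offset, seconds
            "freq_ppm": float(f[7]),   # frequency error, ppm
            "leap": f[13]}             # "Normal", "Not synchronised", ...

def count_usable_sources(csv_lines):
    """Field 2 of a `chronyc -c sources` line is the state: '*' (selected) and
    '+' (combined) are usable; '?' unreachable, 'x' falseticker, '-' excluded are not."""
    return sum(1 for l in csv_lines if l.strip() and l.split(",")[1] in ("*", "+"))

def evaluate(t, usable):
    """Return alarm strings; an empty list means healthy by the guide's thresholds."""
    checks = [(abs(t["offset_s"]) > 0.100, "offset %.1f ms exceeds 100 ms" % (t["offset_s"] * 1e3)),
              (abs(t["freq_ppm"]) > 10.0, "frequency drift %.2f ppm exceeds 10 ppm" % t["freq_ppm"]),
              (t["stratum"] not in range(2, 5), "stratum %d outside 2-4" % t["stratum"]),
              (usable < 1, "no usable time source"),
              (t["leap"] == "Not synchronised", "clock not synchronised")]
    return [msg for failed, msg in checks if failed]

def prometheus_lines(t, usable):
    """Metrics in node_exporter textfile-collector format, one per line."""
    return ["chrony_tracking_offset_seconds %.9f" % t["offset_s"],
            "chrony_tracking_frequency_ppm %.3f" % t["freq_ppm"],
            "chrony_tracking_stratum %d" % t["stratum"],
            "chrony_usable_sources %d" % usable]

# Constructed sample output: a healthy host and one that has lost sync (refid 7F7F0101).
HEALTHY_TRACKING = ("C0A80101,ntp1.example.internal,3,1776000000.123456789,-0.000081234,"
                    "0.000012345,0.000034567,-2.412,0.015,0.088,0.001234,0.000567,64.2,Normal")
UNSYNCED_TRACKING = ("7F7F0101,,0,0.000000000,0.250000000,0.000000000,0.000000000,"
                     "15.000,0.000,0.000,0.000000000,0.000000000,0.0,Not synchronised")
SAMPLE_SOURCES = ["^,*,1.ntp.ubuntu.com,2,6,377,33,-1.2e-05,-1.3e-05,2.5e-04",
                  "^,+,2.ntp.ubuntu.com,2,6,377,35,3.1e-05,3.0e-05,2.7e-04",
                  "^,?,ntp-bootstrap.ubuntu.com,0,6,0,-1,0.0e+00,0.0e+00,0.0e+00"]

if __name__ == "__main__":  # live check; a non-zero exit lets a systemd timer record failure
    run = lambda cmd: subprocess.check_output(["chronyc", "-c", cmd], text=True)
    t, usable = parse_tracking(run("tracking")), count_usable_sources(run("sources").splitlines())
    alarms = evaluate(t, usable)
    print("\n".join(alarms + prometheus_lines(t, usable)))
    raise SystemExit(1 if alarms else 0)
```

Redirect the printed metric lines to a `.prom` file in the node_exporter textfile directory to get them into Prometheus; the alarm strings go to the journal via the timer unit.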
Evidence, comparisons, and related context
Chrony vs alternatives (2026)
| Implementation | NTS | Server mode | Memory safety | Default on |
|---|---|---|---|---|
| chrony 4.8 | ✅ (mature) | ✅ | C (audited, seccomp) | Ubuntu 26.04, RHEL, Fedora, Arch |
| ntpd-rs 1.7 | ✅ | ✅ | ✅ Rust | Future Ubuntu 26.10+ |
| ntpsec | ✅ | ✅ | C (hardened fork) | Debian 12 |
| ntpd (reference) | ❌ | ✅ | C (legacy) | Deprecated |
| systemd-timesyncd | ❌ | ❌ | C (systemd) | Old Ubuntu default |
Key finding from the ntpd-rs migration docs: ntpd-rs lacks hardware refclock support, NTP MAC authentication, and leap second data sourcing - features chrony has. ntpd-rs also defaults to minimum-agreeing-sources=3 (vs chrony's 1), which is more secure but may break configurations with few time sources.
NTS protocol mechanism
NTS (RFC 8915) operates in two phases:
- NTS-KE (Key Exchange): TLS 1.3 handshake over TCP port 4460. The server provides cookies (encrypted key material) to the client.
- NTPv4 with NTS extension fields: The client attaches cookies to NTP requests (UDP 123). The server decrypts the cookie, derives AEAD keys, and authenticates its response. Each cookie is single-use; the response includes fresh cookies for subsequent requests.
This prevents: time spoofing, replay attacks, and man-in-the-middle manipulation.
CIS/DISA-STIG compliance
- USG (Ubuntu Security Guide) is the official tool for applying CIS benchmarks and DISA-STIG rules on Ubuntu. It requires Ubuntu Pro subscription.
- DISA STIG for Ubuntu 24.04 (UBTU-24-100010) states: "The Ubuntu operating system must, for networked systems, compare internal information service clocks at least every 24 hours with an authoritative time server." The SCAP Security Guide includes chrony-specific rules for CIS RHEL 9 profiles - equivalent rules apply to Ubuntu through USG.
- The `scap-security-guide` package, also available on Ubuntu, provides OpenSCAP-based compliance scanning that includes chrony configuration checks.
Limitations and critiques
- NTS requires TCP 4460 outbound: Networks that block non-standard ports will cause NTS to fail silently. The bootstrap fallback server helps with clock-drift issues but not network-level blocks. Users in restrictive environments must configure non-NTS fallback servers.
- Default config is client-only: While secure, this means organizations needing an internal NTP server must explicitly configure access control, rate limiting, and monitoring - the defaults don't cover server-mode hardening.
- No dedicated Ubuntu 26.04 CIS benchmark at research time: USG is the canonical tool, but the specific CIS rule set for Ubuntu 26.04 chrony wasn't directly examined. Rules from 24.04 STIGs likely apply but need verification.
- ntpd-rs migration will require re-hardening: When Ubuntu eventually switches to ntpd-rs (targeted for 26.10/27.04), the configuration format changes from chrony's command-list style to TOML, with different defaults (e.g., `minimum-agreeing-sources=3`). Hardening configurations will need translation, and features like hardware refclocks and MAC authentication aren't yet available in ntpd-rs.
- Source bias in independent comparisons: The chrony-project.org comparison table is maintained by the chrony project itself. While factually detailed, it naturally emphasizes chrony's advantages. Community sources (NTP Pool forum) confirm chrony is widely used and well-regarded, but this is consensus rather than independent benchmarking.
- Amplification risk in server mode: While chrony isn't vulnerable to the classic `monlist` amplification (that's ntpd-specific), any open NTP server can still be abused for reflection attacks if rate limiting isn't configured. The default `port 0` prevents this, but enabling server mode without `deny all` + explicit `allow` + rate limiting creates risk.
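The amplification-risk point above, together with the server-mode steps in the hardening list, as an added example that is not code from the page or any cited source: a small audit script that parses a chrony.conf and reports the missing server-mode controls (subnet-scoped `allow`, `deny all`, `ratelimit`, loopback-only `bindcmdaddress`, `minsources 2`). It assumes, as this page states for Ubuntu's shipped config, that an absent `port` directive means port 0; the two sample configs are constructed.

```python
"""Audit a chrony.conf for the server-mode hardening points above (added
example; the two sample configs are constructed, not Ubuntu's own files)."""

def parse_conf(text):
    """(directive, args) pairs; chrony comment lines start with # % ; or !"""
    pairs = []
    for line in (l.strip() for l in text.splitlines()):
        if line and line[0] not in "#%;!":
            parts = line.split()
            pairs.append((parts[0].lower(), parts[1:]))
    return pairs

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    args_of = lambda name: [a for n, a in conf if n == name]
    first_int = lambda name, dflt: int(args_of(name)[0][0]) if args_of(name) else dflt
    findings = []
    if first_int("port", 0) != 0:  # assumption from the guide: Ubuntu ships port 0
        if not args_of("allow") or any(not a for a in args_of("allow")):
            findings.append("server port open without subnet-scoped allow directives")
        if not any(a and a[0].lower() == "all" for a in args_of("deny")):
            findings.append("missing 'deny all' default-deny rule")
        if not args_of("ratelimit"):
            findings.append("no ratelimit; server can be abused for reflection")
    if first_int("cmdport", 323) != 0:  # chrony binds the command port to loopback unless told otherwise
        binds = {a[0] for a in args_of("bindcmdaddress") if a}
        if binds and not binds <= {"127.0.0.1", "::1"}:
            findings.append("cmdport bound beyond loopback; use 127.0.0.1/::1 or cmdport 0")
    if first_int("minsources", 1) < 2:
        findings.append("minsources < 2: a single bad source can steer the clock")
    return findings

WEAK_CONF = """pool 1.ntp.ubuntu.com iburst maxsources 1 nts prefer
port 123
allow
bindcmdaddress 0.0.0.0
"""
HARDENED_CONF = """pool 1.ntp.ubuntu.com iburst maxsources 1 nts prefer
port 123
allow 192.168.1.0/24
deny all
ratelimit interval 1 burst 8 leak 2
bindcmdaddress 127.0.0.1
minsources 2
"""

if __name__ == "__main__":  # audit the live file when run directly
    print("\n".join(audit(open("/etc/chrony/chrony.conf").read()) or ["no findings"]))
```

Directives placed in /etc/chrony/conf.d/ are not read by this script; concatenate those files with chrony.conf before passing the text to `audit`.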
Open questions
- What are the exact CIS benchmark rules for NTP/chrony on Ubuntu 26.04, and how do they differ from the 24.04 STIG?
- Does Ubuntu 26.04 ship a dedicated AppArmor profile for chrony beyond the seccomp filter?
- What specific CVEs affected chrony versions 4.5 through 4.8, and are all patched in the 26.04 package?
- Will the ntpd-rs migration include an automated config translator from chrony.conf to ntp.toml?
Practical takeaways
- On fresh Ubuntu 26.04, NTP is already hardened for client use. Verify with `chronyc -N authdata` and `chronyc tracking`. No configuration changes are needed for basic client deployments.
- For NTP servers, layer your hardening: Start with `allow`/`deny all` for access control, then add rate limiting (`ratelimit interval 1 burst 8 leak 2`), then systemd sandboxing (`ProtectSystem=strict`, `NoNewPrivileges=yes`), then firewall rules restricting to known subnets. Apply `minsources 2` for clock integrity.
- Monitor aggressively: A simple cron/systemd-timer script checking `chronyc tracking` for offset >100ms and source count ≥1 catches most issues. For production, export `chronyc -c tracking` to Prometheus and alert on stratum changes or source loss.
- Plan for ntpd-rs: While not relevant for 26.04 deployments, note that ntpd-rs lacks hardware refclock support and uses stricter defaults (`minimum-agreeing-sources=3`). If you use GPS/PPS refclocks, stay on chrony indefinitely. If you use only network sources, start testing ntpd-rs in non-production when it lands in 26.10 to prepare for the eventual migration.
Sources used
- Ubuntu 26.04 LTS Release Notes (Summary for LTS users) - https://documentation.ubuntu.com/release-notes/26.04/summary-for-lts-users/
- NTP Configuration Guide on Ubuntu 26.04 - https://linuxconfig.org/ntp-configuration-guide-on-ubuntu-26-04
- Comparison of NTP implementations - https://chrony-project.org/comparison.html
- Configure NTP server with chrony and security hardening - https://binadit.com/tutorials/configure-ntp-server-with-chrony-and-security-hardening
- Configure Linux system time synchronization with chrony and NTP hardening - https://binadit.com/tutorials/configure-linux-system-time-synchronization-with-chrony-and-ntp-hardening
- How to Configure Time Synchronization on Ubuntu with NTP/Chrony - https://oneuptime.com/blog/post/2026-01-07-ubuntu-time-synchronization-ntp-chrony/view
- Desktop Linux Hardening (Time Synchronization section) - https://privsec.dev/posts/linux/desktop-linux-hardening/
- NTP Hardening Tactics - https://hackviser.com/tactics/hardening/ntp
- Chrony vs NTPsec vs NTP (NTP Pool Community) - https://community.ntppool.org/t/chrony-vs-ntpsec-vs-ntp-ntpd/3193
- NTP Amplification DDoS Attack - https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
- Ubuntu Security Guide (USG) - https://documentation.ubuntu.com/security/compliance/usg/
- Ubuntu to adopt ntpd-rs as default - https://trifectatech.org/blog/announcing-ntpd-rs-as-default-on-ubuntu/
- Ubuntu Will Switch To ntpd-rs (Phoronix) - https://www.phoronix.com/news/Ubuntu-Switching-To-ntpd-rs
- Chrony vs ntpd vs systemd-timesyncd Comparison 2026 - https://www.check-ntp.net/chrony-vs-ntpd.html
- Migrating from chrony (ntpd-rs docs) - https://docs.ntpd-rs.pendulum-project.org/guide/migrating-chrony/
- Network Time Security (Cloudflare Time Services) - https://developers.cloudflare.com/time-services/nts/