New 16.04 Ubuntu MATE install TOR NTP and Welcome/Software Connectivity Issues

Hey all. I’ve been motivated by the discussions over at Jupiter Broadcasting podcasts to try Ubuntu MATE 16.04.9 LTS (Linux m8 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 GNU/Linux). I’d like to utilize this VM as a potential suitor for replacing my current Debian Jessie rig.

My VM is configured to utilize network preferences. I am able to browse the web via Firefox with no browser proxy setting changes, as well as being able to apt-get packages. However, I am not able to leverage the online Welcome components and am presented with a Retry Connection button once network connectivity is established.

Also I noticed that NTP updates were going out to known TOR IPs. Not a show stopper but not wanted in a corporate environment. I changed the time (via GUI) to leverage a manually set time versus NTP. Unfortunately the behavior persisted in reaching out to TOR for NTP updates via UDP 123.

I hope that this is not a totally noob ignorance issue but thought I’d share my recent concerns.

P.S. I have enjoyed my Debian MATE testing at the house.

Cheers,

Chuck

Port 123 is the well-known port for ntp – working as expected. The big servers, which might also be running TOR, are probably ntp stratum 3 servers as well. You can change the ntp servers in /etc/ntp.conf

If you are in the US:
http://tf.nist.gov/tf-cgi/servers.cgi

Otherwise:
http://support.ntp.org/bin/view/Servers/NTPPoolServers

If connection is established after Welcome is opened, you’ll need to “Retry Connection”.

Otherwise, if Welcome always fails to think it’s connected to the outside world, then you may want to check any HTTP configuration, since other applications could be impacted too.

Welcome tries to establish an HTTP connection to http://archive.ubuntu.com/ as a test. If this HTTP request fails, then Welcome presumes there is no connection.

If you need to force Welcome to stop showing that message, use this command:

ubuntu-mate-welcome --force-net

Why would there be an option to set the time manually only to have NTP go out and validate time? That seems misleading or deceptive. Please understand I’m all for changing a config but if MATE were to be implemented it would reach some disapproval of talking to TOR nodes…potentially.

I can browse all day long from Firefox and I can use apt-get without any proxy commands appended so those respect the system wide proxy settings. Welcome doesn’t work. I can run the System -> Administration -> Software Updater successfully, or at least it reports its fine. The Software Boutique states it needs to be online.

I don’t mind the Welcome from coming up at this point.

You are aware that some Google IP addresses and even this Ubuntu Community is also a TOR address???

Did you stop the ntp server after you configured it to manual? Did you reboot?

Do you know how the Internet is done? Do you understand DNS?

Yes, understand I am good with the TOR IPs. That is me personally. However, the company I work for does not want to see traffic going to those IPs.

  1. Manually changed the time via Admin from NTP to manual. Reboot.
    Connections still went out to TOR IPs.
  2. Changed /etc/ntpd, commented out the Ubuntu NTP pools. Reboot.
    Not seeing outbound NTP connections.

Not sure if I know how the Internet is done but I am comfortable in networking and system administration.

The gist of this topic from my concern is that even when disabling time syncs via NTP and setting it to manually set, a component of the OS still made outbound calls to NTP servers including TOR nodes. Why put a feature in that allows time to be set manually when NTP requests continue?

I see where outbound connections to steelix.canonical.com and danava.canonical.com, TCP 80, are going out the default gateway via normal routes. Unfortunately that connectivity doesn’t exist and hence the use of a proxy server which seems to work for certain aspects of MATE.

user@mybox:~$ netstat -na | grep ":123"
udp        0      0 192.168.101.202:123     0.0.0.0:*                          
udp        0      0 127.0.0.1:123           0.0.0.0:*                          
udp        0      0 0.0.0.0:123             0.0.0.0:*                          
udp6       0      0 fe80::c053:cd8e:23f:123 :::*                               
udp6       0      0 ::1:123                 :::*                               
udp6       0      0 :::123                  :::*                               

I see ntp traffic in WireShark.


user@mybox:~$ netstat -na | grep ":123"
user@mybox:~$ 

No ntp traffic at all in WireShark.


I don't know why you are still seeing ntp traffic with time set to manual. Works correctly here.

Could there be another process or virtual machine making ntp requests?

Good news, I left my MATE VM up all night and didn’t see any NTP outbound connections. This behavior was only observed after modifying the NTP conf file. I just installed Wireshark so I’ll go through some more testing when executing specific behavior.

Screen cap while opening Welcome and clicking on Software. Why wouldn't the configured proxy be used in this example? Wireshark installed via apt-get.

@lah7 thoughts?

Try adding these environment variables, I think it’s because Python (ubuntu-mate-welcome) is not reading the proxy settings set by Ubuntu MATE:

export http_proxy=http://proxy.myproxy.com:80
export https_proxy=https://proxy.myproxy.com:80
ubuntu-mate-welcome

I’ve also filed this as a bug so we can keep track of it.
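
What the environment-variable workaround above changes, as an added example (not part of the original post and not ubuntu-mate-welcome's own code): a Welcome-style HTTP probe built on Python's urllib, which takes its proxy only from the environment mapping it is given. The stub proxy, `TEST_URL` and all function names are constructed for illustration; the TEST-NET-1 address stands in for http://archive.ubuntu.com/ on a network with no direct route out.

```python
import http.server
import threading
import urllib.request

# Constructed stand-in for the archive URL on a proxy-only network:
# 192.0.2.0/24 (TEST-NET-1) is reserved and never routable.
TEST_URL = "http://192.0.2.10/"

class StubProxy(http.server.BaseHTTPRequestHandler):
    """Minimal local 'proxy' that records what it was asked to fetch."""
    seen = []

    def do_GET(self):
        StubProxy.seen.append(self.path)  # absolute URI when used as a proxy
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the example quiet
        pass

def start_stub_proxy():
    """Start the stub on a free loopback port; return (server, proxy URL)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), StubProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]

def proxies_from_env(environ):
    """Map {'http_proxy': url} to {'http': url}, as urllib does for os.environ."""
    return {k[:-6].lower(): v for k, v in environ.items()
            if k.lower().endswith("_proxy") and v}

def check_connectivity(url, environ, timeout=2):
    """Welcome-style probe: True only if the HTTP request succeeds."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler(proxies_from_env(environ)))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status == 200
    except OSError:  # URLError and socket timeouts are OSError subclasses
        return False

if __name__ == "__main__":
    server, proxy_url = start_stub_proxy()
    print("no proxy variables:", check_connectivity(TEST_URL, {}))
    print("http_proxy exported:",
          check_connectivity(TEST_URL, {"http_proxy": proxy_url}))
    print("proxy saw:", StubProxy.seen)
    server.shutdown()
```

With an empty environment the probe attempts a direct connection and reports no connectivity; with `http_proxy` present the same request is handed to the proxy, which is the only egress path on such a network.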

Danke. That was the ticket.

Where do I even set up the system wide proxy in Ubuntu MATE 16.04?
"Network" only has entries for DNS but not for Proxy.