[ntp:questions] notrust alternative?

Dennis Hilberg Jr dhilberg at comcast.net
Fri Nov 3 19:12:53 UTC 2006


No, I do not think I've been hacked, but I guess it's possible.  The server is behind a router, with only the ssh, smtp, and ntp 
ports open.

My system is Mandriva 2007 Free on x86.  No xwindows, command line only.  'ntpq -c version' returns:

saturn:# ntpq -c version
ntpq 4.2.0 at 1.1161-r Sat Sep 30 08:43:12 MDT 2006 (1)


'ntpcd -ncreslist' returns:

saturn:# ntpdc -ncreslist
   address          mask            count        flags
=====================================================================
0.0.0.0         0.0.0.0             93063  noquery, nomodify, nopeer, notrap, kod
127.0.0.1       255.255.255.255      1675  none
127.0.0.1       255.255.255.255         0  ntpport, interface, ignore
192.168.1.0     255.255.255.0          19  nomodify, nopeer, notrap
192.168.1.102   255.255.255.255         0  ntpport, interface, ignore
::              ::                      0  none

My ntp.conf:


# Default restriction.

restrict default kod nomodify notrap nopeer noquery

# Allow free access to localhost.

restrict 127.0.0.1

# Allow the local network access with the following modified restrictions.

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer

# Synchronization servers.  Include at least three, but no more than five.

server bigben.cac.washington.edu   iburst       # University of Washington, Seattle, WA
server montpelier.ilan.caltech.edu iburst       # California Institute of Technology, Pasadena, CA
server tick.ucla.edu               iburst       # UCLA, Los Angeles, CA
server clock.xmission.com          iburst       # XMission Internet, Salt Lake City, Utah
server clepsydra.dec.com           iburst       # HP Western Research Laboratory, Palo Alto, CA

# Drift file location

driftfile /etc/ntp/drift

# Location of the log file

logfile /var/log/ntp/ntp.log

# NTP monitoring parameters

statsdir /var/log/ntp/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Authentication parameters

#keys           /etc/ntp/keys
#trustedkey     2 3 4
#controlkey     3       # To access the ntpq utility
#requestkey     2       # To access the ntpdc utility

Do I have my access restrictions set up properly?  Am I missing anything?

Dennis


"Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message news:l6ydnTpageZdF9bYnZ2dnUVZ_qCdnZ2d at comcast.com...
| Dennis Hilberg Jr wrote:
|
| > Here is the result of 'ntpq -p' on my system:
| >
| > saturn:# ntpq -p
| >      remote           refid      st t when poll reach   delay   offset  jitter
| > ==============================================================================
| > -bigben.cac.wash .USNO.           1 u   28   64  377   18.567    2.213   1.438
| > +montpelier.ilan .USNO.           1 u   31   64  377   48.057    0.342   2.201
| > +tick.ucla.edu   .PSC.            1 u   27   64  377   46.799   -0.404   2.485
| > +clock.xmission. .GPS.            1 u   26   64  377   52.507    0.491   1.587
| > *clepsydra.dec.c .GPS.            1 u   24   64  377   32.168    0.275   2.075
| >  bdsl.66.13.214. 141.156.108.23   2 u    -   16  377    0.001  5384.58 124.872
| > -71.216.67.53    63.119.46.3      2 u   16   16  373  131.452   21.951   6.855
| >  host98.liberto. 216.52.237.153   3 u   15   16  377  100.925  -5344.6  40.603
| >  cpe-65-186-213- 71.237.179.90    3 u   30   16  377   78.722  -386.14   5.327
| >  i-195-137-59-20 192.245.169.15   2 u   15   16  277   43.804  7099.33 236.967
| >  46.Red-80-38-9. 208.99.207.109   3 u   13   16  377  287.516  -3020.5  60.778
| >  72.15.196.228   216.52.237.153   3 u   13   16  377    0.001  30573.1 142.754
| >  213-84-173-46.a 192.245.169.15   2 u   10   16  377  1468.85  -11042.  11.560
| >  70.150.125.170  71.237.179.90    3 u    9   16  377   85.168  -40.077   6.857
| > -adsl-68-255-97- 64.81.199.165    2 u    8   16  377  106.531  -12.162   2.902
| >  65.5.127.231    71.237.179.90    3 u    8   16  377   88.479  -59.875   9.769
| >  mail.thamesself 71.237.179.90    3 u    7   16  377  172.238  -23.748  13.801
| >  217-116-10-20.r 66.92.77.98      3 u    8   16  377  731.425  -1245.1  42.582
| >  70.150.30.72    71.237.179.90    3 u    6   16  377  101.407  968.326   4.586
| > -adsl-158-64-228 141.156.108.23   2 u   98   16  374  109.658    3.006   2.807
| >  S01060011d8dcef 216.165.129.244  2 u    5   16  277   52.252  2650.47  33.139
| >  neu67-4-88-160- 209.132.176.4    2 u    5   16  377   71.208  29201.2 102.426
| >  host204-64-dyna 192.245.169.15   2 u  356   16  300   49.252  4497.48  43.638
| >  227-33.netwurx. 71.237.179.90    3 u    4   16  357  123.479  -59.126   9.594
| >  226.Red-83-41-1 81.169.139.140   3 u    2   16  177  284.796  539.697  34.158
| >  adsl-212-42-174 209.132.176.4    2 u    9   16  327  204.512   95.673  62.616
| >  cpe-24-24-123-2 80.127.4.179     2 u    2   16  377    0.001  11796.3 115.867
| > -70-89-23-210-ph 216.52.237.153   3 u   11   16  176   83.227  -18.373   1.094
| >  65.5.122.162    72.3.133.147     3 u  261  256    4   99.722    1.725   0.001
| > #194.150.135.94  81.169.152.214   3 u   10   16   76  293.509  -14.045   7.274
| >  host114-244-dyn 192.245.169.15   2 u  212   16   30    0.001  4720.98 126.715
| >  bdsl.66.13.227. 63.119.46.3      2 u   72  256    7  117.779   -4.601   4.494
| > -mail.getmedium. 63.119.46.3      2 u   16   16   16  125.852   16.342   2.413
| >  host119-247-dyn 192.245.169.15   2 u    4   16    5    0.001  5061.93 236.150
| >  64.184.118.233  216.106.191.180  3 u  117   16    2    0.001  -100239   0.001
| >  host134.209.113 63.119.46.3      2 u   34  128    3    0.001  -603.10 859.203
| > -157.199.7.146   198.60.22.240    2 u    1   16    3   84.881  -21.815   1.294
| >  d54C3CA72.acces 192.245.169.15   2 u    5   16    3  169.735  -375.17   1.819
| >  ACaen-251-1-63- 81.169.152.214   3 u    4   16    2  441.105   68.311  24.742
| > #ip-207-145-35-7 65.19.139.44     3 u    4   16    3  144.620   22.869   6.186
| >  mulder.f5.com   216.52.237.153   3 u   66   16    2    5.431  -14.845   0.001
| >  65.107.178.178. 141.156.108.23   2 u   16   16    2   98.225  -3365.3   2.504
| >  wsip-68-14-240- 63.119.46.3      2 u   15   16    1   46.460  -24.621   1.612
| >  c-67-166-119-12 71.237.179.90    3 u   10   16    1    0.001  1149.46   4.429
| >  cpe-24-209-208- 66.92.68.11      2 u    9   16    1    0.001  -777.07  22.086
| >  foreman.heartla 75.13.24.211     2 u    8   16    1  172.065  -68.752   1.445
| >  cpe-65-27-168-2 141.156.108.23   2 u   22   64    1   87.519  124.139   0.001
| >
| > The first five servers listed above are the same ones listed in my ntp.conf as synchronization sources.  What are the rest of 
them?
| >
| > 'ntpdc -c monlist' returns 384 entries.  Is that typical?
| >
|
| If you are operating a server, 384 clients does not seem unreasonable.
| For clients to show up on the ntpq banner like that, they would almost
| have to be "peers".  From the looks of things, you would not want most
| of them as peers; they seem to be clueless about what time it is
| (assuming that your server is correct).  Actually, about half of them
| could not even be peers because they are at stratum 3 and your server
| would appear to be at stratum 2.
|
| I would study the "restrict" statement and add restrict statements that
| would prevent anyone from peering with my server (at least any of THAT
| crowd)!!!  I might even scrub my hands with disinfectant when I
| finished!!!!!!   YUCK!!!!!!!!!!!!!!!
|
| FWIW, I tried a couple of those addresses with "ping", "ntpq", and
| "ntpdate" and got no response.  I tried one with nslookup and got no
| translation.  I'd say it's a pretty "ripe" collection!!
|
| What platform are you running on?  Which O/S?  What version?  Do you
| have a firewall?  Is it possible that your system has been "hacked"?
| 





More information about the questions mailing list