[ntp:questions] Linux client ntp

Steve Kostecke kostecke at ntp.isc.org
Mon Apr 16 14:26:02 UTC 2007

NOTE: This article has been reformatted to allow in-line replies. Please
trim the quoted material in any reply.

On 2007-04-14, Riccardo Castellani <castellani.riccardo at tiscali.it>

> Steve Kostecke wrote:
>> On 2007-04-13, RICCARDO <castellani.riccardo at tiscali.it> wrote:
>>>I want to use ntpd -qg; could this ntp.conf be right for my Linux
>>>client?
>>>restrict default ignore
>>>restrict server A
>>>restrict server B
>>>server A
>>>server B
>> You could simplify this greatly by replacing all of those restrict lines
>> with this:
>> restrict default nomodify nopeer notrap noquery
> 1. I thought that with the "restrict default ignore" setting it was more
> secure for the client, which will reject all packets except for server A/B.

When you use 'restrict default ignore' you are telling ntpd to ignore
all NTP packets (i.e. time service and control messages) from
everywhere. This is why you have to then explicitly relax the
restrictions for the localhost and your chosen time sources.

> At this time I suppose that the "restrict default nomodify nopeer notrap
> noquery" setting permits the client to synchronize itself to
> server A/B but will not refuse those (malicious) packets which could be
> sent from other machines (different from the A/B servers).

However we should be realistic about the true level of risk involved in
running 'ntpq -gq' with the configuration shown above.

1. When configured with unicast (client/server) associations (i.e. the
'server' lines) ntpd polls, or asks, the 'servers' for the time. The
only way that a 'malicious' server could 'send' an unrequested packet is
if they established a passive peer association with your ntpd; use of
the 'nopeer' option prevents that.

2. When you run ntpd with '-gq' it will be operating for all of ~20
seconds, or so. This is not enough time for peer associations to be

3. If your system running ntpd is behind a stateful firewall, or NAT,
then connections initiated from the outside (i.e. incoming connections)
will not be possible and your ntpd will be accessible to the outside

> 2. "restrict default nomodify nopeer notrap noquery". According to the
> ntpd manual, "nomodify" doesn't permit modifying the daemon state, but I
> don't understand how ntpd can adjust the clock; that is, which option
> permits ntpd to modify the local clock time?

ntpd by default disciplines your local clock to synchronize it with your
chosen time sources. If you wish to block time service you must specify
either 'ignore' or 'noserve' as the global (i.e. default) restriction or
as the restriction for an arbitrary address/subnet.

> Is there a specific option to add to "restrict default nomodify nopeer
> notrap noquery" to prevent ntpd from setting the local clock? Example:
> restrict default nomodify nopeer notrap noquery
> server A
> server B
> server C

The 'server C' line is telling your ntpd to poll server C for the time.
If you don't want your ntpd to ask 'server C' for the time, leave that
server C line out of your ntp.conf.

If you wish to allow server C to make status queries in addition to
receiving the time add only this restrict line:

	restrict C nomodify nopeer notrap

If you wish to allow server C to _only_ make status queries but not
receive time service add only this restrict line:

	restrict C nomodify nopeer notrap noserve

If you wish to block all NTP packets to and from server C add only this
restrict line:

	restrict C ignore

If you wish to add server C to your ntpd only so that you can compare
your ntpd to server C without setting the time use the following server
line in addition to the default restriction shown above:

	server C noselect

Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
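
An added example, not part of the original message or of the NTP project's code: a small checker that reads the restrict and server lines of an ntp.conf and reports servers left blocked by 'restrict default ignore', and entries that lack the restriction flags discussed above. The function name `audit`, the sample addresses (documentation range) and the matching rules (hostnames compared as text, last matching restrict entry wins) are assumptions made for illustration.

```python
import ipaddress

HARDENING = {"nomodify", "nopeer", "notrap", "noquery"}

def _net(addr, mask=None):
    """ip_network for addr[/mask], or None when addr is a hostname."""
    try:
        return ipaddress.ip_network(f"{addr}/{mask}" if mask else addr, strict=False)
    except ValueError:
        return None

def audit(conf_text):
    """Return findings for the restrict/server lines of an ntp.conf."""
    default, rules, servers = None, [], []
    for raw in conf_text.splitlines():
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(tok) < 2:
            continue
        if tok[0] == "server":
            servers.append(tok[1])
        elif tok[0] == "restrict":
            addr, rest = tok[1], tok[2:]
            mask = rest[rest.index("mask") + 1] if "mask" in rest[:-1] else None
            flags = {f for f in rest if f not in ("mask", mask)}
            if addr == "default":
                default = flags
            else:
                rules.append((addr, _net(addr, mask), flags))
    findings = []
    if default is None:
        findings.append("no 'restrict default' line")
    elif "ignore" not in default and HARDENING - default:
        findings.append("restrict default lacks: " + " ".join(sorted(HARDENING - default)))
    for srv in servers:
        ip, flags = _net(srv), set(default or ())
        for addr, net, f in rules:  # simplification: last matching entry wins
            in_net = (ip is not None and net is not None
                      and ip.version == net.version and ip.subnet_of(net))
            if addr == srv or in_net:
                flags = f  # a matching entry replaces the default flags
        if "ignore" in flags:
            findings.append(f"server {srv}: ignored, needs its own restrict line")
        elif "nopeer" not in flags:
            findings.append(f"server {srv}: nopeer not set for this address")
    return findings

# Constructed sample: a 'default ignore' layout with one exception line left out.
SAMPLE = "restrict default ignore\nrestrict 192.0.2.10\nserver 192.0.2.10\nserver 192.0.2.11\n"
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```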
