[ntp:questions] "Trapping" in ntpd
kostecke at ntp.org
Wed Oct 3 21:05:18 UTC 2007
On 2007-10-03, Rob <pse at nospam.com> wrote:
> Steve wrote:
>> "A properly chosen default restriction will, in many circumstances,
>> eliminate the need to clutter your ntp.conf file with redundant restrict
> ... some of the ntp.conf files that I have seen use "restrict default
> nomodify nopeer notrap"
> In my view, this is a sensible default restrict line.
Yes. It blocks functionality not strictly required for time service and
> It lets others do queries on your ntpd server but not set traps (which
> is probably only useful for debugging purposes and may increase load
> on your ntpd server significantly).
The only known trap client in existence is the ntptrap script in the
The load from misconfigured clients (e.g. those that poll every second)
will _far_ outweigh any possible load caused by monitoring mode that is
probably totally unused.
> It also prevents others from doing run time modifications to your
> server. Another sensible restriction.
Remote modification is only possible under two circumstances:
1. You have deliberately disabled NTP authentication
2. You have configured symmetric keys in ntp.conf, generated the keys,
and distributed the keys.
nomodify blocks _all_ remote configuration, even when the user has the
correct key information.
> But if you wanted to really lock down your company's ntpd server on a
> corporate lan, one could use "restrict default nomodify nopeer noquery".
That is the most restrictive set of restrictions short of ignore.
> I suspect the noquery would also block traps.
There's little harm in specifying a redundant configuration option in
> I am not sure.
Why don't you test it?
Steve Kostecke <kostecke at ntp.org>
NTP Public Services Project - http://support.ntp.org/
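Taking up Steve's "why don't you test it?", here is an added example that is not part of the thread and not NTP project code: a small POSIX sh/awk audit that reads an ntp.conf and reports which of the flags discussed above (nomodify, nopeer, notrap, noquery) each "restrict default" line carries or lacks. It assumes only a POSIX shell and awk; the sample configurations embedded at the bottom are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original thread: audit the "restrict default"
# lines of an ntp.conf (read from stdin) for the flags discussed above.
# The sample configurations at the bottom are constructed for illustration.

# audit_restrict_default < ntp.conf
#   Prints one line per "restrict [-4|-6] default" entry with the flags it
#   carries and the ones it lacks. Exit status:
#     0  every default line has nomodify, nopeer and notrap
#     1  some default line lacks one of those three
#     2  no "restrict default" line at all (ntpd then grants full access)
#   noquery is reported but not required: it is the stricter lock-down
#   option from the thread, and it also blocks harmless monitoring queries.
audit_restrict_default() {
    awk '
        { sub(/#.*/, "") }                  # drop comments, re-split fields
        $1 != "restrict" { next }
        {
            i = 2; fam = "4/6"              # plain "default" covers both families
            if ($2 == "-4" || $2 == "-6") { fam = substr($2, 2); i = 3 }
            if ($i != "default") next
            seen++
            split("nomodify nopeer notrap noquery", want, " ")
            present = ""; missing = ""
            for (k = 1; k <= 4; k++) {
                have = 0
                for (j = i + 1; j <= NF; j++) if ($j == want[k]) have = 1
                if (have) present = present " " want[k]
                else {
                    missing = missing " " want[k]
                    if (k <= 3) bad = 1     # noquery is advisory only
                }
            }
            printf "restrict default (IPv%s): present:%s missing:%s\n", fam, present, missing
        }
        END {
            if (!seen) { print "no restrict default line: every client gets full access"; exit 2 }
            if (bad) exit 1
            exit 0
        }
    '
}

# Constructed sample 1: the default line proposed in the thread.
audit_restrict_default <<'EOF' || echo "exit status $?"
# constructed ntp.conf
driftfile /var/lib/ntp/ntp.drift
restrict default nomodify nopeer notrap   # applies to IPv4 and IPv6
restrict 127.0.0.1
server 0.pool.ntp.org
EOF

# Constructed sample 2: IPv4 default line left too open, IPv6 fully locked down.
audit_restrict_default <<'EOF' || echo "exit status $?"
restrict -4 default nomodify
restrict -6 default nomodify nopeer notrap noquery
EOF

# Constructed sample 3: no restrict default line at all.
audit_restrict_default <<'EOF' || echo "exit status $?"
server 0.pool.ntp.org
EOF
```

Run it as `audit_restrict_default < /etc/ntp.conf` (after sourcing the function) to check a live configuration; an exit status of 2 is the case to worry about most, since with no default restriction at all every client gets query, trap and (subject to authentication) modification access.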