[ntp:questions] adding access restrictions to the windows ntp config

Dave Hart davehart at gmail.com
Wed Feb 15 12:27:29 UTC 2012

On Wed, Feb 15, 2012 at 08:30, Ron Frazier (NTP)
<timekeepingntplist at c3energy.com> wrote:
> Hi all,
> In my research operating ntpd on Windows and Linux, I discovered that the
> default ntp.conf installed by Meinberg does not have any access
> restrictions.  I think it would be a good idea to add this to your file
> unless you require more liberal access for your LAN, etc.  This is the
> default setup for my Ubuntu Linux machines.
> # By default, exchange time with everybody, but don't allow configuration.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery

With version 4.2.5p178 and later, there's no need to repeat yourself,
a single restrict default (no -4 or -6) affects both IPv4 and IPv6.

Also note that the kod restriction does nothing without the limited
restriction, which I highly recommend using to keep your ntpd from
being useful as a reflector of traffic originated with forged source
addresses belonging to the real targets.  Rate limiting processing
occurs only with the limited restriction, and when the rate is
exceeded, there is either no response, or with kod restriction present
as well, a Kiss o' Death (useless for timekeeping, with refid RATE) is
sent unless one was sent to that remote address in the last 8 seconds.
This rate limiting of KoDs to once per 8 seconds again addresses the
reflector issue.

> # allow unrestricted access from the localhost (so that you may monitor ntpd
> # and perform on-the-fly configuration changes with ntpdc)
> # Local users may interrogate the ntp server more closely.
> # IPv4
> restrict
> # IPv6
> restrict -6 ::1

I believe with 4.2.5p178 and later a single "restrict localhost" will
do the same, subject to your system resolving localhost to both IPv4
and IPv6 addresses.  With "noquery" in the default restrictions, you
can verify the restrict localhost applied to both using "ntpq -p" and
"ntpq -p ::1".  If one of the two does not work, you know you're
getting the default restriction on that localhost address.

Alternatively, if you've configured ntpd for authenticated ntpq/ntpdc
queries using "keys", "trustedkey", "requestkey" and "controlkey", you
can verify the active restrictions using ntpq's reslist, or if your
version of ntpq is too old to support the reslist command, ntpdc's.

Dave Hart
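
The following is an added example, not part of the original message or of the ntp distribution: a small linter that reads the "restrict" lines of an ntp.conf and reports the problems discussed above (kod without limited, a default restriction missing for one address family, a default with noquery but no loopback exemption on one of the two localhost addresses). The two sample configs are constructed here; one mirrors the quoted Ubuntu default, the other is a single-line 4.2.5p178+ style default. The treatment of a bare "restrict default" and of "restrict localhost" as covering both families follows the note above and is an assumption about how the name resolves on the host.

```python
"""Lint the 'restrict' lines of an ntp.conf (added example, not ntp project code)."""

# Access-control flags a hardened 'restrict default' line should carry.
ACCESS_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: the Ubuntu-style default quoted in the thread.
RON_CONF = """\
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""

# Constructed sample: single default line with 'limited', localhost exempt.
HARDENED_CONF = """\
restrict default kod limited nomodify notrap nopeer noquery
restrict localhost
"""


def parse_restrict_lines(conf_text):
    """Return one dict per 'restrict' line: family ('4', '6' or 'both'),
    address ('mask X' folded into 'addr/X') and the set of flags.
    A bare 'restrict' with no address is skipped, not guessed at."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "both"
        if tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)[1:]
            if not tokens:
                continue
        address, rest = tokens[0], tokens[1:]
        flags = set()
        i = 0
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):
                address += "/" + rest[i + 1]
                i += 2
            else:
                flags.add(rest[i])
                i += 1
        entries.append({"family": family, "address": address, "flags": flags})
    return entries


def families(entry):
    """Address families an entry covers. -4/-6 are explicit; otherwise a bare
    'default' covers both (4.2.5p178+) and 'localhost' is assumed to resolve
    to both 127.0.0.1 and ::1. Other literals are classified by syntax."""
    if entry["family"] != "both":
        return {entry["family"]}
    if entry["address"] in ("default", "localhost"):
        return {"4", "6"}
    return {"6"} if ":" in entry["address"] else {"4"}


def lint_restrict(conf_text):
    """Return a list of findings; an empty list means no concerns."""
    findings = []
    entries = parse_restrict_lines(conf_text)
    defaults = [e for e in entries if e["address"] == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: every address gets unrestricted access")
        return findings
    default_fams = set().union(*(families(e) for e in defaults))
    for fam in ("4", "6"):
        if fam not in default_fams:
            findings.append(f"no 'restrict default' covers IPv{fam}")
    for e in entries:
        where = f"restrict {e['address']}" + ("" if e["family"] == "both" else f" (-{e['family']})")
        f = e["flags"]
        if "kod" in f and "limited" not in f:
            findings.append(f"{where}: 'kod' does nothing without 'limited'")
        if e["address"] == "default":
            if "limited" not in f and "kod" not in f:
                findings.append(f"{where}: no 'limited', so every packet is answered and ntpd is usable as a reflector")
            missing = ACCESS_FLAGS - f
            if missing:
                findings.append(f"{where}: missing {' '.join(sorted(missing))}")
    # With noquery on the default, each localhost address needs its own exemption.
    noquery_fams = set().union(*(families(e) for e in defaults if "noquery" in e["flags"]))
    loop_fams = set().union(*(families(e) for e in entries if e["address"] in LOOPBACK))
    for fam in sorted(noquery_fams - loop_fams):
        findings.append(f"default has noquery but no loopback restrict covers IPv{fam}; local ntpq on that address will fail")
    return findings


if __name__ == "__main__":
    for name, conf in (("quoted Ubuntu default", RON_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in lint_restrict(conf) or ["ok"]:
            print("  " + finding)
```

Run it against your own file with lint_restrict(open("/etc/ntp.conf").read()); the quoted config produces two findings (kod without limited on each default line), the hardened one produces none.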
