[ntp:questions] What to do for clients less than 4.2.8?

Rob nomail at example.com
Sun Dec 21 10:48:16 UTC 2014

David Woolley <david at ex.djwhome.demon.invalid> wrote:
> On 20/12/14 22:01, Rob wrote:
>> David Woolley <david at ex.djwhome.demon.invalid> wrote:
>>> On 20/12/14 19:58, William Unruh wrote:
>>>> Is it an ntp packet (ie a time exchange packet)? is it a control packet
>>>> (eg ntpq type packet?) or what?
>>>> Ie, unless you use crypto, these two look like they might be dangerous.
>>> Both routines only process NTP type 6 packets, i.e. nptq.
>> But is that before or after those packets are filtered by "restrict"?
> ctl_putdata is sending the response (my guess is the attack is monlist 
> based), so it is definitely after the filter.  configure is a fairly 
> complex command processing option, so, although I didn't check the code 
> in detail, I would be most surprised if it wasn't after the filter.

Looking in the packet trace I see monlist attempts all the time, but
they are probably for the previous NTP issue.  I have restricted those,
but I feel unsure if I am vulnerable to the current problem.

People say "disable crypto" but there is no clear direction in the docs
on how to do that.  There is no "crypto off" or "disable crypto" config
directive at first glance.  So how is this done?

Again, the users are left in the dark.  There no default config file,
so all distributions make their own.  My OpenSUSE system includes:

# Authentication stuff
keys /etc/ntp.keys              # path for keys file
trustedkey 1                    # define trusted keys
requestkey 1                    # key (7) for accessing server variables
# controlkey 15                 # key (6) for accessing server variables

I have commented those all.
But there is no such thing in the Debian config file.

Is crypto off by default?  I don't think so, because there is no crypto
statement in the OpenSUSE config file, yet it refers to crypto-related

How much simplere would it be when there was a news release telling us
what we need to config in our /etc/ntp.conf or what we need to trap in
the firewall.

More information about the questions mailing list