[ntp:questions] Re: ntp on linux (RH9) configuration problem

Giuseppina Melino mielinoremoveme at nospam.ciaoweb.it
Thu Dec 18 23:57:45 UTC 2003


"Andrew" <andrew at arda.homeunix.net> wrote in message
news:zOgEb.15783$CK3.1355231 at news20.bellglobal.com...
>
>
> Paolo Airaldi wrote:
> > Hi,
> >
> > I'm configuring ntp (ntp-4.1.2-0.rc1.2) on my Linux box.
> >
> > If in my ntp.conf file I leave uncommented the line stating:
> > restrict default ignore
>
> Using this line alone tells ntpd to ignore everything coming from
> anywhere. Very secure but not very useful. You have to add additional
> 'restrict' lines that give permissions to different subnets to do
> different things.

I've also got other restrict lines (for servers and the internal LAN), but it
seems that with "restrict default ignore" uncommented those entries are
ignored. I also tried to configure it like you did, but it seems it doesn't
work.

> > which is the installation default, ntp doesn't synchronize with peer
> > servers. (From ntp -d it seems it doesn't receive replies from peer
> > servers)
> >
> > If I comment out this line everything works fine.
> >
> > How different ntp behaves when the line is commented?
>
> Without access controls or authentication configured, anyone from
> anywhere can do anything with your time server, including changing
> internal settings.
>
> > Is this a security risk?
>
> You tell me.
>
> > what are the best settings for the restrict default entry for a box that has
> > the only purpose of syncing with external servers and distributing time on the
> > local network?
>
> I recommend reading the Official NTP Documentation at
> http://www.ntp.org/documentation.html to get an understanding of what
> all the access control and authentication options do.
> Take a look at http://www.arda.homeunix.net/ntpsetup.shtml for an
> example setup.
>
> >
> > I'm thinking to use a firewall to close port 123/udp in input on ppp0
> > interface. What are pro and cons in doing so?
>
> I'm not certain but I think this will kill your ability to use public
> time servers to sync time. I believe time sync reply packets arrive on
> port 123/udp, too. I expect other people on this list can confirm or
> deny this. If in doubt, use a packet sniffer to verify for yourself.

In my test it seems to work. I don't use broadcast, so my client starts the
communication and iptables allows outbound ntp traffic.

> > Thanks in advance for your reply and sorry for my poor English.
> >
> > Paolo Airaldi
> > --
> > Paolo Airaldi
> > Str. Genova, 315
> > I - 10024 Moncalieri (TO) Italy
> > Tel. +39 011 681 39 26
> > Fax. +39 02 700 40 61 93
> > Mobile +39 348 230 30 86
> >
> >
>
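The problem discussed in this thread is that "restrict default ignore" drops every incoming packet, including the replies from the configured upstream servers, unless a more specific restrict entry lets them through. The following Python script is an added example, not part of the original thread or of the ntp distribution: it parses a constructed ntp.conf (the server and LAN addresses are made up), resolves which restrict entry applies to each configured server, and reports servers whose replies would be dropped. It assumes ntpd picks the restrict entry with the most specific matching mask and that the "ignore" and "noserve" flags both block time packets from a source, which is how the documented flag semantics read; hostnames in server lines are flagged for manual checking rather than resolved, so the script runs offline.

```python
import ipaddress

# Constructed sample configuration (addresses are documentation ranges, not real servers).
# This is the working variant: deny by default, then open what is needed.
SAMPLE_NTP_CONF = """\
# upstream servers: one numeric address, one hostname
server 192.0.2.10
server ntp.example.net

# deny everything by default
restrict default ignore
# allow the local host
restrict 127.0.0.1
# allow time packets from the upstream server, but no queries or modifications
restrict 192.0.2.10 nomodify notrap noquery
# serve time to the internal LAN, but deny modifications and traps
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""

# Constructed variant reproducing the symptom from the thread: only the default entry.
BROKEN_NTP_CONF = """\
server 192.0.2.10
restrict default ignore
"""

# Flags whose presence stops ntpd from accepting time packets from that source.
BLOCKING_FLAGS = {"ignore", "noserve"}


def parse_restrict(args):
    """Turn the words after 'restrict' into (network, set_of_flags)."""
    if args[0] == "default":
        return ipaddress.ip_network("0.0.0.0/0"), set(args[1:])
    if len(args) >= 3 and args[1] == "mask":
        net = ipaddress.ip_network(f"{args[0]}/{args[2]}", strict=False)
        return net, set(args[3:])
    return ipaddress.ip_network(f"{args[0]}/32"), set(args[1:])


def parse_conf(text):
    """Collect 'server' targets and 'restrict' entries; ignore comments and other keywords."""
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] == "server" and len(words) > 1:
            servers.append(words[1])
        elif words[0] == "restrict" and len(words) > 1:
            restricts.append(parse_restrict(words[1:]))
    return servers, restricts


def effective_flags(restricts, source):
    """Flags of the most specific restrict entry matching a numeric source address (assumed ntpd behaviour)."""
    ip = ipaddress.ip_address(source)
    best = None
    for net, flags in restricts:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return set(best[1]) if best else set()


def check_servers(text):
    """Map each configured server to 'ok', 'blocked' or 'unresolved' (hostname, check by hand)."""
    servers, restricts = parse_conf(text)
    result = {}
    for server in servers:
        try:
            flags = effective_flags(restricts, server)
        except ValueError:  # not a numeric address; resolving would need network access
            result[server] = "unresolved"
            continue
        result[server] = "blocked" if flags & BLOCKING_FLAGS else "ok"
    return result


if __name__ == "__main__":
    for name, conf in (("working", SAMPLE_NTP_CONF), ("broken", BROKEN_NTP_CONF)):
        print(name, check_servers(conf))
    lan = effective_flags(parse_conf(SAMPLE_NTP_CONF)[1], "192.168.1.42")
    print("LAN client flags:", sorted(lan))
```

Running it shows the upstream server marked "blocked" in the second configuration and "ok" in the first, which is the difference between the poster's two observed behaviours; a LAN client in the first configuration gets nomodify and notrap, so it can ask for time but cannot change the server's settings.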
