[ntp:questions] Re: ntp on linux (RH9) configuration problem

Paolo Airaldi paolo.airaldi_removeme at nospam.tin.it
Fri Dec 19 00:01:26 UTC 2003


Sorry, but I used my wife's account for the previous reply.

Paolo Airaldi

Str. Genova, 315
I - 10024 Moncalieri (TO) Italy
Tel. +39 011 681 39 26
Fax. +39 02 700 40 61 93
Mobile +39 348 230 30 86
---
"Giuseppina Melino" <mielinoremoveme at nospam.ciaoweb.it> wrote in
message news:Z9rEb.17666$0w.826013 at news2.tin.it...
>
> "Andrew" <andrew at arda.homeunix.net> wrote in message
> news:zOgEb.15783$CK3.1355231 at news20.bellglobal.com...
> >
> >
> > Paolo Airaldi wrote:
> > > Hi,
> > >
> > > I'm configuring ntp (ntp-4.1.2-0.rc1.2) on my Linux box.
> > >
> > > If in my ntp.conf file I leave uncommented the line stating:
> > > restrict default ignore
> >
> > Using this line alone tells ntpd to ignore everything coming from
> > anywhere. Very secure but not very useful. You have to add additional
> > 'restrict' lines that give permissions to different subnets to do
> > different things.
>
> I've also got other restrict lines (for servers and the internal LAN), but it
> seems that with "restrict default ignore" uncommented those entries are
> ignored. I also tried to configure it like you did, but it seems it doesn't
> work.
>
> > > which is the installation default, ntp doesn't synchronize with peer
> > > servers. (From ntp -d it seems it doesn't receive replies from peer
> > > servers)
> > >
> > > If I comment out this line everything works fine.
> > >
> > > How different ntp behaves when the line is commented?
> >
> > Without access controls or authentication configured, anyone from
> > anywhere can do anything with your time server, including changing
> > internal settings.
> >
> > > Is this a security risk?
> >
> > You tell me.
> >
> > > what are the best settings for the restrict default entry for a box that
> > > has the only purpose of syncing with an external server and distributing
> > > time on the local network?
> >
> > I recommend reading the Official NTP Documentation at
> > http://www.ntp.org/documentation.html to get an understanding of what
> > all the access control and authentication options do.
> > Take a look at http://www.arda.homeunix.net/ntpsetup.shtml for an
> > example setup.
> >
> > >
> > > I'm thinking to use a firewall to close port 123/udp in input on ppp0
> > > interface. What are pro and cons in doing so?
> >
> > I'm not certain but I think this will kill your ability to use public
> > time servers to sync time. I believe time sync reply packets arrive on
> > port 123/udp, too. I expect other people on this list can confirm or
> > deny this. If in doubt, use a packet sniffer to verify for yourself.
>
> In my test it seems to work. I don't use broadcast, so my client starts the
> communication and iptables allows the ntp protocol out.
>
> > > Thanks in advance for your reply and sorry for my poor English.
> > >
> > > Paolo Airaldi
> > > --
> > > Paolo Airaldi
> > > Str. Genova, 315
> > > I - 10024 Moncalieri (TO) Italy
> > > Tel. +39 011 681 39 26
> > > Fax. +39 02 700 40 61 93
> > > Mobile +39 348 230 30 86
> > >
> > >
> >
>
>
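The configuration question running through the thread is what `restrict default ignore` does to the `server` entries: with that line as the catch-all, every source, including the upstream servers the box polls, needs a more specific `restrict` entry that does not carry `ignore`, or its replies are dropped. The checker below is an added example, not code from this thread, from Red Hat's ntp.conf, or from the NTP project. It parses a small ntp.conf, computes which restrict entry applies to each configured server, and reports servers that the policy would silence. The two sample configurations and the addresses in them are constructed (documentation ranges), and the matching model (the most specific matching `restrict` entry wins; a bare address means a single host; `ignore` is the only flag that discards a server's replies) is an assumption drawn from the ntpd access-control documentation, not verified against the 4.1.2 source.

```python
import ipaddress

# Constructed sample configs (not from the thread), in the style of the
# Red Hat 9 ntp.conf the original poster describes: a default-ignore policy,
# a LAN that may sync from this box, and two upstream servers.
CONF_SERVERS_BLOCKED = """\
restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap   # internal LAN
server 192.0.2.10
server 192.0.2.20
"""

CONF_SERVERS_ALLOWED = """\
restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap   # internal LAN
# upstream servers: accept their replies, but let them neither query nor modify us
restrict 192.0.2.10 mask 255.255.255.255 nomodify notrap noquery
restrict 192.0.2.20 mask 255.255.255.255 nomodify notrap noquery
server 192.0.2.10
server 192.0.2.20
"""

KNOWN_FLAGS = {"ignore", "nomodify", "noquery", "notrap", "nopeer",
               "noserve", "notrust", "limited", "kod", "version"}


def parse_ntp_conf(text):
    """Return (restricts, servers).

    restricts: list of (ip_network, set_of_flags) in file order.
    servers:   list of address strings from 'server'/'peer' lines.
    Only the syntax used on this page is handled (IPv4 literals,
    'default', optional 'mask'); that is an assumption of this checker.
    """
    restricts, servers = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments
        if not line:
            continue
        tok = line.split()
        if tok[0] == "restrict" and len(tok) >= 2:
            if tok[1] == "default":
                net, rest = ipaddress.ip_network("0.0.0.0/0"), tok[2:]
            else:
                rest, mask = tok[2:], "255.255.255.255"   # bare address = one host
                if len(rest) >= 2 and rest[0] == "mask":
                    mask, rest = rest[1], rest[2:]
                net = ipaddress.ip_network(f"{tok[1]}/{mask}", strict=False)
            restricts.append((net, set(rest) & KNOWN_FLAGS))
        elif tok[0] in ("server", "peer") and len(tok) >= 2:
            servers.append(tok[1])
    return restricts, servers


def effective_flags(restricts, address):
    """Flags the policy applies to packets from `address`.

    Model (assumption, following the documented behaviour): the most
    specific matching restrict entry wins; with no match, nothing is restricted.
    """
    ip = ipaddress.ip_address(address)
    best = None
    for net, flags in restricts:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return set(best[1]) if best else set()


def servers_blocked(text):
    """Configured servers whose replies the restrict policy would drop.

    'ignore' discards everything from a source, so a server whose effective
    entry carries it can never be used for synchronisation. Hostnames cannot
    be evaluated offline and are skipped.
    """
    restricts, servers = parse_ntp_conf(text)
    blocked = []
    for srv in servers:
        try:
            flags = effective_flags(restricts, srv)
        except ValueError:          # hostname, not an IP literal
            continue
        if "ignore" in flags:
            blocked.append(srv)
    return blocked


if __name__ == "__main__":
    for name, conf in (("blocked", CONF_SERVERS_BLOCKED),
                       ("allowed", CONF_SERVERS_ALLOWED)):
        print(name, "->", servers_blocked(conf) or "all servers reachable")
```

Run against the first sample, the checker flags both servers, because the only entry matching them is `restrict default ignore`; against the second it flags none, while the LAN still gets `nomodify notrap` and everything else on the internet still falls through to `ignore`. The `noquery` on the server entries keeps the upstream hosts from interrogating the daemon, which is the "distribute time but expose nothing else" posture the poster asked about.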
