[ntp:questions] Re: restrict in ntpdc

Steve Kostecke kostecke at ntp.isc.org
Mon Nov 1 15:13:22 UTC 2004


On 2004-11-01, Nagy Bela <belus at petra.hos.u-szeged.hu> wrote:

<snip>

Before you start setting your ntpd restrictions you need to consider a
few points...

* About "nomodify" -- By default ntpd requires authentication with
symmetric keys for modifications made with ntpdc. So if you don't
configure symmetric keys for your ntpd, or keep them properly
safeguarded, you don't need to use 'nomodify' unless you are concerned
that the NTP authentication scheme might be compromised.

* About "noquery" -- The ntpd status query features provided by
ntpq/ntpdc will reveal some information about the system running ntpd
(e.g. OS version, ntpd version) that you many not wish other to know.
You need to decide if concealing this information is more important than
allowing your clients outweighs the possible benefits of allowing your
clients to see synchronization information about your ntpd.

* About "notrust" -- This option tells ntpd to ignore all packets which
are not crytographically authenticated (note that this is a change from
ntp-4.1.x). DO NOT use "notrust" unless ntp crypto (i.e. symmetric keys
or autokey) has been properly configured on "both ends" of an ntp
association (e.g. your ntpd and a remote time server, your ntpd and a
client).

* Keep in mind that tighter default restrictions require additional
configuration for authorized time-server/peers and client hosts/subnets.
And you _must_ use IP addresses on your restrict lines.

...and ask yourself a few questions:

1. Are incoming connections to your ntpd blocked by NAT or a stateful
inspection firewall?

--> If the answer is "Yes", skip to question #4.

2. If your ntpd is publically accessible, do you really need to block
all connections from unauthorized hosts?

--> If the answer is "No", skip to question #3.

--> If the answer is "Yes" use the following default restriction (and keep
in mind that you will have to add restrict lines for every authorized
server and client host/subnet):

	restrict default ignore

3. Since you are willing to allow others to get the time from your ntpd,
will you allow them to see your server status information (even though
this can reveal information about your OS and ntpd version)?

--> If the answer is "Yes" use the following default restriction:

	restrict default nomodify notrap nopeer

--> If the answer is "No" use the following default restriction:

	restrict default kod nomodify notrap nopeer noquery

4. How much protection do you need from clients on your internal
network?

--> If feel that you need to protect your ntpd from the hosts on your
LAN you may wish to consider the following default restrictions:

	restrict default kod nomodify notrap nopeer

> So basically my ntp.conf (would) look(s) like
>
> addserver x.y.z.w #with possibly other options 

In this case you need to repeat the following two lines for each remote
time server. You may use either a hostname or IP address on the server
line. You _must_ use an IP address on the restrict line.

server x.y.z.w
restrict x.y.z.w

> #and
> restrict default ignore
> restrict x.y.z.w mask 255.255.255.255 nomodify notrap noquery
> restrict 127.0.0.1
>
> But the machine is not connected when ntp starts.

Because you omitted the restrict line for each remote time server.

> So I would add the servers from /etc/ppp/ip-up
> and also the restrictions too.

If you are using a dial-up you need to seriously reconsider your default
restrictions.

Assuming that you're talking about the ntpd running on the dial-up
system... Just list the remote time servers in your /etc/ntp.conf and
use /etc/ppp/ip-up to restart ntpd. Your ntpd will sync to a remote time
server in ~15.30 seconds if you use the 'iburst' option on the server
lines in your /etc/ntp.conf.

> The thing that I dont understand is when using, say, pool.ntp.org with
> addserver, then how can I specify the corresponding restrict command
> in ntpdc?

You must use IP addresses when you set restrictions in ntp.conf or with
ntpdc.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Support Project - http://ntp.isc.org/



More information about the questions mailing list