[ntp:questions] notrust alternative?

mills at udel.edu mills at udel.edu
Mon Nov 6 16:02:29 UTC 2006


Dennis,

You are not reading my messages. Read them again; take them very 
seriously. You are being hacked. Any entries shown in ntpq other than 
those you configured are spurious and the result of tampering in the 
sources that leave here. It's very important to track down how that 
happened. Forget about the +, -, * issues; there are more important 
things going on here.

Dave

Dennis Hilberg Jr wrote:

> Maybe I'm misunderstanding the output of 'ntpq -p'.  When I use this command,
> a large list is printed to the screen (sometimes 60 or more entries in
> length), of which, the first five of the entries are the servers I have
> listed in my ntp.conf and the rest I'm assuming are clients, or systems using
> my server's clock as a synchronization source.  Am I correct on that?  Most of
> the time those five servers are the ones that have +, -, or * next to them.
> Of those five, there's always a * and usually two +.  On occasion though,
> some of the systems in the 'ntpq -p' output OTHER than my five servers have a
> + next to them.  Is this normal, based on my ntp.conf?  My concern is that my
> server might be using systems other than the five I have listed in my
> ntp.conf as a synchronization source.  Perhaps I should have worded my
> initial post this way, as some replies indicate that I might have failed to
> explain my situation properly.
> 
> Here is my ntp.conf again:
> 
> 
> # Default restriction.
> 
> restrict default kod nomodify notrap nopeer noquery
> 
> # Allow free access to localhost.
> 
> restrict 127.0.0.1
> 
> # Allow the local network access with the following modified restrictions.
> 
> restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
> 
> # Synchronization servers.  Include at least three, but no more than five.
> 
> server bigben.cac.washington.edu  iburst
> server montpelier.ilan.caltech.edu   iburst
> server tick.ucla.edu                        iburst
> server clock.xmission.com             iburst
> server clepsydra.dec.com              iburst
> 
> # Drift file location
> 
> driftfile /etc/ntp/drift
> 
> # Location of the log file
> 
> logfile /var/log/ntp/ntp.log
> 
> # NTP monitoring parameters
> 
> statsdir /var/log/ntp/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
> 
> # Authentication parameters
> 
> #keys           /etc/ntp/keys
> #trustedkey     2 3 4
> #controlkey     3       # To access the ntpq utility
> #requestkey     2       # To access the ntpdc utility
> 
> Thanks for all the help.
> 
> Dennis.
> 
> "Ronan Flood" <ronan at noc.ulcc.ac.uk> wrote in message news:eia97n$kn8$1 at canard.ulcc.ac.uk...
> | "Dennis Hilberg Jr" <dhilberg at comcast.net> wrote:
> |
> | > On one instance I noticed that in the output of 'ntpq -p' one of my server's
> | > clients was flagged with the '+'.  notrust under version 4.2 and later now
> | > means "Ignore all NTP packets that are not cryptographically authenticated"
> | > instead of the 4.1 and earlier versions where it meant "Don't trust this
> | > host/subnet for time."  How do I specify with version 4.2 and later that I
> | > only want the five server entries in the ntp.conf to be trusted for
> | > synchronization?  Or is this automatic, and that particular 'ntpq -p' output
> | > a fluke?
> |
> | 'nopeer' should prevent a client establishing a symmetric-passive
> | association on your server, so the ntp.conf you show in your later
> | message should be working.  Post the output of 'ntpq -p' showing
> | your client listed (with or without '+') and 'ntpq -classoc',
> | and 'ntpq "-crv nnn"' where nnn is the number of the association
> | (assID) for your client in the lassoc output.
> |
> | Hmm, "ntpdc -ncreslist" will show the active restrictions, so check
> | that matches your ntp.conf.
> |
> | -- 
> |                      Ronan Flood <R.Flood at noc.ulcc.ac.uk>
> |                        working for but not speaking for
> |             Network Services, University of London Computer Centre
> |     (which means: don't bother ULCC if I've said something you don't like) 
> 
> 
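An added check, not part of this thread or of the NTP distribution, that applies the point of Dave's reply: any association in the 'ntpq -p' billboard that does not correspond to a 'server' or 'peer' line in ntp.conf is suspect, and one carrying the '*' or '+' tally is being used for synchronization. It parses constructed sample output (the server names are the ones from Dennis's ntp.conf; the billboard rows and refids are made up) and assumes the standard 15-character truncation of the 'remote' column.

```python
# Constructed ntp.conf fragment using the server names from the thread.
SAMPLE_NTP_CONF = """\
restrict default kod nomodify notrap nopeer noquery
server bigben.cac.washington.edu  iburst
server montpelier.ilan.caltech.edu   iburst
server tick.ucla.edu                        iburst
"""

# Constructed 'ntpq -p' billboard; ntpq truncates 'remote' to 15 characters.
SAMPLE_NTPQ_P = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*bigben.cac.wash .GPS.            1 u   12   64  377   45.123   -0.512   0.321
+montpelier.ilan 10.1.2.3         2 u   20   64  377   60.004    1.200   0.800
 tick.ucla.edu   .GPS.            1 u   30   64  377   38.900    0.100   0.222
+192.168.1.57    192.168.1.1      3 u   10   64  377    0.420    2.000   0.300
"""

TALLY_CODES = "*+-#xo."  # first column of a billboard row; blank = discarded

def configured_servers(conf):
    """Hosts named on 'server' or 'peer' lines of ntp.conf."""
    return [p[1] for p in (l.split() for l in conf.splitlines())
            if len(p) > 1 and p[0] in ("server", "peer")]

def parse_billboard(text):
    """(tally, remote) pairs from 'ntpq -p' output, header lines skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.split()[0] == "remote":
            continue
        tally = line[0] if line[0] in TALLY_CODES else " "
        rows.append((tally, line[1:].split()[0]))
    return rows

def unexpected_associations(conf, billboard):
    """Rows whose remote matches no configured server.  Matching is by prefix
    because the remote column is truncated; if ntp.conf mixes names and
    addresses, feed this 'ntpq -pn' output and addresses instead."""
    servers = configured_servers(conf)
    return [(t, r) for t, r in parse_billboard(billboard)
            if not any(s.startswith(r) for s in servers)]

def unexpected_selected(conf, billboard):
    """Unexpected rows the selection algorithm is actually using ('*' or '+')."""
    return [(t, r) for t, r in unexpected_associations(conf, billboard)
            if t in "*+"]
```

On the sample data the only hit is the 192.168.1.57 row with a '+' tally, which is exactly the situation Dennis describes and the one to investigate before worrying about the tally codes on the configured servers.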
