[ntp:questions] Why do many time servers time out on queries from ntpq -p?

Ryan Malayter malayter at gmail.com
Sat Apr 12 14:19:25 UTC 2008


On Apr 12, 12:29 am, Steve Kostecke <koste... at ntp.org> wrote:
> The server operator has set a 'noquery' restriction.

I'll try to pre-emptively answer the next question, which is likely to
be "why would they do that?"

The answer is security. On our network, we follow the principle of
least privilege. That is, we enable or allow only that which is
required to perform a particular function, and nothing else. Some
people call this a "default deny" permissions model.

ntpq can leak information about your internal network structure that
could be useful to an attacker. It is also another bit of
network-enabled code that could have buffer overflows or other
vulnerabilities. ntp (the protocol) functions just fine without mode
6/7 queries enabled, so they are disabled.
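
The following is an added example, not part of the original post: a small audit that reads an ntp.conf and lists the `restrict` entries whose sources can still issue the mode 6/7 queries discussed above. It assumes the standard ntpd `restrict` syntax; the sample configuration and the function names `parse_restrict` and `query_exposure` are constructed for illustration.

```python
# Added example: list which ntp.conf restrict entries still answer ntpq/ntpdc.
# SAMPLE_CONF is constructed for illustration (documentation address ranges).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer          # forgot noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1                                   # local ntpq stays usable
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict 198.51.100.7 ignore
server 0.pool.ntp.org iburst
"""

# Flags that stop ntpd answering mode 6/7 queries from a matching source:
# noquery drops only the queries, ignore drops every packet.
BLOCKS_QUERIES = {"noquery", "ignore"}

def parse_restrict(line):
    """Return (target, flags) for a restrict line, None for any other line."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    tokens = tokens[1:]
    family = ""
    if tokens[0] in ("-4", "-6") and len(tokens) > 1:
        family = tokens.pop(0) + " "
    target = family + tokens.pop(0)
    if len(tokens) >= 2 and tokens[0] == "mask":
        target += "/" + tokens[1]
        tokens = tokens[2:]
    return target, set(tokens)

def query_exposure(conf_text):
    """Targets whose sources can still query the daemon, in file order."""
    entries = [e for e in map(parse_restrict, conf_text.splitlines()) if e]
    exposed = [t for t, flags in entries if not flags & BLOCKS_QUERIES]
    # With no explicit default entry, ntpd's built-in default has no flags.
    if not any(t.split()[-1] == "default" for t, _ in entries):
        exposed.insert(0, "default (implicit)")
    return exposed

if __name__ == "__main__":
    for target in query_exposure(SAMPLE_CONF):
        print("answers mode 6/7 queries:", target)
```

In the sample, the IPv4 default entry is the one that matters: it omits `noquery`, so any remote host can run `ntpq -p` against the server, while the loopback entry is the usual deliberate exception for local monitoring.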



