[ntp:questions] Generating keys for ntpdc control

Bob bobsjunkmail at bellsouth.net
Sat Jul 5 02:53:15 UTC 2008


"Per Hedeland" <per at hedeland.org> wrote in message 
news:g4m5s6$312b$1 at hedeland.org...
> In article <uCubk.27069$s77.14269 at bignews3.bellsouth.net> "Bob"
> <bobsjunkmail at bellsouth.net> writes:
>>
>>"Steve Kostecke" <kostecke at ntp.org> wrote in message
>>news:slrng6sdqh.lip.kostecke at stasis.kostecke.net...
>>
>>> None of the following is germane to your symmetric key issue, but ...
>>>
>>>> keys "C:\Program Files\NTP\etc\ntp.keys"
>>>> enable auth
>>>
>>> Auth is enabled by default. It can be disabled on the command-line. The
>>> worst that can happen is this line will generate an extra log entry.
>>
>>I disabled auth earlier this week, and promptly got attacked. I did an
>>enable auth with the intention of reversing my disable auth.
>
> Unless someone has done something really bad to current versions of the
> code, enable/disable auth has nothing to do with ntpdc control commands
> - those *always* require authentication, and if you haven't configured a
> key file, they just cannot be done. If (as you claimed earlier) your
> config got changed by someone else, you have bigger problems to chase
> (as in someone has broken into your system). I suspect that you were
> just seeing a badly-behaved client trying to get time from your server,
> though.
>
> --Per Hedeland
> per at hedeland.org

There was no change to my config file. I noticed that I was frequently 
polling a single server in addition to my normal list, which were being 
polled at their normal rate. I looked at my server list, via ntpdc, and 
there were about 15 entries for the same IP. I never told my system to look 
at that server. I saw reasonably frequent incoming requests from that 
server, and they were listed as mode 1. I looked at the time being received 
from that server, and its time was off by a couple of minutes. I'm willing 
to set my server to disable auth, and see if it happens again. This time 
Wireshark will be running to see what they're sending. 
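
For triaging a capture like the one planned above, a check of this kind picks out mode 1 (symmetric active) packets arriving from hosts that are not configured peers, and notes whether they carry a key ID and MAC. It is an added example, not part of the original thread; the function names, addresses and packets are constructed for illustration.

```python
# Added example: packets and addresses below are constructed, not captured.
NTP_HEADER_LEN = 48          # fixed header of a mode 1-5 time packet
MAC_TRAILER_LENS = (20, 24)  # 4-byte key ID + 16-byte MD5 or 20-byte SHA-1 digest
SYMMETRIC_ACTIVE = 1

def parse_header(payload):
    """Decode the fields needed to triage one NTP time packet."""
    if len(payload) < NTP_HEADER_LEN:
        raise ValueError("shorter than the 48-byte NTP header")
    first = payload[0]
    return {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": payload[1],
        "has_mac": len(payload) - NTP_HEADER_LEN in MAC_TRAILER_LENS,
    }

def unsolicited_symmetric_active(packets, configured_peers):
    """Count mode 1 packets per source that is not a configured peer."""
    findings = {}
    for src, payload in packets:
        try:
            hdr = parse_header(payload)
        except ValueError:
            continue  # truncated, or too short to be a time packet
        if hdr["mode"] != SYMMETRIC_ACTIVE or src in configured_peers:
            continue
        entry = findings.setdefault(src, {"packets": 0, "unauthenticated": 0})
        entry["packets"] += 1
        if not hdr["has_mac"]:
            entry["unauthenticated"] += 1
    return findings

def make_packet(version, mode, mac_len=0):
    """Build a constructed packet: LI=0, stratum 2, all other fields zero."""
    return bytes([(version << 3) | mode, 2]) + bytes(NTP_HEADER_LEN - 2 + mac_len)

CONFIGURED_PEERS = {"203.0.113.5"}               # hypothetical configured peer
SAMPLE = [                                       # (source address, UDP payload)
    ("192.0.2.10", make_packet(4, 3)),           # ordinary client request
    ("198.51.100.7", make_packet(4, 1)),         # mode 1, no MAC, not configured
    ("198.51.100.7", make_packet(3, 1)),         # same source, NTPv3
    ("203.0.113.5", make_packet(4, 1, 20)),      # configured peer with MD5 MAC
    ("198.51.100.7", b"\x21"),                   # truncated, skipped
]

if __name__ == "__main__":
    for src, stats in unsolicited_symmetric_active(SAMPLE, CONFIGURED_PEERS).items():
        print(src, stats)
```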
