[ntp:questions] problem with pool directive?

Rob nomail at example.com
Thu Nov 13 20:25:40 UTC 2014


Phil W Lee <phil at lee-family.me.uk> wrote:
> BTW, I also use and recommend the excellent Shield Up! security
> checking utility on the Gibson Research site.

And then he proceeds with:

> Clearly, if you operate a public server of any type, you may find that
> the relevant port(s) respond, but no others should give any response
> at all, and even ports with a service running on them may not respond.
> Correctly configured NTP servers don't actually respond to the probe,
> as it is not a correctly formatted ntp packet.
> Mine is a stratum 1 member of the uk pool, with a top availability
> score and more systems synchronising to it than you can shake a stick
> at, so clearly responds to ntp queries of the allowed types - but
> Shields Up! gives it a clean bill of health :-) 
> Few services are as discriminating, which says much for the security
> of ntp.
> In an ideal world, no service would respond at all to any packet which
> wasn't correctly formatted for that service.

I think those two statements are quite contradictory...

First you recommend "the excellent Shield Up! security checking utility"
and then you notice that it would not detect an NTP server even when it
was wide open without the operator's attention.

Apparently the checking utility is completely useless for this.

About as useless as Gibson's ideas, I could add.
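
Added example, not part of the original message or of any NTP implementation: a simplified Python model of the behaviour discussed in this thread, where a server answers only a well-formed NTP client (mode 3) request and silently drops anything else, so a generic UDP probe sees the same silence whether or not NTP is reachable. The function names, the constructed probe payloads and the stratum value are assumptions for illustration; they are not what any particular scanner sends or what ntpd does internally.

```python
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4

def build_client_request(version=4):
    """48-byte NTP client (mode 3) request with only the transmit timestamp set."""
    first = (0 << 6) | (version << 3) | MODE_CLIENT  # LI=0 | VN | Mode
    secs = (int(time.time()) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    # 1 flag byte + 3 zero bytes, then 11 words; words 9 and 10 are the transmit timestamp
    return struct.pack("!B3x11I", first, *([0] * 9), secs, 0)

def parse_header(data):
    """Return (leap, version, mode), or None if too short to be an NTP packet."""
    if len(data) < 48:
        return None
    b = data[0]
    return b >> 6, (b >> 3) & 0x7, b & 0x7

def model_server_reply(data):
    """Simplified model (assumption): reply to well-formed client requests only."""
    hdr = parse_header(data)
    if hdr is None or hdr[2] != MODE_CLIENT or not 1 <= hdr[1] <= 4:
        return None  # dropped silently, no error datagram
    now = (int(time.time()) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    first = (hdr[1] << 3) | MODE_SERVER
    head = struct.pack("!BB2x3I", first, 1, 0, 0, 0)  # stratum 1 is a constructed value
    # reference ts (zero), origin ts echoed from the request, receive ts, transmit ts
    return head + bytes(8) + data[40:48] + struct.pack("!4I", now, 0, now, 0)

def scan_verdict(probe):
    """What a probe sender would conclude from the model server's behaviour."""
    return "responds" if model_server_reply(probe) is not None else "silent"

# Constructed sample probes: empty, one byte, and a non-NTP payload over 48 bytes.
GENERIC_PROBES = [b"", b"\x00", b"GET / HTTP/1.0\r\n\r\n" + b" " * 40]

if __name__ == "__main__":
    for p in GENERIC_PROBES:
        print(f"generic probe ({len(p)} bytes): {scan_verdict(p)}")
    print("well-formed mode 3 request:", scan_verdict(build_client_request()))
```

To check the exposure of a server you operate, the probe has to be a valid NTP query; silence in response to malformed datagrams says nothing about whether the service is reachable.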


