[70692] in North American Network Operators' Group
Re: ntp config tech note
daemon@ATHENA.MIT.EDU (Crist Clark)
Fri May 21 12:50:55 2004
Date: Fri, 21 May 2004 09:50:21 -0700
From: Crist Clark <crist.clark@globalstar.com>
In-reply-to: <Pine.LNX.4.44.0405202324070.20245-100000@pologrounds.richweb.com>
To: "C. Jon Larsen" <jlarsen@richweb.com>
Cc: Adrian Chadd <adrian@creative.net.au>, nanog@nanog.org
Errors-To: owner-nanog-outgoing@merit.edu
C. Jon Larsen wrote:
[snip]
> It's interesting to hear what other folks are doing. I had assumed folks 
> normally don't run ntpd on each and every server and that ntpdate + cron 
> was much preferred; maybe I am off-base.
After the last "big" xntpd vulnerability a few years ago, I went through
and made sure that I had the permissions set appropriately,
restrict <server1>	noquery nomodify
restrict <server2>	noquery nomodify
...
restrict 127.0.0.1	nomodify
restrict default	ignore
On UNIXen servers. Of course, I upgraded my daemons where possible, but
the vulnerability occurred late enough in the message processing that the
appropriate restrictions prevented exploit (the packet was dropped before
the vulnerable code was reached).
Of course, there still is the potential for vulnerabilities very, very early
in message processing, or in spoofed query responses if someone knows what
servers I use and is behind the firewall. But overall, I like it much better
than what the UNIX admin here used to do,
   0 2 * * * rdate timehost
-- 
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
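
The following is an added example and is not part of Crist Clark's post or
of the ntp distribution. It is a small POSIX sh audit of an ntp.conf for the
restrict pattern described in the message above: a "restrict default ignore"
line (or at least noquery nomodify on default) so that unsolicited packets
are dropped before any later message-processing code runs, and nomodify on
every remaining restrict line. The sample configurations, the example server
names (ntp1.example.net, ntp2.example.net) and the temp-file paths are all
constructed for the demonstration; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ntp.conf for the
# restrict layout described above. Assumes classic ntpd "restrict" syntax.
# Sample file contents, hostnames and paths below are constructed.

# check_ntp_restrict FILE
# Returns 0 when a "restrict default" line exists and is "ignore" or carries
# both noquery and nomodify, and every other restrict line carries nomodify
# (or ignore). Returns 1 otherwise and prints the offending lines.
check_ntp_restrict() {
    conf="$1"
    rc=0

    default_line=$(grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$conf" | head -n 1)
    if [ -z "$default_line" ]; then
        echo "MISSING: no 'restrict default' line; ntpd answers everyone by default"
        rc=1
    else
        case "$default_line" in
            *ignore*) ;;                               # packet dropped outright
            *noquery*nomodify*|*nomodify*noquery*) ;;  # no control queries, no changes
            *) echo "WEAK: $default_line"; rc=1 ;;
        esac
    fi

    # Non-default restrict lines (servers, localhost) must at least forbid
    # runtime modification. Collect those that do not.
    weak=$(grep -E '^[[:space:]]*restrict[[:space:]]' "$conf" \
        | grep -Ev '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' \
        | grep -Ev 'nomodify|ignore' || true)
    if [ -n "$weak" ]; then
        echo "$weak" | sed 's/^/WEAK: /'
        rc=1
    fi
    return "$rc"
}

# Constructed sample following the layout in the post (placeholder servers).
write_hardened_sample() {
    f="${TMPDIR:-/tmp}/ntp-hardened.$$.conf"
    cat >"$f" <<'EOF'
server ntp1.example.net
server ntp2.example.net
restrict ntp1.example.net	noquery nomodify
restrict ntp2.example.net	noquery nomodify
restrict 127.0.0.1	nomodify
restrict default	ignore
EOF
    echo "$f"
}

# Constructed sample of a loose config: no default policy, and two restrict
# lines that still allow runtime modification through the control protocol.
write_loose_sample() {
    f="${TMPDIR:-/tmp}/ntp-loose.$$.conf"
    cat >"$f" <<'EOF'
server ntp1.example.net
restrict ntp1.example.net	noquery
restrict 127.0.0.1
EOF
    echo "$f"
}

# Usage: sh ntp-restrict-check.sh /etc/ntp.conf
if [ $# -gt 0 ]; then
    check_ntp_restrict "$1"
fi
```

Run it against a real file with `sh ntp-restrict-check.sh /etc/ntp.conf`; a
non-zero exit and WEAK/MISSING lines mean the daemon will still process
queries or modification requests from addresses that the post's layout
would have dropped at the restrict check.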