The current openSUSE packaged NTP config contains the following:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
When they're enabled, ntp doesn't sync to my broadcast. Only when I comment them out does it work.
Which one of "default kod notrap nomodify nopeer noquery" is preventing my broadcast sync?
thanks Per
On 9/23/2014 10:23 AM, Per Jessen wrote:
> The current openSUSE packaged NTP config contains the following:
>
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
>
> When they're enabled, ntp doesn't sync to my broadcast. Only when I comment them out does it work.
>
> Which one of "default kod notrap nomodify nopeer noquery" is preventing my broadcast sync?
>
> thanks
> Per
Are you sure those are the only restrictions? Some suggest you also need a line to allow management from localhost and specific server lines for it to query.
server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict <some-ip-that-y0u-trust> <-------
The only part that is exploitable is the management functions. Serving time to others, even those outside your network, is not risky. Being able to manage it from outside is.
John Andersen wrote:
> Are you sure those are the only restrictions? Some suggest you also need a line to allow management from localhost and specific server lines for it to query.
>
> server ntp.ubuntu.com
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
> restrict <some-ip-that-y0u-trust> <-------
Right, the complete set is:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
Through trial & error I was able to determine that my broadcast worked when I commented out the two top ones.
My client setup:
broadcastclient
disable auth
Per Jessen wrote:
> Right, the complete set is:
>
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
Found it -
http://datacurrent.blogspot.ch/2008/04/simple-ntp-network-time-protocol-serv...
Also you have to remove the _nopeer_ option from the default restriction, otherwise ntpd will not open a new client connection to the NTP server when it receives a broadcast packet.
On Wed, Sep 24, 2014 at 08:22:52AM +0200, Per Jessen wrote:
> Right, the complete set is:
>
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
> restrict 127.0.0.1
> restrict ::1
>
> Through trial & error I was able to determine that my broadcast worked when I commented out the two top ones.
This will re-enable the remote denial of service amplification possibility against your machine if reachable from the outside world.

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launchin...

So make sure your ntp server is not reachable from outside your network if you use this, or use more fine-grained controls.
> My client setup:
>
> broadcastclient
> disable auth
Ciao, Marcus
Marcus Meissner wrote:
> So make sure your ntp server is not reachable from outside your network if you use this, or use more fine-grained controls.
Somehow, when this came up for me (call from ISP, "could you stop your NTP from being a contributor"...), I ended up with:

disable monitor
discard 3 1 67 ignore kod noquery nomodify
restrict default ignore kod nomodify notrap noquery
restrict -6 default ignore kod nomodify notrap noquery nopeer
restrict 192.168.3.0 mask 255.255.255.0
restrict 192.168.4.0 mask 255.255.255.0
restrict 127.0.0.1
restrict 173.164.175.66

which seemed to satisfy my ISP, but still looks like "Greek" to me... I.e. I wanted my edge server to serve 'time' outside but not be "misused".
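The three positions taken in this thread (John's point that only the management functions are exploitable, the blog's note that nopeer is what blocks broadcast sync, and Marcus's warning that dropping the default restrictions re-enables amplification) can be checked mechanically against a config file. The script below is an added example, not code from the thread or from the ntp project: it parses the restrict, broadcastclient and disable lines of an ntp.conf, reports what the default entries expose, and reports whether the entry matching the broadcast server still carries nopeer. The three config fragments, the 192.168.3.0/24 LAN, the broadcast server address 192.168.3.1, and the assumption that ntpd applies the most specific matching restrict entry (with a bare `restrict default` covering both address families) are all assumptions of the example.

```python
"""Audit an ntp.conf for the trade-off discussed in the thread (added example).
Assumed: ntpd applies the most specific matching 'restrict' entry, 'restrict
default' without -4/-6 covers both families, and 'nopeer' on that entry keeps
a broadcast client from mobilizing its association."""
import ipaddress

# ntp.conf fragments constructed for this example (not copied from a real host).
CONF_PACKAGED = """
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
broadcastclient
disable auth
"""
CONF_WORKAROUND = """
#restrict -4 default kod notrap nomodify nopeer noquery
#restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
broadcastclient
disable auth
"""
CONF_FINEGRAINED = """
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 192.168.3.0 mask 255.255.255.0 kod notrap nomodify noquery
restrict 127.0.0.1
broadcastclient
disable auth
"""

def parse_ntp_conf(text):
    """Return (restricts, directives): restricts is a list of (network, flags)
    with 'default' expanded to 0.0.0.0/0 and/or ::/0; directives holds the
    other keywords seen, each 'disable X' stored as the string 'disable X'."""
    restricts, directives = [], set()
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tokens:
            continue
        if tokens[0] == "disable":
            directives.update("disable " + t for t in tokens[1:])
            continue
        if tokens[0] != "restrict":
            directives.add(tokens[0])
            continue
        args = tokens[1:]
        family = args.pop(0) if args[0] in ("-4", "-6") else None
        target = args.pop(0)
        if target == "default":
            nets = {"-4": ipaddress.ip_network("0.0.0.0/0"),
                    "-6": ipaddress.ip_network("::/0")}
            chosen = [nets[family]] if family else list(nets.values())
        elif args[:1] == ["mask"]:
            chosen = [ipaddress.ip_network(f"{target}/{args[1]}", strict=False)]
            del args[:2]
        else:
            chosen = [ipaddress.ip_network(target)]
        restricts.extend((net, frozenset(args)) for net in chosen)
    return restricts, directives

def applicable_flags(restricts, client_ip):
    """Flags of the longest-prefix entry matching client_ip; an empty set means
    no entry matches, i.e. the client is not restricted at all."""
    addr = ipaddress.ip_address(client_ip)
    matches = [(net.prefixlen, flags) for net, flags in restricts
               if net.version == addr.version and addr in net]
    return max(matches, key=lambda m: m[0])[1] if matches else frozenset()

def audit(text, broadcast_server_ip=None):
    """Return the list of findings for one ntp.conf text."""
    restricts, directives = parse_ntp_conf(text)
    findings = []
    for label, version in (("IPv4", 4), ("IPv6", 6)):
        # flags of this family's default entry; no entry at all means no limits
        flags = next((f for n, f in restricts
                      if n.version == version and n.prefixlen == 0), frozenset())
        if "ignore" in flags:
            continue  # default drops every packet, nothing left to report
        if "noquery" not in flags:
            msg = f"{label} default answers mode 6/7 control queries from any host"
            if "disable monitor" not in directives:
                msg += "; nothing here stops monlist (amplification exposure)"
            findings.append(msg)
        if "nomodify" not in flags:
            findings.append(f"{label} default allows runtime modification from any host")
    if "broadcastclient" in directives:
        if broadcast_server_ip:
            flags = applicable_flags(restricts, broadcast_server_ip)
            blocker = next((f for f in ("ignore", "nopeer") if f in flags), None)
            if blocker:
                findings.append(f"broadcast from {broadcast_server_ip} blocked: "
                                f"matching restrict carries '{blocker}'")
        if "disable auth" in directives:
            findings.append("broadcastclient with 'disable auth': "
                            "unauthenticated broadcasts are accepted")
    return findings

if __name__ == "__main__":
    for name, conf in [("packaged", CONF_PACKAGED), ("workaround", CONF_WORKAROUND),
                       ("finegrained", CONF_FINEGRAINED)]:
        print(name, audit(conf, "192.168.3.1") or ["no findings"])
```

The third fragment is the shape Marcus's "more fine-grained controls" points at: the global default keeps nopeer and noquery, and only the subnet the broadcast arrives from gets an entry without nopeer, so the client syncs without reopening control queries to the world. The audit reports the trial-and-error workaround as exposing both control queries and runtime modification on both families, and still notes that `disable auth` accepts unauthenticated broadcasts in all three. To check a real file, call audit() on the contents of /etc/ntp.conf with your own broadcast server address.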