[opensuse] ntp default restrict options - seems to block broadcastclient ?
The current openSUSE packaged NTP config contains the following:

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

When they're enabled, ntp doesn't sync to my broadcast. Only when I comment them out does it work.

Which one of "default kod notrap nomodify nopeer noquery" is preventing my broadcast sync?

thanks
Per
--
Per Jessen, Zürich (15.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 9/23/2014 10:23 AM, Per Jessen wrote:
The current openSUSE packaged NTP config contains the following:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
When they're enabled, ntp doesn't sync to my broadcast. Only when I comment them out does it work.
Which one of "default kod notrap nomodify nopeer noquery" is preventing my broadcast sync?
thanks Per
Are you sure those are the only restrictions? Some suggest you also need a line to allow management from localhost and specific server lines for it to query.

server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict <some-ip-that-y0u-trust> <-------

The only part that is exploitable is the management functions. Serving time to others, even those outside your network, is not risky. Being able to manage it from outside is.
--
_____________________________________
---This space for rent---
John Andersen wrote:
On 9/23/2014 10:23 AM, Per Jessen wrote:
The current openSUSE packaged NTP config contains the following:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
When they're enabled, ntp doesn't sync to my broadcast. Only when I comment them out does it work.
Which one of "default kod notrap nomodify nopeer noquery" is preventing my broadcast sync?
thanks Per
Are you sure those are the only restrictions? Some suggest you also need a line to allow management from localhost and specific server lines for it to query.
server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict <some-ip-that-y0u-trust> <-------
Right, the complete set is:

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

Through trial & error I was able to determine that my broadcast worked when I commented out the two top ones.

My client setup:

broadcastclient
disable auth
--
Per Jessen, Zürich (15.1°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
Per Jessen wrote:
John Andersen wrote:
On 9/23/2014 10:23 AM, Per Jessen wrote:
The current openSUSE packaged NTP config contains the following:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
When they're enabled, ntp doesn't sync to my broadcast. Only when I comment them out does it work.
Which one of "default kod notrap nomodify nopeer noquery" is preventing my broadcast sync?
thanks Per
Are you sure those are the only restrictions? Some suggest you also need a line to allow management from localhost and specific server lines for it to query.
server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict <some-ip-that-y0u-trust> <-------
Right, the complete set is:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
Found it - http://datacurrent.blogspot.ch/2008/04/simple-ntp-network-time-protocol-serv...
Also you have to remove the _nopeer_ option from the default restriction, otherwise ntpd will not open a new client connection to the NTP server when it receives a broadcast packet.
--
Per Jessen, Zürich (15.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On Wed, Sep 24, 2014 at 08:22:52AM +0200, Per Jessen wrote:
John Andersen wrote:
On 9/23/2014 10:23 AM, Per Jessen wrote:
The current openSUSE packaged NTP config contains the following:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
When they're enabled, ntp doesn't sync to my broadcast. Only when I comment them out does it work.
Which one of "default kod notrap nomodify nopeer noquery" is preventing my broadcast sync?
thanks Per
Are you sure those are the only restrictions? Some suggest you also need a line to allow management from localhost and specific server lines for it to query.
server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict <some-ip-that-y0u-trust> <-------
Right, the complete set is:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
Through trial & error I was able to determine that my broadcast worked when I commented out the two top ones.
This will re-enable the remote denial-of-service amplification possibility against your machine if it is reachable from the outside world.

http://www.symantec.com/connect/blogs/hackers-spend-christmas-break-launchin...

So make sure your ntp server is not reachable from outside your network if you use this, or use more fine-grained controls.
My client setup:
broadcastclient
disable auth

Ciao, Marcus
Marcus Meissner wrote:
On Wed, Sep 24, 2014 at 08:22:52AM +0200, Per Jessen wrote:
Are you sure those are the only restrictions? Some suggest you also need a line to allow management from localhost and specific server lines for it to query.
server ntp.ubuntu.com
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict <some-ip-that-y0u-trust> <-------
Right, the complete set is:
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

So make sure your ntp server is not reachable from outside your network if you use this, or use more fine-grained controls.
My client setup:
broadcastclient
disable auth
Somehow, when this came up for me (call from ISP, "could you stop your NTP from being a contributor"...)... I ended up with:

disable monitor
discard 3 1 67 ignore kod noquery nomodify
restrict default ignore kod nomodify notrap noquery
restrict -6 default ignore kod nomodify notrap noquery nopeer
restrict 192.168.3.0 mask 255.255.255.0
restrict 192.168.4.0 mask 255.255.255.0
restrict 127.0.0.1
restrict 173.164.175.66

--- which seemed to satisfy my ISP, but still looks like "Greek" to me...

--- I.e. I wanted my edge server to serve 'time' outside but not be "misused".
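The thread settles two separate questions: Per's blog link explains that `nopeer` on the matching `restrict` entry is what stops a `broadcastclient` from mobilising an association for a broadcast source, and Marcus points out that commenting the whole default entries out also drops `noquery`, which (together with Linda's `disable monitor`) is what closes the monlist amplification vector. The checker below is an added example written for this page, not code from the list archive or from the ntp project. It parses `restrict` lines the way the thread uses them, resolves the effective flags for an address with ntpd's most-specific-entry rule, and reports both answers for three constructed configs: the openSUSE default, Per's `nopeer`-only fix, and the "comment both lines out" workaround. It is a static approximation of ntpd's access control, not ntpd itself.

```python
"""Static check of ntpd `restrict` semantics discussed in the thread.

Added example, not from the list or the ntp project.  Models two behaviours
the thread establishes: `nopeer` on the entry matching a broadcaster stops a
`broadcastclient` from mobilising an association, and `noquery` or
`disable monitor` closes the monlist amplification vector.  Matching uses
ntpd's rule that the most specific (longest-prefix) entry wins.  All configs
below are constructed samples; the checker is an approximation, not ntpd."""
import ipaddress
from typing import List, Set, Tuple

Entry = Tuple[object, Set[str]]          # (ip_network, flags)


def parse_conf(conf: str) -> Tuple[List[Entry], List[List[str]]]:
    """Split ntp.conf text into restrict entries and other keyword lines."""
    entries: List[Entry] = []
    other: List[List[str]] = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments / blank lines
        if not tokens:
            continue
        if tokens[0] != "restrict":
            other.append(tokens)
            continue
        tokens = tokens[1:]
        family = None                           # -4 / -6 narrows a default entry
        if tokens[0] in ("-4", "-6"):
            family = 4 if tokens.pop(0) == "-4" else 6
        target = tokens.pop(0)
        if target == "default":
            nets = []
            if family in (None, 4):
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if family in (None, 6):
                nets.append(ipaddress.ip_network("::/0"))
        elif "mask" in tokens:                  # restrict NET mask MASK flags...
            i = tokens.index("mask")
            nets = [ipaddress.ip_network(f"{target}/{tokens[i + 1]}", strict=False)]
            del tokens[i:i + 2]
        else:                                   # single host
            nets = [ipaddress.ip_network(target)]
        for net in nets:
            entries.append((net, set(tokens)))
    return entries, other


def effective_flags(entries: List[Entry], addr: str) -> Set[str]:
    """Flags of the most specific entry covering addr (empty set if none)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for net, flags in entries:
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return set(best[1]) if best else set()


def broadcast_sync_allowed(conf: str, broadcaster: str) -> bool:
    """Would a broadcastclient accept time from this broadcaster's address?"""
    entries, other = parse_conf(conf)
    if not any(t[0] == "broadcastclient" for t in other):
        return False
    # `ignore` drops the packet outright; `nopeer` refuses the new association
    # the broadcast would mobilise, which is what Per's blog link describes.
    return not ({"ignore", "nopeer"} & effective_flags(entries, broadcaster))


def monlist_exposed(conf: str, client: str) -> bool:
    """Can this client address issue the mode-7 monlist query?"""
    entries, other = parse_conf(conf)
    if any(t[0] == "disable" and "monitor" in t[1:] for t in other):
        return False                            # monitor facility switched off
    return not ({"ignore", "noquery"} & effective_flags(entries, client))


# Constructed samples mirroring the configs quoted in the thread.
OPENSUSE_DEFAULT = """
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
broadcastclient
disable auth
"""
# Per's final fix: only `nopeer` dropped from the two default entries.
NOPEER_REMOVED = OPENSUSE_DEFAULT.replace(" nopeer", "")
# Per's first workaround: both default entries commented out (Marcus's concern).
DEFAULTS_COMMENTED = "\n".join(
    ("#" + l if l.startswith("restrict -") else l)
    for l in OPENSUSE_DEFAULT.splitlines())

if __name__ == "__main__":
    for name, conf in [("default", OPENSUSE_DEFAULT),
                       ("nopeer removed", NOPEER_REMOVED),
                       ("defaults commented", DEFAULTS_COMMENTED)]:
        print(f"{name:20} broadcast from LAN: "
              f"{broadcast_sync_allowed(conf, '192.168.1.1')!s:5}  "
              f"monlist from Internet: {monlist_exposed(conf, '203.0.113.5')}")
```

Running it shows the point Marcus makes: the `nopeer`-only change lets the broadcast association form while `noquery` still blocks monlist from outside, whereas commenting both default lines out fixes the broadcast but also answers monlist from any Internet address. Localhost stays able to query in every variant because the `restrict 127.0.0.1` entry carries no flags, which is the management access John's reply describes.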
participants (4)
- John Andersen
- Linda Walsh
- Marcus Meissner
- Per Jessen