Dennis, I set up a likely scenario similar to yours and confirmed the default behavior, even with no restrictions, is to resist mobilizing a peer association as apparently happened to you. There was a code groom late last year, which might have produced a bug, but the groom was thoroughly checked specifically to resist apparent attacks like yours. In spite of that, the default behavior for many years before that is to resist mobilizing anything if authentication is not explicitly turned off.
What makes me even more suspicious is all those 16s for the peer poll interval. That is not credible, unless spoofed. Apparently, the spoofer is trying to heat up your wires and force you to consume memory and network bandwidth. I may have done something evil in allowing a symmetric active peer to obtain service while not allowing an association to be mobilized. That was done because the original Windows client used symmetric active mode when it should have used client mode. If the notrust bit is set, the perp will not get any response at all. However, the problem remains that those spoofed associations should never have been mobilized in the first place. If you can recreate the scenario, run ntpq and rv for one or more of those voodoo associations, then send the results. I'd like to see the peer poll interval and the modes.

Dave

Dennis Hilberg Jr wrote:
> No, I do not think I've been hacked, but I guess it's possible. The server
> is behind a router, with only the ssh, smtp, and ntp ports open.
>
> My system is Mandriva 2007 Free on x86. No xwindows, command line only.
> 'ntpq -c version' returns:
>
> saturn:# ntpq -c version
> ntpq [EMAIL PROTECTED] Sat Sep 30 08:43:12 MDT 2006 (1)
>
> 'ntpdc -ncreslist' returns:
>
> saturn:# ntpdc -ncreslist
>    address          mask            count        flags
> =====================================================================
> 0.0.0.0          0.0.0.0           93063  noquery, nomodify, nopeer, notrap, kod
> 127.0.0.1        255.255.255.255    1675  none
> 127.0.0.1        255.255.255.255       0  ntpport, interface, ignore
> 192.168.1.0      255.255.255.0        19  nomodify, nopeer, notrap
> 192.168.1.102    255.255.255.255       0  ntpport, interface, ignore
> ::               ::                    0  none
>
> My ntp.conf:
>
> # Default restriction.
> restrict default kod nomodify notrap nopeer noquery
>
> # Allow free access to localhost.
> restrict 127.0.0.1
>
> # Allow the local network access with the following modified restrictions.
> restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
>
> # Synchronization servers. Include at least three, but no more than five.
> server bigben.cac.washington.edu iburst     # University of Washington, Seattle, WA
> server montpelier.ilan.caltech.edu iburst   # California Institute of Technology, Pasadena, CA
> server tick.ucla.edu iburst                 # UCLA, Los Angeles, CA
> server clock.xmission.com iburst            # XMission Internet, Salt Lake City, Utah
> server clepsydra.dec.com iburst             # HP Western Research Laboratory, Palo Alto, CA
>
> # Drift file location
> driftfile /etc/ntp/drift
>
> # Location of the log file
> logfile /var/log/ntp/ntp.log
>
> # NTP monitoring parameters
> statsdir /var/log/ntp/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
>
> # Authentication parameters
> #keys /etc/ntp/keys
> #trustedkey 2 3 4
> #controlkey 3   # To access the ntpq utility
> #requestkey 2   # To access the ntpdc utility
>
> Do I have my access restrictions set up properly? Am I missing anything?
>
> Dennis
>
>
> "Richard B. Gilbert" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> | Dennis Hilberg Jr wrote:
> |
> | > Here is the result of 'ntpq -p' on my system:
> | >
> | > saturn:# ntpq -p
> | >      remote           refid      st t when poll reach   delay   offset  jitter
> | > ==============================================================================
> | > -bigben.cac.wash .USNO.           1 u   28   64  377   18.567    2.213   1.438
> | > +montpelier.ilan .USNO.           1 u   31   64  377   48.057    0.342   2.201
> | > +tick.ucla.edu   .PSC.            1 u   27   64  377   46.799   -0.404   2.485
> | > +clock.xmission. .GPS.            1 u   26   64  377   52.507    0.491   1.587
> | > *clepsydra.dec.c .GPS.            1 u   24   64  377   32.168    0.275   2.075
> | >  bdsl.66.13.214. 141.156.108.23   2 u    -   16  377    0.001  5384.58 124.872
> | > -71.216.67.53    63.119.46.3      2 u   16   16  373  131.452   21.951   6.855
> | >  host98.liberto. 216.52.237.153   3 u   15   16  377  100.925  -5344.6  40.603
> | >  cpe-65-186-213- 71.237.179.90    3 u   30   16  377   78.722  -386.14   5.327
> | >  i-195-137-59-20 192.245.169.15   2 u   15   16  277   43.804  7099.33 236.967
> | >  46.Red-80-38-9. 208.99.207.109   3 u   13   16  377  287.516  -3020.5  60.778
> | >  72.15.196.228   216.52.237.153   3 u   13   16  377    0.001  30573.1 142.754
> | >  213-84-173-46.a 192.245.169.15   2 u   10   16  377  1468.85  -11042.  11.560
> | >  70.150.125.170  71.237.179.90    3 u    9   16  377   85.168  -40.077   6.857
> | > -adsl-68-255-97- 64.81.199.165    2 u    8   16  377  106.531  -12.162   2.902
> | >  65.5.127.231    71.237.179.90    3 u    8   16  377   88.479  -59.875   9.769
> | >  mail.thamesself 71.237.179.90    3 u    7   16  377  172.238  -23.748  13.801
> | >  217-116-10-20.r 66.92.77.98      3 u    8   16  377  731.425  -1245.1  42.582
> | >  70.150.30.72    71.237.179.90    3 u    6   16  377  101.407  968.326   4.586
> | > -adsl-158-64-228 141.156.108.23   2 u   98   16  374  109.658    3.006   2.807
> | >  S01060011d8dcef 216.165.129.244  2 u    5   16  277   52.252  2650.47  33.139
> | >  neu67-4-88-160- 209.132.176.4    2 u    5   16  377   71.208  29201.2 102.426
> | >  host204-64-dyna 192.245.169.15   2 u  356   16  300   49.252  4497.48  43.638
> | >  227-33.netwurx. 71.237.179.90    3 u    4   16  357  123.479  -59.126   9.594
> | >  226.Red-83-41-1 81.169.139.140   3 u    2   16  177  284.796  539.697  34.158
> | >  adsl-212-42-174 209.132.176.4    2 u    9   16  327  204.512   95.673  62.616
> | >  cpe-24-24-123-2 80.127.4.179     2 u    2   16  377    0.001  11796.3 115.867
> | > -70-89-23-210-ph 216.52.237.153   3 u   11   16  176   83.227  -18.373   1.094
> | >  65.5.122.162    72.3.133.147     3 u  261  256    4   99.722    1.725   0.001
> | > #194.150.135.94  81.169.152.214   3 u   10   16   76  293.509  -14.045   7.274
> | >  host114-244-dyn 192.245.169.15   2 u  212   16   30    0.001  4720.98 126.715
> | >  bdsl.66.13.227. 63.119.46.3      2 u   72  256    7  117.779   -4.601   4.494
> | > -mail.getmedium. 63.119.46.3      2 u   16   16   16  125.852   16.342   2.413
> | >  host119-247-dyn 192.245.169.15   2 u    4   16    5    0.001  5061.93 236.150
> | >  64.184.118.233  216.106.191.180  3 u  117   16    2    0.001  -100239   0.001
> | >  host134.209.113 63.119.46.3      2 u   34  128    3    0.001  -603.10 859.203
> | > -157.199.7.146   198.60.22.240    2 u    1   16    3   84.881  -21.815   1.294
> | >  d54C3CA72.acces 192.245.169.15   2 u    5   16    3  169.735  -375.17   1.819
> | >  ACaen-251-1-63- 81.169.152.214   3 u    4   16    2  441.105   68.311  24.742
> | > #ip-207-145-35-7 65.19.139.44     3 u    4   16    3  144.620   22.869   6.186
> | >  mulder.f5.com   216.52.237.153   3 u   66   16    2    5.431  -14.845   0.001
> | >  65.107.178.178. 141.156.108.23   2 u   16   16    2   98.225  -3365.3   2.504
> | >  wsip-68-14-240- 63.119.46.3      2 u   15   16    1   46.460  -24.621   1.612
> | >  c-67-166-119-12 71.237.179.90    3 u   10   16    1    0.001  1149.46   4.429
> | >  cpe-24-209-208- 66.92.68.11      2 u    9   16    1    0.001  -777.07  22.086
> | >  foreman.heartla 75.13.24.211     2 u    8   16    1  172.065  -68.752   1.445
> | >  cpe-65-27-168-2 141.156.108.23   2 u   22   64    1   87.519  124.139   0.001
> | >
> | > The first five servers listed above are the same ones listed in my
> | > ntp.conf as synchronization sources. What are the rest of them?
> | >
> | > 'ntpdc -c monlist' returns 384 entries. Is that typical?
> | >
> |
> | If you are operating a server, 384 clients does not seem unreasonable.
> | For clients to show up on the ntpq banner like that, they would almost
> | have to be "peers". From the looks of things, you would not want most
> | of them as peers; they seem to be clueless about what time it is
> | (assuming that your server is correct). Actually, about half of them
> | could not even be peers because they are at stratum 3 and your server
> | would appear to be at stratum 2.
> |
> | I would study the "restrict" statement and add restrict statements that
> | would prevent anyone from peering with my server (at least any of THAT
> | crowd)!!! I might even scrub my hands with disinfectant when I
> | finished!!!!!! YUCK!!!!!!!!!!!!!!!
> |
> | FWIW, I tried a couple of those addresses with "ping", "ntpq", and
> | "ntpdate" and got no response. I tried one with nslookup and got no
> | translation. I'd say it's a pretty "ripe" collection!!
> |
> | What platform are you running on? Which O/S? What version? Do you
> | have a firewall? Is it possible that your system has been "hacked"?
> |
>

_______________________________________________
questions mailing list
[email protected]
https://lists.ntp.isc.org/mailman/listinfo/questions
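The two things the thread keys on, associations that are not in the configured server list (Dennis's "What are the rest of them?") and the implausible poll interval of 16 s (Dave's "all those 16s"), can be checked mechanically from the `ntpq -p` billboard. The script below is an added example written for this page; it is not code from the thread, from Dave Mills, or from the NTP project. It relies on two ntpd facts: ntpq truncates the `remote` column to 15 characters (which is why `clepsydra.dec.com` prints as `clepsydra.dec.c`), and a configured association defaults to `minpoll 6`, i.e. 64 s. The sample billboard rows are constructed from the output quoted above, and the 1000 ms offset threshold is an arbitrary choice for the example.

```python
import re
from dataclasses import dataclass

# Added example (not code from the thread or from the NTP project): parse an
# `ntpq -p` billboard and flag associations that are not in the configured
# server list or that poll faster than ntpd's default minpoll of 2**6 = 64 s.
# The rows below are constructed from the output quoted in the thread.
SAMPLE_BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-bigben.cac.wash .USNO.           1 u   28   64  377   18.567    2.213   1.438
+montpelier.ilan .USNO.           1 u   31   64  377   48.057    0.342   2.201
+tick.ucla.edu   .PSC.            1 u   27   64  377   46.799   -0.404   2.485
+clock.xmission. .GPS.            1 u   26   64  377   52.507    0.491   1.587
*clepsydra.dec.c .GPS.            1 u   24   64  377   32.168    0.275   2.075
 bdsl.66.13.214. 141.156.108.23   2 u    -   16  377    0.001  5384.58 124.872
-71.216.67.53    63.119.46.3      2 u   16   16  373  131.452   21.951   6.855
 host98.liberto. 216.52.237.153   3 u   15   16  377  100.925  -5344.6  40.603
 65.5.122.162    72.3.133.147     3 u  261  256    4   99.722    1.725   0.001
"""

# The `server` directives from the quoted ntp.conf.
CONFIGURED_SERVERS = [
    "bigben.cac.washington.edu",
    "montpelier.ilan.caltech.edu",
    "tick.ucla.edu",
    "clock.xmission.com",
    "clepsydra.dec.com",
]

DEFAULT_MINPOLL_SECONDS = 64   # ntpd default minpoll 6 -> 2**6 s
REMOTE_COLUMN_WIDTH = 15       # ntpq truncates the remote column to 15 chars

# One billboard row: tally, remote, refid, st, t, when, poll, reach, delay,
# offset, jitter. Header, separator and mail-wrapped fragments will not match.
_ROW = re.compile(
    r"^(?P<tally>[ *+#x.o-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>\S+)\s+(?P<offset>\S+)\s+(?P<jitter>\S+)\s*$"
)


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    poll: int          # seconds
    reach: int         # 8-bit shift register, printed by ntpq in octal
    offset_ms: float


def _num(field: str) -> float:
    # ntpq truncates wide numbers, e.g. "-11042." in the quoted output.
    return float(field.rstrip("."))


def parse_billboard(text: str) -> list[Peer]:
    peers = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header, separator, or a line wrapped by a mail client
        peers.append(Peer(
            m["tally"], m["remote"], m["refid"], int(m["st"]),
            int(m["poll"]), int(m["reach"], 8), _num(m["offset"]),
        ))
    return peers


def expected_remotes(servers: list[str]) -> set[str]:
    # Compare against the truncated form ntpq prints, e.g. "clepsydra.dec.c".
    return {s[:REMOTE_COLUMN_WIDTH] for s in servers}


def audit(peers, servers, minpoll=DEFAULT_MINPOLL_SECONDS, max_offset_ms=1000.0):
    """Return {remote: [reasons]} for every association worth a second look."""
    expected = expected_remotes(servers)
    findings = {}
    for p in peers:
        reasons = []
        if p.remote not in expected:
            reasons.append("not a configured server")
        if p.poll < minpoll:
            reasons.append(f"poll {p.poll}s is below minpoll {minpoll}s")
        if abs(p.offset_ms) > max_offset_ms:   # threshold is an example choice
            reasons.append(f"offset {p.offset_ms:.1f} ms")
        if reasons:
            findings[p.remote] = reasons
    return findings


if __name__ == "__main__":
    report = audit(parse_billboard(SAMPLE_BILLBOARD), CONFIGURED_SERVERS)
    for remote, reasons in report.items():
        print(f"{remote:<15} {'; '.join(reasons)}")
```

On the sample rows the five configured servers come back clean, the three 16 s pollers are flagged on every count, and `65.5.122.162` is flagged only because it is not in ntp.conf (its poll of 256 s is within normal range). To run it against a live daemon, feed `ntpq -pn` output (numeric addresses avoid the 15-character hostname truncation) into `parse_billboard` and pass the `server` names from the real ntp.conf; it is a triage aid for spotting what Dave calls "voodoo associations", not a substitute for the `rv` output he asks for.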
