Re: ntpd question

2004-03-10 Thread Matthew Seaman
On Tue, Mar 09, 2004 at 10:49:53PM -0500, Shaun T. Erickson wrote:
 I run ntpd to keep my server's time in sync with a remote server. In my 
 netstat -a output, I see:
 
 Active Internet connections (including servers)
 Proto Recv-Q Send-Q  Local Address  Foreign Address(state)
 udp4   0  0  localhost.ntp  *.*
 udp4   0  0  peter.ntp  *.*
 udp4   0  0  *.ntp  *.*
 
 I'm not running an ntp server, and would like these entries to go away. 
 I've looked at the ntpd man page and haven't been able to find any 
 option to tell it not to attach to ports. How can I do this? TIA.

Unfortunately if you're going to run ntpd, you can't get rid of these:
ntpd(8) will automatically bind to all interfaces on the system, and
there are no controls within ntpd to control that.  It's not so bad
though -- ntpd isn't generally known as a gaping security hole, and
the worst problem you'll probably have to deal with is people taking a
time service without asking.

There are some things you can do:

i) Set up the access controls within ntp.conf carefully.  The best
strategy is to set up a default 'deny all access' entry, and then just
open up sufficient access to the servers you want to use and to your
local network:

restrict default ignore                     # Ignore everything (i)
restrict 127.0.0.1                          # Completely unrestrict localhost
restrict 192.168.0.0 mask 255.255.255.0     # and local network

server 12.34.56.78
restrict 12.34.56.78 nomodify nopeer        # Let server supply timeservice (ii)

Unfortunately this approach requires that you know the IP numbers of
all servers you will be using, which doesn't really fit with using the
pool.ntp.org servers.  In that case, you can relax the default
restriction (i) to:

restrict default nomodify nopeer noserve  # Mostly ignore everything (i)

and the per server lines like (ii) are no-longer necessary. The
ntp.conf(5) man page has more details.

ii) Use firewall rulesets to prevent any external parties accessing
the NTP port on your network interface.  If you're using ipfw(8), a
good way to do that is setup a stateful rule that only allows incoming
NTP packets in response to stuff we've sent out:

add 999 allow udp from me 123 to any 123 keep-state out xmit fxp0

(change 'me' to your external public IP address, if you have a fixed
one).

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
Tel: +44 1628 476614
26 The Paddocks, Savill Way, Marlow, Bucks., SL7 1TH UK


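A small evaluator for the two restrict policies above, added here as an example and not code from the thread or from ntpd itself. It encodes the matching rule described in ntp.conf(5) (the most specific matching entry wins, with 'default' standing for 0.0.0.0/0) and the documented meaning of the flags, in particular that noserve denies all packets except ntpq/ntpdc queries, which the evaluator therefore treats as also dropping the replies from a server we polled. It then reports what each policy does with a reply from the configured server, a reply from a pool server whose address was not listed, and queries from the LAN and from outside. The third policy (nopeer plus noquery instead of noserve), the ntp.conf fragments and the addresses checked are constructed for illustration; the exact behaviour of each flag is whatever the ntp.conf(5) of the installed ntpd documents, so confirm against that before relying on the verdicts.

```python
"""Offline evaluator for ntpd 'restrict' policies (added example, not from the thread).

Rules modelled, as documented in ntp.conf(5):
  - the source address of an incoming packet is matched against all restrict
    entries and the most specific one (longest mask) applies; with no match at
    all the source is unrestricted;
  - ignore   : drop every packet from the source;
  - noserve  : drop every packet except ntpq/ntpdc queries, so replies from a
               server we polled are dropped as well;
  - noquery  : drop ntpq/ntpdc queries;
  - nomodify : answer queries but refuse run-time configuration changes;
  - nopeer   : refuse to form a new association with the source.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class RestrictEntry:
    net: ipaddress.IPv4Network
    flags: frozenset


def parse_restrict(conf: str) -> list:
    """Collect the 'restrict' lines of an ntp.conf; every other directive is skipped."""
    entries = []
    for raw in conf.splitlines():
        tok = raw.split("#", 1)[0].split()          # strip comments, tokenise
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        if tok[1] == "default":
            net, flags = ipaddress.ip_network("0.0.0.0/0"), tok[2:]
        elif len(tok) >= 4 and tok[2] == "mask":
            net = ipaddress.ip_network(f"{tok[1]}/{tok[3]}", strict=False)
            flags = tok[4:]
        else:                                        # single host, no mask keyword
            net, flags = ipaddress.ip_network(f"{tok[1]}/32"), tok[2:]
        entries.append(RestrictEntry(net, frozenset(flags)))
    return entries


def effective_flags(entries: list, src: str) -> frozenset:
    """Flags of the most specific entry matching src; empty set when nothing matches."""
    ip = ipaddress.ip_address(src)
    matches = [e for e in entries if ip in e.net]
    if not matches:
        return frozenset()
    return max(matches, key=lambda e: e.net.prefixlen).flags


def decide(entries: list, src: str, kind: str) -> str:
    """What ntpd does with a packet of the given kind from src.

    kind: 'time'   - an NTP time packet (a reply from a server we polled, or a
                     client's request for time)
          'query'  - a read-only ntpq/ntpdc query
          'modify' - an ntpq/ntpdc request that changes run-time configuration
          'peer'   - a packet that would create a new association
    Returns 'accept', 'refuse' (processed but the operation is denied) or 'drop'.
    """
    flags = effective_flags(entries, src)
    if "ignore" in flags:
        return "drop"                   # ignore: nothing from this source is looked at
    if kind in ("query", "modify"):
        if "noquery" in flags:
            return "drop"               # noquery: ntpq/ntpdc traffic is discarded
        if kind == "modify" and "nomodify" in flags:
            return "refuse"             # nomodify: queries answered, changes denied
        return "accept"
    if "noserve" in flags:
        return "drop"                   # noserve: every packet except ntpq/ntpdc queries
    if kind == "peer" and "nopeer" in flags:
        return "refuse"                 # nopeer: no new association with this source
    return "accept"


# Constructed ntp.conf fragments: the thread's policies (i) and (ii), plus an assumed
# variant that leaves time packets open but shuts out ntpq/ntpdc queries and peering.
POLICY_DENY_ALL = """
restrict default ignore
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0
server 12.34.56.78
restrict 12.34.56.78 nomodify nopeer
"""

POLICY_NOSERVE = """
restrict default nomodify nopeer noserve
restrict 127.0.0.1
"""

POLICY_NOQUERY = """
restrict default nomodify nopeer noquery notrap
restrict 127.0.0.1
"""

# Assumed addresses: the configured server, an unlisted pool server, a LAN host, an outsider.
CHECKS = [
    ("12.34.56.78", "time"),
    ("1.2.3.4", "time"),
    ("192.168.0.5", "query"),
    ("10.0.0.1", "query"),
    ("10.0.0.1", "peer"),
]


def report(name: str, conf: str) -> dict:
    """Print and return the verdict for every (source, kind) pair in CHECKS under conf."""
    entries = parse_restrict(conf)
    verdicts = {check: decide(entries, *check) for check in CHECKS}
    print(name)
    for (src, kind), verdict in verdicts.items():
        print(f"  {src:>12} {kind:<6} -> {verdict}")
    return verdicts


if __name__ == "__main__":
    report("policy (i): restrict default ignore", POLICY_DENY_ALL)
    report("policy (ii): restrict default nomodify nopeer noserve", POLICY_NOSERVE)
    report("assumed variant: restrict default nomodify nopeer noquery notrap", POLICY_NOQUERY)
```

Run it and compare the three reports, especially the verdicts for the 1.2.3.4 time reply and the 10.0.0.1 query: those two lines are the difference between a policy that works for a pool.ntp.org client and one that only serves the LAN.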


Re: ntpd question

2004-03-10 Thread Shaun T. Erickson
Matthew Seaman wrote:

 Unfortunately if you're going to run ntpd, you can't get rid of these:
 ntpd(8) will automatically bind to all interfaces on the system, and
 there are no controls within ntpd to control that.

Darn. Thanks for the suggestions! I was already controlling access to 
the port with my ipfilter firewall, and will continue to do so. I just 
believe in not letting anything bind to a port, that isn't required to.

	-ste

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ntpd question

2004-03-10 Thread Nathan Kinkade
On Tue, Mar 09, 2004 at 10:49:53PM -0500, Shaun T. Erickson wrote:
 I run ntpd to keep my server's time in sync with a remote server. In my 
 netstat -a output, I see:
 
 Active Internet connections (including servers)
 Proto Recv-Q Send-Q  Local Address  Foreign Address(state)
 udp4   0  0  localhost.ntp  *.*
 udp4   0  0  peter.ntp  *.*
 udp4   0  0  *.ntp  *.*
 
 I'm not running an ntp server, and would like these entries to go away. 
 I've looked at the ntpd man page and haven't been able to find any 
 option to tell it not to attach to ports. How can I do this? TIA.
 
   -ste

You could run ntpd with the -q option, which should cause ntpd to run,
update the clock and then exit.  The ports will still be open during the
time in which ntpd is running, which will likely only be a minute or
two.  This doesn't necessarily solve your issue, but it will allow
you to update your clock regularly and not have the ports open full time.
I run ntpd through a cron job that is set to run once a day, at a time
when Internet traffic is likely to be low.

Nathan
-- 
gpg --keyserver pgp.mit.edu --recv-keys D8527E49




ntpd question

2004-03-09 Thread Shaun T. Erickson
I run ntpd to keep my server's time in sync with a remote server. In my 
netstat -a output, I see:

Active Internet connections (including servers)
Proto Recv-Q Send-Q  Local Address  Foreign Address(state)
udp4   0  0  localhost.ntp  *.*
udp4   0  0  peter.ntp  *.*
udp4   0  0  *.ntp  *.*

I'm not running an ntp server, and would like these entries to go away. 
I've looked at the ntpd man page and haven't been able to find any 
option to tell it not to attach to ports. How can I do this? TIA.

	-ste
