ntp config tech note

Crist Clark crist.clark at globalstar.com
Fri May 21 16:50:21 UTC 2004


C. Jon Larsen wrote:
[snip]

> It's interesting to hear what other folks are doing. I had assumed folks 
> normally don't run ntpd on each and every server and that ntpdate + cron 
> was much preferred; maybe I am off-base.

After the last "big" xntpd vulnerability a few years ago, I went through
and made sure that I had the permissions set appropriately,

restrict <server1>	noquery nomodify
restrict <server2>	noquery nomodify
...
restrict 127.0.0.1	nomodify
restrict default	ignore

on UNIXen servers. Of course, I upgraded my daemons where possible, but
the vulnerability occurred late enough in the message processing that the
appropriate restrictions prevented exploit (the packet was dropped before
the vulnerable code was reached).

Of course, there still is the potential for vulnerabilities very, very early
in message processing, or in spoofed query responses if someone knows what
servers I use and is behind the firewall. But overall, I like it much better
than what the UNIX admin here used to do,

   0 2 * * * rdate timehost

-- 
Crist J. Clark                               crist.clark at globalstar.com
Globalstar Communications                                (408) 933-4387
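To audit a host's ntp.conf against the restrict policy described in the post above (default ignored, each configured server limited to noquery nomodify), here is an added checker; it is not from the post or from the ntp project, and the config text it runs on is constructed for the example.

```python
import re

# Constructed ntp.conf fragment (not a real host's config): one server is
# restricted as in the post, one has no restrict line, and default is weak.
SAMPLE_CONF = """\
server 192.0.2.10
server 192.0.2.11
restrict 192.0.2.10 noquery nomodify
restrict 127.0.0.1 nomodify
restrict default nomodify   # should be 'ignore' per the post
"""

PEER_FLAGS = {"noquery", "nomodify"}


def parse_ntp_conf(text):
    """Return (servers, restricts): server addresses in order, and a map
    of restrict address -> set of flags (the 'mask M' form is handled)."""
    servers, restricts = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments/blank lines
        parts = re.split(r"\s+", line) if line else []
        if len(parts) < 2:
            continue
        if parts[0] == "server":
            servers.append(parts[1])
        elif parts[0] == "restrict":
            flags = parts[2:]
            if flags[:1] == ["mask"]:             # restrict A mask M flags...
                flags = flags[2:]
            restricts.setdefault(parts[1], set()).update(flags)
    return servers, restricts


def audit_restrictions(text):
    """List policy deviations; an empty list means the config matches."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default' line: all hosts may query/modify")
    elif "ignore" not in default and not PEER_FLAGS <= default:
        findings.append("'restrict default' lacks ignore (or noquery+nomodify)")
    for srv in servers:
        flags = restricts.get(srv)
        if flags is None:
            findings.append(f"server {srv} has no restrict line; falls to default")
        elif "ignore" in flags:
            findings.append(f"server {srv} is 'ignore'd: its time replies are dropped")
        elif not PEER_FLAGS <= flags:
            findings.append(f"server {srv} restrict lacks noquery/nomodify")
    return findings
```

Run it on a real file with `audit_restrictions(open("/etc/ntp.conf").read())`; it only inspects restrict lines, so authentication and kod/limited settings are out of its scope.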
