ntpd question

Matthew Seaman m.seaman at infracaninophile.co.uk
Wed Mar 10 02:36:29 PST 2004


On Tue, Mar 09, 2004 at 10:49:53PM -0500, Shaun T. Erickson wrote:
> I run ntpd to keep my server's time in sync with a remote server. In my 
> "netstat -a" output, I see:
> 
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp4       0      0  localhost.ntp          *.*
> udp4       0      0  peter.ntp              *.*
> udp4       0      0  *.ntp                  *.*
> 
> I'm not running an ntp server, and would like these entries to go away. 
> I've looked at the ntpd man page and haven't been able to find any 
> option to tell it not to attach to ports. How can I do this? TIA.

Unfortunately if you're going to run ntpd, you can't get rid of these:
ntpd(8) will automatically bind to all interfaces on the system, and
there are no controls within ntpd to control that.  It's not so bad
though -- ntpd isn't generally known as a gaping security hole, and
the worst problem you'll probably have to deal with is people taking a
time service without asking.

There are some things you can do:

i) Set up the access controls within ntp.conf carefully.  The best
strategy is to set up a default 'deny all access' entry, and then just
open up sufficient access to the servers you want to use and to your
local network:

    restrict default ignore           # Ignore everything (i)
    restrict 127.0.0.1                # Completely unrestrict localhost
    restrict 192.168.0.0 mask 255.255.255.0 # and local network

    server 12.34.56.78
    restrict 12.34.56.78 nomodify nopeer  # Let server supply timeservice (ii)

Unfortunately this approach requires that you know the IP numbers of
all servers you will be using, which doesn't really fit with using the
pool.ntp.org servers.  In that case, you can relax the default
restriction (i) to:

    restrict default nomodify nopeer noserve  # Mostly ignore everything (i)

and the per-server lines like (ii) are no longer necessary. The
ntp.conf(5) man page has more details.

ii) Use firewall rulesets to prevent any external parties accessing
the NTP port on your network interface.  If you're using ipfw(8), a
good way to do that is to set up a stateful rule that only allows incoming
NTP packets in response to stuff we've sent out:

    add 999 allow udp from me 123 to any 123 keep-state out xmit fxp0

(change 'me' to your external public IP address, if you have a fixed
one).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
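As an added worked example (not part of Matthew's message or of the ntp distribution), the small Python script below parses the `restrict` lines of an ntp.conf fragment and reports which flags ntpd would apply to a packet from a given source address, so you can check an access-control scheme like the one above before deploying it. It assumes ntpd's "most specific matching restrict entry wins" behaviour, handles IPv4 only, ignores ties, and the sample configuration text is constructed here from the message's own example (12.34.56.78 is the message's placeholder server address).

```python
import ipaddress

# Constructed ntp.conf fragment copied from the scheme in the message above
# (tight form: deny everything by default, then open up what is needed).
TIGHT_NTP_CONF = """\
restrict default ignore           # Ignore everything (i)
restrict 127.0.0.1                # Completely unrestrict localhost
restrict 192.168.0.0 mask 255.255.255.0 # and local network

server 12.34.56.78
restrict 12.34.56.78 nomodify nopeer  # Let server supply timeservice (ii)
"""

# Constructed: the relaxed default the message suggests for pool.ntp.org use.
RELAXED_NTP_CONF = """\
restrict default nomodify nopeer noserve
server 12.34.56.78
"""

# Constructed: no restrict line at all, i.e. everything is allowed.
OPEN_NTP_CONF = "server 12.34.56.78\n"


def parse_restrict_lines(conf_text):
    """Return a list of (IPv4Network, frozenset(flags)) from 'restrict' lines.

    'restrict default' is modelled as 0.0.0.0/0; 'addr mask m.m.m.m' is
    folded into a prefix; a bare address is a single host (/32).
    Comments (#) and non-restrict lines are skipped.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        if words[0] != "restrict":
            continue
        args = words[1:]
        if args[0] == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
            flags = args[1:]
        elif len(args) >= 3 and args[1] == "mask":
            net = ipaddress.ip_network(f"{args[0]}/{args[2]}", strict=False)
            flags = args[3:]
        else:
            net = ipaddress.ip_network(args[0])
            flags = args[1:]
        rules.append((net, frozenset(flags)))
    return rules


def effective_flags(rules, client_ip):
    """Flags applied to a packet from client_ip.

    Assumption (simplified ntpd semantics): the most specific matching
    entry wins. Returns None when no entry matches at all.
    """
    ip = ipaddress.ip_address(client_ip)
    best_net, best_flags = None, None
    for net, flags in rules:
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_flags = net, flags
    return best_flags


def default_policy(rules):
    """Flags on the 'restrict default' entry, or None if there is none
    (the weak case: anyone may use, query and attempt to modify the daemon)."""
    for net, flags in rules:
        if net.prefixlen == 0:
            return flags
    return None


if __name__ == "__main__":
    probes = ["10.0.0.5", "192.168.0.7", "127.0.0.1", "12.34.56.78"]
    for name, conf in [("tight", TIGHT_NTP_CONF), ("relaxed", RELAXED_NTP_CONF),
                       ("open", OPEN_NTP_CONF)]:
        rules = parse_restrict_lines(conf)
        print(f"[{name}] default policy: {default_policy(rules)}")
        for ip in probes:
            print(f"  {ip:>14} -> {effective_flags(rules, ip)}")
```

Run it against your real /etc/ntp.conf by reading the file into `parse_restrict_lines`; a `default_policy` of `None` means the daemon is answering everyone, which is exactly the situation the message's first recommendation is meant to close off.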