Date:      Wed, 10 Mar 2004 10:36:22 +0000
From:      Matthew Seaman <m.seaman@infracaninophile.co.uk>
To:        "Shaun T. Erickson" <ste@ste-land.com>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: ntpd question
Message-ID:  <20040310103622.GA49215@happy-idiot-talk.infracaninophile.co.uk>
In-Reply-To: <404E9061.3050805@ste-land.com>
References:  <404E9061.3050805@ste-land.com>



On Tue, Mar 09, 2004 at 10:49:53PM -0500, Shaun T. Erickson wrote:
> I run ntpd to keep my server's time in sync with a remote server. In my
> "netstat -a" output, I see:
>
> Active Internet connections (including servers)
> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
> udp4       0      0  localhost.ntp          *.*
> udp4       0      0  peter.ntp              *.*
> udp4       0      0  *.ntp                  *.*
>
> I'm not running an ntp server, and would like these entries to go away.
> I've looked at the ntpd man page and haven't been able to find any
> option to tell it not to attach to ports. How can I do this? TIA.

Unfortunately if you're going to run ntpd, you can't get rid of these:
ntpd(8) will automatically bind to all interfaces on the system, and
there are no controls within ntpd to control that.  It's not so bad
though -- ntpd isn't generally known as a gaping security hole, and
the worst problem you'll probably have to deal with is people taking a
time service without asking.

There are some things you can do:

i) Set up the access controls within ntp.conf carefully.  The best
strategy is to set up a default 'deny all access' entry, and then just
open up sufficient access to the servers you want to use and to your
local network:

    restrict default ignore           # Ignore everything (i)
    restrict 127.0.0.1                # Completely unrestrict localhost
    restrict 192.168.0.0 mask 255.255.255.0 # and local network

    server 12.34.56.78
    restrict 12.34.56.78 nomodify nopeer  # Let server supply timeservice (ii)

Unfortunately this approach requires that you know the IP numbers of
all servers you will be using, which doesn't really fit with using the
pool.ntp.org servers.  In that case, you can relax the default
restriction (i) to:

    restrict default nomodify nopeer noserve  # Mostly ignore everything (i)

and the per-server lines like (ii) are no longer necessary. The
ntp.conf(5) man page has more details.

ii) Use firewall rulesets to prevent any external parties accessing
the NTP port on your network interface.  If you're using ipfw(8), a
good way to do that is setup a stateful rule that only allows incoming
NTP packets in response to stuff we've sent out:

    add 999 allow udp from me 123 to any 123 keep-state out xmit fxp0

(change 'me' to your external public IP address, if you have a fixed
one).

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       26 The Paddocks
                                                      Savill Way
PGP: http://www.infracaninophile.co.uk/pgpkey         Marlow
Tel: +44 1628 476614                                  Bucks., SL7 1TH UK
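An added example, not part of Matthew's message or of the ntp distribution: a small Python checker that parses the two `restrict` policies above and reports, for a given source address, which entry ntpd would apply. ntpd picks the most specific matching entry (longest prefix), and a source that matches no entry at all is unrestricted, which is why the `restrict default` line does the real work. It handles IPv4 entries only and knows the subset of flags named in ntp.conf(5) that matter here; the server address 12.34.56.78 is the one from the message, while 192.168.0.42 and 203.0.113.5 are constructed sample sources.

```python
import ipaddress

# Flags from ntp.conf(5) that this checker understands. Anything else is
# rejected, so a typo in a flag name is caught before ntpd ever reads it.
KNOWN_FLAGS = {"ignore", "nomodify", "nopeer", "noserve",
               "noquery", "notrap", "kod", "limited"}


def parse_restrict_lines(conf_text):
    """Return [(network, flags)] for every IPv4 'restrict' line in conf_text.

    'restrict default' becomes 0.0.0.0/0; a host entry without 'mask' is a /32.
    Comments (after '#') and non-restrict lines such as 'server' are skipped.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.split()[0] != "restrict":
            continue
        _, target, *rest = line.split()
        if target == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            netmask = "255.255.255.255"          # single host unless 'mask' given
            if rest[:1] == ["mask"]:
                netmask = rest[1]
                rest = rest[2:]
            network = ipaddress.ip_network(f"{target}/{netmask}", strict=False)
        flags = frozenset(rest)
        unknown = flags - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown restrict flag(s) {sorted(unknown)} in: {raw.strip()}")
        rules.append((network, flags))
    return rules


def flags_for(rules, source_ip):
    """Flags ntpd applies to source_ip: the most specific matching entry wins.

    No matching entry at all means the source is unrestricted (empty set).
    """
    addr = ipaddress.ip_address(source_ip)
    best = None
    for network, flags in rules:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, flags)
    return best[1] if best else frozenset()


def serves_time(flags):
    """True if ordinary client time requests from this source would be answered."""
    return not (flags & {"ignore", "noserve"})


def allows_runtime_config(flags):
    """True if ntpq/ntpdc from this source could alter the running configuration."""
    return not (flags & {"ignore", "nomodify", "noquery"})


def report(conf_text, sources):
    """Map each source address to the sorted flag list the policy applies to it."""
    rules = parse_restrict_lines(conf_text)
    return {src: sorted(flags_for(rules, src)) for src in sources}


# Constructed sample (i)/(ii): deny everything, then open up only what is needed.
STRICT_CONF = """\
restrict default ignore           # Ignore everything (i)
restrict 127.0.0.1                # Completely unrestrict localhost
restrict 192.168.0.0 mask 255.255.255.0 # and local network

server 12.34.56.78
restrict 12.34.56.78 nomodify nopeer  # Let server supply timeservice (ii)
"""

# Constructed sample: the relaxed default for pool.ntp.org use, keeping the
# localhost and local-network entries.
RELAXED_CONF = """\
restrict default nomodify nopeer noserve  # Mostly ignore everything (i)
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0
server pool.ntp.org
"""

if __name__ == "__main__":
    probes = ["127.0.0.1", "192.168.0.42", "12.34.56.78", "203.0.113.5"]
    for name, conf in (("strict", STRICT_CONF), ("relaxed", RELAXED_CONF)):
        print(name)
        for src, flags in report(conf, probes).items():
            fl = frozenset(flags)
            print(f"  {src:<14} flags={flags or ['(none)']}"
                  f" serves_time={serves_time(fl)}"
                  f" runtime_config={allows_runtime_config(fl)}")
```

Running it shows the difference between the two policies for an unknown outside host: under the strict policy it hits `ignore` and gets nothing, under the relaxed one it gets `nomodify nopeer noserve`, so it still cannot reconfigure the daemon or form a peer association, and localhost and the 192.168.0.0/24 network stay unrestricted in both.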
