Merit Network
Can't find what you're looking for? Search the Mail Archives.
  About Merit   Services   Network   Resources & Support   Network Research   News   Events   Home

Discussion Communities: Merit Network Email List Archives

North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: ntp config tech note

  • From: Crist Clark
  • Date: Fri May 21 12:52:46 2004

C. Jon Larsen wrote:
[snip]

Its interesting to hear what other folks are doing. I had assumed folks normally don't run ntpd on each and every server and that ntpdate + cron was much preferred; maybe I am off-base.
After the last "big" xntpd vulnerability a few years ago, I went through
and made sure that I had the permissions set appropriately,

restrict <server1>	noquery nomodify
restrict <server2>	noquery nomodify
...
restrict 127.0.0.1	nomodify
restrict default	ignore

On UNIXen servers. Of course, I upgraded my daemons where possible, but
the vulnerability occurred late enough in the message processing that the
approprate restrictions prevented exploit (the packet was dropped before
the vulernable code was reached).

Of course, there still is the potential for vulnerabilities very, very early
in message processing, or in spoofed query responses if someone knows what
servers I use and is behind the firewall. But overall, I like it much better
than what the UNIX admin here used to do,

  0 2 * * * rdate timehost

--
Crist J. Clark                               crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387




Discussion Communities


About Merit | Services | Network | Resources & Support | Network Research
News | Events | Contact | Site Map | Merit Network Home


Merit Network, Inc.