Yves Dorfsman
2007-11-07 14:07:48 UTC
I'm thinking there might be other people as confused as me "out here", so
I'll try here before I go the newsgroup way...
Here's my understanding of current ntp, and I'd love to hear where I'm
wrong, or any comments about it:
1) ntpdate is bad and shouldn't be used
2) ntpd talks over UDP, and on port 123 on BOTH sides
3) contrary to ntpdate, ntpd uses two connections, one going out, one
coming in (if I close connections coming in on port 123, ntpd -gq doesn't
work) ?
4) the "restrict" command in ntp.conf is very powerful (read dangerous),
widely misunderstood, badly documented, and affects ntpd not only as a
server, but as a client as well. Therefore, and contrary to what is
written in the comments of ntp.conf, "restrict default ignore" prevents
anybody from accessing your ntpd server, but ALSO prevents ntpd from
functioning as a client unless you add a restrict command for the server(s)
you are going to talk to.
5) you should really use *.pool.ntp.org rather than specific servers from
the internet
6) because of 2), 3), 4) and 5), you cannot use ntpd to sync your machine
from the internet without allowing other machines from the internet to
use you as a time server.
7) if you use "restrict default kod nomodify notrap nopeer noquery"
you're limiting the type of DoS attacks that can be done against you on
port 123, but some are still possible ???
Thank you !
Yves.
----
Yves Dorfsman ***@zioup.com
http://www.SollerS.ca
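An ntp.conf layout matching points 4 and 7 of the post, added here as an illustration and not taken from Yves' message or from any distribution's default file; the 192.0.2.10 address is a documentation placeholder and the pool hostnames are the ones the post refers to.

```conf
# Default policy for everyone: serve time, but refuse ntpq/ntpdc queries
# (noquery), runtime changes (nomodify), trap registration (notrap) and
# symmetric-peer associations (nopeer). Because this is not "ignore",
# replies from the servers configured below are still processed, so ntpd
# keeps working as a client.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# The local host keeps full access so ntpq/ntpdc work on this machine.
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers from the pool; their addresses are chosen by DNS.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst

# Stricter alternative (point 4): drop every packet by default and open up
# only the servers this host talks to. A "restrict default ignore" without
# these per-server lines also drops the servers' replies, so ntpd never
# synchronises. This does not combine well with *.pool.ntp.org, whose
# addresses change, hence a fixed placeholder address here.
# restrict default ignore
# restrict -6 default ignore
# restrict 192.0.2.10 nomodify notrap noquery
# server 192.0.2.10 iburst
```

With the first layout, outside hosts can still obtain time from this machine (point 6); only queries, modifications and peering are refused.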