I just added some experimental restrict statements to one of my servers:
restrict default notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.0.0 mask 255.255.255.0 peer
and it now seems that the pool
On 20/12/14 22:01, Rob wrote:
David Woolley david@ex.djwhome.demon.invalid wrote:
On 20/12/14 19:58, William Unruh wrote:
Is it an ntp packet (ie a time exchange packet)? is it a control packet
(eg ntpq type packet?) or what?
Ie, unless you use crypto, these two look like they might be
On 20/12/14 20:54, A C wrote:
Ok, so the remaining uncertainty is whether some of the crafted packets
can be the response packets for a normal time exchange or if they're
only query/config packets. The advisory isn't completely clear on what
types of packets can cause the buffer overflows.
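The question being chased above (is it a time-exchange packet or an ntpq-style control packet?) is answered by the mode field in the first byte of the datagram. The following is an added example, not code from this thread or from the ntp project: it decodes that field from constructed sample datagrams (not captures), and maps each mode to the ntp.conf restrict flag that refuses it, following the restrict documentation (noquery/nomodify for modes 6 and 7, nopeer for packets that would mobilize a new association, noserve for plain client requests). It does not encode which modes the 4.2.8 advisory's overflows belong to; as the thread says, the advisory is not explicit on that.

```python
"""Classify raw NTP datagrams by mode and name the ntp.conf restrict flag that
refuses each kind.  Added example, not code from the thread or the ntp project.
The sample datagrams below are constructed, not captured."""
import struct

MODE_NAMES = {
    0: "reserved",
    1: "symmetric active",
    2: "symmetric passive",
    3: "client",
    4: "server",
    5: "broadcast",
    6: "control (ntpq)",
    7: "private/implementation-specific (ntpdc)",
}

# Which restrict flag refuses a packet of each mode, per the ntp.conf docs.
# Simplification: nopeer applies to unauthenticated packets for which no
# association is already configured; that state is not modelled here.
REFUSED_BY = {
    1: "nopeer (also noserve)",
    3: "noserve",
    5: "nopeer (also noserve)",
    6: "noquery; nomodify for state-changing opcodes",
    7: "noquery; nomodify for state-changing requests",
}


def parse_ntp_header(pkt):
    """Decode LI/VN/mode from byte 0.  For mode 6 also decode the 12-byte
    control-message header (R/E/M bits, opcode, sequence, status, association
    id, offset, count) so the reader can see what an ntpq query carries."""
    if not pkt:
        raise ValueError("empty datagram")
    first = pkt[0]
    mode = first & 0x07
    info = {
        "li": first >> 6,
        "version": (first >> 3) & 0x07,
        "mode": mode,
        "mode_name": MODE_NAMES[mode],
        "refused_by": REFUSED_BY.get(mode, "none: reply to an association this host mobilized"),
    }
    if mode == 6:
        if len(pkt) < 12:
            raise ValueError("mode 6 datagram shorter than the 12-byte control header")
        rem_op, seq, status, assoc, offset, count = struct.unpack("!BHHHHH", pkt[1:12])
        info.update(
            response=bool(rem_op & 0x80), error=bool(rem_op & 0x40),
            more=bool(rem_op & 0x20), opcode=rem_op & 0x1F,
            sequence=seq, status=status, assoc_id=assoc, offset=offset, count=count,
        )
        if len(pkt) < 12 + count:
            raise ValueError("control message count exceeds datagram length")
    elif mode != 7 and len(pkt) < 48:
        raise ValueError(f"mode {mode} datagram shorter than the 48-byte NTP header")
    return info


def refused(flags, mode, modifies=False):
    """True if a packet of this mode is refused by a restrict entry carrying
    `flags` (a set of ntp.conf restrict keywords)."""
    if "ignore" in flags:
        return True
    if mode in (6, 7):
        return "noquery" in flags or (modifies and "nomodify" in flags)
    if mode in (1, 5):
        return "nopeer" in flags or "noserve" in flags
    if mode == 3:
        return "noserve" in flags
    return False


# Constructed samples (byte 0 = LI 0, VN 4, mode); not captured traffic.
CLIENT_REQUEST = bytes([0x23]) + bytes(47)      # mode 3, 48-byte time packet
SYMMETRIC_ACTIVE = bytes([0x21]) + bytes(47)    # mode 1, 48-byte time packet
# mode 6 READVAR (opcode 2), sequence 1, no association id, empty payload
NTPQ_READVAR = bytes([0x26]) + struct.pack("!BHHHHH", 0x02, 1, 0, 0, 0, 0)
HARDENED = {"kod", "notrap", "nomodify", "nopeer", "noquery"}

if __name__ == "__main__":
    for name, pkt in (("client", CLIENT_REQUEST), ("symmetric", SYMMETRIC_ACTIVE),
                      ("ntpq", NTPQ_READVAR)):
        hdr = parse_ntp_header(pkt)
        print(f"{name:10s} mode={hdr['mode']} ({hdr['mode_name']}); "
              f"refused under hardened default: {refused(HARDENED, hdr['mode'])}")
```

Run against the hardened default the thread converges on, the ntpq query is refused while the plain client request still gets time service, which is the point of noquery: it costs nothing for clients.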
David Woolley david@ex.djwhome.demon.invalid wrote:
On 20/12/14 22:01, Rob wrote:
David Woolley david@ex.djwhome.demon.invalid wrote:
On 20/12/14 19:58, William Unruh wrote:
Is it an ntp packet (ie a time exchange packet)? is it a control packet
(eg ntpq type packet?) or what?
Ie, unless you
David Taylor david-tay...@blueyonder.co.uk.invalid wrote:
I just added some experimental restrict statements to one of my servers:
restrict default notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict
Rob wrote:
David Taylor david-tay...@blueyonder.co.uk.invalid wrote:
I just added some experimental restrict statements to one of my servers:
restrict default notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
David Woolley david@ex.djwhome.demon.invalid wrote:
On 21/12/14 10:48, Rob wrote:
People say disable crypto but there is no clear direction in the docs
on how to do that. There is no crypto off or disable crypto config
directive at first glance. So how is this done?
I would assume by not
Terje Mathisen terje.mathi...@tmsw.no wrote:
Rob wrote:
David Taylor david-tay...@blueyonder.co.uk.invalid wrote:
I just added some experimental restrict statements to one of my servers:
restrict default notrap nomodify nopeer noquery
On 21/12/14 10:48, Rob wrote:
People say disable crypto but there is no clear direction in the docs
on how to do that. There is no crypto off or disable crypto config
directive at first glance. So how is this done?
I would assume by not enabling it.
David Woolley david@ex.djwhome.demon.invalid wrote:
On 21/12/14 11:24, Rob wrote:
Anyway, I consider it a bug. I don't want to lift restrictions to
arbitrary systems selected from a pool. So, out went the pool command.
Why do you want to specify pool servers if you want to restrict their
On 21/12/14 11:24, Rob wrote:
Anyway, I consider it a bug. I don't want to lift restrictions to
arbitrary systems selected from a pool. So, out went the pool command.
Why do you want to specify pool servers if you want to restrict their
use so that you cannot use them?
When people say
On 21/12/14 11:38, Rob wrote:
David Woolley david@ex.djwhome.demon.invalid wrote:
On 21/12/14 10:48, Rob wrote:
People say disable crypto but there is no clear direction in the docs
on how to do that. There is no crypto off or disable crypto config
directive at first glance. So how is this
David Woolley david@ex.djwhome.demon.invalid wrote:
Paranoia? Security alerts are generally not that explicit (and this one
is actually unusually explicit) because they provide information to the
hackers.
That is usually obtained anyway by reverse-engineering the fix.
In this case that is
David Taylor writes:
I just added some experimental restrict statements to one of my servers:
restrict default notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.168.0.0 mask 255.255.255.0 peer
and it now seems that the pool directive is not finding
I have been the fortunate recipient of a Soekris net4501, but although
I've written a Compact Flash card image it doesn't boot, from the CF
card, although the V1.23 BIOS appears to work. I may not spend too long
on this but could anyone point me to a known working image? I used
m0n0wall
On 21/12/2014 14:22, Rob wrote:
[]
Yes, when you want to allow things to the local system you need to add:
restrict 127.0.0.1
restrict ::1
I already had those, but ntpq didn't work from a local PC, if that PC
was also listed as a server.
At least do not recommend others to set default
On 21/12/2014 11:17, Terje Mathisen wrote:
[]
'restrict source' is the proper way to do it, as long as you have a
version which supports that command.
Terje
Thanks, Rob Terje, that did the job. Almost!
The exception was that if you have a local node defined as a server, and
you want that
David Taylor david-tay...@blueyonder.co.uk.invalid wrote:
On 21/12/2014 11:17, Terje Mathisen wrote:
[]
'restrict source' is the proper way to do it, as long as you have a
version which supports that command.
Terje
Thanks, Rob Terje, that did the job. Almost!
The exception was that if you
On 12/21/2014 12:38 PM, Rob wrote:
David Woolley david@ex.djwhome.demon.invalid wrote:
On 21/12/14 10:48, Rob wrote:
People say disable crypto but there is no clear direction in the docs
on how to do that.
I would assume by not enabling it.
Ok, but in that case why the worry about the
Jochen Bern jochen.b...@linworks.de wrote:
As far as I'm concerned, 0.66 * -9295 is enough for me to grab the
backports from the repos for our outward-serving ntpds right now ...
Yes, for most systems I did the same, but I have the development version
of ntpd running on a couple of systems, and
On 21/12/14 14:08, David Taylor wrote:
I have been the fortunate recipient of a Soekris net4501, but although
I've written a Compact Flash card image it doesn't boot, from the CF
card, although the V1.23 BIOS appears to work. I may not spend too long
on this but could anyone point me to a
On Sun, Dec 21, 2014 at 9:19 AM, David Taylor
david-tay...@blueyonder.co.uk.invalid wrote:
The exception was that if you have a local node defined as a server, and you
want that node to be able to issue ntpq commands, it seems that the
configuration I suggested blocks this, even adding query to the
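The thread arrives at three pieces of advice: keep the noquery/nomodify default the security notice asks for, add plain restrict entries for 127.0.0.1 and ::1 so local ntpq still works, and use 'restrict source' rather than loosening the default when the pool directive stops finding servers. The following is an added example, not code from this thread or from the ntp project: a small linter that parses the restrict/server/pool lines of an ntp.conf and reports where a config departs from that shape, run over three constructed sample configs. It assumes what the thread reports and the restrict documentation describes: the most specific restrict entry wins; 'restrict source' is the template ntpd applies to addresses it resolves for pool and server directives; and nopeer refuses packets that would mobilize a new association, which is why a nopeer default blocks pool discovery unless a 'restrict source' without nopeer exists. The last check reproduces David Taylor's case above: a LAN host that is both a configured server and an ntpq client picks up the 'restrict source' noquery even though a subnet entry would allow it.

```python
"""Lint the restrict section of an ntp.conf for the shape the thread settles on.
Added example, not code from the thread or the ntp project; the three configs
at the bottom are constructed samples.  Assumed behaviour is noted inline."""
import ipaddress

# Flags the 4.2.8 security notice quoted in the thread asks for on the default.
REQUIRED_DEFAULT = {"nomodify", "noquery", "notrap", "nopeer"}
# Flags a pool-discovered server should keep (Rob's objection to lifting them).
# nopeer is deliberately absent: it would refuse the discovered servers (assumed).
REQUIRED_SOURCE = {"nomodify", "noquery", "notrap"}


def parse_ntp_conf(text):
    """Return (restricts, associations).  restricts: (target, flags) with target
    'default', 'source', a host, or 'net/mask' (-4/-6 qualifiers dropped).
    associations: (keyword, address) for server/peer/pool lines."""
    restricts, associations = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]
            if not args:
                continue
            target, flags = args[0], args[1:]
            if flags[:1] == ["mask"] and len(flags) >= 2:
                target = f"{target}/{flags[1]}"
                flags = flags[2:]
            restricts.append((target, set(flags)))
        elif kw in ("server", "peer", "pool") and args:
            associations.append((kw, args[0]))
    return restricts, associations


def _covers(target, addr):
    """True if a host or net/mask restrict target covers addr (assumed: ntpd
    picks the most specific matching entry, so a host entry beats a subnet)."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(target, strict=False)
    except ValueError:  # hostname, or target is 'default'/'source'
        return False


def lint_restrictions(text):
    """Return a list of findings; an empty list means the config passes."""
    restricts, associations = parse_ntp_conf(text)
    findings = []
    defaults = [f for t, f in restricts if t == "default"]
    sources = [f for t, f in restricts if t == "source"]

    if not defaults:
        findings.append("no 'restrict default': every address gets query, modify and peer rights")
    for flags in defaults:
        missing = REQUIRED_DEFAULT - flags
        if missing:
            findings.append("restrict default lacks: " + " ".join(sorted(missing)))

    # A noquery default also locks out local ntpq unless loopback is exempted.
    if any("noquery" in f for f in defaults):
        for lo in ("127.0.0.1", "::1"):
            if not any(_covers(t, lo) for t, _ in restricts):
                findings.append(f"no 'restrict {lo}': local ntpq/ntpdc is refused by the default")

    uses_pool = any(kw == "pool" for kw, _ in associations)
    if uses_pool and any("nopeer" in f for f in defaults) and not sources:
        findings.append("pool with a nopeer default but no 'restrict source': discovered servers are refused")
    for flags in sources:
        missing = REQUIRED_SOURCE - flags
        if missing:
            findings.append("restrict source lacks: " + " ".join(sorted(missing)) + " (pool servers get those rights)")
        if "nopeer" in flags:
            findings.append("restrict source carries nopeer, which refuses the servers it is meant to admit")

    # David Taylor's case: a configured server that should also run ntpq gets the
    # 'restrict source' flags, which are more specific than a permissive subnet entry.
    if any("noquery" in f for f in sources):
        for kw, addr in associations:
            if kw == "server" and any(_covers(t, addr) and "noquery" not in f
                                      for t, f in restricts if t not in ("default", "source")):
                findings.append(f"server {addr} sits in a query-permitting entry but 'restrict source' noquery overrides it")
    return findings


WEAK_CONF = """\
# constructed sample: nopeer default plus pool, no restrict source, no ::1
driftfile /var/lib/ntp/ntp.drift
pool 2.pool.ntp.org iburst
restrict default notrap nomodify nopeer noquery
restrict 127.0.0.1
"""
HARDENED_CONF = """\
# constructed sample: the shape the thread converges on
driftfile /var/lib/ntp/ntp.drift
pool 2.pool.ntp.org iburst
restrict default kod notrap nomodify nopeer noquery
restrict source kod notrap nomodify noquery
restrict 127.0.0.1
restrict ::1
"""
LAN_CONF = """\
# constructed sample: a LAN host that is both a server and an ntpq client
server 192.168.0.10 iburst
restrict default kod notrap nomodify nopeer noquery
restrict source kod notrap nomodify noquery
restrict 192.168.0.0 mask 255.255.255.0
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("lan", LAN_CONF)):
        print(name, lint_restrictions(conf) or ["ok"])
```

The LAN finding is reported rather than auto-fixed because the remedy is a judgement call: either drop noquery from 'restrict source' (and accept that pool-discovered servers may query you), or add an explicit host entry for the LAN server and let the most-specific-entry rule work in your favour, which is the "almost" David Taylor ran into.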
On Sun, Dec 21, 2014 at 7:04 AM, Rob nom...@example.com wrote:
That means I don't accept that anyone outside does something that may
modify my server (including setting up a peer relationship).
If you actually think the software is so badly designed that it would allow
this you should stop
Paul tik-...@bodosom.net wrote:
On Sun, Dec 21, 2014 at 7:04 AM, Rob nom...@example.com wrote:
That means I don't accept that anyone outside does something that may
modify my server (including setting up a peer relationship).
If you actually think the software is so badly designed that it
On 2014-12-21, Harlan Stenn st...@ntp.org wrote:
A C writes:
I'm trying to compile the new 4.2.8 tarball since the Debian source
packages are broken and unable to compile due to various issues.
I downloaded the new 4.2.8 from ntp.org, unpacked and ran the following:
./configure
On Sun, Dec 21, 2014 at 3:10 PM, Rob nom...@example.com wrote:
The documentation is very difficult to read.
I better spend my time on other things.
Well I certainly hope everyone here will notice that you have better things
to do than read the documents ...
Or even ask:
will using
William Unruh writes:
On 2014-12-21, Harlan Stenn st...@ntp.org wrote:
It doesn't contradict itself. It finds sys/timepps.h. This is
expected.
It does not find timepps.h. This is expected.
The former lives in /usr/include/sys/timepps.h, as you note above.
The latter does not
David H. Lipman wrote:
(Dave Lipman posted examples from his router logs of incoming traffic to
port 123)
Um - did you notice that 149.20.68.17 resolves to
pool-test.ntp.org?
Your other IP's resolve to:
108.61.73.244 = helium.constant.com
162.243.55.105 =
Virus Guy writes:
...
So either you are misreading your logs (and what you think are incoming
queries on port 123 are really outgoing queries from some computer on
your lan to something.pool.ntp.org), or these really are incoming
queries coming from legit (or previous legit) NTP servers.
On Sun, Dec 21, 2014 at 3:23 PM, William Unruh un...@invalid.ca wrote:
Why would it be searching for timepps.h when it had already found
sys/timepps.h?
I suspect there's a multitude that believe configure is ... inefficient.
Nothing like building on an armel to make you rethink
NTP 4.2.8 (Harlan Stenn st...@ntp.org, 2014/12/18)
Focus: Security and Bug fixes, enhancements.
Severity: HIGH
In addition to bug fixes and enhancements, this release fixes the
following high-severity vulnerabilities:
** vv NOTE WELL vv *
Paul writes:
On Sun, Dec 21, 2014 at 3:23 PM, William Unruh un...@invalid.ca wrote:
Why would it be searching for timepps.h when it had already found
sys/timepps.h?
I suspect there's a multitude that believe configure is ... inefficient.
Nothing like building on an armel to make you
From: Virus Guy Virus@Guy . com
David H. Lipman wrote:
(Dave Lipman posted examples from his router logs of incoming traffic to
port 123)
Um - did you notice that 149.20.68.17 resolves to
pool-test.ntp.org?
Your other IP's resolve to:
108.61.73.244 = helium.constant.com
162.243.55.105 =
On Sun, Dec 21, 2014 at 7:54 PM, Harlan Stenn st...@ntp.org wrote:
What would be demonstrably better?
That's an impossible request. No one can know a priori if you'd make a
good-faith effort to switch to say CMake and then find it better than Auto*
I'm willing to excuse the
On 2014-12-21, Jochen Bern jochen.b...@linworks.de wrote:
On 12/21/2014 12:38 PM, Rob wrote:
David Woolley david@ex.djwhome.demon.invalid wrote:
On 21/12/14 10:48, Rob wrote:
People say disable crypto but there is no clear direction in the docs
on how to do that.
I would assume by not
On 21/12/14 20:10, Rob wrote:
What I got from the documentation is that without nopeer a server
could setup a peer association. I don't like that.
No. Without nopeer, a *client* can't set up a peer session. If you are
using a system as a server, it cannot cause you more disruption than if
Harlan Stenn wrote:
... or these really are incoming queries coming from legit
(or previous legit) NTP servers.
If the answer is the latter, then these may very well be examples
of compromised / trojanized NTP servers performing their own NTP
probes under botnet control.
I think
Bill,
Are you willing to improve your deportment?
You are performing an active disservice. I find your posts too often
to be destructive, not constructive. See below.
William Unruh writes:
On 2014-12-21, Jochen Bern jochen.b...@linworks.de wrote:
On 12/21/2014 12:38 PM, Rob wrote:
David
On Sun, Dec 21, 2014 at 4:25 PM, William Unruh un...@invalid.ca wrote:
There are lots of people who are strongly interested in having good
time, but cannot simply upgrade to 4.2.8.
And yet people apply critical monthly patches from Microsoft and Oracle all
the time without running them
On 12/21/2014 8:13 PM, David H. Lipman wrote:
From: Virus Guy Virus@Guy . com
David H. Lipman wrote:
(Dave Lipman posted examples from his router logs of incoming traffic to
port 123)
Nope. There is no reason to believe that the LAN behind the static IP
does anything but syncs time
On 12/21/2014 11:11 PM, brian utterback wrote:
loop and taking them off the error. Just my two cents.
Doh! air.
--
Brian Utterback
Solaris RPE, Oracle Corporation.
Ph:603-262-3916, Em:brian.utterb...@oracle.com
___
questions mailing list
Virus Guy writes:
Harlan Stenn wrote:
... or these really are incoming queries coming from legit
(or previous legit) NTP servers.
If the answer is the latter, then these may very well be examples
of compromised / trojanized NTP servers performing their own NTP
probes under
On 2014-12-21, Harlan Stenn st...@ntp.org wrote:
William Unruh writes:
On 2014-12-21, Harlan Stenn st...@ntp.org wrote:
It doesn't contradict itself. It finds sys/timepps.h. This is
expected.
It does not find timepps.h. This is expected.
The former lives in
Thank you for this Note Well and putting the additional lines into
http://support.ntp.org/bin/view/Main/SecurityNotice telling us about the
restrict default noquery option.
On 2014-12-22, Harlan Stenn st...@ntp.org wrote:
NTP 4.2.8 (Harlan Stenn st...@ntp.org, 2014/12/18)
Focus: Security
In comp.protocols.time.ntp, you wrote:
Bill,
Are you willing to improve your deportment?
You are performing an active disservice. I find your posts too often
to be destructive, not constructive. See below.
See below
William Unruh writes:
On 2014-12-21, Jochen Bern
On 21/12/2014 19:05, Jan Ceuleers wrote:
On 21/12/14 14:08, David Taylor wrote:
I have been the fortunate recipient of a Soekris net4501, but although
I've written a Compact Flash card image it doesn't boot, from the CF
card, although the V1.23 BIOS appears to work. I may not spend too long
on