At 10:32 -0600 3/10/2001, Piotr Tarnowski wrote:
>Hi,
>
>I've installed NTP daemon on my firewall (with sync to external machine) and
>on all internal machines (with sync to my firewall).
>
>I found that this had opened port 123/udp on my firewall, so now everybody
>from the net can use my machine as a server.
>I have nothing against this as long as this is secure. Is it?
>
>If not, can I limit allowed clients somehow? (I noticed that DENY
>on ipchains to others than my reference external server
>limits ntptrace usage).
>
>Best regards,
>Piotr Tarnowski
As detailed here:
http://www.eecis.udel.edu/~ntp/ntp_spool/html/accopt.htm
Some access control is supposed to be built into NTP, but I never got
it to work correctly (could be my fault, I dunno).
As soon as I activated it, ntpd stopped updating from any time
server. Here's what I had in my ntp.conf file:
# don't trust anyone else's clock, or allow config changes
# restrict default notrust nomodify
# trust timeservers for time, but don't allow config changes
# note masks don't have to be the same network mask that the
# specified ip uses. using a mask of 255.255.255.255 applies
# a rule to that specific ip. A shorter mask applies
# the rule to more computers. When a packet arrives the rule
# with the most matching bits in the mask is used
# restrict time.server.1.ip mask 255.255.255.255
# restrict time.server.2.ip mask 255.255.255.255
# restrict time.server.3.ip mask 255.255.255.255
So instead I locked down access on the external interface to just the
time servers I use. In my firewall script I put:
TIME_SERVERS="time.server.1.ip time.server.2.ip time.server.3.ip time.server.4.ip"
# EXTERNAL_INTERFACE, IPADDR and UNPRIVPORTS (typically "1024:65535")
# are set earlier in the firewall script
for TIMESERVER in $TIME_SERVERS
do
    echo "Allowing client access to time server $TIMESERVER ..."
    # client queries: unprivileged local port -> server port 123, and replies
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR $UNPRIVPORTS \
        -d $TIMESERVER 123 -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $TIMESERVER 123 \
        -d $IPADDR $UNPRIVPORTS -j ACCEPT
    # these seem to allow a local time server running on port 123
    # to sync with another time server on port 123
    ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
        -s $IPADDR 123 \
        -d $TIMESERVER 123 -j ACCEPT
    ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
        -s $TIMESERVER 123 \
        -d $IPADDR 123 -j ACCEPT
done
Not super secure as it does nothing against spoofing (guess that's
really only possible with a digitally signed time server signature),
but it sufficed for me.
Kevin
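An added example, written for this thread and not code from either poster or from ntpd itself: it simulates the restrict matching rule described in Kevin's ntp.conf comments (the entry whose mask matches the most bits wins) and shows that a `restrict default notrust nomodify` line plus per-server entries with no flags leaves those servers unrestricted. The addresses are constructed placeholders standing in for time.server.N.ip; flags are only selected, not interpreted.

```python
import ipaddress

# Constructed restrict lines mirroring the commented-out ones above,
# with made-up addresses in place of time.server.N.ip.
RESTRICT_LINES = [
    "restrict default notrust nomodify",
    "restrict 192.0.2.10 mask 255.255.255.255",
    "restrict 192.0.2.11 mask 255.255.255.255",
    "restrict 198.51.100.0 mask 255.255.255.0 nomodify noquery",
]


def parse_restrict(line):
    """Return (network, flags) for one 'restrict ...' line."""
    tokens = line.split()
    if not tokens or tokens[0] != "restrict":
        raise ValueError(f"not a restrict line: {line!r}")
    if tokens[1] == "default":
        # 'default' is address 0.0.0.0 mask 0.0.0.0: it matches every client
        addr, mask, flags = "0.0.0.0", "0.0.0.0", tokens[2:]
    elif len(tokens) >= 4 and tokens[2] == "mask":
        addr, mask, flags = tokens[1], tokens[3], tokens[4:]
    else:
        # no explicit mask means a single host (mask 255.255.255.255)
        addr, mask, flags = tokens[1], "255.255.255.255", tokens[2:]
    net = ipaddress.IPv4Network((addr, mask), strict=False)
    return net, frozenset(flags)


def effective_flags(lines, client):
    """Flags applied to a packet from `client`: among the entries whose
    network contains the client, the one with the longest mask wins."""
    client = ipaddress.IPv4Address(client)
    best_net, best_flags = None, frozenset()
    for line in lines:
        net, flags = parse_restrict(line)
        if client not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_flags = net, flags
    return best_flags


if __name__ == "__main__":
    for who in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
        print(who, sorted(effective_flags(RESTRICT_LINES, who)))
```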