Chuck Swiger wrote:
> On Oct 17, 2006, at 3:13 PM, Zbigniew Szalbot wrote:
>> My ntp.conf file looks like that:
>> server prefer
>> server
>> server
>> restrict default ignore
>> driftfile /var/db/ntp.drift
> Unless you've got additional restrict lines which permit some hosts to
> make changes, using only "restrict default ignore" will prevent ntpd
> from paying attention to the timeservers you've listed and it will even
> prevent ntpd from changing the local clock or being administered via
> ntpq from localhost.
> This misconfiguration will also cause your ntpd to generate excessive
> numbers of queries, rather than syncing up and reducing the NTP polling
> interval from minpoll to maxpoll. [1]
> Remove that line and restart ntpd.

That means that anyone can connect to your NTP daemon and poll it for time
service or use ntpdc to muck around with your configuration.  It's better
to use at minimum:

    restrict default nopeer nomodify
    restrict localhost

(the 'restrict localhost' line actually removes all limitations on access
from localhost.  Ain't ntp.conf syntax wonderful.)

Ideally, you'ld be able to use 'restrict default ignore' then apply

   restrict nopeer nomodify 
   server prefer

for each server you configure.  That works well if you specify individual
servers by name.  Unfortunately the way NTP pool mechanism works makes that  
approach unworkable.



Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP:         Ramsgate
                                                      Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature

Reply via email to