On 2007-10-03, Rob <[EMAIL PROTECTED]> wrote:

> Steve wrote:
>
>> "A properly chosen default restriction will, in many circumstances,
>> eliminate the need to clutter your ntp.conf file with redundant restrict
>> lines."
>
> ... some of the ntp.conf files that I have seen use "restrict default
> nomodify nopeer notrap"
>
> In my view, this is a sensible default restrict line.

Yes. It blocks functionality not strictly required for time service and
queries.

> It lets others do queries on your ntpd server but not set traps (which
> is probably only useful for debugging purposes and may increase load
> on your ntpd server significantly).

The only known trap client in existence is the ntptrap script in the
distribution. The load from misconfigured clients (e.g. those that poll
every second) will _far_ outweigh any possible load caused by monitoring
mode that is probably totally unused.

> It also prevents others from doing run time modifications to your
> server. Another sensible restriction.

Remote modification is only possible under two circumstances:

1. You have deliberately disabled NTP authentication
2. You have configured symmetric keys in ntp.conf, generated the keys,
   and distributed the keys.

nomodify blocks _all_ remote configuration, even when the user has the
correct key information.

> But if you wanted to really lock down your company's ntpd server on a
> corporate lan, one could use "restrict default nomodify nopeer noquery".

That is the most restrictive set of restrictions short of ignore.

> I suspect the noquery would also block traps.

There's little harm in specifying a redundant configuration option in
one place.

> I am not sure.

Why don't you test it?

-- 
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://support.ntp.org/
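An added example (not part of the thread) that audits the "restrict default" line(s) of an ntp.conf against the two postures discussed above: the query-friendly "nomodify nopeer notrap" set and the locked-down "nomodify nopeer noquery" set. The sample configs are constructed; the assumption that a later line for the same address family replaces an earlier one is this example's, not something the thread states.

```python
import re

# The two flag sets Rob and Steve discuss, as an auditor would check them.
QUERY_FRIENDLY = {"nomodify", "nopeer", "notrap"}  # serves time, answers queries
LOCKED_DOWN = {"nomodify", "nopeer", "noquery"}    # serves time only

def default_restrict_flags(conf: str) -> dict:
    """Map address family ('-4', '-6' or 'any') to the flags on its
    'restrict default' line. Comments (#) are stripped; a later line for
    the same family replaces an earlier one (assumption for this example)."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"restrict\s+(?:(-4|-6)\s+)?default\b(.*)$", line)
        if m:
            found[m.group(1) or "any"] = set(m.group(2).split())
    return found

def audit(conf: str) -> list:
    """Return one finding per address family describing its posture."""
    families = default_restrict_flags(conf)
    if not families:
        return ["no 'restrict default' line: every client may modify, peer and query"]
    findings = []
    for fam, flags in sorted(families.items()):
        if "ignore" in flags:
            findings.append(f"{fam}: 'ignore' drops all packets, including time requests")
            continue
        if LOCKED_DOWN <= flags:
            findings.append(f"{fam}: locked down (time service only)")
        elif QUERY_FRIENDLY <= flags:
            findings.append(f"{fam}: queries allowed; modify/peer/trap blocked")
        else:
            findings.append(f"{fam}: missing {' '.join(sorted(QUERY_FRIENDLY - flags))}")
        if {"noquery", "notrap"} <= flags:
            findings.append(f"{fam}: noquery and notrap both present (notrap may be redundant; harmless)")
    return findings

# Constructed sample configs: one with no default restriction, one hardened.
WEAK_CONF = "server 0.pool.ntp.org\n"
HARDENED_CONF = """restrict default nomodify nopeer noquery   # corporate LAN lock-down
restrict -6 default nomodify nopeer notrap     # v6 side still answers ntpq
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf))
```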
