On 2014-11-11 14:20, Phil W Lee wrote:
> David Taylor <[email protected]> considered Tue,
> 11 Nov 2014 16:58:30 +0000 the perfect time to write:
>> On 11/11/2014 15:57, Brian Inglis wrote:
>>> On 2014-11-11 04:07, David Taylor wrote:
>>>> []
>>>> I have no restrict statements at all, but I'm not offering my NTP
>>>> servers for public use.
>>> Are you sure?
>>> Even if they are not being offered, that does not mean they are not being used.
>>> Your systems are well documented, so folks could try using them as servers.
>>> Never seen any counts in the last column or six of sysstats?
>>> [Presume sysstats columns report the server's responses to incoming
>>> packets rather than other servers' responses to its outgoing packets
>>> - this is unclear!]
>>> People spend a lot of time trolling the internet for unprotected systems
>>> and ports they can exploit for attacks.
>>> Please add the recommended restrict options to lock your systems up, and
>>> then the required options to open up to your sources, LAN(s), and hosts.
>> I just ran a Gibson Shields Up check on port 123 and it said I was in
>> what it calls "perfect stealth" mode. Perhaps that is a sign that I am
>> OK externally without restrict lines?
> Yeah, you're pretty much ok.
> But strength in depth is never a bad thing, so I'd add the
> restrictions suggested by Paul as well.
> If you get used to that being a part of your default configuration,
> you won't accidentally miss it if you configure an externally
> accessible time server.
Thought I was tight also, but noticed a few non-zero entries at the end of my
sysstats, so decided to tighten up security from the router, firewall, AV, down
to the services.
--
Take care. Thanks, Brian Inglis
_______________________________________________
questions mailing list
[email protected]
http://lists.ntp.org/listinfo/questions
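The "lock it down, then open up only your sources, LAN(s) and hosts" pattern recommended in the thread, written out as an added ntp.conf example. This is not from the thread itself: the "recommended restrict options" and Paul's suggestions are not reproduced on the page, so the flags below follow the access-control options documented by ntp.org. The LAN block 192.168.1.0/24, the pool hostname, and ntpd 4.2.7 or later (needed for `pool` and `restrict source`) are assumptions.

```conf
# Before (the situation David describes): no restrict lines at all.
# Any host that can reach UDP/123 may get time, query status with
# ntpq/ntpdc, attempt runtime modification and request peering.
pool 0.pool.ntp.org iburst

# After: deny by default, then open only what is needed.
#   kod + limited  rate-limit abusive clients and answer with a Kiss-o'-Death
#   nomodify       refuse runtime configuration changes
#   noquery        refuse ntpq/ntpdc status queries (the amplification vector)
#   notrap         refuse the trap service
#   nopeer         refuse unsolicited symmetric-active peering
restrict -4 default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# The box itself keeps full access so local ntpq still works.
restrict 127.0.0.1
restrict -6 ::1

# The LAN (192.168.1.0/24 is an assumed block) may get time and run status
# queries, but may not modify or set traps.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Time sources. Replies to our own queries are still accepted under the
# default restriction above; 'restrict source' applies these flags to every
# address the pool name resolves to, so no per-address lines are needed.
pool 0.pool.ntp.org iburst
restrict source nomodify notrap noquery
```

An external port probe such as the ShieldsUp check only shows what one vantage point can reach at one moment; the restrict lines govern what ntpd does with whatever actually arrives. After restarting ntpd, `ntpq -c sysstats` on the box should keep working (localhost is unrestricted), while `ntpq -p <your-server>` from a host outside the LAN should time out, and the denied/rate-limited counters at the end of the sysstats lines show how much unsolicited traffic the daemon is now declining.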