Re: [OpenIndiana-discuss] NTP trouble and 123 port
On sort of the same topic. I've set up ntpd as a client, similar to what you described, but I can't seem to get it to work. ntpq -p always shows all the peers in INIT state with a stratum of 16. (That's not exactly true; every once in a while I get an IPv6 peer through my 4to6 tunnel to initialize, but that's a rare occurrence.) To make matters more confusing, ntpdate works as expected with any of the peers on my server list. Because of this, I've disabled ntpd and use ntpdate from cron, but I was wondering if anyone had a clue as to why ntpd would fail while ntpdate succeeds, or how to debug this.

Gary

On 04/25/2014 09:23 AM, Gary Mills wrote:
> On Fri, Apr 25, 2014 at 11:15:31AM +0200, Jozsef Brogyanyi wrote:
>> I have trouble with port 123. I wanted to set up an NTP client, not a server. I received an e-mail from my ISP with a complaint. Someone is using port 123 on my server.
>
> I'll bounce you the message I sent to this mailing list in February. It explains how to avoid the NTP amplification exploit that your ISP complained about.
>
>> My NTP settings are the following:
>>
>> cp /etc/inet/ntp.client /etc/inet/ntp.conf
>> nano /etc/inet/ntp.conf
>>
>> Insert these lines. Maybe these are not good.
>>
>> server 0.hu.pool.ntp.org iburst
>> server 1.hu.pool.ntp.org iburst
>> server 2.hu.pool.ntp.org iburst
>> server 3.hu.pool.ntp.org iburst
>
> I don't know what `iburst' means, but `man ntpd' describes it partially. I don't use it.
>
>> svcadm enable ntp
>> svcs ntp
>> svcs -x ntp
>> ntpq -p
>>
>> How can I solve this problem if I need the NTP client?
>
> Here are the non-comment lines from my ntp.conf:
>
> $ egrep -v '^#|^$' /etc/inet/ntp.conf
> restrict default kod nomodify notrap nopeer noquery
> restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap nopeer
> restrict 127.0.0.1
> restrict -6 ::1
> server 0.pool.ntp.org
> server 1.pool.ntp.org
> server 2.pool.ntp.org
> server 3.pool.ntp.org
> driftfile /var/ntp/ntp.drift
> statsdir /var/ntp/ntpstats/
> filegen peerstats file peerstats type day enable
> filegen loopstats file loopstats type day enable
>
> You likely won't need the `192.168.0.0' line. That's for my private network.
>
> It works:
>
> $ ntpq -p
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> +time.netspectru 208.90.144.52    3 u  489  512  377   34.130    0.809   0.739
> *penguin.hopcoun 209.51.161.238   2 u  140  512  377   31.145    0.683   1.324
> -mongrel.ahem.ca 208.81.2.13      2 u  144  512  377   24.124   -9.238   4.130
> +mirror.mountain 200.98.196.212   2 u  508  512  377   31.867    1.559   2.638

___
OpenIndiana-discuss mailing list
OpenIndiana-discuss@openindiana.org
http://openindiana.org/mailman/listinfo/openindiana-discuss
Re: [OpenIndiana-discuss] NTP trouble and 123 port
On Mon, Apr 28, 2014 at 08:15:50AM -0400, Gary Gendel wrote:
> On sort of the same topic. I've set up ntpd as a client, similar to what you described, but I can't seem to get it to work. ntpq -p always shows all the peers in INIT state with a stratum of 16. (That's not exactly true; every once in a while I get an IPv6 peer through my 4to6 tunnel to initialize, but that's a rare occurrence.)

That can happen if the initial time on your machine is too far away from the time known to the NTP peers. You might have to set it by hand first. You could also investigate further by running ntpd with debugging turned on or by looking at an NTP packet trace.

-- 
-Gary Mills--refurb--Winnipeg, Manitoba, Canada-
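To make the INIT/stratum-16 symptom discussed above checkable from a script, here is an added example (not code from the list or from ntpd) that parses `ntpq -p` output and reports whether a system peer was selected and which peers never answered. The two peer tables in it are constructed samples and the peer names are placeholders.

```python
# Read 'ntpq -p' output the way this thread does: a '*' tally marks the selected
# system peer, while stratum 16 with reach 0 is a peer still in INIT that never
# answered.  Added example, not from the list or ntpd; sample output is constructed.
from dataclasses import dataclass
SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*peer1.example   192.0.2.10       2 u  140  512  377   31.145    0.683   1.324
+peer2.example   198.51.100.7     3 u  489  512  377   34.130    0.809   0.739
 peer3.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""
ALL_INIT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 peer1.example   .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

@dataclass
class Peer:
    tally: str        # '*' system peer, '+' candidate, '-' outlier, ' ' unused
    remote: str
    refid: str
    stratum: int      # 16: unsynchronised, or never heard from
    reach: int        # bitmask of the last 8 polls; ntpq prints it in octal
    offset_ms: float

def parse_ntpq_peers(text):
    """Parse the peer table, skipping the header line and the '====' rule."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.split()[0] == "remote":
            continue
        fields = line[1:].split()  # column 0 is the tally character
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, _jit = fields
        peers.append(Peer(line[0], remote, refid, int(st), int(reach, 8), float(offset)))
    return peers

def diagnose(peers):
    """Return (synced, problems); synced means a '*' system peer is selected."""
    problems = []
    for p in peers:
        if p.stratum == 16 and p.reach == 0:
            problems.append(f"{p.remote}: INIT, never answered (check the initial clock offset)")
        elif p.reach != 0o377:
            problems.append(f"{p.remote}: only {bin(p.reach).count('1')}/8 recent polls answered")
    synced = any(p.tally == "*" for p in peers)
    if not synced:
        problems.append("no system peer selected ('*'): the clock is not synchronised")
    return synced, problems
```

A malformed peer line raises ValueError from the tuple unpacking, so a changed ntpq format fails loudly rather than silently.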
Re: [OpenIndiana-discuss] NTP trouble and 123 port
Ok, but my ISP checks my port 123 and sees that port 123 is open. He insists that I close port 123. I think I need a cron script that randomly switches the NTP service on and, when the system clock is synchronised, switches it off. Maybe once a day is enough. That way port 123 is open only for a short time. I understand my server doesn't answer a bad guy's request, but the port is open.

On 2014.04.26. 2:27, Gary Mills wrote:
> On Fri, Apr 25, 2014 at 10:53:36PM +0200, Brogyányi József wrote:
>> I modified the ntp.conf but something is missing.
> [...]
>> If I enable the ntp then the server is running on port 123.
>
> That's okay. `ntpd' must run continuously so that it can modify your system clock, and so that it can periodically poll the four time servers you have listed in the config file. The restrictions for the default network in the config file mean that it won't respond to commands arriving on most network interfaces. That's what prevents the NTP amplification attack. Indeed it's a server, but it's invisible as far as the outside world can tell. It will respond to 127.0.0.1 and ::1. That's why `ntpq -p' works.
Re: [OpenIndiana-discuss] NTP trouble and 123 port
On 26 April 2014 9:52:23 CEST, Brogyányi József bro...@gmail.com wrote:
> Ok, but my ISP checks my port 123 and sees that port 123 is open. He insists that I close port 123. I think I need a cron script that randomly switches the NTP service on and, when the system clock is synchronised, switches it off. Maybe once a day is enough. That way port 123 is open only for a short time. I understand my server doesn't answer a bad guy's request, but the port is open.
>
> On 2014.04.26. 2:27, Gary Mills wrote:
>> On Fri, Apr 25, 2014 at 10:53:36PM +0200, Brogyányi József wrote:
>>> I modified the ntp.conf but something is missing.
>> [...]
>>> If I enable the ntp then the server is running on port 123.
>>
>> That's okay. `ntpd' must run continuously so that it can modify your system clock, and so that it can periodically poll the four time servers you have listed in the config file. The restrictions for the default network in the config file mean that it won't respond to commands arriving on most network interfaces. That's what prevents the NTP amplification attack. Indeed it's a server, but it's invisible as far as the outside world can tell. It will respond to 127.0.0.1 and ::1. That's why `ntpq -p' works.

Actually, instead of a service you could then use just ntpdate to pick up external time regularly. Unlike with the service, however, the system won't keep track of your hardware clock drift and try to fix it even when you are disconnected. You could also use rdate (via the old timedate protocol) to similar effect; some time servers serve both.

But why don't you try a firewall instead? ;) Typically block everything, open what you need. In this case, open outgoing 123/udp from your computer to the world. IIRC the ipfilter should automatically permit returning replies; if not, allow incoming 123/udp from your chosen sources...

Hth,
Jim

-- 
Typos courtesy of K-9 Mail on my Samsung Android
Re: [OpenIndiana-discuss] NTP trouble and 123 port
On Fri, Apr 25, 2014 at 11:15:31AM +0200, Jozsef Brogyanyi wrote:
> I have trouble with port 123. I wanted to set up an NTP client, not a server. I received an e-mail from my ISP with a complaint. Someone is using port 123 on my server.

I'll bounce you the message I sent to this mailing list in February. It explains how to avoid the NTP amplification exploit that your ISP complained about.

> My NTP settings are the following:
>
> cp /etc/inet/ntp.client /etc/inet/ntp.conf
> nano /etc/inet/ntp.conf
>
> Insert these lines. Maybe these are not good.
>
> server 0.hu.pool.ntp.org iburst
> server 1.hu.pool.ntp.org iburst
> server 2.hu.pool.ntp.org iburst
> server 3.hu.pool.ntp.org iburst

I don't know what `iburst' means, but `man ntpd' describes it partially. I don't use it.

> svcadm enable ntp
> svcs ntp
> svcs -x ntp
> ntpq -p
>
> How can I solve this problem if I need the NTP client?

Here are the non-comment lines from my ntp.conf:

$ egrep -v '^#|^$' /etc/inet/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats/
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable

You likely won't need the `192.168.0.0' line. That's for my private network.

It works:

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+time.netspectru 208.90.144.52    3 u  489  512  377   34.130    0.809   0.739
*penguin.hopcoun 209.51.161.238   2 u  140  512  377   31.145    0.683   1.324
-mongrel.ahem.ca 208.81.2.13      2 u  144  512  377   24.124   -9.238   4.130
+mirror.mountain 200.98.196.212   2 u  508  512  377   31.867    1.559   2.638

-- 
-Gary Mills--refurb--Winnipeg, Manitoba, Canada-
Re: [OpenIndiana-discuss] NTP trouble and 123 port
Hi Jozsef,

On 2014-04-25 11:15, Jozsef Brogyanyi wrote:
> I have trouble with port 123. I wanted to set up an NTP client, not a server. I received an e-mail from my ISP with a complaint. Someone is using port 123 on my server.
>
> My NTP settings are the following:
>
> cp /etc/inet/ntp.client /etc/inet/ntp.conf
> nano /etc/inet/ntp.conf

In /etc/inet you set up services/servers you connect to using inetd. In this way, any client can use your server as a time-server. You need to make the changes to /etc/ntp.conf and enable the ntp service.

HTH, kind regards, Edgar.

-- 
Edgar Matzinger
Re: [OpenIndiana-discuss] NTP trouble and 123 port
On Fri, 25 Apr 2014, Edgar Matzinger wrote:
> You need to make the changes to /etc/ntp.conf and enable the ntp service.

Gary Mills' advice is the correct advice to follow. It is not very clear to people who just want local time service that starting ntpd is starting a server which will respond to the world by default.

Bob

-- 
Bob Friesenhahn
bfrie...@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Re: [OpenIndiana-discuss] NTP trouble and 123 port
Hi Bob,

Bob Friesenhahn wrote:
> Gary Mills' advice is the correct advice to follow.

You're correct. I don't get why SUN has put those files in a non-standard location. But that's my opinion...

Kind regards,

-- 
Edgar Matzinger
Re: [OpenIndiana-discuss] NTP trouble and 123 port
On 04/25/14 11:06 AM, Edgar Matzinger wrote:
> You're correct. I don't get why SUN has put those files in a non-standard location.

It was the SVR4 standard once upon a time, but since no one uses any other SVR4-based OSes any more, all SVR4isms now seem like Sunisms.

-- 
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc
Re: [OpenIndiana-discuss] NTP trouble and 123 port
Gary and Bob,

Thank you for your configuration file. I'll have to modify my old OI or upgrade to the latest.

standard NTP query program - Ver. 4.2.5p200

> On Fri, Apr 25, 2014 at 11:15:31AM +0200, Jozsef Brogyanyi wrote:
>> I have trouble with port 123. I wanted to set up an NTP client, not a server. I received an e-mail from my ISP with a complaint. Someone is using port 123 on my server.
>
> I'll bounce you the message I sent to this mailing list in February. It explains how to avoid the NTP amplification exploit that your ISP complained about.
>
>> My NTP settings are the following:
>>
>> cp /etc/inet/ntp.client /etc/inet/ntp.conf
>> nano /etc/inet/ntp.conf
>>
>> Insert these lines. Maybe these are not good.
>>
>> server 0.hu.pool.ntp.org iburst
>> server 1.hu.pool.ntp.org iburst
>> server 2.hu.pool.ntp.org iburst
>> server 3.hu.pool.ntp.org iburst
>
> I don't know what `iburst' means, but `man ntpd' describes it partially. I don't use it.
>
>> svcadm enable ntp
>> svcs ntp
>> svcs -x ntp
>> ntpq -p
>>
>> How can I solve this problem if I need the NTP client?
>
> Here are the non-comment lines from my ntp.conf:
>
> $ egrep -v '^#|^$' /etc/inet/ntp.conf
> restrict default kod nomodify notrap nopeer noquery
> restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap nopeer
> restrict 127.0.0.1
> restrict -6 ::1
> server 0.pool.ntp.org
> server 1.pool.ntp.org
> server 2.pool.ntp.org
> server 3.pool.ntp.org
> driftfile /var/ntp/ntp.drift
> statsdir /var/ntp/ntpstats/
> filegen peerstats file peerstats type day enable
> filegen loopstats file loopstats type day enable
>
> You likely won't need the `192.168.0.0' line. That's for my private network.
>
> It works:
>
> $ ntpq -p
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
> +time.netspectru 208.90.144.52    3 u  489  512  377   34.130    0.809   0.739
> *penguin.hopcoun 209.51.161.238   2 u  140  512  377   31.145    0.683   1.324
> -mongrel.ahem.ca 208.81.2.13      2 u  144  512  377   24.124   -9.238   4.130
> +mirror.mountain 200.98.196.212   2 u  508  512  377   31.867    1.559   2.638
Re: [OpenIndiana-discuss] NTP trouble and 123 port
Gary

I modified the ntp.conf but something is missing.

root@openindiana:/home/brogyi# egrep -v '^#|^$' /etc/inet/ntp.conf
restrict default kod nomodify notrap nopeer noquery
restrict 192.168.1.104 mask 255.255.255.0 nomodify notrap nopeer
restrict 127.0.0.1
restrict -6 ::1
server 0.hu.pool.ntp.org
server 1.hu.pool.ntp.org
server 2.hu.pool.ntp.org
server 3.hu.pool.ntp.org
driftfile /var/ntp/ntp.drift
statsdir /var/ntp/ntpstats/
filegen peerstats file peerstats type day enable
filegen loopstats file loopstats type day enable
root@openindiana:/home/brogyi# ntpq -p
ntpq: read: Connection refused
root@openindiana:/home/brogyi# netstat -an | grep 123
root@openindiana:/home/brogyi#

If I enable the ntp then the server is running on port 123.

root@openindiana:/home/brogyi# svcadm enable ntp
root@openindiana:/home/brogyi# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 smn.pecs.hpc.ni 185.219.2.214    2 u    5   64    1   11.971 -210.17    0.001
 manager-vlan87. 192.53.103.108   2 u    4   64    1   10.434 -207.97    0.001
 service0-eth4.d 195.111.98.17    2 u    3   64    1   15.687 -208.81    0.001
 yikes.bl2.tolna 130.149.17.8     2 u    2   64    1   18.914 -209.35    0.001
root@openindiana:/home/brogyi# netstat -an | grep 123
      *.123                                 Idle
      *.123                                 Idle
      127.0.0.1.123                         Idle
      192.168.1.104.123                     Idle
      *.123                                 Idle
      ::1.123                               Idle
      fe80::225:22ff:fec4:8826.123          Idle   rge0

Where is the bug?
Re: [OpenIndiana-discuss] NTP trouble and 123 port
On Fri, Apr 25, 2014 at 10:53:36PM +0200, Brogyányi József wrote:
> I modified the ntp.conf but something is missing.
[...]
> If I enable the ntp then the server is running on port 123.

That's okay. `ntpd' must run continuously so that it can modify your system clock, and so that it can periodically poll the four time servers you have listed in the config file. The restrictions for the default network in the config file mean that it won't respond to commands arriving on most network interfaces. That's what prevents the NTP amplification attack. Indeed it's a server, but it's invisible as far as the outside world can tell. It will respond to 127.0.0.1 and ::1. That's why `ntpq -p' works.

-- 
-Gary Mills--refurb--Winnipeg, Manitoba, Canada-
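As an added example (not code from the list or from ntpd), the following script audits an ntp.conf for the shape Gary Mills posted earlier in the thread and explains here: a `restrict default` line carrying noquery and the other flags so ntpd answers no remote command, plus loopback exemptions so a local `ntpq -p` still works. The sample configs are constructed; HARDENED mirrors the posted directives and SERVERS_ONLY stands for a config with server lines and no restrict lines.

```python
# Audit the 'restrict' directives of an ntp.conf for the client-only shape from
# this thread: refuse queries and modification from everyone, but let localhost
# through so 'ntpq -p' still works.  Added example, not code from the list or
# from ntpd; the sample configs are constructed (HARDENED mirrors the thread).
REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}
LOOPBACK = ("127.0.0.1", "::1")

HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.pool.ntp.org
driftfile /var/ntp/ntp.drift
"""
# Server lines only: no 'restrict' at all, so ntpd answers anyone who asks.
SERVERS_ONLY = "server 0.hu.pool.ntp.org iburst\nserver 1.hu.pool.ntp.org iburst\n"

def parse_restrict_lines(conf_text):
    """Return [(address, set_of_flags)] for every 'restrict' directive; a
    leading -4/-6 is skipped and 'mask <m>' is folded into the address."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments and blanks
        if tokens[:1] != ["restrict"]:
            continue
        body = tokens[2:] if tokens[1:2] in (["-4"], ["-6"]) else tokens[1:]
        if not body:
            continue
        addr, flags = body[0], body[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            addr, flags = f"{addr}/{flags[1]}", flags[2:]
        rules.append((addr, set(flags)))
    return rules

def audit_ntp_conf(conf_text):
    """Return a list of findings; an empty list means remote queries and
    modification are refused while local ntpq -p is still permitted."""
    rules = dict(parse_restrict_lines(conf_text))   # later lines win
    default = rules.get("default")
    if default is None:
        return ["no 'restrict default' line: ntpd answers queries from anywhere"]
    findings = []
    missing = REQUIRED_DEFAULT_FLAGS - default
    if missing:
        findings.append("restrict default lacks: " + " ".join(sorted(missing)))
    if "noquery" in default:     # then localhost needs an explicit exemption
        for lb in LOOPBACK:
            if lb not in rules or "noquery" in rules[lb]:
                findings.append(f"no query-permitting 'restrict {lb}': local ntpq -p is refused")
    return findings
```

Run it as `audit_ntp_conf(open("/etc/inet/ntp.conf").read())` on the host in question; an empty result corresponds to the "invisible to the outside world, but answers locally" behaviour described above.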