Re: NTP insecure defaults

2017-01-09 Thread Teemu Likonen
Mart van de Wege [2017-01-09 08:37:48+01] wrote: > While I like systemd and its related projects, I have not yet switched > to systemd-timesyncd. I switched to systemd-timesyncd yesterday and found it great. It just works and is simpler than alternatives. Recipe: - Remove all other ntp server

Re: NTP insecure defaults

2017-01-08 Thread Mart van de Wege
Henrique de Moraes Holschuh writes: > > For client-only, openntpd is likely a better choice, yes. Better yet, > use "chrony", which is optimized for desktop/laptops (which get > disconnected/powered off/suspended often). > > ntp - time servers, high-precision time clients. >

Re: NTP insecure defaults

2017-01-08 Thread Mart van de Wege
Michael Luecke writes: > On 01/07/2017 09:33 AM, Mart van de Wege wrote: >> Turns out the Debian default is indeed to provide time service if you >> install NTP. Shouldn't that be limited to localhost only, so that an >> admin must deliberately open up the service if they

Re: NTP insecure defaults

2017-01-08 Thread Celejar
On Sat, 7 Jan 2017 09:30:55 -0200 Henrique de Moraes Holschuh wrote: ... > For client-only, openntpd is likely a better choice, yes. Better yet, > use "chrony", which is optimized for desktop/laptops (which get > disconnected/powered off/suspended often). > > ntp - time

Re: NTP insecure defaults

2017-01-07 Thread Henrique de Moraes Holschuh
On Sat, 07 Jan 2017, Eero Volotinen wrote: > Default ntpd does listens allways all interfaces. You need to install You can restrict the standard ntp daemon services, and it won't *reply*. You can also restrict its bind addresses, so it won't listen to every interface it detects. Usually,

Re: NTP insecure defaults

2017-01-07 Thread Eero Volotinen
Hi, Default ntpd does listens allways all interfaces. You need to install openntpd or limit access to ntp port with iptables. -- Eero 2017-01-07 11:40 GMT+02:00 Michael Luecke : > On 01/07/2017 09:33 AM, Mart van de Wege wrote: > >> Turns out the Debian default is indeed

Re: NTP insecure defaults

2017-01-07 Thread Michael Luecke
On 01/07/2017 09:33 AM, Mart van de Wege wrote: Turns out the Debian default is indeed to provide time service if you install NTP. Shouldn't that be limited to localhost only, so that an admin must deliberately open up the service if they want to provide NTP service to the outside world? Did

NTP insecure defaults

2017-01-07 Thread Mart van de Wege
My hosting provider recently pointed my attention to the fact that my Jessie installation was running NTP and listening and responding to the outside world, which is considered a security risk due to the possibility of amplification attack DDoSes. Turns out the Debian default is indeed to provide