Re: [ntp:questions] Restrict statements and the pool directive

2014-12-22 Thread Rob
David Woolley david@ex.djwhome.demon.invalid wrote:
 On 21/12/14 20:10, Rob wrote:
 What I got from the documentation is that without nopeer a server
 could set up a peer association.  I don't like that.

 No. Without nopeer, a *client* can't set up a peer session.  If you are 
 using a system as a server, it cannot cause you more disruption than if 
 it peered itself with you.

 The problem here is that the exact significance of being a peer isn't 
 well documented.

Exactly.  The description in the documentation is unreadable.  There
is no plain language paragraph after the initial definition that must
be in terminology explained elsewhere, but has no pointer to there.

Until it is, it appears to be better to not use the functionality.
After 3 days of finding out how to install updates and where to get
updated source, Harlan finally stated on the Pool list:

 If you have been following BCP and only allow 'query' from trusted hosts
 you are protected from these attacks.

Was it really that hard to write that in the initial publication???
After all, it turned out to be completely unnecessary to update.
And with that, everyone would have avoided running into an issue like
this and the matter could have been studied beforehand.

___
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions


Re: [ntp:questions] Number of Stratum 1 Stratum 2 Peers

2014-12-22 Thread Martin Burnicki

Phil W Lee wrote:

I believe it is important to allow negative leap seconds again, in
order to allow a dignified recovery from erroneous positive leap
seconds.


I don't think fake negative leap seconds can (and should) be used to 
undo the effect of an erroneously applied positive leap second.


Martin



Re: [ntp:questions] Soekris net4501 help....

2014-12-22 Thread David Taylor
I fixed the problem - it seems that the physicaldiskwrite program is 
more successful than Win32DiskImager at writing the image to a CF card, 
so I now have the m0n0wall program running showing that the box works, 
at least.


Now does anyone have a working NTP server image I might be able to 
download and play with for that box?


--
Thanks,
David
Web: http://www.satsignal.eu



Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread David Woolley

On 22/12/14 04:02, Paul wrote:

And yet people apply critical monthly patches from Microsoft and Oracle all
the time without running them through dev and q/a.


Not on business critical servers.  They may well apply them to general 
purpose desktop machines, but even then, if they don't have enough 
diversity, that can be a serious risk.


Also, what happens here is more akin to service pack, which is even more 
likely to get extensive lab testing.


I'm not sure if I've had a Microsoft update break anything in my 
non-critical system use, but I've certainly had false positives 
from virus checker updates causing damage which wasted an hour or two on 
my home system, but if it had affected an important component on a 
critical server, or even on all the company workstations, it would be 
disastrous for the company.


Many businesses operate local repositories of Microsoft updates, not 
just to reduce bandwidth.




Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread Rob
Martin Burnicki martin.burni...@meinberg.de wrote:
 Rob schrieb:
 David Woolley david@ex.djwhome.demon.invalid wrote:
 On 21/12/14 10:48, Rob wrote:
 People say disable crypto but there is no clear direction in the docs
 on how to do that.  There is no crypto off or disable crypto config
 directive at first glance.  So how is this done?

 I would assume by not enabling it.

 Ok, but in that case why the worry about the millions of vulnerable
 servers on the internet, I think most users who just want to get and
 serve time don't spend the week of time needed to get the crypto working
 and to coordinate with other servers doing the same.

 I think this is because they just didn't understand in which cases these 
 vulnerabilities can be exploited.

 And of course, the information flow was really bad here, so that it is 
 very hard to figure out which systems are affected.

Indeed.  Only after 3 days there was a statement on the pool mailing list
that the problem only affected servers that can be queried.  Well, that
had better be stated in the original release, so that 99.9% of the users
of ntpd could immediately move it to not for me and not be worried.

 So for now I presume it is on by default...  also because of what I saw
 in the OpenSUSE example config.  (or would the keys config directive
 be the magic enable crypto directive?)

 Unfortunately openSUSE has (symmetric keys) crypto enabled to be able to 
 change ntpd's configuration at runtime via ntpq and/or ntpdc commands. 
 E.g. if the dhcp client receives a DHCP option with the IP of an NTP 
 server it configures ntpd dynamically to use this server.

Ok, I always immediately cut out such behaviour after installing a system.
I don't want DHCP to modify my NTP settings, or to restart ntpd.
(of course the neat thing about the above solution is that it is not
required to restart ntpd.  In Debian, for example, ntpd is restarted when
a DHCP lease with changed ntp option is received)

I was amazed to see that when updating ntpd from the OpenSUSE update,
the last part of ntp.conf which I commented-out was appended again by
the update script.  So I removed it again.



Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread Martin Burnicki

Rob schrieb:

David Woolley david@ex.djwhome.demon.invalid wrote:

On 21/12/14 10:48, Rob wrote:

People say disable crypto but there is no clear direction in the docs
on how to do that.  There is no crypto off or disable crypto config
directive at first glance.  So how is this done?


I would assume by not enabling it.


Ok, but in that case why the worry about the millions of vulnerable
servers on the internet, I think most users who just want to get and
serve time don't spend the week of time needed to get the crypto working
and to coordinate with other servers doing the same.


I think this is because they just didn't understand in which cases these 
vulnerabilities can be exploited.


And of course, the information flow was really bad here, so that it is 
very hard to figure out which systems are affected.



So for now I presume it is on by default...  also because of what I saw
in the OpenSUSE example config.  (or would the keys config directive
be the magic enable crypto directive?)


Unfortunately openSUSE has (symmetric keys) crypto enabled to be able to 
change ntpd's configuration at runtime via ntpq and/or ntpdc commands. 
E.g. if the dhcp client receives a DHCP option with the IP of an NTP 
server it configures ntpd dynamically to use this server.


Martin



Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread Paul
On Mon, Dec 22, 2014 at 5:27 AM, David Woolley 
david@ex.djwhome.demon.invalid wrote:

 On 22/12/14 04:02, Paul wrote:

 And yet people apply critical monthly patches from Microsoft and Oracle
 all
 the time without running them through dev and q/a.


 Not on business critical servers.


Normally I'd say we can agree to disagree but I can say with 100% certainty
that your statement is incorrect.

Some businesses have sufficient resources to manage zero-day exploits
and others don't.


Re: [ntp:questions] Jesus Christ! - even internet time-sync(NTP) is vulnerable to exploitation?

2014-12-22 Thread Virus Guy
Harlan Stenn wrote:
 
  Under what conditions would someone who is NOT operating an NTP
  server expect to see external IP's hit his router on port 123?
 
  And given that such events are happening, how would you explain
  that these external IP's have rDNS data that maps them to
  various.pool.ntp.org?

Before we continue, why can't you answer those questions?

 We're not communicating effectively.

Until you answer those questions, no - we're not.

 I still think you mean:
 
  If the answer is the latter, then these may very well be examples
  of compromised / trojanized servers performing their own NTP
  probes under botnet control.

Which comes right back to the questions that I posted above that you
have not answered.

The rDNS of the IP addresses of these hypothetical trojanized servers
map to known pool.ntp.org servers.

If (as has just been mentioned by Brian Utterback) the IP addresses of
the remote machines were forged, then we don't really know the true IP's
of the remote machines performing these probes.  But if that was not the
case, then we have machines that either are or recently were part of the
pool of ntp.org servers performing NTP probes on random IP's.



Re: [ntp:questions] Restrict statements and the pool directive

2014-12-22 Thread Paul
On Mon, Dec 22, 2014 at 4:14 AM, Rob nom...@example.com wrote:

 David Woolley david@ex.djwhome.demon.invalid wrote:
  On 21/12/14 20:10, Rob wrote:
  What I got from the documentation is that without nopeer a server
  could set up a peer association.  I don't like that.
 
  No. Without nopeer, a *client* can't set up a peer session.
 
  The problem here is that the exact significance of being a peer isn't
  well documented.

 Exactly.  The description in the documentation is unreadable.  There
 is no plain language paragraph after the initial definition that must
 be in terminology explained elsewhere, but has no pointer to there.

This is true but irrelevant.  The udel documentation could use more linking
but given a typical configuration you don't need to understand everything
to use NTP or the POOL directive.

http://www.eecis.udel.edu/~mills/ntp/html/accopt.html#restrict
http://www.eecis.udel.edu/~mills/ntp/html/assoc.html#symact
http://www.eecis.udel.edu/~mills/ntp/html/miscopt.html#enable
(or the equivalents in the html directory).

 Until it is, it appears to be better to not use the functionality.

Didn't we go through this last month too?

By the way, if you're only going to believe what you read in the html
directory then don't ask questions here -- read the docs.  If you are going
to ask questions here then do people the courtesy of *silently* ignoring their
help.
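Both Rob's opening post and this reply turn on what the restrict lines actually grant, and Harlan's remark (quoted earlier in the digest) that only allowing 'query' from trusted hosts protects against the reported attacks. The following is an added example of my own, not code from the list or the NTP project: a small linter for the restrict baseline, including the caveat from the 4.2.8 accopt page that nopeer in the default restriction also blocks pool associations unless a 'restrict source' line without nopeer is present. The sample configs are constructed.

```python
"""Lint the restrict lines of an ntp.conf against the baseline this thread
argues for: a default restriction carrying noquery/nomodify/nopeer, and a
'restrict source' line without nopeer whenever a pool directive is used."""
import shlex

# Flags the accopt docs and Harlan's BCP remark expect on 'restrict default'.
WANTED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}


def parse_restricts(conf):
    """Return (default_flags, source_flags, pool_names). default_flags is the
    intersection over every default line (-4 and -6), None if there is none."""
    default, source, pools = None, None, []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        words = shlex.split(line)
        if words[0] == "pool" and len(words) > 1:
            pools.append(words[1])
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if not args:
                continue
            target, rest = args[0], args[1:]
            if rest[:1] == ["mask"] and len(rest) >= 2:
                if rest[1] in ("0.0.0.0", "::"):  # old spelling of 'default'
                    target = "default"
                rest = rest[2:]
            flags = set(rest)
            if target == "default":
                default = flags if default is None else default & flags
            elif target == "source":
                source = flags
    return default, source, pools


def lint(conf):
    """Return a list of findings; an empty list means the config passes."""
    default, source, pools = parse_restricts(conf)
    findings = []
    if default is None:
        findings.append("no 'restrict default' line: any host may query, modify or peer")
    else:
        findings += [f"restrict default lacks {f}" for f in sorted(WANTED_DEFAULT_FLAGS - default)]
    # Per the 4.2.8 accopt docs, nopeer also blocks pool associations, so a
    # pool directive needs a 'restrict source' line without nopeer beside it.
    if pools and default and "nopeer" in default and (source is None or "nopeer" in source):
        findings.append("pool with default nopeer needs 'restrict source' without nopeer")
    return findings


# Constructed sample configs (not taken from the thread).
WEAK_CONF = """
pool 0.pool.ntp.org iburst
restrict default kod nomodify notrap   # noquery and nopeer missing
restrict 127.0.0.1
"""
HARDENED_CONF = """
pool 0.pool.ntp.org iburst
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict source kod nomodify notrap noquery   # no nopeer: pool servers may associate
"""
```

Running `lint(WEAK_CONF)` reports the two missing default flags, while `lint(HARDENED_CONF)` returns an empty list.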


Re: [ntp:questions] NTP 4.2.8 for Windows

2014-12-22 Thread Martin Burnicki
A new GUI installer with ntp-4.2.8 for Windows is now available at our 
NTP download page:

http://www.meinbergglobal.com/english/sw/ntp.htm#ntp_stable

Martin


Martin Burnicki wrote:

Folks,

ntp 4.2.8 has been released and includes a few security fixes.

Unfortunately these fixes which have been included after 4.2.7p485-RC
break building the original tarball for Windows.

I have a temporary fix for this and compiled 4.2.8 for Windows. A ZIP
file with the binaries is available here:
http://www.meinberg.de/download/ntp/windows/ntp-4.2.8-stable-debug.zip

This also includes the current version of the openSSL DLL.

If you already have NTP for Windows installed you can easily upgrade
with a few steps:

- stop the NTP service

- extract the executables from the ZIP archive

- copy the extracted executables over the ones existing in the
installation folder, e.g.
C:\Program files\NTP\bin  or
C:\Program files (x86)\NTP\bin
Please note you may need admin rights (i.e. Run As Administrator ...)
to update the files.

- start the NTP service

We (Meinberg) will try to roll up a new GUI installer on Monday, and of
course I will push the patch which fixes the build to the NTP repo.

Martin




[ntp:questions] GUI installer with ntp-4.2.8 for Windows now available

2014-12-22 Thread Martin Burnicki

Folks,

a new GUI installer with ntp-4.2.8 for Windows is now available at 
Meinberg's NTP download page:

http://www.meinbergglobal.com/english/sw/ntp.htm#ntp_stable

This also includes the current version v1.0.1j of the openSSL DLL, which 
also fixes some openSSL vulnerabilities.


Martin



Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread Martin Burnicki

Rob wrote:

Martin Burnicki martin.burni...@meinberg.de wrote:

And of course, the information flow was really bad here, so that it is
very hard to figure out which systems are affected.


Indeed.  Only after 3 days there was a statement on the pool mailing list
that the problem only affected servers that can be queried.  Well, that
had better be stated in the original release, so that 99.9% of the users
of ntpd could immediately move it to not for me and not be worried.


Yes. I agree that this information should have been available 
immediately with the first alert. This would have avoided much trouble.



So for now I presume it is on by default...  also because of what I saw
in the OpenSUSE example config.  (or would the keys config directive
be the magic enable crypto directive?)


Unfortunately openSUSE has (symmetric keys) crypto enabled to be able to
change ntpd's configuration at runtime via ntpq and/or ntpdc commands.
E.g. if the dhcp client receives a DHCP option with the IP of an NTP
server it configures ntpd dynamically to use this server.


Ok, I always immediately cut out such behaviour after installing a system.


That's also what I do. It's interesting to see how the different ways to 
fiddle with the NTP configuration automatically evolve over time. ;-)



I don't want DHCP to modify my NTP settings, or to restart ntpd.
(of course the neat thing about the above solution is that it is not
required to restart ntpd.  In Debian, for example, ntpd is restarted when
a DHCP lease with changed ntp option is received)


For standard deployments on a huge number of clients the DHCP way very 
much simplifies installation since you only have to configure the DHCP 
server.


On the other hand, it would be good if there was a simple (easy-to-find) 
switch where you could disable such automatics.


Martin



Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread Rob
Martin Burnicki martin.burni...@meinberg.de wrote:
 I don't want DHCP to modify my NTP settings, or to restart ntpd.
 (of course the neat thing about the above solution is that it is not
 required to restart ntpd.  In Debian, for example, ntpd is restarted when
 a DHCP lease with changed ntp option is received)

 For standard deployments on a huge number of clients the DHCP way very 
 much simplifies installation since you only have to configure the DHCP 
 server.

 On the other hand, it would be good if there was a simple (easy-to-find) 
 switch where you could disable such automatics.

Of course DHCP in itself is great, and I like it when devices (and maybe
workstations) automatically obtain the local timeserver address.
But what I DON'T like is when my carefully configured NTP server with
local refclock and configured secondary servers is turned into a client
of itself or another local system.

I agree that the enable/disable of this feature is often absent or very
hard to find.  Often you have to edit /etc/dhclient.conf or just
remove some script from /etc/dhclient.d but it is dangerous because
it may re-appear after a security update.
A simple NTP_USE_DHCP=yes that you can set to no when desired in
/etc/sysconfig/ntp or /etc/default/ntp would be so much better...



Re: [ntp:questions] Soekris net4501 help....

2014-12-22 Thread Majdi S. Abbas
On Mon, Dec 22, 2014 at 10:24:25AM +, David Taylor wrote:
 I fixed the problem - it seems that the physicaldiskwrite program is more
 successful than Win32DiskImager at writing the image to a CF card, so I now
 have the m0n0wall program running showing that the box works, at least.

David,

My usual technique for Soekrii is to use a USB Compact Flash
adapter plugged into their USB port, with the target media in it, and
use a 1-2G CF card with a standard USB install image internally.

Their BIOS can boot off of it as long as it's internal, you
install to the drive visible via the USB adapter, and then swap the 
cards back around (don't forget to set any required boot options,
and edit fstab so it can find its partitions.)

This is useful in environments that can't support PXE.

--msa


[ntp:questions] ntpq -c sysstats (replacing 'ntpdc -c sysstats') ?

2014-12-22 Thread irwin . tillman
After upgrading to 4.2.8, I'm trying to migrate my use of 'ntpdc -c sysstats' 
to ntpq.  

The 4.2.8 source seems to indicate that something like 'ntpq -c sysstats' might 
be the answer, but ntpq says that the 'sysstats' command is unknown. Any other 
ideas?



Re: [ntp:questions] ntpq -c sysstats (replacing 'ntpdc -c sysstats') ?

2014-12-22 Thread Mike Cook
Works for me. At least in Win7


 On 22 Dec. 2014 at 22:35, irwin.till...@gmail.com wrote:
 
 After upgrading to 4.2.8, I'm trying to migrate my use of 'ntpdc -c sysstats' 
 to ntpq.  
 
 The 4.2.8 source seems to indicate that something like 'ntpq -c sysstats' 
 might be the answer, but ntpq says that the 'sysstats' command is unknown. 
 Any other ideas?
 

Re: [ntp:questions] ntpq -c sysstats (replacing 'ntpdc -c sysstats') ?

2014-12-22 Thread irwin . tillman
Never mind.  Brain freeze.



Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread Harlan Stenn
Martin Burnicki writes:
 Rob wrote:
  Martin Burnicki martin.burni...@meinberg.de wrote:
  And of course, the information flow was really bad here, so that it is
  very hard to figure out which systems are affected.
 
  Indeed.  Only after 3 days there was a statement on the pool mailing list
  that the problem only affected servers that can be queried.  Well, that
  had better be stated in the original release, so that 99.9% of the users
  of ntpd could immediately move it to not for me and not be worried.
 
 Yes. I agree that this information should have been available 
 immediately with the first alert. This would have avoided much trouble.

And if we had realized all of this at first alert we would have.

The announcement came out 3 days later than I wanted.  I'd been working
on this for 2 solid weeks by then.
-- 
Harlan Stenn st...@ntp.org
http://networktimefoundation.org - be a member!


Re: [ntp:questions] What to do for clients less than 4.2.8?

2014-12-22 Thread William Unruh
On 2014-12-23, Harlan Stenn st...@ntp.org wrote:
 Martin Burnicki writes:
 Rob wrote:
  Martin Burnicki martin.burni...@meinberg.de wrote:
  And of course, the information flow was really bad here, so that it is
  very hard to figure out which systems are affected.
 
  Indeed.  Only after 3 days there was a statement on the pool mailing list
  that the problem only affected servers that can be queried.  Well, that
  had better be stated in the original release, so that 99.9% of the users
  of ntpd could immediately move it to not for me and not be worried.
 
 Yes. I agree that this information should have been available 
 immediately with the first alert. This would have avoided much trouble.

 And if we had realized all of this at first alert we would have.

 The announcement came out 3 days later than I wanted.  I'd been working
 on this for 2 solid weeks by then.

Thank you very much. 
