
Re: NTP security



On one of my multihomed machines together with authentication I tend to use
something like:

restrict default ignore
restrict ntpserver1 nomodify
restrict ntpserver2 nomodify
restrict ntpserver3 nomodify
restrict network1 mask netmask1 notrust nomodify
restrict network2 mask netmask2 notrust nomodify
restrict network3 mask netmask3
restrict 127.0.0.1

Basically this synchronizes time using the 3 server sources and then via a
broadcast server config it advertises the time to network1, network2, and
network3. network3 however is the only network which administrative
requests may be honored from, or localhost.  See the other popular thread
right now for locking down your interfaces on an IP forwarding machine. <g>
Combined with a packet filter this should offer pretty good protection,
though it will be something you have to watch as your server addresses can
change with little warning.

On the subject of securing NTP, has anyone gotten the autokey stuff to work
with the version of ntpd in stable?

-- 
Jamie Heilman                   http://audible.transient.net/~jamie/
"...thats the metaphorical equivalent of flopping your wedding tackle 
 into a lion's mouth and flicking his lovespuds with a wet towel, pure 
 insanity..."						-Rimmer
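
Added example (not part of the original post): a small Python check of which
source addresses the restrict list above would still accept modify requests
from, using ntpd's most-specific-entry matching. The addresses are constructed
stand-ins for the post's ntpserverN/networkN placeholders, the function names
are hypothetical, and only IPv4 entries are handled.

```python
import ipaddress

# Constructed stand-ins for the post's placeholders (ntpserverN, networkN).
SAMPLE_CONF = """\
restrict default ignore
restrict 192.0.2.1 nomodify
restrict 192.0.2.2 nomodify
restrict 192.0.2.3 nomodify
restrict 10.0.1.0 mask 255.255.255.0 notrust nomodify
restrict 10.0.2.0 mask 255.255.255.0 notrust nomodify
restrict 10.0.3.0 mask 255.255.255.0
restrict 127.0.0.1
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every IPv4 'restrict' line."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest, mask = tok[1], tok[2:], "32"  # bare address = host entry
        if addr == "default":
            addr, mask = "0.0.0.0", "0"
        elif len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def flags_for(entries, source):
    """Flags of the most specific entry covering source (longest mask wins)."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    # With no matching entry at all, ntpd applies no restrictions.
    return max(hits, key=lambda h: h[0])[1] if hits else frozenset()

def may_modify(entries, source):
    """True if a modify request from source gets past the restrict list.
    ntpd still requires the request to be authenticated with a valid key."""
    return not ({"ignore", "nomodify"} & flags_for(entries, source))

if __name__ == "__main__":
    acl = parse_restrict(SAMPLE_CONF)
    for src in ("127.0.0.1", "10.0.3.7", "10.0.1.7", "192.0.2.1", "203.0.113.9"):
        print(f"{src:<12} modify allowed by ACL: {may_modify(acl, src)}")
```

Re-running a check like this after any server address change shows whether a
source has silently fallen through to the default entry.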
