
Re: NTP insecure defaults



On Sat, 07 Jan 2017, Eero Volotinen wrote:
> Default ntpd does listen always on all interfaces. You need to install

You can restrict the standard ntp daemon services, and it won't *reply*.
You can also restrict its bind addresses, so it won't listen to every
interface it detects.

Usually, high-gain amplification attacks are the only thing we need to
restrict by default, and those are restricted to localhost by default in
Debian (I don't know since when, but Debian Jessie's defaults are
correct).

> openntpd or limit access to ntp port with iptables.

If you're limiting access to the ntp port, it doesn't matter if you use
secure but incomplete openntpd, or horrid-security-track-record, but
fully-fledged ntpd.

For client-only, openntpd is likely a better choice, yes.  Better yet,
use "chrony", which is optimized for desktop/laptops (which get
disconnected/powered off/suspended often).

ntp - time servers, high-precision time clients.
openntpd - always-on medium-precision time clients.
chrony - everything else.

> > On 01/07/2017 09:33 AM, Mart van de Wege wrote:
> >> Turns out the Debian default is indeed to provide time service if you
> >> install NTP. Shouldn't that be limited to localhost only, so that an

We already limit the large-amplification attacks to localhost.  Regular
ntp service works out-of-the-box, that means allowing client-server
clock queries.  But regular ntp service has a low amplification factor,
so it is usually not considered a problem at the network level.

-- 
  Henrique Holschuh

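As an added illustration (this is not part of Henrique's post or any Debian file), a small Python audit of an ntp.conf for the two restrictions discussed above: a "restrict default" line that denies the mode 6/7 control queries behind the high-amplification attacks to everyone but localhost, and "interface" rules so ntpd does not bind every address it detects. The sample configs are constructed here; the exact "interface listen" set and the use of the interface directive (needs an ntpd version that supports it) are assumptions.

```python
import shlex

# Flags 'restrict default' must carry so remote hosts get only plain
# client/server time exchange: no mode 6/7 control queries (the
# high-amplification ones), no runtime changes, no traps, no peering.
REQUIRED_DEFAULT_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}

def audit_ntp_conf(text):
    """Return a list of findings for an ntp.conf; empty list means OK."""
    findings, default_seen, has_interface_rule = [], False, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments/blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "restrict":
            args = [t for t in tokens[1:] if t not in ("-4", "-6")]
            if args and args[0] == "default":
                default_seen = True
                missing = REQUIRED_DEFAULT_FLAGS - set(args[1:])
                if missing:
                    findings.append("restrict default lacks: "
                                    + " ".join(sorted(missing)))
        elif tokens[0] == "interface":
            has_interface_rule = True
    if not default_seen:
        findings.append("no 'restrict default' line: remote hosts unrestricted")
    if not has_interface_rule:
        # Without any interface rule ntpd opens a socket on every address it finds.
        findings.append("no 'interface' rules: ntpd binds all interfaces")
    return findings

# Constructed sample configs for this example (not real Debian files).
WEAK_CONF = """
restrict default kod nomodify notrap
"""
HARDENED_CONF = """
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
interface ignore wildcard
interface listen lo
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf) or ["OK"])
```

The "restrict 127.0.0.1" / "::1" lines are what keep the control queries available locally while the default line denies them to everyone else.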
