
Re: NTP insecure defaults



Michael Luecke <michael@m-luecke.de> writes:

> On 01/07/2017 09:33 AM, Mart van de Wege wrote:
>> Turns out the Debian default is indeed to provide time service if you
>> install NTP. Shouldn't that be limited to localhost only, so that an
>> admin must deliberately open up the service if they want to provide NTP
>> service to the outside world?
>
> Did you install any package that suggested or depended on the ntp
> package? Because on my system, the ntp package is not installed. ntp
> is handled by systemd-timesyncd. So the current Debian installer does
> not install ntp by default in my opinion.
>
While I like systemd and its related projects, I have not yet switched
to systemd-timesyncd.

And I was not implying Debian installs ntp by default, merely that the
package comes with IMO insecure defaults.

> I downloaded the ntp_4.2.6.p5+dfsg-7+deb8u2_amd64 package and looked
> into the /etc/ntp.conf and it is restricted to 127.0.0.1 and ::1 by
> default.
>
>> I thought of opening a bug, but I'd like a second opinion
>> first. Thoughts anyone?
>
> I think you should give us a few more details before filing a bug
> report (what did you install, which files did you change, ...).
>
See, that's why I asked for a second opinion.

I explicitly installed the ntp package, and mine came with this as
default:

# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited

I commented these out, and left the next stanza, which *is* a
restriction to localhost.

Mart

-- 
"We will need a longer wall when the revolution comes."
    --- AJS, quoting an uncertain source.
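
An added example, not part of the original message or of the Debian package: a small checker that reads the `restrict` lines of an ntp.conf and reports, per address family, whether the default entry lets arbitrary hosts obtain time. The sample files are constructed, the localhost lines are assumed from the addresses named in the thread, and a file with no default entry is reported as exposed because ntpd's built-in default entry carries no flags.

```python
# Flags that make ntpd refuse time requests from a matching source.
DENY_TIME = {"ignore", "noserve"}

def parse_restrict(text):
    """Return (family, address, flags) for every active 'restrict' line."""
    entries = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if len(words) < 2 or words[0] != "restrict":
            continue
        words = words[1:]
        family = words.pop(0) if words[0] in ("-4", "-6") else None
        if not words:
            continue
        address = words.pop(0)
        if words[:1] == ["mask"]:
            words = words[2:]                  # skip the mask value
        entries.append((family, address, set(words)))
    return entries

def audit(text):
    """Per address family: 'open', 'closed' or 'unset' for the default entry."""
    state = {"-4": "unset", "-6": "unset"}
    for family, address, flags in parse_restrict(text):
        if address != "default":
            continue
        verdict = "closed" if flags & DENY_TIME else "open"
        # Assumption: an unqualified 'restrict default' covers both families.
        for fam in ([family] if family else ["-4", "-6"]):
            state[fam] = verdict
    return state

def serves_strangers(text):
    """True if hosts without a specific entry can still get time service."""
    # 'unset' counts as exposed: ntpd's built-in default entry has no flags.
    return any(v != "closed" for v in audit(text).values())

# Constructed samples; the two default lines in STOCK are the ones quoted above.
LOCALHOST = "restrict 127.0.0.1\nrestrict ::1\n"
STOCK = ("restrict -4 default kod notrap nomodify nopeer noquery limited\n"
         "restrict -6 default kod notrap nomodify nopeer noquery limited\n" + LOCALHOST)
COMMENTED = "".join("#" + l + "\n" for l in STOCK.splitlines()[:2]) + LOCALHOST
LOCKED = "restrict -4 default ignore\nrestrict -6 default ignore\n" + LOCALHOST

if __name__ == "__main__":
    for name, conf in (("stock", STOCK), ("commented", COMMENTED), ("locked", LOCKED)):
        print(name, audit(conf), "exposed" if serves_strangers(conf) else "local only")
```

A default entry with `ignore` also drops replies from the host's own upstream servers, so each configured server then needs its own `restrict` line.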

