LinuxSupportFAQForm | |
---|---|
SupportProblem | How should NTP be configured on SLC machines? The computer security scan claims it is too open. |
SupportAnswer |
Canonical information on the use of NTP can be found on the IT-CS NTP page. For SLC machines, the following configuration for machines on the GPN (General purpose network, i.e. not TN) is recommended:
```
restrict default ignore
server 137.138.18.69
restrict 137.138.18.69 mask 255.255.255.255 nomodify notrap noquery
server 137.138.16.69
restrict 137.138.16.69 mask 255.255.255.255 nomodify notrap noquery
server 137.138.17.69
restrict 137.138.17.69 mask 255.255.255.255 nomodify notrap noquery
fudge 127.127.1.0 stratum 10
restrict 127.0.0.1 nomodify notrap
```

On CDB-managed machines, this can be done via ncm-ntpd (use 1.1.2 or better to get the above restricted behaviour). Failure to restrict NTP properly can let remote attackers obtain detailed information on the operating system (i.e. kernel version) and host time (helpful for some timing-related attacks), and even modify the machine's clock (which is at least disruptive, and again can be used for some attacks, e.g. re-using expired credentials). |
OsVersion | all |
HardwareArchitecture | any |
ApprovedBySupport | SupportApproved |
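To check an existing `ntp.conf` against the restrict pattern recommended above, a small auditor can be run over the file contents. This is an added example, not part of the original FAQ or of ncm-ntpd; the function name `audit_ntp_conf` and the `TOO_OPEN` sample are constructed here, and it assumes servers are listed by literal address with host-mask restrict lines, as in the recommended configuration.

```python
REQUIRED = {"nomodify", "notrap", "noquery"}  # flags the page sets per server
# The GPN configuration recommended on this page.
RECOMMENDED = """\
restrict default ignore
server 137.138.18.69
restrict 137.138.18.69 mask 255.255.255.255 nomodify notrap noquery
server 137.138.16.69
restrict 137.138.16.69 mask 255.255.255.255 nomodify notrap noquery
server 137.138.17.69
restrict 137.138.17.69 mask 255.255.255.255 nomodify notrap noquery
fudge 127.127.1.0 stratum 10
restrict 127.0.0.1 nomodify notrap
"""
# Constructed counter-example: no default policy, one server unrestricted, one without noquery.
TOO_OPEN = """\
server 137.138.18.69
server 137.138.16.69
restrict 137.138.16.69 mask 255.255.255.255 nomodify notrap
"""

def audit_ntp_conf(text):
    """Return findings; an empty list means the restrict pattern is in place."""
    servers, restricts, default = [], {}, None
    for raw in text.splitlines():
        # Drop comments and the optional address-family switches.
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(tok) < 2:
            continue
        # 127.127.x.x is a local reference clock, not a network peer.
        if tok[0] == "server" and not tok[1].startswith("127.127."):
            servers.append(tok[1])
        elif tok[0] == "restrict":
            flags = tok[4:] if tok[2:3] == ["mask"] else tok[2:]
            if tok[1] == "default":
                default = set(flags)
            else:
                restricts[tok[1]] = set(flags)
    findings = []
    if default is None or "ignore" not in default:
        findings.append("default policy is not 'restrict default ignore'")
    for s in servers:
        if s not in restricts:
            findings.append(f"server {s}: no matching restrict line")
        elif not REQUIRED <= restricts[s]:
            missing = " ".join(sorted(REQUIRED - restricts[s]))
            findings.append(f"server {s}: restrict lacks {missing}")
    return findings

if __name__ == "__main__":
    print(audit_ntp_conf(RECOMMENDED) or "OK", audit_ntp_conf(TOO_OPEN), sep="\n")
```

With `restrict default ignore` in place, a server that has no restrict line of its own is also a functional problem: its replies are dropped and the machine will not synchronise.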