Linux Support FAQ entry 07 Nov 2008, logged in as JanIven
LinuxSupportFAQForm
SupportProblem How should NTP be configured on SLC machines? The computer security scan claims it is too open.
SupportAnswer Canonical information on the use of NTP can be found on the IT-CS NTP page. For SLC machines, the following configuration for machines on the GPN (General purpose network, i.e. not TN) is recommended:

restrict default ignore
server   137.138.18.69
restrict 137.138.18.69 mask 255.255.255.255 nomodify notrap noquery
server   137.138.16.69
restrict 137.138.16.69 mask 255.255.255.255 nomodify notrap noquery
server   137.138.17.69
restrict 137.138.17.69 mask 255.255.255.255 nomodify notrap noquery
fudge    127.127.1.0 stratum 10
restrict 127.0.0.1 nomodify notrap

On CDB-managed machines, this can be done via ncm-ntpd (use 1.1.2 or better to get the above restricted behaviour).

Failure to restrict NTP properly can lead to remote attackers getting detailed information on the operating system (i.e. kernel version) and host time (helpful for some timing-related attacks), and even modifying the machine's clock (which is at least disruptive, and again can be used for some attacks, e.g. re-using expired credentials).
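A small checker for the restrict policy recommended above, as an added example (not part of the original FAQ and not ncm-ntpd code). The function names and the WEAK sample, which uses documentation addresses, are constructed for illustration; it matches server and restrict lines by literal address only.

```python
HOST_MASK = "255.255.255.255"
REQUIRED = {"nomodify", "notrap", "noquery"}   # flags the FAQ puts on each server

def parse(text):
    """Collect server addresses and restrict entries from ntp.conf text."""
    servers, restricts = [], {}
    for raw in text.splitlines():
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(tok) < 2:
            continue
        if tok[0] in ("server", "peer"):
            servers.append(tok[1])
        elif tok[0] == "restrict":
            flags, mask = tok[2:], HOST_MASK   # no "mask" keyword means a host entry
            if "mask" in flags:
                i = flags.index("mask")
                mask = flags[i + 1] if i + 1 < len(flags) else ""
                flags = flags[:i] + flags[i + 2:]
            restricts.setdefault(tok[1], []).append((mask, set(flags)))
    return servers, restricts

def audit(text):
    """Return findings; an empty list means the policy matches the FAQ's model."""
    servers, restricts = parse(text)
    findings = []
    defaults = restricts.get("default", [])
    if not defaults or any("ignore" not in f for _, f in defaults):
        findings.append("default: not set to 'ignore'")
    for s in servers:
        if s.startswith("127.127."):           # local reference clock, not a network peer
            continue
        entries = [f for m, f in restricts.get(s, []) if m == HOST_MASK]
        if not entries:                        # under "default ignore" replies would be dropped
            findings.append(f"{s}: no host restrict line")
            continue
        missing = REQUIRED - entries[-1]
        if missing:
            findings.append(f"{s}: missing {' '.join(sorted(missing))}")
    return findings

# Constructed sample: no default policy, one under-restricted server, one with none.
WEAK = """server 192.0.2.10
restrict 192.0.2.10 nomodify
server 192.0.2.11
"""

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```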

OsVersion all
HardwareArchitecture any
ApprovedBySupport SupportApproved
Topic revision: r1 - 2008-11-07 - JanIven
 