[CLUE-Tech] NTP Questions

Ed Hill ed at eh3.com
Sat Jan 12 11:06:35 MST 2002


On Sat, 2002-01-12 at 09:34, Jed S. Baer wrote:
> On Fri, 11 Jan 2002 23:35:26 -0700
> "Jeremy Huber" <jhuber at fallenknight.org> wrote:
> 
> > My experiences only: may or may not be true to code
> > 
> > a) You shouldn't have to worry about the keys being easily hacked as
> > long as you have the authentication (keys) turned off.  There's really no
> > reason to have a remote machine fiddling with the time of a server
> > anyway.
> 
> Well, I wouldn't put anything past script kiddies.

There have been remote-root exploits with (x)ntpd as recently as Red Hat
7.0: http://www.ciac.org/ciac/bulletins/l-071.shtml


> > b) From what I've seen, if NTPd is way off (more than an hour), or if
> > there's no connection, it'll just die quietly/not bother to change
> > the time.  I've never tested to see what happens if it has a
> > connection, then loses it.
> 
> Apparently, the daemon still runs, but it gives up on connecting to any of
> the servers, and doesn't re-connect when the network is back up.


I've been using (x)ntpd for years and I do appreciate the convenience. 
Recently, the time on my laptop has been way off and I was wondering why
ntp wasn't working.  The laptop usually gets connected at least once a
day.  And it gets rebooted frequently.  So I thought perhaps I should
switch to ntpdate instead of ntpd.

So after some research, it turned out that (1) more-aggressive firewall
rules (RH 7.2 default) were blocking the ntp protocol and (2) some of
the ntp servers that I was using have changed their policies so they
would not respond.  I added the following to /etc/sysconfig/ipchains:

  #  Add ntp-protocol client support
  -A output -j ACCEPT  -p udp -d 0/0 ntp
  -A input  -j ACCEPT  -p udp -s 0/0 ntp

and then added open-access (stratum 2) clock servers from www.ntp.org to
/etc/ntp.conf and it seems to be working just fine now.

Hope someone else finds this info useful...

Ed


-- 
Edward H. Hill III, PhD
Post-Doctoral Researcher   |  Email:       ed at eh3.com, ehill at mines.edu
Division of ESE            |  URL:         http://www.eh3.com
Colorado School of Mines   |  Phone:       303-273-3483
Golden, CO  80401          |  Fax:         303-273-3311
GnuPG Key ID:  1E76F123    |  Public key:  http://www.eh3.com/eh3.gpg
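
An added example, not part of Ed's message: the input rule above admits any UDP packet whose source port is ntp, from any address, so this sketch derives per-server rules from the `server` lines of an ntp.conf instead. The sample ntp.conf, its documentation-range addresses and the `ntp_rules` function name are constructed for illustration, and pinning both ports to ntp assumes the client is ntpd, which sends from port 123.

```shell
#!/bin/sh
# Added example: print ipchains rules that allow NTP only to and from the
# servers named in an ntp.conf, rather than to and from 0/0.

# Constructed sample ntp.conf (addresses are documentation-range placeholders).
SAMPLE_NTP_CONF='# constructed sample
server 192.0.2.10
server 198.51.100.7 prefer
server ntp.example.org
restrict default ignore
server 127.127.1.0   # local clock driver, not a network peer
fudge 127.127.1.0 stratum 10
'

# Reads ntp.conf text on stdin and prints one output/input rule pair per
# network server, in the format used by /etc/sysconfig/ipchains.
ntp_rules() {
    awk '
        $1 != "server"      { next }   # only server lines matter here
        $2 ~ /^127\.127\./  { next }   # reference-clock drivers need no rule
        $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            # Assumption: ntpd uses port 123 (ntp) on both ends.
            printf "-A output -j ACCEPT -p udp -s 0/0 ntp -d %s ntp\n", $2
            printf "-A input  -j ACCEPT -p udp -s %s ntp -d 0/0 ntp\n", $2
            next
        }
        # Names may not resolve when the firewall loads at boot; flag them.
        { printf "# skipped, resolve to an address first: %s\n", $2 }
    '
}

# Stand-alone run over the constructed sample.
printf '%s' "$SAMPLE_NTP_CONF" | ntp_rules
```

The printed `-A` lines would replace the two 0/0 rules, so a packet from any other host with source port 123 is no longer accepted.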