[CLUE-Tech] NTP Questions
Ed Hill
ed at eh3.com
Sat Jan 12 11:06:35 MST 2002

On Sat, 2002-01-12 at 09:34, Jed S. Baer wrote:
> On Fri, 11 Jan 2002 23:35:26 -0700
> "Jeremy Huber" <jhuber at fallenknight.org> wrote:
>
> > My experiences only: may or may not be true to code
> >
> > a) You shouldn't have to worry about the keys being easily hacked as
> > long as you have the authentication (keys) turned off. There's really no
> > reason to have a remote machine fiddling with the time of a server
> > anyway.
>
> Well, I wouldn't put anything past script kiddies.

There have been remote-root exploits with (x)ntpd as recently as Red Hat
7.0: http://www.ciac.org/ciac/bulletins/l-071.shtml

> > b) From what I've seen, if NTPd is way off (more than an hour), or if
> > there's no connection, it'll just die quietly/not bother to change
> > the time. I've never tested to see what happens if it has a
> > connection, then loses it.
>
> Apparently, the daemon still runs, but it gives up on connecting to any of
> the servers, and doesn't re-connect when the network is back up.

I've been using (x)ntpd for years and I do appreciate the convenience.
Recently, the time on my laptop has been way off and I was wondering why
ntp wasn't working. The laptop usually gets connected at least once a
day. And it gets rebooted frequently. So I thought perhaps I should
switch to ntpdate instead of ntpd.

So after some research, it turned out that (1) more-aggressive firewall
rules (RH 7.2 default) were blocking the ntp protocol and (2) some of
the ntp servers that I was using have changed their policies so they
would not respond. I added the following to /etc/sysconfig/ipchains:

# Add ntp-protocol client support
-A output -j ACCEPT -p udp -d 0/0 ntp
-A input -j ACCEPT -p udp -s 0/0 ntp

and then added open-access (stratum 2) clock servers from www.ntp.org to
/etc/ntp.conf and it seems to be working just fine now.

Hope someone else finds this info useful...

Ed
--
Edward H. Hill III, PhD
Post-Doctoral Researcher | Email: ed at eh3.com, ehill at mines.edu
Division of ESE | URL: http://www.eh3.com
Colorado School of Mines | Phone: 303-273-3483
Golden, CO 80401 | Fax: 303-273-3311
GnuPG Key ID: 1E76F123 | Public key: http://www.eh3.com/eh3.gpg
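
Added example, not part of the original post: a small Python check for the two failure causes described above (NTP replies dropped by the firewall, or a server whose access policy refuses the client). The host name "ntp.example.org" is a placeholder, and the function names are this example's own.

```python
import socket
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def build_request():
    """48-byte client request: LI=0, version=3, mode=3 (client)."""
    return bytes([(0 << 6) | (3 << 3) | 3]) + bytes(47)


def parse_reply(data):
    """Decode the header fields that matter when diagnosing a sync failure."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    first, stratum = data[0], data[1]
    refid = data[12:16]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    info = {
        "leap": first >> 6,
        "version": (first >> 3) & 0x7,
        "mode": first & 0x7,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_EPOCH_OFFSET + tx_frac / 2**32,
    }
    # Usable: server mode (4), clock synchronised (leap != 3), stratum 1..15.
    info["usable"] = info["mode"] == 4 and info["leap"] != 3 and 1 <= stratum <= 15
    # Stratum 0 replies carry an ASCII "kiss code" (e.g. DENY, RSTR, RATE).
    info["kiss_code"] = refid.decode("ascii", "replace") if stratum == 0 else None
    return info


def check_server(host, timeout=3.0):
    """Return the parsed reply, or None when nothing comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_request(), (host, 123))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, unreachable host or failed name lookup
            return None
    return parse_reply(data)


if __name__ == "__main__":
    # Placeholder host; substitute the servers listed in /etc/ntp.conf.
    for host in ["ntp.example.org"]:
        result = check_server(host)
        print(host, "no reply (firewall or server policy)" if result is None else result)
```

If every server returns no reply, suspect the local packet filter first; if only some do, or a reply carries a kiss code, the server's access policy is the likelier cause.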