untherstand NTP ACLs

rysic · November 3, 2011, 10:00pm

I’m trying to configure NTP server. It is working but working is not enough i think. It is good to have some security introduced, so I try to understand how can I restrict that server. I found that handbook:
Clock Synchronization with NTP
It is for FreeBSD but I think that NTP have to behave the same there.

There is:

restrict default ignore

Note: This will also prevent access from your server to any servers listed in your local configuration. If you need to synchronise your NTP server with an external NTP server you should allow the specific server. See the ntp.conf(5) manual for more information.

So I tried to use:

restrict default ignore

in my cfg file and server can connect to other server using command

rcntp ntptimeset

Why it is possible? Isn’t command restrict default ignore restricting that?

I can’t also understand why when I add that to cfg:


restrict 10.50.12.0 mask 255.255.255.0 noquery

network 10.50.12.0/24 can query NTP server.

May by that are stupid question but I can’t find easy answers how ACLs in NTP are working. If order is important…
I just want to create very easy ACL - permit local NTP server to ask one external server about time and permit local network to ask local server about time.

Thank you in advance!

hcvv · November 4, 2011, 2:10pm

I try to understand what you wrote, but imho I am missing information. Or this may be much beyond my (basic) NTPP knowledge.

E.g. when your citation says “This will also prevent access from your server to any servers listed in your local configuration”. You do not tell how you interprete this, I guess they mean with “your server to any servers” to say “your server, acting as a client, to any servers”. And what is the meaning of “local configuration” Is there an other one?

You mentioning ntptimesetin a command is not very illustrating because we do not know what the IP address is and thus not if it is in your LAN or not.

While it looks logical to me that you want to restrict service requests to your local LAN, I guess that

restrict 10.50.12.0 mask 255.255.255.0

would do that. As the man page says:

noquery
Deny ntpq(8) and ntpdc(8) queries. Time service is not
affected.

I guess that any system in 10.50.12.0/24 can still sync time with your server. Or do I misineterprete here?

rysic · November 4, 2011, 5:33pm

OK! Let’s focus first on that:


server 1.pool.ntp.org
restrict default ignore

That is from my ntp.cfg file. And I can do:

# rcntp ntptimeset
 4 Nov 17:32:18 sntp[7815]: Started sntp
2011-11-04 17:32:18.115542 (-0100) -0.015233 +/- 0.047501 secs
2011-11-04 17:32:18.150776 (-0100) +0.004910 +/- 0.017456 secs
2011-11-04 17:32:18.207153 (-0100) +0.010290 +/- 0.008636 secs
Time synchronized with  1.pool.ntp.org

Why? Why it is possible when default is to ignore everything?

BTW. Local means in local network.

hcvv · November 4, 2011, 5:59pm

IMHO because you configured your NTP client to use 1.pool.ntp.org to use as a server. Which it dully does.

And you configured your NTP server to ignore clients, but you did not test that using a client.

Again imho NTP server and NTP client, while being located in the same system and even being executed by the same program (ntpd) are different things with their own configuration.

rysic · November 4, 2011, 7:48pm

OK! Now I get it! restrict is only for clients!

hcvv · November 4, 2011, 7:58pm

Of course, what is the use of restricting your servers, when you do not want to use them, don’t use them. And let them do the restrictions.

rysic · November 4, 2011, 8:36pm

I though like that because of that:

This will also prevent access from your server to any servers listed in your local configuration

Now I have:


restrict default ignore
restrict 10.50.0.0. mask 255.255.0.0

Thank you very much!

rysic · November 4, 2011, 8:51pm

Only one more question If I use noquery, clients from network 10.50.0.0/16 can still ask server about time.


restrict default ignore
restrict 10.50.0.0. mask 255.255.0.0 noquery

Why it is possible? Isn’t ntptimeset using standard qieries - ntpq?

As you wrote

noquery
Deny ntpq(8) and ntpdc(8) queries. Time service is not
affected.

What does it mean “Time service is not affected”?

hcvv · November 4, 2011, 8:52pm

You are welcome.

I allready hinted at that info being a bit ununderstandable to me.

What you have now seems reasonable to me. And when it works as you intends then we do even understand it correctly

rysic · November 4, 2011, 9:02pm

I discovered that ntptimeset is something different than ntpq. In example “ntpq readlist” is not working when I use noquery.

rysic · November 4, 2011, 9:24pm

So I think that the best security from NTP I can get (for user hosts time requests) is when I use:

restrict 10.50.0.0 mask 255.255.0.0 noquery nomodify nopeer