
FS#41699 - [ntp] Implement more secure NTP configuration.

Attached to Project: Arch Linux
Opened by Wyatt J. Brown (sushidude) - Tuesday, 26 August 2014, 11:28 GMT
Last edited by Gaetan Bisson (vesath) - Friday, 05 September 2014, 16:28 GMT
Task Type: Bug Report
Category: Packages: Extra
Status: Closed
Assigned To: Gaetan Bisson (vesath)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 2
Private: No

Details

Description:
The present NTP configuration file in Arch has misleading comments and is not as secure as possible.

I prepared a new configuration which is a combination of those from Arch, Gentoo, and Ubuntu. It contains more informative comments, additional NTP servers, a more restrictive default server, and an optional client only setting.


Additional info:
* package version(s)
ntp 4.2.7.p465-1
* config and/or log files etc.
# DHCP clients can append or replace NTP configuration files.
# You should consult your DHCP client documentation about its default behavior and how to change it.
# For additional information on configuration see:
# - the ntp.conf man page
# - http://support.ntp.org/bin/view/Support/GettingStarted
# - https://wiki.archlinux.org/index.php/Network_Time_Protocol_daemon

# Associate to public NTP pool servers; see http://www.pool.ntp.org/
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

# If you want to deny all machines (including your own) from accessing the NTP server, uncomment:
#restrict default ignore


# Default configuration:
# - Allow only time queries, at a limited rate, sending KoD when in excess.
# - Allow all local queries (IPv4, IPv6)
restrict default kod limited nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict ::1

# Location of drift file
driftfile /var/lib/ntp/ntp.drift

Closed by Gaetan Bisson (vesath)
Friday, 05 September 2014, 16:28 GMT
Reason for closing: Implemented
Additional comments about closing: in SVN
Comment by Gaetan Bisson (vesath) - Tuesday, 26 August 2014, 19:40 GMT
Before implementing this, I have two questions:

What are the DHCP servers you refer to; do they modify or replace /etc/ntp.conf (if not, what other configuration file)?

Why add a fourth server entry; aren't three supposed to be enough?
Comment by Gaetan Bisson (vesath) - Tuesday, 26 August 2014, 19:55 GMT
Also, what about using the following as the default?

restrict default ignore
restrict 127.0.0.1
restrict ::1

That's definitely the most secure and I believe the common case is users that only wish to sync one machine.
Comment by Wyatt J. Brown (sushidude) - Wednesday, 27 August 2014, 07:43 GMT
> What are the DHCP servers you refer to; do they modify or replace /etc/ntp.conf (if not, what other configuration file)?
DHCP option number 42 allows for specifying NTP servers.
https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml
http://support.ntp.org/bin/view/Support/ConfiguringNTP#Section_6.12.


> Why add a fourth server entry; aren't three supposed to be enough?
The NTP pool project recommends four.
http://www.pool.ntp.org/en/use.html
Almost every other distribution uses four. The only exception that I know of is Ubuntu, which uses five.
Adding a fourth server allows ntpd to choose from a larger list of servers, potentially allowing it to utilize a more accurate time source. The additional bandwidth usage is minimal.


> Also, what about using the following as the default?
> That's definitely the most secure and I believe the common case is users that only wish to sync one machine.
Preventing other computers from querying time does not make it more secure. The restrict options are mostly there to help prevent NTP reflection and amplification attacks.
The configuration by default works as a secure server and client, so almost no one should have to edit it. In the rare case that it is necessary to prevent time queries, there is that option to uncomment.
I don't know of any other distribution that has NTPD configured just to be a client by default.
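Added example (not from this bug report or the ntp package): a small Python audit that parses an ntp.conf and reports whether its restrict defaults, loopback exemptions and number of time sources match what the thread settles on. The embedded sample configuration is constructed from the task description.

```python
# Added example (not from the Arch bug report): audit an ntp.conf for the
# `restrict` defaults the task proposes against NTP reflection/amplification.
# Flags the proposed "restrict default" carries: rate-limit with KoD, and
# refuse modification, peering, ntpq/ntpdc status queries and traps.
REQUIRED_DEFAULT_FLAGS = {"kod", "limited", "nomodify", "nopeer", "noquery", "notrap"}

# Constructed sample: the configuration proposed in the task description.
SAMPLE_CONF = """\
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org
#restrict default ignore
restrict default kod limited nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict ::1
"""

def _tokens(raw):
    return raw.split("#", 1)[0].split()  # tokens with trailing comment removed

def parse_restrict(conf_text):
    """Return {address: set(flags)} for every active `restrict` line."""
    rules = {}
    for raw in conf_text.splitlines():
        parts = [p for p in _tokens(raw) if p not in ("-4", "-6")]  # drop family flag
        if len(parts) >= 2 and parts[0] == "restrict":
            rules.setdefault(parts[1], set()).update(parts[2:])
    return rules

def count_servers(conf_text):
    """Number of upstream time sources (`server` or `pool` lines)."""
    return sum(_tokens(r)[:1] in (["server"], ["pool"]) for r in conf_text.splitlines())

def audit(conf_text):
    """Return findings; an empty list means the file matches the task's proposal."""
    rules, findings = parse_restrict(conf_text), []
    default = rules.get("default")
    if default is None:
        findings.append("no 'restrict default': any host may query or modify ntpd")
    elif "ignore" not in default and not REQUIRED_DEFAULT_FLAGS <= default:
        missing = sorted(REQUIRED_DEFAULT_FLAGS - default)  # 'ignore' = client-only
        findings.append("restrict default lacks: " + " ".join(missing))
    for lo in ("127.0.0.1", "::1"):
        if lo not in rules:
            findings.append(f"loopback {lo} not exempted; local ntpq is restricted too")
    if count_servers(conf_text) < 4:
        findings.append("fewer than four time sources configured")
    return findings
```

Run `audit(open("/etc/ntp.conf").read())` to check a real file; any non-empty list is a deviation from the configuration this task adopted.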
Comment by Gaetan Bisson (vesath) - Friday, 29 August 2014, 02:31 GMT
Regarding the DHCP/NTP interaction, the ntp.org link reads "Your ntpd must be told to use /etc/ntp.conf.dhcp if it exists." The default configuration of our NTP package knows nothing of this file, so I think we can omit the DHCP comment entirely. If a user adds an option to ntp.conf (or a command line option to ntpd) to read ntp.conf.dhcp, it's their responsibility to know what they are doing.

As for the other two points, thanks for your explanations, I've committed changes to our SVN. I've omitted the commented "default ignore" line, though, since you convinced me that it has virtually no advantage over your proposed "restrict" setting.
