Plugging NTP Security Holes

4:00 pm on Feb 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 12, 2002
votes: 0

We got a notice from ScanAlert saying that our mail server (FreeBSD) has a security issue with the NTP port, and offers this as a fix:

Quickfix: Set NTP to restrict default access to ignore all info packets: restrict default ignore

Will this disable the ability for servers to time sync? It seems to me (being a non-*nix person) that this command will effectively render server-to-server time sync useless. What are my options?

4:10 pm on Feb 27, 2007 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Apr 22, 2002
votes: 0

This may help:
[freebsd.org...]

Controlling Access to Your Server
By default, your NTP server will be accessible to all hosts on the Internet. The restrict option in /etc/ntp.conf allows you to control which machines can access your server.
If you want to deny all machines from accessing your NTP server, add the following line to /etc/ntp.conf:
restrict default ignore

If you only want to allow machines within your own network to synchronize their clocks with your server, but ensure they are not allowed to configure the server or used as peers to synchronize against, add
restrict mask nomodify notrap

instead, where is an IP address on your network and is your network's netmask.
/etc/ntp.conf can contain multiple restrict options. For more details, see the Access Control Support subsection of ntp.conf(5).
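
On the question in the first post: `restrict default ignore` on its own also drops the replies from the machine's own upstream time sources, so each `server` needs a `restrict` entry of its own. The script below is an added example, not part of the thread or the FreeBSD Handbook, that checks an ntp.conf for this. The addresses are constructed documentation-range values, only IPv4 literal addresses are handled, and it assumes ntpd applies the most specific matching `restrict` entry.

```python
import ipaddress

# Constructed sample ntp.conf; addresses are documentation ranges, not from the thread.
SAMPLE_CONF = """\
server 198.51.100.10
restrict default ignore
restrict 127.0.0.1
restrict 198.51.100.10 nomodify notrap noquery
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every IPv4 'restrict' line in conf."""
    rules = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        # Skip other directives and the '-4'/'-6' forms (not handled here).
        if len(tok) < 2 or tok[0] != "restrict" or tok[1].startswith("-"):
            continue
        addr, rest = tok[1], tok[2:]
        mask = "255.255.255.255"           # a bare address is a host entry
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        rules.append((ipaddress.ip_network(f"{addr}/{mask}"), set(rest)))
    return rules

def flags_for(rules, source):
    """Flags of the most specific entry matching source, or None if none match."""
    ip = ipaddress.ip_address(source)
    hits = [r for r in rules if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def blocked_upstreams(conf):
    """List 'server' addresses whose replies ntpd would ignore."""
    rules = parse_restrict(conf)
    servers = [l.split()[1] for l in conf.splitlines()
               if l.split()[:1] == ["server"]]
    return [s for s in servers if "ignore" in (flags_for(rules, s) or set())]

if __name__ == "__main__":
    print("sample config, blocked upstreams:", blocked_upstreams(SAMPLE_CONF))
    bare = "server 198.51.100.10\nrestrict default ignore\n"
    print("quickfix only, blocked upstreams:", blocked_upstreams(bare))
```
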

