Securing ntp.conf

berky

I'm trying to secure the ntp.conf file on a server.

currently the /etc/ntp.conf file looks like following (except with real ips/networks):

Code:
server x.x.x.x

driftfile /etc/ntp.drift

restrict default nomodify notrap nopeer
restrict x.0.0.0 mask 255.0.0.0 nomodify notrap nopeer
restrict 127.0.0.1

tinker panic 0

The problem is the stupid implementation of the 'default' keyword. Basically I want the x.0.0.0 network to be able to query the server to set their own time, but I want EVERYONE ELSE to be ignored.

The 'restrict default ignore' statement will ignore EVERYONE, regardless of whether there is a more specific rule or not AND regardless of the order it is in the file.

Is what I want possible, or do I have it restricted as much as I can?

Server is running Solaris 8 and ntp 4.2.0.
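An added Python check, not from the thread, that parses the restrict lines of an ntp.conf laid out like the one above and reports which entry applies to a given client address under the most-specific-mask rule in ntpd's access-control documentation. The addresses are constructed placeholders, the parser is IPv4-only, and the separate restrict line for the upstream server is an assumption noted in the sample file.

```python
import ipaddress

# Constructed IPv4-only sample in the layout of the thread's file; the
# addresses are documentation/private ranges standing in for the real ones.
SAMPLE_NTP_CONF = """\
server 192.0.2.10
driftfile /etc/ntp.drift
restrict default ignore
# Assumption: the upstream server needs its own entry, or 'default ignore'
# also drops its replies and this host never syncs.
restrict 192.0.2.10 nomodify notrap nopeer
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap nopeer
restrict 127.0.0.1
tinker panic 0
"""

def parse_restrict_lines(conf_text):
    """Return [(network, flags)] for every 'restrict' line.
    'default' means 0.0.0.0/0; an address without 'mask' is one host."""
    entries = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # '#' starts a comment
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        addr, rest = parts[1], parts[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net = ipaddress.ip_network(f"{addr}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            net = ipaddress.ip_network(f"{addr}/32")
        entries.append((net, frozenset(rest)))
    return entries

def effective_flags(entries, source_ip):
    """Flags of the matching entry with the longest mask: the most-specific
    match rule described in ntpd's access-control documentation."""
    ip = ipaddress.ip_address(source_ip)
    matches = [e for e in entries if ip in e[0]]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else None

def can_get_time(entries, source_ip):
    """'ignore' refuses everything and 'noserve' refuses time packets;
    'noquery' only blocks ntpq/ntpdc control traffic, not time service."""
    flags = effective_flags(entries, source_ip)
    return flags is not None and not (flags & {"ignore", "noserve"})
```

Run `can_get_time(parse_restrict_lines(open("/etc/ntp.conf").read()), "<client ip>")` against a real file to see whether a given peer on either interface would be served.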
 
rcolbert said:
We're all using the Win32 Time Service built into Active Directory. :)

Naw, we just don't lock down ntp with a firewall rule and say anyone internal can use it. :D
 
Well, the reason I wanted to lock it down was because it has 2 interfaces: one to the public and another to a private network. I wanted only devices on the private network to be able to sync their time w/ the server and ignore anything on the public side.

The box serves as more than just an ntp server, so yes, there is a reason for it having 2 interfaces.
 
Personally, I would just have an iptables rule to drop any udp 123 connections on the public interface.
 