3

I am confused as to what is the default access policy of an ntp server. According to the ntp_acc man page, access can only be denied if specifically blacklisted.

Clients can be denied service because they are explicitly included in the restrict list created by the restrict command or implicitly as the result of cryptographic or rate limit violations.

To test if I am correct, I ran the following command on an ntp server that didn't have any restrict policy against the client and I was able to successfully query the server.

[root@localhost ~]# ntpdate -q 192.168.122.50
server 192.168.122.50, stratum 3, offset 6.177375, delay 0.02585
 4 Nov 20:51:40 ntpdate[2259]: step time server 192.168.122.50 offset 6.177375 sec

This proved my theory that ntp by default allows all queries to the server but not necessarily all types of ntp traffic to the server.

So here are my question(s):

  1. Is all access to an ntp server really unrestricted or is it just queries?
  2. Can an ntp client modify the time of an ntp server (I would guess this could be done by spoofing yourself as one of the ntp server's servers but I am not sure)?
Jason Zhu
  • 261

1 Answer

2

The default configuration files for most distributions I have worked with have included restrict specifications. These can be updated as required for your requirements. NTP.org has documentation on configuration of Access Restrictions for a number of cases.

According to the NTP Access Control Commands and Options documentation the default access is unrestricted from all remote hosts.

Default restriction list entries with the flags ignore, ntpport, for each of the local host's interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).

BillThor
  • 8,965
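
As an added illustration (not code from the question, the answer, or the NTP project), this Python sketch models how a restrict list maps a client address to its restriction flags, comparing a configuration with no restrict lines against a typical hardened one. It assumes IPv4 only, treats the most specific matching entry as the winner (a simplification of ntpd's sorted-list search), and omits the automatic ignore entries for the server's own interface addresses; both configurations are constructed samples.

```python
import ipaddress

# Constructed sample configurations (not taken from the original post).
NO_RESTRICT = "server 0.pool.ntp.org iburst\n"   # no restrict lines at all
HARDENED = """
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.122.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restrict(conf):
    """Yield (IPv4 network, flags) for each IPv4 restrict line in conf."""
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict" or "-6" in tok:
            continue
        args = [t for t in tok[1:] if t != "-4"]
        if not args or ":" in args[0]:
            continue  # IPv6 entries are out of scope for this sketch
        addr, rest = args[0], args[1:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        elif rest[:1] == ["mask"]:
            net = ipaddress.ip_network(f"{addr}/{rest[1]}", strict=False)
            rest = rest[2:]
        else:
            net = ipaddress.ip_network(addr)  # bare address = single host
        yield net, frozenset(rest)

def effective_flags(conf, client):
    """Flags of the most specific restrict entry that matches client."""
    ip = ipaddress.ip_address(client)
    # The default entry is always present and has no flags unless configured.
    best_net, best_flags = ipaddress.ip_network("0.0.0.0/0"), frozenset()
    for net, flags in parse_restrict(conf):
        if ip in net and net.prefixlen >= best_net.prefixlen:
            best_net, best_flags = net, flags
    return best_flags

if __name__ == "__main__":
    for name, conf in (("no restrict lines", NO_RESTRICT), ("hardened", HARDENED)):
        for client in ("192.168.122.10", "203.0.113.5", "127.0.0.1"):
            flags = sorted(effective_flags(conf, client)) or ["(unrestricted)"]
            print(f"{name:18} {client:15} {' '.join(flags)}")
```

An empty flag set corresponds to the unrestricted default entry the answer describes, which is why the `ntpdate -q` query in the question succeeded.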