On Tuesday 27 May 2003 16:14, steve wrote:
> On Tuesday 27 May 2003 14:49, Doug Koobs wrote:
> > >Basically, your ntp.conf should have only:
> > >
> > >
> > > server sushi.compsci.lyon.edu
> > > server rolex.usg.edu
> >
> > OK, that works! Thanks! It just seems way too simple... Are
> > there any security problems running it like this? It's only a
> > NTP client, not a server...
> >
> > Doug
>
> NTP is known to have its holes. If you check bugtraq at
> securityfocus.com and search for ntp, you'll find a series of
> listings on securing ntp.
As Jennifer Fountain wrote on March 25, 2003:
1) learn the "restrict" line in the configuration file.  Your main 
  time servers can be locked down tightly.
2) learn the standard authentication tools.  These aren't strong, 
but are enough to prevent casual access by curious employees or 
hostile attackers.
3) consider using the public key authentication scheme as well. 
It's not well documented, or probably even compiled in most 
releases, but you can run "ntp-genkeys" on your servers to 
generate public keys, then add
   "autokey publickey ntpkey_hostname"
to your "server" and "peer" lines to turn it on.  (You also need 
to provide some standard "crypto" lines above, or just put the 
files in the expected places.)
Before YOU deem ntp secure I strongly suggest you do follow a bit of 
recent threads at securityfocus. Different people have different 
ideas of what is secure so ultimately YOU have to make YOUR 
educated decision. 
<What cannot be repeated too much, rant>
Authoritarian thinking promotes that you don't think for yourself. 
Just see how much "if it's good for so and so it must be good for 
me" crap there is. Security is the least understood area about 
computers, as is easily observed by the volume of stupid hack-101 
type errors made by most programmers. It's too easy to say "Nah I'm 
fine!" just because you are too lazy to ensure you actually 
understand how it's done.
Keep yourself informed. Look, don't listen. Subscribe to a couple of 
security lists and just keep an eye on what is popping up. And 
check your logs daily.
--Steve
______________________________________________________
(This sig has been left open for your imagination.)
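An added example, not posted by Steve, Doug or Jennifer: a locked-down ntp.conf for Doug's client-only setup, using the two server lines from the thread and showing the "restrict" and symmetric-key directives from Jennifer's points 1 and 2 (the file paths and key id 1 are assumptions for illustration).

```conf
# Added example, not from the thread: an NTP *client* ntp.conf built on
# Doug's two server lines. Paths are assumptions; adjust for your host.

driftfile /var/lib/ntp/drift

# Default policy for every address: hand out time, nothing else.
#   nomodify - refuse runtime configuration changes via ntpq/ntpdc
#   notrap   - refuse the mode 6/7 trap (remote logging) service
#   nopeer   - do not let an unknown host form a peer association
#   noquery  - refuse status queries (stops version/config disclosure)
#   kod      - send kiss-o'-death packets to clients that exceed limits
restrict default kod nomodify notrap nopeer noquery

# Let the local admin run ntpq on the box itself.
restrict 127.0.0.1
restrict -6 ::1

# Upstream servers: their time replies are accepted, but they still
# get no query or remote-configuration rights on this client.
server sushi.compsci.lyon.edu iburst
server rolex.usg.edu         iburst
restrict sushi.compsci.lyon.edu nomodify notrap noquery
restrict rolex.usg.edu         nomodify notrap noquery

# Optional symmetric-key authentication (Jennifer's point 2). It only
# works when the server operator shares a key with you, so for public
# servers leave these lines out. /etc/ntp/keys (root-owned, mode 0600)
# holds one key per line:   <keyid> M <shared secret>
# e.g.   1 M replace-with-a-real-shared-secret      (constructed sample)
# Then append "key 1" to the matching server line above.
keys /etc/ntp/keys
trustedkey 1
```

With this in place, `ntpq -p` still works from localhost, while the same query from any other host is refused by the `noquery` default.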
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:21:12 EDT