securing/hardening ntp client on Linux servers - config file
I have a clean install of Debian with the NTP client. I was given settings to secure my NTP client configuration. I know how to add them to the /etc/ntp.conf file, but I am not sure if settings need to be merged or overwritten, if order matters, or how duplicate settings are handled.
This is the default /etc/ntp.conf file that comes with the package:
cat /etc/ntp.conf | egrep -v '^#|^$'
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
These are the settings I was told to use:
#creates file to adjust the default system clock value after a service interruption/restart
driftfile /var/lib/ntp/drift
#access controls to reduce unwanted queries (kod)
#prevent alteration of configuration file (nomodify)
#prevent ntpdc from being used for control message protocol traps (notrap)
#prevent peer queries (nopeer)
#prevent ntpq and ntpdc queries from being answered (noquery)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
#restrict NTP access to localhost
restrict 127.0.0.1
restrict -6 ::1
#point to NIST time servers use fastest method to collect time
server time.nist.gov iburst
#point to localhost if access is lost to NTP servers/pools
fudge 127.127.1.0 stratum 10
#mitigates CVE-2013-5211
disable monitor
For some of them, like driftfile, I figured out they need to be overwritten. I am not sure about the ones that remain. Are they needed, or do I replace them? If I keep them, does order matter?
Based on my understanding, these are the settings I know need to be there based on merging the default options and what I was provided:
# creates file to adjust the default system clock value after a service interruption/restart
driftfile /var/lib/ntp/drift
# access control configuration
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# restrict NTP access to localhost
restrict 127.0.0.1
restrict -6 ::1
# point to NIST time servers use fastest method to collect time
server time.nist.gov iburst
# point to localhost if access is lost to NTP servers/pools
fudge 127.127.1.0 stratum 10
# mitigates CVE-2013-5211
disable monitor
These are the leftover settings from the default file but I'm not sure what to do with them:
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
restrict source notrap nomodify noquery
linux debian security ntp hardening
asked 5 mins ago
IMTheNachoManIMTheNachoMan
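To make the merge question concrete, here is an added example (not code from the question, from Debian or from ntpd) that parses the two fragments quoted above and reports, setting by setting, what exists only in the default file, what the hardened list adds, and where the two actually differ. It assumes two ntp.conf conventions: a bare `restrict default` covers both address families, and `fudge` only tunes a reference clock that a matching `server` line has configured. Both fragments are embedded as constructed strings with their comments stripped.

```python
from collections import defaultdict
# Constructed input: the two fragments quoted in the question, comments stripped.
DEFAULT_CONF = """
driftfile /var/lib/ntp/ntp.drift
pool 0.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
"""
HARDENED_CONF = """
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server time.nist.gov iburst
fudge 127.127.1.0 stratum 10
disable monitor
"""

def parse(text):
    """Map each logical setting to the option words on its line(s). restrict is
    keyed by (family, address): a bare 'restrict default' expands to -4 and -6 to
    match Debian's split lines, and a literal address drops the family flag
    (the address already fixes it), so 'restrict ::1' == 'restrict -6 ::1'."""
    conf = defaultdict(set)
    for words in filter(None, (ln.split("#", 1)[0].split() for ln in text.splitlines())):
        name, args = words[0], words[1:]
        if name == "restrict":
            fam = args.pop(0) if args[0] in ("-4", "-6") else ""
            addr = args.pop(0)
            fams = [""] if addr != "default" else [fam] if fam else ["-4", "-6"]
            for f in fams:
                conf[("restrict", f, addr)] |= set(args)
        elif name in ("server", "pool", "fudge", "filegen"):
            conf[(name, args[0])] |= set(args[1:])  # keyed by host, clock or stat name
        else:
            conf[(name,)] |= set(args)  # single-valued directives such as driftfile
    return conf

def compare(default_text, hardened_text):
    """Return {setting: verdict} saying what merging the two files would change."""
    old, new = parse(default_text), parse(hardened_text)
    report = {}
    for key in sorted(set(old) | set(new)):
        a, b = old.get(key, set()), new.get(key, set())
        report[key] = ("default only, decide whether to keep" if key not in new else
                       "added by hardened settings" if key not in old else
                       "identical" if a == b else
                       f"differs: drops {sorted(a - b)}, adds {sorted(b - a)}")
    for key in new:  # assumption: fudge only tunes a clock that a server line configured
        if key[0] == "fudge" and ("server", key[1]) not in new:
            report[key] += "; no server line for this clock, so fudge does nothing"
    return report
```

Running `compare(DEFAULT_CONF, HARDENED_CONF)` shows, among other things, that the supplied `restrict default` lines drop `limited` relative to Debian's defaults and that `fudge 127.127.1.0` has no `server 127.127.1.0` line to act on.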