[OpenIndiana-discuss] NTP trouble and 123 port

Gary Mills gary_mills at fastmail.fm
Sat Apr 26 13:35:11 UTC 2014


On Sat, Apr 26, 2014 at 09:52:23AM +0200, Brogyányi József wrote:
> Ok, but my ISP checks my 123 port and he sees the 123 port is open. He
> insists that I close the 123 port.
> I think I need a cron script that randomly switches the NTP service on
> and, when the system clock is synchronized, switches it off.
> Maybe that's enough once a day. So the 123 port is open only a short time.
> I understand my server doesn't answer a bad guy's request, but the
> port is open.

I just tested my desktop system with the UDP port scanner at:

    https://pentest-tools.com/discovery-probing/udp-port-scanner-online-nmap

I asked it to check four ports: 53 111 123 514.  It reported that all
of them were `open|filtered', meaning that it sent a UDP packet to
each port but got no response back.  I am using ipfilter (the illumos
firewall) to block incoming packets to port 111, but not for the
others.  My ISP may be filtering them as well.  I am running services
that listen on each of those ports.  In any case, I'd say that this is
adequate.

My understanding is that port checkers consider a port to be closed
when they get an `ICMP port unreachable' packet back when they send a
UDP packet to that port.  You may be able to arrange this with
ipfilter, but I don't know how to do that.  It would have to permit
UDP queries and responses when they originate locally, but reject UDP
packets when they originate externally.  Maybe somebody else can tell
us how to do this with ipfilter.

There's no point in running the NTP service occasionally, in the way
that you describe.  You could, however, run `ntpdate' once an hour
from the root crontab.  The man page describes it quite well.  That
would likely do all you need for a desktop system.

-- 
-Gary Mills-		-refurb-		-Winnipeg, Manitoba, Canada-
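As an added example (not from Gary or anyone else in the thread), here is one way to express the ipfilter behaviour the message asks about: let NTP queries that originate locally go out and get their replies back, but answer externally originated UDP packets to port 123 with an ICMP port unreachable, which is what most port checkers treat as "closed". It assumes the external interface is called `net0` and that the rules live in the usual illumos location, `/etc/ipf/ipf.conf`; adjust both for your system.

```ipf
# /etc/ipf/ipf.conf (example rules; interface name net0 is an assumption)

# Locally originated NTP queries to upstream servers: allow them out and
# record state, so the matching replies are accepted by the state table
# before the "block in" rule below is ever consulted.
pass out quick on net0 proto udp from any to any port = 123 keep state

# Externally originated NTP traffic: reject rather than silently drop.
# return-icmp(port-unr) sends an ICMP "port unreachable" back, so a UDP
# scanner reports the port as closed instead of open|filtered.
block return-icmp(port-unr) in quick on net0 proto udp from any to any port = 123

# Same treatment for the other UDP services mentioned in the message
# (portmapper and syslog), if they should not be reachable from outside.
block return-icmp(port-unr) in quick on net0 proto udp from any to any port = 111
block return-icmp(port-unr) in quick on net0 proto udp from any to any port = 514
```

After editing the file, reload the rule set with `ipf -Fa -f /etc/ipf/ipf.conf` (with the `network/ipfilter` service enabled) and re-run the external scan. Note that `return-icmp` makes the host reveal that it exists; if the goal is merely that the ISP's checker stops flagging the port, a plain `block in quick` also satisfies the "don't answer anyone" requirement, but the checker will keep reporting `open|filtered` because no response comes back either way.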


