[OpenIndiana-discuss] NTP trouble and 123 port

Jim Klimov jimklimov at cos.ru
Sat Apr 26 12:15:49 UTC 2014


On 26 April 2014 at 9:52:23 CEST, "Brogyányi József" <brogyi at gmail.com> wrote:
>Ok, but my ISP checks my 123 port and sees that the 123 port is open. They
>insist that I close the 123 port.
>I think I need a cron script that randomly switches the NTP service on
>and, when the system clock is in sync, switches it off.
>Maybe that's enough once a day. So the 123 port is open only for a short
>time.
>I understand my server doesn't answer bad guys' requests, but the
>port is open.
>
>
>On 2014.04.26. 2:27, Gary Mills wrote:
>> On Fri, Apr 25, 2014 at 10:53:36PM +0200, Brogyányi József wrote:
>>> I modified the ntp.conf but something is missing.
>>>
>> [...]
>>> If I enable the ntp then the server is running on port 123.
>> That's okay.  `ntpd' must run continuously so that it can modify
>> your system clock, and so that it can periodically poll the four
>> time servers you have listed in the config file.
>>
>> The restrictions for the default network in the config file mean that
>> it won't respond to commands arriving on most network interfaces.
>> That's what prevents the NTP amplification attack.  Indeed it's a
>> server, but it's invisible as far as the outside world can tell.
>>
>> It will respond to 127.0.0.1 and ::1 .  That's why `ntpq -p' works.
>>
>

Actually, instead of a service you could then use just ntpdate to pick up external time regularly. Unlike with the service, however, the system won't keep track of your hardware clock drift and try to fix it even when you are disconnected.
You could also use rdate (via old timedate protocol) to similar effect; some time servers serve both.

But why don't you try a firewall instead? ;)
Typically block everything, open what you need. In this case, open outgoing 123/udp from your computer to the world. IIRC ipfilter should automatically permit returning replies; if not, allow incoming 123/udp from your chosen sources...

Hth, Jim
--
Typos courtesy of K-9 Mail on my Samsung Android
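As an added illustration of the firewall approach suggested above (not a configuration from anyone in this thread), here is an ipfilter ruleset in the "block everything, open what you need" style. The file path, interface name and the 192.0.2.x server addresses are assumptions and placeholders chosen for the example; substitute your own.

```conf
# /etc/ipf/ipf.conf  (assumed path on OpenIndiana; example rules, not from the thread)
# Interface name e1000g0 is an assumption; check with `dladm show-link`.

# Loopback stays fully open so `ntpq -p` against 127.0.0.1 / ::1 keeps working.
pass in  quick on lo0 all
pass out quick on lo0 all

# Default policy: drop everything that is not explicitly allowed.
block in  all
block out all

# Outgoing NTP (123/udp) from this host to the world. `keep state` makes
# ipfilter accept the matching reply from the queried server automatically,
# so no separate inbound rule is needed in the normal case.
pass out quick on e1000g0 proto udp from any to any port = 123 keep state

# Fallback if stateful matching is not wanted: allow inbound 123/udp only
# from the time servers you actually configured (constructed placeholder IPs).
# pass in quick on e1000g0 proto udp from 192.0.2.10 port = 123 to any port = 123
# pass in quick on e1000g0 proto udp from 192.0.2.11 port = 123 to any port = 123
```

After `svcadm enable network/ipfilter` (the SMF service that loads this file), `ipfstat -io` lists the active rules and `ntpq -p` should still show the peers reaching "reach 377" over time. An unsolicited probe to 123/udp from the outside now matches only `block in all`, which is what the ISP's scan will see.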
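The `restrict` lines that Gary describes in the quoted part, as an added example ntp.conf (not the original poster's file): the default network is ignored entirely, the configured servers are allowed to answer our polls but not to query or modify the daemon, and localhost keeps full access. The server addresses 192.0.2.10 and 192.0.2.11 are constructed placeholders.

```conf
# /etc/inet/ntp.conf  (assumed path on OpenIndiana; example, not from the thread)

# Upstream servers (constructed placeholder addresses; use your own four).
server 192.0.2.10 iburst
server 192.0.2.11 iburst

# Ignore every packet from every address unless a later line allows it.
restrict default ignore
restrict -6 default ignore

# Let only the configured servers talk to us, and only as time sources:
# nomodify/noquery stop runtime changes and mode 6/7 queries,
# notrap/nopeer stop trap registration and unsolicited peering.
restrict 192.0.2.10 nomodify noquery notrap nopeer
restrict 192.0.2.11 nomodify noquery notrap nopeer

# Full access from localhost so `ntpq -p` works.
restrict 127.0.0.1
restrict -6 ::1

# Belt and braces: turn off the monitor facility whose `monlist` reply
# is the payload used in NTP amplification attacks.
disable monitor

driftfile /var/ntp/ntp.drift
```

Note that `restrict default ignore` means the daemon will not answer anyone else's time requests either; if you want the host to serve time to a LAN, add a `restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery notrap nopeer` style line for that network instead of loosening the default.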


