NTP in BLFS 6.3 stable

Bruce Dubbs bruce.dubbs at gmail.com
Wed Apr 22 08:58:41 PDT 2009


richard.melville at ntlworld.com wrote:
> I've just installed NTP and it's working OK.  I didn't look at the docs until
> after installation and I've just noticed that it can be installed in a chroot
> jail.  As the book doesn't recommend this type of installation, can I assume
> that the consensus is that using chroot in this instance is unnecessary?
> 
> I'd really welcome some views as I'm trying to build something that is
> relatively secure.

NTP can be secured in a number of ways.  IMO using chroot is overkill.

My ntp.conf file looks like:

restrict default nomodify nopeer noquery
restrict 127.0.0.1

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org

driftfile /var/cache/ntp.drift
pidfile   /var/run/ntp.pid
---------------
The only change you would need to make is the server commands.  If you have 
fixed servers, it could be made more secure with:

restrict default ignore
restrict chrono.cis.sac.accd.edu  nomodify nopeer noquery
...

instead of the default line I have above.

As some explanation, the only thing the ntp client can do with this 
configuration is send a UDP packet to a server's port 123 and receive a single UDP 
packet back.  There's not much that can be done in a single UDP packet.  Running 
in chroot would only protect against a programming error in ntpd, and that's been 
around for a long time without anything being identified.

   -- Bruce
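The "one UDP packet out, one UDP packet back" exchange that the post describes, written out as an added example (this is not code from the post, from ntpd or from BLFS). It builds the 48-byte NTPv4 client request, parses the mode-4 server reply and applies the checks a client can make on that single packet: the reply's origin timestamp must echo the request's transmit timestamp (so an off-path spoofer has to guess a 64-bit value), the mode, version, stratum, leap indicator and kiss-o'-death code must be sane. The server reply in the demo is constructed locally (the GPS reference id, the timestamps and the stratum are made up) so it runs offline; only query_server() touches the network, and nothing here adjusts the system clock.

```python
"""NTPv4 client/server header exchange (RFC 5905, section 7.3).

Example code added to this archived post; it is not from ntpd, BLFS or the
post's author. The server reply used in the demo is constructed locally so
the script runs offline; query_server() is the only function that touches
the network, and nothing here steps or slews the system clock.
"""
import socket
import struct
import time

NTP_PORT = 123
NTP_EPOCH_OFFSET = 2208988800        # seconds from 1900-01-01 to 1970-01-01
# LI/VN/mode byte, stratum, poll, precision, root delay, root dispersion,
# reference id, then reference/origin/receive/transmit 64-bit timestamps.
HEADER = "!BBbbII4sQQQQ"
HEADER_LEN = struct.calcsize(HEADER)  # 48

def to_ntp_timestamp(unix_time):
    """Unix seconds (float) -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_time)
    frac = int((unix_time - secs) * (1 << 32))
    return ((secs + NTP_EPOCH_OFFSET) << 32) | frac

def from_ntp_timestamp(ts):
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / float(1 << 32)

def build_request(transmit_ts):
    """Mode-3 (client) request. The transmit timestamp doubles as a nonce:
    a genuine reply must echo it in its origin field."""
    first_byte = (0 << 6) | (4 << 3) | 3       # LI=0, VN=4, mode=3
    return struct.pack(HEADER, first_byte, 0, 0, 0, 0, 0, b"\0" * 4,
                       0, 0, 0, transmit_ts)

def parse_packet(data):
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    (first, stratum, poll, precision, root_delay, root_disp, refid,
     ref_ts, orig_ts, recv_ts, xmit_ts) = struct.unpack(HEADER, data[:HEADER_LEN])
    return {"leap": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "poll": poll, "precision": precision,
            "root_delay": root_delay / 65536.0, "root_dispersion": root_disp / 65536.0,
            "refid": refid, "reference": ref_ts, "origin": orig_ts,
            "receive": recv_ts, "transmit": xmit_ts}

def check_reply(reply, sent_transmit):
    """Reasons to discard the reply; an empty list means accept it."""
    problems = []
    if reply["mode"] != 4:
        problems.append("mode %d is not 4 (server)" % reply["mode"])
    if reply["version"] not in (3, 4):
        problems.append("unsupported version %d" % reply["version"])
    if reply["origin"] != sent_transmit:
        # A blind (off-path) spoofer has to guess this 64-bit value.
        problems.append("origin timestamp does not echo our transmit timestamp")
    if reply["leap"] == 3:
        problems.append("leap indicator 3: server clock unsynchronized")
    if reply["stratum"] == 0:
        problems.append("kiss-o'-death packet, code %r" % reply["refid"])
    elif reply["stratum"] > 15:
        problems.append("invalid stratum %d" % reply["stratum"])
    if reply["transmit"] == 0:
        problems.append("zero transmit timestamp")
    return problems

def clock_offset(reply, t1, t4):
    """RFC 5905 offset ((T2 - T1) + (T3 - T4)) / 2 in seconds."""
    t2 = from_ntp_timestamp(reply["receive"])
    t3 = from_ntp_timestamp(reply["transmit"])
    return ((t2 - t1) + (t3 - t4)) / 2.0

def fake_server_reply(request, server_time, stratum=2):
    """Constructed mode-4 reply standing in for a real server (not real data)."""
    req = parse_packet(request)
    recv_ts = to_ntp_timestamp(server_time)
    xmit_ts = to_ntp_timestamp(server_time + 0.0001)
    first_byte = (0 << 6) | (4 << 3) | 4       # LI=0, VN=4, mode=4
    return struct.pack(HEADER, first_byte, stratum, 6, -20, 0x0100, 0x0200,
                       b"GPS\0", recv_ts, req["transmit"], recv_ts, xmit_ts)

def query_server(host, timeout=2.0):
    """The whole client-side exchange: one UDP packet out, one back."""
    t1 = time.time()
    sent = to_ntp_timestamp(t1)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(sent), (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
    t4 = time.time()
    reply = parse_packet(data)
    problems = check_reply(reply, sent)
    if problems:
        raise ValueError("rejected reply from %s: %s" % (host, "; ".join(problems)))
    return {"server": host, "stratum": reply["stratum"],
            "offset": clock_offset(reply, t1, t4)}

if __name__ == "__main__":
    t1 = 1240419521.0                          # constructed client time
    req = build_request(to_ntp_timestamp(t1))
    print(check_reply(parse_packet(fake_server_reply(req, t1 + 0.5)),
                      parse_packet(req)["transmit"]))
```

Against a live server, query_server("0.north-america.pool.ntp.org") performs exactly the exchange the restrict lines above permit: ntpd's nomodify/noquery/nopeer keywords only limit what a remote host may ask of your daemon; the checks in check_reply are what the client side does with the one packet it gets back.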