NTP in BLFS 6.3 stable
bruce.dubbs at gmail.com
Wed Apr 22 08:58:41 PDT 2009
richard.melville at ntlworld.com wrote:
> I've just installed NTP and it's working OK. I didn't look at the docs until
> after installation and I've just noticed that it can be installed in a chroot
> jail. As the book doesn't recommend this type of installation, can I assume
> that the consensus is that using chroot in this instance is unnecessary?
> I'd really welcome some views as I'm trying to build something that is
> relatively secure.
NTP can be secured in a number of ways. IMO using chroot is overkill.
My ntp.conf file looks like:
restrict default nomodify nopeer noquery
The only change you would need to make is the server commands. If you have
fixed servers, it could be made more secure with:
restrict default ignore
restrict chrono.cis.sac.accd.edu nomodify nopeer noquery
instead of the default line I have above.
As some explanation, the only thing the ntp client can do with this
configuration is send a UDP packet to a server's port 123 and receive a single UDP
packet back. There's not much that can be done in a single UDP packet. Running
in chroot would only protect against a programming error in ntpd and that's been
around for a long time without anything being identified.
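A complete ntp.conf built around the "restrict default ignore" approach described in the reply, as an added example that is not part of the original message. The server names ntp1.example.org and ntp2.example.org are placeholders, the weak line is shown commented out for comparison, and the loopback lines are the part most often forgotten: with a default of "ignore", even ntpq on the local host is dropped unless loopback is allowed.

```conf
# Added example ntp.conf (not from the mailing-list post); server names are placeholders.
driftfile /var/lib/ntp/ntp.drift

# Weak variant: remote hosts may still send ntpq/ntpdc information queries
# because "noquery" is missing. Shown only for comparison.
# restrict default nomodify nopeer

# Hardened default: drop every packet unless a later restrict line allows it,
# for both address families (-4/-6 are accepted by the restrict command).
restrict -4 default ignore
restrict -6 default ignore

# Loopback: keep local "ntpq -p" and status checks working on this host.
restrict 127.0.0.1
restrict ::1

# Each fixed upstream server needs its own restrict line, otherwise the
# "default ignore" rule also discards the server's replies.
server ntp1.example.org iburst
restrict ntp1.example.org nomodify nopeer noquery notrap
server ntp2.example.org iburst
restrict ntp2.example.org nomodify nopeer noquery notrap
```

After restarting ntpd, run "ntpq -p" on the host itself to confirm the servers reach a reachable state; the same query from another machine should time out, which is the expected effect of "ignore" and "noquery". Because the restrict lines name specific servers and are resolved when ntpd starts, this layout suits fixed servers, as the reply says: a pool hostname whose addresses change would silently stop being answered.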