Re: ntpd and security risk
annalissa <aarklon@gmail.com> wrote:
> I have read in a book that unless you have very specific needs(and
> your own GPS or atomic clock) running ntpd on your machine can be both
> a waste of resource and security risk. for that reason some sysadmins
> prefer ntpdate(often in a daily cronjob) to set their system time via
> NTP
>
> how valid is this claim ?
It's not totally invalid, as ntpd is a daemon that runs in background
accepting network packets. By running ntpd, you effectively turn your
host into a time server. Of course the ISC ntpd can be tuned to allow
access to specific hosts only, or to use cryptographic authentication.
The alternative, OpenNTPD, isn't as flexible and exact, but appears to
be more secure by simplicity. It's from the OpenBSD project, which is
known for highly secure software products.
But nevertheless a daemon is running, which is always a security risk,
no matter which ntpd you use.
Greets,
Ertugrul.
--
nightmare = unsafePerformIO (getWrongWife >>= sex)
Re: ntpd and security risk
annalissa <aarklon@gmail.com> writes:
>Hi,
>
>I have read in a book that unless you have very specific needs(and
>your own GPS or atomic clock) running ntpd on your machine can be both
>a waste of resource and security risk. for that reason some sysadmins
>prefer ntpdate(often in a daily
>cronjob) to set their system time via NTP
>
>how valid is this claim ?
Pretty invalid. a) How is it a waste of resources (what resources) to keep
your time accurate? b) ntpdate is disappearing and will no longer be
supported. c) It is true that any program which listens for incoming
traffic is a potential security hole. But I have never seen a claim of
using the ntp port for a break-in.
Re: ntpd and security risk
Ertugrul Söylemez <es@ertes.de> writes:
>annalissa <aarklon@gmail.com> wrote:
>
>> I have read in a book that unless you have very specific needs(and
>> your own GPS or atomic clock) running ntpd on your machine can be both
>> a waste of resource and security risk. for that reason some sysadmins
>> prefer ntpdate(often in a daily cronjob) to set their system time via
>> NTP
>>
>> how valid is this claim ?
>
>It's not totally invalid, as ntpd is a daemon that runs in background
>accepting network packets. By running ntpd, you effectively turn your
>host into a time server. Of course the ISC ntpd can be tuned to allow
Well, not necessarily. ntpd can act as a server. You can also switch it
off. It also only accepts very specific packet formats.
>access to specific hosts only, or to use cryptographic authentication.
>
>The alternative, OpenNTPD, isn't as flexible and exact, but appears to
>be more secure by simplicity. It's from the OpenBSD project, which is
>known for highly secure software products.
>
>But nevertheless a daemon is running, which is always a security risk,
>no matter which ntpd you use.
>
>Greets,
>Ertugrul.
>
>--
>nightmare = unsafePerformIO (getWrongWife >>= sex)
Re: ntpd and security risk
On Tue, 02 Sep 2008 17:37:25 +0000, Unruh wrote:
> annalissa <aarklon@gmail.com> writes:
>
> traffic is a potential security hole. But I have never seen a claim of
> using the ntp port for breakin.
By the time you can place shellcode on the stack, you are able to start a
shell or similar.
UDP is stateless so it's pretty simple to spoof those packets.
http://downloads.securityfocus.com/vulnerabilities/exploits/ntpd-exp.c
cheers
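The thread mentions that ntpd can be limited to specific hosts and can use cryptographic authentication. The following is an added example, not part of any post in the thread, that audits ntp.conf text for those two controls; the finding names, the minimum flag policy, the sample configurations and the host `time.example.net` are assumptions made for illustration.

```python
# Added example: audit reference-ntpd style ntp.conf text for the two controls
# named in the thread (host access restrictions, symmetric-key authentication).
REQUIRED = {"nomodify", "noquery"}  # assumed minimum policy for this check

def audit_ntp_conf(text):
    """Return finding strings; an empty list means both controls are present."""
    defaults, trusted, servers = [], set(), []
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not tok:
            continue
        if tok[0] == "restrict":
            args = [a for a in tok[1:] if a not in ("-4", "-6")]
            if args and args[0] == "default":
                defaults.append(set(args[1:]))  # flags on a default entry
        elif tok[0] == "trustedkey":
            trusted.update(tok[1:])             # key ids allowed for auth
        elif tok[0] in ("server", "peer") and len(tok) > 1:
            key = None
            if "key" in tok[2:-1]:              # 'key' followed by an id
                key = tok[tok.index("key", 2) + 1]
            servers.append((tok[1], key))
    findings = []
    if not defaults:
        findings.append("no-default-restrict")
    elif any("ignore" not in f and not REQUIRED <= f for f in defaults):
        findings.append("default-allows-query-or-modify")
    for host, key in servers:
        if key is None or key not in trusted:
            findings.append("unauthenticated:" + host)
    return findings

# Constructed sample inputs (not taken from the thread).
WEAK_CONF = """\
server 0.pool.ntp.org
server 1.pool.ntp.org
"""
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
keys /etc/ntp/keys
trustedkey 1
server time.example.net key 1   # hypothetical server
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ntp_conf(conf))
```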