ntpd and security risk - Security


Thread: ntpd and security risk

  1. ntpd and security risk

    Hi,

    I have read in a book that unless you have very specific needs (and
    your own GPS or atomic clock), running ntpd on your machine can be both
    a waste of resources and a security risk. For that reason some sysadmins
    prefer ntpdate (often in a daily cronjob) to set their system time via NTP.

    How valid is this claim?

  2. Re: ntpd and security risk

    annalissa wrote:

    > I have read in a book that unless you have very specific needs(and
    > your own GPS or atomic clock) running ntpd on your machine can be both
    > a waste of resource and security risk. for that reason some sysadmins
    > prefer ntpdate(often in a daily cronjob) to set their system time via
    > NTP
    >
    > how valid is this claim ?


    It's not totally invalid, as ntpd is a daemon that runs in background
    accepting network packets. By running ntpd, you effectively turn your
    host into a time server. Of course the ISC ntpd can be tuned to allow
    access to specific hosts only, or to use cryptographic authentication.

    The alternative, OpenNTPD, isn't as flexible and exact, but appears to
    be more secure by simplicity. It's from the OpenBSD project, which is
    known for highly secure software products.

    But nevertheless a daemon is running, which is always a security risk,
    no matter which ntpd you use.


    Greets,
    Ertugrul.


    --
    nightmare = unsafePerformIO (getWrongWife >>= sex)
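    The two mitigations Ertugrul mentions, limiting access to specific hosts and using cryptographic authentication, as an added ntp.conf example (not from this thread). The server address 192.0.2.10 and the key file path are placeholders.

    ```conf
    # /etc/ntp.conf for a host that only wants correct time, not to serve it.
    #
    # Weak setting: an ntp.conf with no "restrict" lines at all. ntpd then
    # answers time requests, ntpq/ntpdc queries and runtime configuration
    # requests from any address, i.e. the "time server" described above.

    # Hardened setting: drop every incoming packet by default ...
    restrict default ignore
    restrict -6 default ignore

    # ... except local queries, so "ntpq -p" still works on the box itself.
    restrict 127.0.0.1
    restrict -6 ::1

    # ... and except time replies from the one upstream server we chose.
    # 192.0.2.10 is a placeholder address (TEST-NET-1), not a real server.
    #   nomodify/noquery: no runtime reconfiguration, no ntpq/ntpdc queries
    #   notrap:           no control-message trap service
    #   nopeer:           the remote side cannot create a peer association
    restrict 192.0.2.10 nomodify notrap nopeer noquery

    # Symmetric-key authentication: replies must carry a MAC made with key 1,
    # so a spoofed reply without the shared secret is discarded.
    # /etc/ntp/ntp.keys (placeholder path) holds lines like "1 MD5 <secret>";
    # the server must have the same key id, type and secret in its key file.
    keys /etc/ntp/ntp.keys
    trustedkey 1
    server 192.0.2.10 key 1 iburst
    ```

    After restarting ntpd, `ntpq -p` on the host itself still answers (loopback is allowed), while the same query from any other machine gets no reply at all.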


  3. Re: ntpd and security risk

    annalissa writes:

    >Hi,


    >I have read in a book that unless you have very specific needs(and
    >your own GPS or atomic clock) running ntpd on your machine can be both
    >a waste of resource and security risk. for that reason some sysadmins
    >prefer ntpdate(often in a daily
    >cronjob) to set their system time via NTP


    >how valid is this claim ?


    Pretty invalid. a) How is it a waste of resources (what resources) to keep
    your time accurate? b) ntpdate is disappearing and will no longer be
    supported. c) It is true that any program which listens for incoming
    traffic is a potential security hole. But I have never seen a claim of
    using the ntp port for a break-in.



  4. Re: ntpd and security risk

    Ertugrul Söylemez writes:

    >annalissa wrote:


    >> I have read in a book that unless you have very specific needs(and
    >> your own GPS or atomic clock) running ntpd on your machine can be both
    >> a waste of resource and security risk. for that reason some sysadmins
    >> prefer ntpdate(often in a daily cronjob) to set their system time via
    >> NTP
    >>
    >> how valid is this claim ?


    >It's not totally invalid, as ntpd is a daemon that runs in background
    >accepting network packets. By running ntpd, you effectively turn your
    >host into a time server. Of course the ISC ntpd can be tuned to allow


    Well, not necessarily. ntpd can act as a server. You can also switch it
    off. It also only accepts very specific packet formats.

    >access to specific hosts only, or to use cryptographic authentication.


    >The alternative, OpenNTPD, isn't as flexible and exact, but appears to
    >be more secure by simplicity. It's from the OpenBSD project, which is
    >known for highly secure software products.


    >But nevertheless a daemon is running, which is always a security risk,
    >no matter which ntpd you use.



    >Greets,
    >Ertugrul.



    >--
    >nightmare = unsafePerformIO (getWrongWife >>= sex)



  5. Re: ntpd and security risk

    On Tue, 02 Sep 2008 17:37:25 +0000, Unruh wrote:

    > annalissa writes:


    > traffic is a potential security hole. But I have never seen a claim of
    > using the ntp port for breakin.


    By the time you can place shellcode on the stack, you are able to start a
    shell or similar.
    UDP is stateless, so it's pretty simple to spoof those packets.


    http://downloads.securityfocus.com/v...its/ntpd-exp.c


    cheers
