I have a clean install of Debian with the NTP client. I was given settings to secure my NTP client configuration. I know how to add them to the /etc/ntp.conf file, but I am not sure if the settings need to be merged or overwritten, if order matters, or how duplicate settings are handled.
This is the default /etc/ntp.conf file that comes with the package:

cat /etc/ntp.conf | egrep -v '^#|^$'

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
These are the settings I was told to use:

# creates file to adjust the default system clock value after a service interruption/restart
driftfile /var/lib/ntp/drift
# access controls to reduce unwanted queries (kod)
# prevent alteration of configuration file (nomodify)
# prevent ntpdc from being used for control message protocol traps (notrap)
# prevent peer queries (nopeer)
# prevent ntpq and ntpdc queries from being answered (noquery)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# restrict NTP access to localhost
restrict 127.0.0.1
restrict -6 ::1
# point to NIST time servers, use fastest method to collect time
server time.nist.gov iburst
# point to localhost if access is lost to NTP servers/pools
fudge 127.127.1.0 stratum 10
# mitigates CVE-2013-5211
disable monitor
For some of them, like driftfile, I figured out they need to be overwritten. I am not sure about the ones that remain. Are they needed, or do I replace them? If I keep them, does order matter?
Based on my understanding, these are the settings I know need to be there, based on merging the default options and what I was provided:

# creates file to adjust the default system clock value after a service interruption/restart
driftfile /var/lib/ntp/drift
# access control configuration
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# restrict NTP access to localhost
restrict 127.0.0.1
restrict -6 ::1
# point to NIST time servers, use fastest method to collect time
server time.nist.gov iburst
# point to localhost if access is lost to NTP servers/pools
fudge 127.127.1.0 stratum 10
# mitigates CVE-2013-5211
disable monitor
These are the leftover settings from the default file, but I'm not sure what to do with them:

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
restrict source notrap nomodify noquery
Best Answer
To add further to John Mahowald's answer: the recommended configuration you were given is old and shouldn't be followed. The default configuration supplied by Debian/Ubuntu is designed to be as secure as possible given the NTP vulnerabilities we know about to date, and you should make the minimal changes to it possible.
The only thing in the proposed configuration which might be significant to you is the selection of NIST's time servers. If you want to use them, you should use the pool directive rather than just server. The pool directive enables ntpd to stop using servers if they are unresponsive or serving bad time, so you should nearly always use it in preference to server.

So overall, the only thing you might consider adding to the default configuration is:
The statistics lines you highlighted don't have any effect unless you uncomment this line:
And the last one is very important, because it enables you to use pools:
You should make sure that line is left in place.
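As an added example (not code from the question or the answer), the following Python script parses an ntp.conf fragment and reports the three points the answer makes: a server line where pool is preferred, a restrict default line that drops flags present in the Debian default, and a pool directive without the restrict source line. The parser, the flag set and the two sample configs are assumptions constructed from the lines on this page.

```python
# Flags the Debian default applies to every unknown client (taken from the ntp.conf above).
DEFAULT_RESTRICT_FLAGS = {"kod", "notrap", "nomodify", "nopeer", "noquery", "limited"}

# Constructed copy of the hardening fragment from the question, comments stripped.
PROPOSED_CONF = """
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server time.nist.gov iburst
fudge 127.127.1.0 stratum 10
disable monitor
"""

# Constructed copy of the Debian default plus the one addition the answer suggests.
RECOMMENDED_CONF = """
driftfile /var/lib/ntp/ntp.drift
pool 0.debian.pool.ntp.org iburst
pool time.nist.gov iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
"""

def parse_ntp_conf(text):
    """Return (directive, args) for each non-blank, non-comment line."""
    entries = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop trailing comments
        if words:
            entries.append((words[0], words[1:]))
    return entries

def audit_ntp_conf(text):
    """Return human-readable findings; an empty list means no deviation found."""
    entries = parse_ntp_conf(text)
    findings = []
    for directive, args in entries:
        # Reference clocks (127.127.x.x) are not upstream servers, so they are skipped.
        if directive == "server" and args and not args[0].startswith("127.127."):
            findings.append(f"server {args[0]}: prefer 'pool {args[0]} iburst' so ntpd can drop bad or unresponsive servers")
        if directive == "restrict" and "default" in args[:2]:
            missing = DEFAULT_RESTRICT_FLAGS - set(args)
            if missing:
                findings.append(f"restrict {' '.join(args)}: drops Debian default flag(s) {sorted(missing)}")
    uses_pool = any(d == "pool" for d, _ in entries)
    has_restrict_source = any(d == "restrict" and a[:1] == ["source"] for d, a in entries)
    if uses_pool and not has_restrict_source:
        findings.append("pool directive used but 'restrict source ...' is missing; keep that line so pool servers are usable")
    return findings
```

Running audit_ntp_conf over PROPOSED_CONF reports the server line and the two restrict default lines; RECOMMENDED_CONF produces no findings.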