topic Re: Disable NTP - Server Only in Operating System - HP-UX

Disable NTP - Server Only

wurzul — Mon, 20 Jul 2009 10:58:07 GMT

Hello,

Does anybody know how I can disable NTP server functionality only within HPUX 11.23 / 11.31 ?

For security audit purposes I need to have the NTP client enabled but the NTP server disabled. Is there a way to do this?

I've looked through various documents for hpux xntpd but cannot see a specific option.

Thanks in advance.

Re: Disable NTP - Server Only

James R. Ferguson — Mon, 20 Jul 2009 11:13:19 GMT

Hi:

First NTP isn't a security risk.

Edit '/etc/rc.config.d/netdaemons' and set the NTPDATE_SERVER to null; set XNTPD=0 and set XNTPD_ARGS to null.

Regards!

...JRF...

Re: Disable NTP - Server Only

Michal Kapalka (mikap) — Mon, 20 Jul 2009 11:19:08 GMT

hi,

edit this file : /etc/rc.config.d/netdaemons

export NTPDATE_SERVER=
export XNTPD=0
export XNTPD_ARGS=

mikap

Re: Disable NTP - Server Only

Steven E. Protter — Mon, 20 Jul 2009 11:20:44 GMT

Shalom,

I have to agree 100% with JRF. ntp is not a security risk, not at all.

You can cause more problems by disabling time synchronization.

All daemons have control files in /etc/rc.config.d

You can set the start variable to 0 to stop the daemon from starting.

I have serious questions about the security audit that has been done in this case.

SEP

Re: Disable NTP - Server Only

wurzul — Mon, 20 Jul 2009 11:23:16 GMT

I dont want to disable NTP outright.

I need to stop NTP from acting as a server.

I still need it to sync. I dont want other clients to be able to sync with it.

hope this make sense

Re: Disable NTP - Server Only

Michal Kapalka (mikap) — Mon, 20 Jul 2009 11:30:03 GMT

hi,

yes it make senc, its a normal procedure if you like to remove ntp server from your network and migrate it to other NTP server.

mikap

Re: Disable NTP - Server Only

Ganesan R — Mon, 20 Jul 2009 12:01:16 GMT

Hi,

>>I need to stop NTP from acting as a server.

I still need it to sync. I dont want other clients to be able to sync with it.<<

How the clients will sync with server if you have stopped the NTP server process? It is not possible.

If you have another NTP server then configure the clients to sync with that one and disable NTP server services on this one.

Re: Disable NTP - Server Only

rick jones — Mon, 20 Jul 2009 23:25:19 GMT

I've never had to deal with folks insisting that the server portion be disabled, but I suspect some variation on the restrict entry in the config file would do it. Perhaps documented on www.ntp.org somewhere if not in the HP docs?

Re: Disable NTP - Server Only

Armin Kunaschik — Tue, 21 Jul 2009 12:11:33 GMT

Rick is right. I'd suggest a ntp.conf like this:
restrict default ignore
restrict 127.0.0.1
restrict your.ntp.server

Maybe it's enough to not allow peers to modify your time with:
restrict 1.2.3.4 mask 255.255.255.0 nomodify

Check the ntp documentation for more detail but take care about the different implementations of "restrict" in NTP v3 (on HP-UX) and NTP 4.x!

My 2 cents,
Armin

Re: Disable NTP - Server Only

BUPA IS — Tue, 21 Jul 2009 16:17:22 GMT

Hello,
Armin's statements will work .

The documentation for ntp access control is here

http://www.eecis.udel.edu/~mills/ntp/html/accopt.html

>Maybe it's enough to not allow peers to modify your time with:
>restrict 1.2.3.4 mask 255.255.255.0 nomodify

nomodify will prevent any packets coming from that subnet from modifying this client's time or settings. Queries will be permitted .
The restrict is done by numeric ip address.

restrict 168.24.0.0 mask 255.255.0.0 noquery

Will prevent any client on this subnet from visting this time server for time stamps and status information but a time server on this subnet will be allowed to update it.

Mike