
Disable NTP - Server Only

 
SOLVED
wurzul
Frequent Advisor

Disable NTP - Server Only

Hello,

Does anybody know how I can disable NTP server functionality only within HPUX 11.23 / 11.31?

For security audit purposes I need to have the NTP client enabled but the NTP server disabled. Is there a way to do this?

I've looked through various documents for hpux xntpd but cannot see a specific option.

Thanks in advance.
9 REPLIES
James R. Ferguson
Acclaimed Contributor

Re: Disable NTP - Server Only

Hi:

First, NTP isn't a security risk.

Edit '/etc/rc.config.d/netdaemons' and set the NTPDATE_SERVER to null; set XNTPD=0 and set XNTPD_ARGS to null.

Regards!

...JRF...
Michal Kapalka (mikap)
Honored Contributor

Re: Disable NTP - Server Only

hi,

edit this file : /etc/rc.config.d/netdaemons

export NTPDATE_SERVER=
export XNTPD=0
export XNTPD_ARGS=

mikap
Steven E. Protter
Exalted Contributor

Re: Disable NTP - Server Only

Shalom,

I have to agree 100% with JRF. ntp is not a security risk, not at all.

You can cause more problems by disabling time synchronization.

All daemons have control files in /etc/rc.config.d

You can set the start variable to 0 to stop the daemon from starting.

I have serious questions about the security audit that has been done in this case.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
wurzul
Frequent Advisor

Re: Disable NTP - Server Only


I don't want to disable NTP outright.

I need to stop NTP from acting as a server.

I still need it to sync. I don't want other clients to be able to sync with it.

Hope this makes sense.
Michal Kapalka (mikap)
Honored Contributor

Re: Disable NTP - Server Only

hi,

Yes, it makes sense; it's a normal procedure if you'd like to remove an NTP server from your network and migrate it to another NTP server.

mikap
Ganesan R
Honored Contributor

Re: Disable NTP - Server Only

Hi,

>>I need to stop NTP from acting as a server.

I still need it to sync. I don't want other clients to be able to sync with it.<<

How will the clients sync with the server if you have stopped the NTP server process? It is not possible.

If you have another NTP server then configure the clients to sync with that one and disable NTP server services on this one.
Best wishes,

Ganesh.
rick jones
Honored Contributor
Solution

Re: Disable NTP - Server Only

I've never had to deal with folks insisting that the server portion be disabled, but I suspect some variation on the restrict entry in the config file would do it. Perhaps documented on www.ntp.org somewhere if not in the HP docs?
there is no rest for the wicked yet the virtuous have no pillows
Armin Kunaschik
Esteemed Contributor

Re: Disable NTP - Server Only

Rick is right. I'd suggest an ntp.conf like this:
restrict default ignore
restrict 127.0.0.1
restrict your.ntp.server

Maybe it's enough to not allow peers to modify your time with:
restrict 1.2.3.4 mask 255.255.255.0 nomodify

Check the ntp documentation for more detail but take care about the different implementations of "restrict" in NTP v3 (on HP-UX) and NTP 4.x!

My 2 cents,
Armin
And now for something completely different...
BUPA IS
Respected Contributor

Re: Disable NTP - Server Only

Hello,
Armin's statements will work.

The documentation for ntp access control is here

http://www.eecis.udel.edu/~mills/ntp/html/accopt.html

>Maybe it's enough to not allow peers to modify your time with:
>restrict 1.2.3.4 mask 255.255.255.0 nomodify

nomodify will prevent any packets coming from that subnet from modifying this client's time or settings. Queries will be permitted.
The restrict is done by numeric ip address.

restrict 168.24.0.0 mask 255.255.0.0 noquery

Will prevent any client on this subnet from visiting this time server for time stamps and status information but a time server on this subnet will be allowed to update it.

Mike
Help is out there always!!!!!
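
An added example, not part of any post in this thread: a small Python check that reads the restrict lines of an ntp.conf and reports whether a given source address would still be answered with time. It assumes numeric IPv4 entries and the matching rule from the ntpd access-control documentation linked above (list sorted by address, then mask; the last match supplies the flags); the sample configuration and all addresses are constructed.

```python
import ipaddress

# Constructed sample ntp.conf; all addresses are documentation placeholders.
SAMPLE_CONF = """\
restrict default ignore                        # drop everything not listed below
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap            # upstream time source
restrict 10.20.0.0 mask 255.255.0.0 nomodify   # admin subnet
server 192.0.2.10
"""

def parse_restrict(conf_text):
    """Return [(IPv4Network, flags)] for numeric 'restrict' lines."""
    entries = []
    for line in conf_text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest, mask = tok[1], tok[2:], "255.255.255.255"
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        # Raises ValueError on host names: this sketch handles numeric IPv4 only.
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries

def flags_for(entries, source):
    """Flags of the last matching entry after sorting by address, then mask."""
    src = ipaddress.ip_address(source)
    ordered = sorted(entries,
                     key=lambda e: (int(e[0].network_address), int(e[0].netmask)))
    matched = frozenset()  # assumed: with no matching entry, no restrictions apply
    for net, flags in ordered:
        if src in net:
            matched = flags
    return matched

def serves_time_to(entries, source):
    """True if time requests from 'source' are answered (no ignore/noserve)."""
    return not (flags_for(entries, source) & {"ignore", "noserve"})

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for ip in ("203.0.113.7", "10.20.5.5", "192.0.2.10", "127.0.0.1"):
        print(ip, "served" if serves_time_to(rules, ip) else "dropped")
```

With the sample file, 10.20.5.5 is still reported as served because its entry carries only nomodify, while an unlisted address falls through to the default ignore entry and is dropped.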