HPE Community
Operating System - HP-UX
1823369 Members
2729 Online
109654 Solutions
New Discussion юеВ

Disable NTP - Server Only

 
SOLVED
Go to solution
wurzul
Frequent Advisor

тАО07-20-2009 03:58 AM

тАО07-20-2009 03:58 AM

Disable NTP - Server Only

Hello,

Does anybody know how I can disable NTP server functionality only within HPUX 11.23 / 11.31 ?

For security audit purposes I need to have the NTP client enabled but the NTP server disabled. Is there a way to do this?

I've looked through various documents for hpux xntpd but cannot see a specific option.

Thanks in advance.
0 Kudos
Reply
9 REPLIES 9
James R. Ferguson
Acclaimed Contributor

тАО07-20-2009 04:13 AM

тАО07-20-2009 04:13 AM

Re: Disable NTP - Server Only

Hi:

First NTP isn't a security risk.

Edit '/etc/rc.config.d/netdaemons' and set the NTPDATE_SERVER to null; set XNTPD=0 and set XNTPD_ARGS to null.

Regards!

...JRF...
0 Kudos
Reply
Michal Kapalka (mikap)
Honored Contributor

тАО07-20-2009 04:19 AM

тАО07-20-2009 04:19 AM

Re: Disable NTP - Server Only

hi,

edit this file : /etc/rc.config.d/netdaemons

export NTPDATE_SERVER=
export XNTPD=0
export XNTPD_ARGS=

mikap
0 Kudos
Reply
Steven E. Protter
Exalted Contributor

тАО07-20-2009 04:20 AM

тАО07-20-2009 04:20 AM

Re: Disable NTP - Server Only

Shalom,

I have to agree 100% with JRF. ntp is not a security risk, not at all.

You can cause more problems by disabling time synchronization.

All daemons have control files in /etc/rc.config.d

You can set the start variable to 0 to stop the daemon from starting.

I have serious questions about the security audit that has been done in this case.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
0 Kudos
Reply
wurzul
Frequent Advisor

тАО07-20-2009 04:23 AM

тАО07-20-2009 04:23 AM

Re: Disable NTP - Server Only


I dont want to disable NTP outright.

I need to stop NTP from acting as a server.

I still need it to sync. I dont want other clients to be able to sync with it.

hope this make sense
0 Kudos
Reply
Michal Kapalka (mikap)
Honored Contributor

тАО07-20-2009 04:30 AM

тАО07-20-2009 04:30 AM

Re: Disable NTP - Server Only

hi,

yes it make senc, its a normal procedure if you like to remove ntp server from your network and migrate it to other NTP server.

mikap
0 Kudos
Reply
Ganesan R
Honored Contributor

тАО07-20-2009 05:01 AM

тАО07-20-2009 05:01 AM

Re: Disable NTP - Server Only

Hi,

>>I need to stop NTP from acting as a server.

I still need it to sync. I dont want other clients to be able to sync with it.<<

How the clients will sync with server if you have stopped the NTP server process? It is not possible.

If you have another NTP server then configure the clients to sync with that one and disable NTP server services on this one.
Best wishes,

Ganesh.
0 Kudos
Reply
rick jones
Honored Contributor

тАО07-20-2009 04:25 PM

тАО07-20-2009 04:25 PM

Solution

Re: Disable NTP - Server Only

I've never had to deal with folks insisting that the server portion be disabled, but I suspect some variation on the restrict entry in the config file would do it. Perhaps documented on www.ntp.org somewhere if not in the HP docs?
there is no rest for the wicked yet the virtuous have no pillows
Reply
Armin Kunaschik
Esteemed Contributor

тАО07-21-2009 05:11 AM

тАО07-21-2009 05:11 AM

Re: Disable NTP - Server Only

Rick is right. I'd suggest a ntp.conf like this:
restrict default ignore
restrict 127.0.0.1
restrict your.ntp.server

Maybe it's enough to not allow peers to modify your time with:
restrict 1.2.3.4 mask 255.255.255.0 nomodify

Check the ntp documentation for more detail but take care about the different implementations of "restrict" in NTP v3 (on HP-UX) and NTP 4.x!

My 2 cents,
Armin
And now for something completely different...
0 Kudos
Reply
BUPA IS
Respected Contributor

тАО07-21-2009 09:17 AM

тАО07-21-2009 09:17 AM

Re: Disable NTP - Server Only

Hello,
Armin's statements will work .

The documentation for ntp access control is here

http://www.eecis.udel.edu/~mills/ntp/html/accopt.html

>Maybe it's enough to not allow peers to modify your time with:
>restrict 1.2.3.4 mask 255.255.255.0 nomodify

nomodify will prevent any packets coming from that subnet from modifying this client's time or settings. Queries will be permitted .
The restrict is done by numeric ip address.

restrict 168.24.0.0 mask 255.255.0.0 noquery

Will prevent any client on this subnet from visting this time server for time stamps and status information but a time server on this subnet will be allowed to update it.

Mike
Help is out there always!!!!!
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.