Re: xntp both serve and client



On 2008-11-06, fenwayfool <peterson.russell@xxxxxxxxx> wrote:

> Thanks for the replies everyone. The system I have is an embedded
> system and the NTP software was ported (to a non-Linux OS) a while
> back so I guess it was called xntp when that work was done. In this
> environment, we only use NTP as a client.

The current stable version of the NTP Reference Implementation is
4.2.4p5

> I have modified the ntp.config to restrict access... but the port
> still shows up on port scans.

ntpd binds UDP port 123 on all interfaces.

The access restrictions don't change this binding.

> My problem is, customers... not me... don't like port 123 showing up
> as open.

It is up to you to convince your customers that this is not a problem.

The port scan shows that ntpd is listening on 123/UDP. But the port scan
does not show that the Access Restrictions are causing ntpd to drop all
packets except those explicitly allowed.

> I suspect this is because they are thinking more along the
> lines of a simple SNTP sequence that goes like:
>
> 1. open socket (using a random port > 1023 as the source port)
> 2. send message (port 123 is dest port)
> 3. wait for reply
> 4. close socket

ntpd is continuously disciplining the clock and, since it is
continuously running, port 123/UDP is continuously bound.

> Step #3 has a timeout period associated with it. True, a source port
> != 123 violates the RFC strictly speaking... but it works.

Some time servers will not accept connections when the source port is
not 123.

> NTP seems a bit more involved. It even seems like if I configure a
> server... and the code has trouble reaching the server... that it may
> revert into a "listen to NTP broadcast messages" like mode???

If you tell ntpd to poll certain servers that is what it will do.

If you tell ntpd to listen for broadcast packets that is what it will
do.

There is no facility for the sort of reversion you are suggesting.

--
Steve Kostecke <kostecke@xxxxxxx>
NTP Public Services Project - http://support.ntp.org/
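As an added illustration (not part of this thread, and not ntpd's or any project's code), here is the four-step SNTP exchange the quoted message describes, written in Python: the client sends a mode-3 packet from whatever ephemeral source port the kernel picks, waits for the mode-4 reply with a timeout, checks that the reply's origin timestamp echoes what it sent, and closes the socket, so nothing stays bound on the client side. The server is a constructed loopback test double so the script runs offline; the timestamps, reference id and stratum it uses are made-up values for the demonstration, and the kiss-o'-death handling follows the RFC 5905 convention of stratum 0 with the code in the reference id field.

```python
"""Minimal SNTP client exchange (added example; not from the thread or ntpd).
Steps: 1. open UDP socket (ephemeral source port), 2. send mode-3 request to
port 123, 3. wait for a mode-4 reply with a timeout, 4. close the socket."""
import socket
import struct
import threading
import time

NTP_PORT = 123
NTP_PACKET = "!BBBb11I"   # 48-byte NTP header, RFC 5905 layout
NTP_DELTA = 2208988800    # seconds from 1900-01-01 to the Unix epoch
MODE_CLIENT, MODE_SERVER = 3, 4


def build_request(version=4, now=None):
    """Mode-3 client packet; our transmit timestamp doubles as a nonce."""
    ntp_time = (time.time() if now is None else now) + NTP_DELTA
    tx_s = int(ntp_time)
    tx_f = int((ntp_time - tx_s) * 2 ** 32) & 0xFFFFFFFF
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    pkt = struct.pack(NTP_PACKET, li_vn_mode, 0, 0, 0, *([0] * 9), tx_s, tx_f)
    return pkt, (tx_s, tx_f)


def parse_reply(data):
    """Decode a mode-4 reply; raise on anything a client must not trust."""
    if len(data) < 48:
        raise ValueError("short packet (%d bytes)" % len(data))
    f = struct.unpack(NTP_PACKET, data[:48])
    li, version, mode = f[0] >> 6, (f[0] >> 3) & 7, f[0] & 7
    if mode != MODE_SERVER:
        raise ValueError("unexpected mode %d" % mode)
    if f[1] == 0:  # stratum 0 in a reply is a kiss-o'-death; ref id carries the code
        code = struct.pack("!I", f[6]).decode("ascii", "replace")
        raise ValueError("kiss-o'-death reply, code %r" % code)
    if li == 3:
        raise ValueError("server clock is unsynchronized")
    tx_s, tx_f = f[13], f[14]
    return {
        "version": version,
        "stratum": f[1],
        "origin": (f[9], f[10]),
        "transmit": (tx_s, tx_f),
        "unix_time": tx_s - NTP_DELTA + tx_f / 2 ** 32,
    }


def sntp_query(host, port=NTP_PORT, timeout=2.0):
    """Run steps 1-4. Returns the parsed reply, or None on timeout/ICMP error."""
    addr = (socket.gethostbyname(host), port)
    request, sent_tx = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:  # step 1
        sock.settimeout(timeout)
        sock.sendto(request, addr)                                  # step 2
        source_port = sock.getsockname()[1]  # ephemeral port picked by the kernel
        try:
            data, peer = sock.recvfrom(512)                         # step 3
        except OSError:  # socket.timeout, or ICMP port-unreachable surfaced as an error
            return None
    # step 4 done: the socket is closed; the client keeps nothing bound
    if peer != addr:
        raise ValueError("reply from %r, expected %r" % (peer, addr))
    reply = parse_reply(data)
    if reply["origin"] != sent_tx:
        raise ValueError("origin timestamp does not echo our request (stray or spoofed)")
    reply["source_port"] = source_port
    return reply


def build_reply(request, tx_seconds, tx_fraction=0, stratum=2, ref_id=0x4C4F434C):
    """Constructed server reply for testing (ref id 'LOCL' by default)."""
    req = struct.unpack(NTP_PACKET, request[:48])
    version = (req[0] >> 3) & 7
    return struct.pack(NTP_PACKET, (version << 3) | MODE_SERVER, stratum, 6, -20,
                       0, 0, ref_id,
                       tx_seconds, 0,             # reference timestamp
                       req[13], req[14],          # origin = client's transmit
                       tx_seconds, tx_fraction,   # receive timestamp
                       tx_seconds, tx_fraction)   # transmit timestamp


def serve_once(tx_seconds, tx_fraction=0, stratum=2, silent=False):
    """Constructed test double: one-shot responder on loopback, kernel-chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(5.0)
    port = srv.getsockname()[1]

    def handle():
        try:
            req, peer = srv.recvfrom(512)
            if not silent:  # silent=True models a server that never answers (step 3 times out)
                srv.sendto(build_reply(req, tx_seconds, tx_fraction, stratum), peer)
        except OSError:
            pass
        finally:
            srv.close()

    thread = threading.Thread(target=handle, daemon=True)
    thread.start()
    return port, thread


if __name__ == "__main__":
    # Offline demo; 3434918400 NTP seconds is 2008-11-06 00:00:00 UTC (constructed value).
    port, _ = serve_once(3434918400, 2 ** 31)
    print(sntp_query("127.0.0.1", port))
```

The origin-timestamp comparison is what lets a client throw away stray or spoofed replies, and the peer-address check rejects answers from anything but the server it asked; both are cheap and worth keeping even in an embedded port. Nothing in the client ever binds 123/UDP, which is the difference between this sequence and a running ntpd that a port scan will always see.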