ntp_acc(5)                    File Formats Manual                    ntp_acc(5)

NAME
       ntp_acc - Access Control Options

DESCRIPTION
       The ntpd daemon implements a general purpose address/mask based
       restriction list. The list contains address/mask entries sorted first
       by increasing address values and then by increasing mask values. A
       match occurs when the bitwise AND of the mask and the packet source
       address is equal to the bitwise AND of the mask and the address in the
       list. The list is searched in order, with the last match found
       defining the restriction flags that apply to the packet. Additional
       information and examples can be found in the Notes on Configuring NTP
       and Setting up a NTP Subnet page. The restriction facility was
       implemented in conformance with the access policies for the original
       NSFnet backbone time servers. Later the facility was expanded to
       deflect cryptographic and clogging attacks. While this facility may be
       useful for keeping unwanted, broken or malicious clients from
       congesting innocent servers, it should not be considered an
       alternative to the NTP authentication facilities. Source address based
       restrictions are easily circumvented by a determined attacker, since
       the source address of a UDP packet can simply be forged.

       Clients can be denied service because they are explicitly included in
       the restrict list created by the restrict command, or implicitly as
       the result of cryptographic or rate limit violations. Cryptographic
       violations include certificate or identity verification failure; rate
       limit violations generally result from defective NTP implementations
       that send packets at abusive rates. Some violations cause denied
       service only for the offending packet, others cause denied service for
       a timed period, and others cause denied service for an indefinite
       period. When a client or network is denied access for an indefinite
       period, the only way at present to remove the restrictions is by
       restarting the server.

   The Kiss-of-Death Packet
       Ordinarily, packets denied service are simply dropped with no further
       action except incrementing statistics counters. Sometimes a more
       proactive response is needed, such as a server message that explicitly
       requests the client to stop sending and leaves a message for the
       system operator. A special packet format has been created for this
       purpose, called the "kiss-o'-death" (KoD) packet. KoD packets have the
       leap indicator set to unsynchronized (both leap bits set), the stratum
       set to zero, and the reference identifier field set to a four-byte
       ASCII code. If the noserve or notrust flag of the matching restrict
       list entry is set, the code is "DENY"; if the limited flag is set and
       the rate limit is exceeded, the code is "RATE". Finally, if a
       cryptographic violation occurs, the code is "CRYP".

       A client receiving a KoD performs a set of sanity checks to minimize
       security exposure, then updates the stratum and reference identifier
       peer variables, sets the access denied (TEST4) bit in the peer flash
       variable and sends a message to the log. As long as the TEST4 bit is
       set, the client will send no further packets to the server. The only
       way at present to recover from this condition is to restart the
       protocol at both the client and the server. This happens automatically
       at the client when the association times out. It will happen at the
       server only if the server operator cooperates.

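
       The KoD exchange described in the two paragraphs above, as an added
       example written for this page (it is not ntpd's code). The server half
       builds a KoD in the format given above; the client half applies the
       checks a careful implementation performs before honouring one. The
       man page only says "a set of sanity checks", so the exact list used
       here (a mode 4 reply, an origin timestamp equal to the transmit
       timestamp the client sent, a known kiss code) and the TEST4 bit value,
       timestamps and restrict flags in the demo are assumptions of the
       example.

```python
"""Kiss-o'-death (KoD) packets, server and client side.

Added example for this page, not ntpd's own code.  The server half follows
the format the man page gives: leap indicator unsynchronized (both bits set),
stratum zero, a four-byte ASCII kiss code in the reference identifier.  The
client half applies checks before honouring a KoD; the man page only says "a
set of sanity checks", so the exact list here (mode 4 reply, origin timestamp
equal to the transmit timestamp we sent, known kiss code) is an assumption of
this example.  Timestamps and restrict flags below are constructed.
"""
import struct
from dataclasses import dataclass

NTP_PACKET = struct.Struct("!BBbbII4sQQQQ")  # 48-byte NTP header, RFC 5905 layout
LI_UNSYNC = 3                  # leap indicator 11: clock unsynchronized
MODE_CLIENT, MODE_SERVER = 3, 4
TEST4 = 0x0008                 # ntpd peer flash bit: access denied (assumed value)
KISS_CODES = {
    "DENY": "noserve or notrust restriction",
    "RATE": "limited flag set and rate limit exceeded",
    "CRYP": "cryptographic violation",
}
KISS_BYTES = {code.encode("ascii") for code in KISS_CODES}


def kiss_code_for(flags, authenticated=False, rate_exceeded=False, crypto_failed=False):
    """Code the man page assigns to a violation, or None when the client is
    served.  ntpd only transmits the KoD if the matching entry also carries
    the kod flag; otherwise the offending packet is dropped silently."""
    if "noserve" in flags or ("notrust" in flags and not authenticated):
        return "DENY"
    if "limited" in flags and rate_exceeded:
        return "RATE"
    if crypto_failed:
        return "CRYP"
    return None


def build_client_request(version, xmt):
    """A mode-3 client request whose transmit timestamp is xmt."""
    return NTP_PACKET.pack((version << 3) | MODE_CLIENT, 0, 6, -20, 0, 0,
                           b"\0\0\0\0", 0, 0, 0, xmt)


def build_kod(request, code):
    """Server side: the KoD reply to request.  The client's transmit timestamp
    is echoed in the origin field so the client can tell the reply is its own."""
    li_vn_mode, _, poll, precision, *_, client_xmt = NTP_PACKET.unpack(request)
    version = (li_vn_mode >> 3) & 7
    header = (LI_UNSYNC << 6) | (version << 3) | MODE_SERVER
    return NTP_PACKET.pack(header, 0, poll, precision, 0, 0,
                           code.encode("ascii"), 0, client_xmt, 0, 0)


@dataclass
class Peer:
    """The slice of ntpd's per-association state the KoD path touches."""
    xmt: int                     # transmit timestamp of our last request
    stratum: int = 16
    refid: bytes = b"\0\0\0\0"
    flash: int = 0

    def may_poll(self):
        """With TEST4 set the peer is not polled until the association restarts."""
        return not (self.flash & TEST4)


def handle_reply(peer, reply):
    """Client side.  Returns "kod", "time" or "drop:<reason>", and updates
    peer (stratum, refid, TEST4) only for a KoD that survives every check."""
    if len(reply) < NTP_PACKET.size:
        return "drop:short packet"
    li_vn_mode, stratum, _, _, _, _, refid, _, org, _, _ = NTP_PACKET.unpack(
        reply[:NTP_PACKET.size])
    li, mode = li_vn_mode >> 6, li_vn_mode & 7
    if mode != MODE_SERVER:
        return "drop:not a server reply"
    if org != peer.xmt:
        # Unsolicited or forged: a packet we did not ask for must never be
        # able to silence the association.
        return "drop:origin timestamp is not the one we sent"
    if stratum != 0:
        return "time"            # ordinary reply; normal processing follows
    if li != LI_UNSYNC or refid not in KISS_BYTES:
        return "drop:stratum 0 but not a well-formed KoD"
    peer.stratum, peer.refid = stratum, refid
    peer.flash |= TEST4
    return "kod"


if __name__ == "__main__":
    xmt = 0x0123456789ABCDEF      # constructed transmit timestamp
    peer = Peer(xmt=xmt)
    request = build_client_request(4, xmt)
    # Server side: the matching entry is "restrict ... limited kod" and this
    # client has just violated the discard limits.
    reply = build_kod(request, kiss_code_for({"limited", "kod"}, rate_exceeded=True))
    print(handle_reply(peer, reply), peer.refid, "poll again:", peer.may_poll())
```

       The origin timestamp check is the one that matters for security: a
       KoD is accepted only if it echoes the transmit timestamp of the
       client's own request, so a third party who can forge the server's
       source address still has to guess that value before it can set TEST4
       and silence the association.
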
   Access Control Commands
       discard [ average avg ] [ minimum min ] [ monitor prob ]
              Set the parameters of the limited facility, which protects the
              server from client abuse. The average subcommand specifies the
              minimum average packet spacing, while the minimum subcommand
              specifies the minimum packet spacing. Packets that violate
              these minima are discarded and a kiss-o'-death packet is
              returned if enabled. The default minimum average and minimum
              are 5 and 2, respectively. The monitor subcommand specifies the
              probability of discard for packets that overflow the
              rate-control window.

       restrict address [mask mask] [flag][...]
              The address argument, expressed in dotted-quad form, is the
              address of a host or network. Alternatively, the address
              argument can be a valid host DNS name. The mask argument,
              expressed in dotted-quad form, defaults to 255.255.255.255,
              meaning that the address is treated as the address of an
              individual host. A default entry (address 0.0.0.0, mask
              0.0.0.0) is always included and is always the first entry in
              the list. Note that the text string default, with no mask
              option, may be used to indicate the default entry. In the
              current implementation, a flag always restricts access, i.e.,
              an entry with no flags indicates that free access to the server
              is to be given. The flags are not orthogonal, in that more
              restrictive flags will often make less restrictive ones
              redundant. The flags can generally be classed into two
              categories: those which restrict time service and those which
              restrict informational queries and attempts to do run-time
              reconfiguration of the server. One or more of the following
              flags may be specified:

              ignore Deny packets of all kinds, including ntpq and ntpdc
                     queries.

              kod    If this flag is set when an access violation occurs, a
                     kiss-o'-death (KoD) packet is sent. KoD packets are rate
                     limited to no more than one per second. If another KoD
                     would be due within one second after the last one, the
                     offending packet is dropped without a reply.

              limited
                     Deny service if the packet spacing violates the lower
                     limits specified in the discard command. A history of
                     clients is kept using the monitoring capability of ntpd.
                     Thus, monitoring is always active as long as there is a
                     restriction entry with the limited flag.

              lowpriotrap
                     Declare traps set by matching hosts to be low priority.
                     The number of traps a server can maintain is limited
                     (the current limit is 3). Traps are usually assigned on
                     a first come, first served basis, with later trap
                     requestors being denied service. This flag modifies the
                     assignment algorithm by allowing low priority traps to
                     be overridden by later requests for normal priority
                     traps.

              nomodify
                     Deny ntpq and ntpdc queries which attempt to modify the
                     state of the server (i.e., run time reconfiguration).
                     Queries which return information are permitted.

              noquery
                     Deny ntpq and ntpdc queries. Time service is not
                     affected.

              nopeer Deny packets which would result in mobilizing a new
                     association. This includes broadcast, symmetric-active
                     and manycast client packets when a configured
                     association does not exist.

              noserve
                     Deny all packets except ntpq and ntpdc queries.

              notrap Decline to provide mode 6 control message trap service
                     to matching hosts. The trap service is a subsystem of
                     the ntpq control message protocol which is intended for
                     use by remote event logging programs.

              notrust
                     Deny packets unless the packet is cryptographically
                     authenticated.

              ntpport
                     This is actually a match algorithm modifier, rather
                     than a restriction flag. Its presence causes the
                     restriction entry to be matched only if the source port
                     in the packet is the standard NTP UDP port (123). Both
                     ntpport and non-ntpport entries may be specified for
                     the same address and mask. The ntpport entry is
                     considered more specific and is sorted later in the
                     list.

              version
                     Deny packets that do not match the current NTP version.

       Default restriction list entries with the flags ignore, interface and
       ntpport, one for each of the local host's interface addresses, are
       inserted into the table at startup to prevent the server from
       attempting to synchronize to its own time. A default entry is also
       always present; if it is not otherwise configured, no flags are
       associated with it (i.e., everything besides your own NTP server is
       unrestricted).

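
       The list ordering and matching rules from the DESCRIPTION above, and
       the restrict command syntax just described, as an added example
       written for this page (not ntpd's implementation). It parses restrict
       lines from a constructed ntp.conf fragment and reports which flags the
       list would apply to a given source address and port, including the
       ntpport modifier. The configuration, addresses and ports are
       assumptions of the example; only dotted-quad addresses are handled,
       DNS names are not resolved.

```python
"""Added example for this page: parse restrict lines from a constructed
ntp.conf fragment and evaluate which restriction flags the address/mask list
described above would apply to a packet.  This is illustrative code, not
ntpd's implementation; the ordering and matching rules (default entry first,
then increasing address and increasing mask, ntpport entries after their
non-ntpport twins, last match wins) are the ones the man page states.
Dotted-quad addresses only; DNS names are not resolved here.
"""
import ipaddress

NTP_PORT = 123
RESTRICT_FLAGS = {"ignore", "kod", "limited", "lowpriotrap", "nomodify", "noquery",
                  "nopeer", "noserve", "notrap", "notrust", "version"}

# Constructed configuration fragment (an assumption of this example).
SAMPLE_CONF = """\
# Deny everything by default but tell abusive clients why (kod), and
# rate-limit them (limited).
restrict default kod nomodify notrap nopeer noquery limited
# The local host may do anything, including run-time reconfiguration.
restrict 127.0.0.1
# The LAN gets time service and read-only queries.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# One LAN host runs an event logger and may also set traps.
restrict 192.168.1.50 nomodify
# 10.0.0.7's own ntpd (source port 123) is fully trusted; anything else from
# that host, such as ntpq on an ephemeral port, may not query at all.
restrict 10.0.0.7 nomodify noquery
restrict 10.0.0.7 ntpport
"""


def parse_restrict_lines(conf):
    """Return (addr, mask, ntpport, flags) tuples in ntpd's list order."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        if not tokens:
            raise ValueError(f"restrict without an address: {raw!r}")
        if tokens[0] == "default":
            addr, mask, rest = 0, 0, tokens[1:]
        else:
            addr = int(ipaddress.IPv4Address(tokens[0]))
            mask, rest = 0xFFFFFFFF, tokens[1:]   # no mask option: a single host
            if rest[:1] == ["mask"]:
                mask, rest = int(ipaddress.IPv4Address(rest[1])), rest[2:]
        ntpport = "ntpport" in rest
        flags = frozenset(t for t in rest if t in RESTRICT_FLAGS)
        unknown = [t for t in rest if t not in RESTRICT_FLAGS and t != "ntpport"]
        if unknown:
            raise ValueError(f"unknown restrict flag(s) {unknown}: {raw!r}")
        entries.append((addr, mask, ntpport, flags))
    if not any(a == 0 and m == 0 for a, m, _, _ in entries):
        entries.append((0, 0, False, frozenset()))   # implicit, flagless default
    # Increasing address, then increasing mask; ntpport entries sort later.
    entries.sort(key=lambda e: (e[0], e[1], e[2]))
    return entries


def lookup(entries, src_ip, src_port=NTP_PORT):
    """Walk the sorted list; the last entry that matches decides the flags.
    An entry carrying ntpport only matches packets from UDP port 123."""
    src = int(ipaddress.IPv4Address(src_ip))
    matched = frozenset()
    for addr, mask, ntpport, flags in entries:
        if ntpport and src_port != NTP_PORT:
            continue
        if (src & mask) == (addr & mask):
            matched = flags
    return matched


if __name__ == "__main__":
    table = parse_restrict_lines(SAMPLE_CONF)
    for ip, port in (("127.0.0.1", 40000), ("192.168.1.20", 123),
                     ("192.168.1.50", 123), ("10.0.0.7", 123),
                     ("10.0.0.7", 40000), ("203.0.113.9", 123)):
        print(f"{ip}:{port:<5} -> {sorted(lookup(table, ip, port)) or 'unrestricted'}")
```

       Because the default entry sorts first and a host entry sorts after
       the network entry that contains it, the most specific entry is the
       last match and therefore wins; an entry with no flags (such as the
       127.0.0.1 line) grants unrestricted access rather than inheriting the
       default entry's flags.
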
SEE ALSO
       ntp.conf(5)

       Primary source of documentation: /usr/share/doc/ntp-*

       This file was automatically generated from HTML source.

                                                                    ntp_acc(5)