ntp.conf: disable monitor and restrict limited incompatible options?
Hi, I recently switched back to ntp from openntp by taking the 4.2.8p7 update. I noticed this error in syslog:
ntpd[753]: restrict: 'monitor' cannot be disabled while 'limited' is enabled
Seems like the limited flag to restrict needs the monitor feature:
ntp.conf(5):
Quote:
limited
Deny service if the packet spacing violates the
lower limits specified in the discard command. A
history of clients is kept using the monitoring
capability of ntpd(1). Thus, monitoring is always
active as long as there is a restriction entry with
the limited flag.
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541
Rep:
From stable NTP default configuration file:
Quote:
# to cause a denial of service attack (CVE-2013-5211). Future versions of
# NTP will remove this command.
# (this feature was disabled by default with ntpd 4.2.7p230)
disable monitor
The two sections of /etc/ntp.conf having to do with limited would be
Quote:
#
# Don't serve time or stats to anyone else by default (more secure)
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery
#
# Use these lines instead if you do want to serve time and stats to
# other machines on the network:
#restrict default limited kod nomodify notrap nopeer
#restrict -6 default limited kod nomodify notrap nopeer
Note that no such errors occur using the (edited) default file provided with Slackware.
Quote:
Note that no such errors occur using the (edited) default file provided with Slackware.
What do you mean by edited default file? I can indeed get rid of the error by removing the limited flag from those restrict lines. But when you say "edited" you mean some other unrelated edits and you really can have disable monitor and restrict limited without a syslog error?
Last edited by thirdm; 05-05-2016 at 03:45 PM.
Reason: Be more reasonable
I dunno, I just can't get it into my head how this could not be a problem for anyone else. Probably a symptom of sitting at home with a fever but I resorted to reading source code. ntp source code makes me feel 16 again. That is to say it makes me PROTO_MINSANE:
(ntp.h)
...
#define PROTO_MINSANE 16
...
So if you have "restrict ... limited ..." you end up calling inc_res_limited() in ntp_restrict.c. First time that's called it calls mon_start(), passing mode of MON_RES. That mode is a sneaky way of turning on monitoring against your other conf file setting. Look back at ntp.h:
/*
 * Values used with mon_enabled to indicate reason for enabling monitoring
 */
#define MON_OFF		0x00	/* no monitoring */
#define MON_ON		0x01	/* monitoring explicitly enabled */
#define MON_RES		0x02	/* implicit monitoring for RES_LIMITED */
This is the way you get to the warning message in proto_config() (ntp_proto.c):
Code:
	case PROTO_MONITOR:	/* monitoring (monitor) */
		if (value)
			mon_start(MON_ON);
		else {
			mon_stop(MON_ON);
			if (mon_enabled)
				msyslog(LOG_WARNING,
					"restrict: 'monitor' cannot be disabled while 'limited' is enabled");
		}
		break;
You get in here via ntp_config.c's apply_enable_disable():
Code:
	case T_Monitor:
		proto_config(PROTO_MONITOR, enable, 0., NULL);
		break;
So value above would be false if you have monitor disable. Therefore mon_stop(MON_ON) gets called but afterwards mon_enabled is still non-zero (it's MON_RES).
So how the heck are you guys not seeing this warning message in syslog?
Last edited by thirdm; 05-05-2016 at 04:51 PM.
Reason: Give them some formatting
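As an added illustration (not code from this thread or from ntpd itself), here is a small C model of the mon_enabled bookkeeping traced in the post above. The MON_* values are the ones quoted from ntp.h; mon_start(), mon_stop(), the two-pass ordering (restrict lines applied before enable/disable) and the parsing are assumptions standing in for the real functions, and the sample config lines are constructed from the restrict lines quoted earlier in the thread.

```c
#include <stdio.h>
#include <string.h>

#define MON_OFF 0x00 /* no monitoring */
#define MON_ON  0x01 /* monitoring explicitly enabled */
#define MON_RES 0x02 /* implicit monitoring for RES_LIMITED */

static int mon_enabled = MON_OFF; /* what "ntpq -c monstats" shows as "enabled:" */
static int res_limited = 0;       /* restrict entries carrying the "limited" flag */
/* Assumed stand-ins for ntp_monitor.c: mon_start() ORs a reason bit in,
 * mon_stop() clears only that reason, so monitoring stays up while another
 * reason (here MON_RES) still needs it. */
static void mon_start(int mode) { if (mode != MON_OFF) mon_enabled |= mode; }
static void mon_stop(int mode)  { mon_enabled &= ~mode; }
/* Models inc_res_limited(): the first "limited" entry starts monitoring
 * with the implicit MON_RES reason. */
static void inc_res_limited(void) { if (res_limited++ == 0) mon_start(MON_RES); }
/* Models the PROTO_MONITOR case of proto_config(); returns 1 when ntpd
 * would log "'monitor' cannot be disabled while 'limited' is enabled". */
static int proto_config_monitor(int value) {
    if (value) { mon_start(MON_ON); return 0; }
    mon_stop(MON_ON);
    return mon_enabled != MON_OFF;
}

/* Apply ntp.conf lines. Assumption (consistent with the warning in the post):
 * restrict lines take effect before enable/disable lines regardless of file
 * order. Returns final mon_enabled; *warned is set if the warning would be logged. */
int simulate(const char *const *lines, int n, int *warned) {
    mon_enabled = MON_OFF; res_limited = 0; *warned = 0;
    for (int i = 0; i < n; i++)
        if (!strncmp(lines[i], "restrict ", 9) && strstr(lines[i], " limited"))
            inc_res_limited();
    for (int i = 0; i < n; i++)
        if (!strcmp(lines[i], "disable monitor")) *warned |= proto_config_monitor(0);
        else if (!strcmp(lines[i], "enable monitor")) proto_config_monitor(1);
    return mon_enabled;
}

int main(void) {
    /* Constructed sample: the two Slackware restrict lines plus "disable monitor". */
    const char *const cfg[] = {
        "restrict default limited kod nomodify notrap nopeer noquery",
        "restrict -6 default limited kod nomodify notrap nopeer noquery",
        "disable monitor" };
    int warned, on = simulate(cfg, 3, &warned);
    printf("enabled: 0x%x, warning logged: %s\n", on, warned ? "yes" : "no");
    return 0;
}
```

Dropping the limited flag from the restrict lines makes the model return 0x0 with no warning, matching the monstats output reported later in the thread.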
Quote:
Originally Posted by thirdm
What do you mean by edited default file? I can indeed get rid of the error by removing the limited flag from those restrict lines. But when you say "edited" you mean some other unrelated edits and you really can have disable monitor and restrict limited without a syslog error?
That wasn't real clear, I suppose.
The file supplied with the Slackware NTP package, /etc/ntp.conf, has commented lines for the pool servers:
Code:
#
# NTP server (list one or more) to synchronize with:
#server 0.pool.ntp.org iburst
#server 1.pool.ntp.org iburst
#server 2.pool.ntp.org iburst
#server 3.pool.ntp.org iburst
You need to uncomment "one or more" (I use three).
Also, there are sections that you may want to edit (by adding or deleting the # characters); specifically the sections that control serving time to your LAN.
I just note that using the default file with three server lines uncommented will work just fine; you don't need to fiddle with anything else unless you want to serve time to other machines on your network.
Quote:
I just note that using the default file with three server lines uncommented will work just fine; you don't need to fiddle with anything else unless you want to serve time to other machines on your network.
This is the part I'm surprised about. It seems to me it will work, yes, but with this warning in syslog and with the monitoring statistics gathering enabled. Maybe the confusion here is that I'm considering a warning like this in the log a problem and you're not. But I kind of get the impression you don't see the warning.
If you have restrict default limited ... and disable monitor both set in /etc/ntp.conf, what do you get from the following command? This is what I get after removing the restrict limited flag:
$ /usr/sbin/ntpq -c monstats
enabled: 0x0
...
If I add the limited flag to any restrict line and restart I instead see the following:
$ /usr/sbin/ntpq -c monstats
enabled: 0x2
...
I also find it puzzling that under a comment saying "Don't serve time or stats to anyone else by default" we have this rate limiting feature turned on. If we're not serving clients why rate limit?
No, I do not see the problem you describe (and never have if I remember correctly).
I do enable logging but have abandoned enabling statistics (which are pretty much useless unless you're providing time to the Internet or intranet in a large server farm -- I do provide time to my LAN on a server garden [4 machines including the primary server]). I have always found that simpler is better and I tend to not enable a lot of stuff that I really don't need. When NTP works, it works and that's that.
My configuration for logging and statistics:
Code:
# Log file
logfile /var/log/ntp.log
# Log file config
#logconfig=+clockall +peerall +sysall +syncall
# Statistics
#statsdir /var/log/ntpstats
#statistics loopstats
#filegen loopstats file loops type day link enable
Note that the log file is just the log, no extras (they're commented out) and the statistics are all just commented out. You turn that stuff on and you get lots of information in the logs (and statistics in multiple files), most of it not worth bothering with unless there is a problem with some server somewhere that needs attention -- you can tell if a server has a problem simply by looking at the time on the server (it's probably drifted from your main service, a pretty good indicator).
The "Don't serve time or stats to anyone else" is, simply, more secure. If you're open to the Internet, it is possible, not probable but possible, that some outside script kiddie might just try to get into your system via the NTP ports. Just extra insurance.