LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Slackware This Forum is for the discussion of Slackware Linux.
Old 05-04-2016, 07:39 AM   #1
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, NetBSD, Debian, 9front
Posts: 317

Rep: Reputation: Disabled
ntp.conf: disable monitor and restrict limited incompatible options?


Hi, I recently switched back to ntp from openntp by taking the 4.2.8p7 update. I noticed this error in syslog:

ntpd[753]: restrict: 'monitor' cannot be disabled while 'limited' is enabled

Seems like the limited flag to restrict needs the monitor feature:

ntp.conf(5):
Quote:
limited
Deny service if the packet spacing violates the
lower limits specified in the discard command. A
history of clients is kept using the monitoring
capability of ntpd(1). Thus, monitoring is always
active as long as there is a restriction entry with
the limited flag.
 
Old 05-05-2016, 04:06 AM   #2
StreamThreader
Member
 
Registered: Mar 2012
Location: Ukraine/Odesa
Distribution: Slackware
Posts: 152

Rep: Reputation: 64
Show your ntpd.conf. If you want to disable monitor, you need to remove the 'limited' flag from the restrict ACL.
 
Old 05-05-2016, 07:01 AM   #3
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, NetBSD, Debian, 9front
Posts: 317

Original Poster
Rep: Reputation: Disabled
I did that, but the ntp.conf as I got it came that way I believe. Thought someone might be interested, maybe fix it. Others aren't seeing this?
 
Old 05-05-2016, 11:38 AM   #4
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
From stable NTP default configuration file:
Quote:
# to cause a denial of service attack (CVE-2013-5211). Future versions of
# NTP will remove this command.
# (this feature was disabled by default with ntpd 4.2.7p230)
disable monitor
The two sections of /etc/ntp.conf having to do with limited would be
Quote:
#
# Don't serve time or stats to anyone else by default (more secure)
restrict default limited kod nomodify notrap nopeer noquery
restrict -6 default limited kod nomodify notrap nopeer noquery

#
# Use these lines instead if you do want to serve time and stats to
# other machines on the network:
#restrict default limited kod nomodify notrap nopeer
#restrict -6 default limited kod nomodify notrap nopeer
Note that no such errors occur using the (edited) default file provided with Slackware.

Hope this helps some.
 
Old 05-05-2016, 03:33 PM   #5
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, NetBSD, Debian, 9front
Posts: 317

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tronayne View Post
Note that no such errors occur using the (edited) default file provided with Slackware.
What do you mean by edited default file? I can indeed get rid of the error by removing the limited flag from those restrict lines. But when you say "edited" you mean some other unrelated edits and you really can have disable monitor and restrict limited without a syslog error?

Last edited by thirdm; 05-05-2016 at 03:45 PM. Reason: Be more reasonable
 
Old 05-05-2016, 04:49 PM   #6
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, NetBSD, Debian, 9front
Posts: 317

Original Poster
Rep: Reputation: Disabled
I dunno, I just can't get it into my head how this could not be a problem for anyone else. Probably a symptom of sitting at home with a fever but I resorted to reading source code. ntp source code makes me feel 16 again. That is to say it makes me PROTO_MINSANE:
(ntp.h)
...
#define PROTO_MINSANE 16
...

So if you have "restrict ... limited ..." you end up calling inc_res_limited() in ntp_restrict.c. First time that's called it calls mon_start(), passing mode of MON_RES. That mode is a sneaky way of turning on monitoring against your other conf file setting. Look back at ntp.h:

/*
* Values used with mon_enabled to indicate reason for enabling monitoring
*/
#define MON_OFF 0x00 /* no monitoring */
#define MON_ON 0x01 /* monitoring explicitly enabled */
#define MON_RES 0x02 /* implicit monitoring for RES_LIMITED */

This is the way you get to the warning message in proto_config() (ntp_proto.c):
Code:
	case PROTO_MONITOR:	/* monitoring (monitor) */
		if (value)
			mon_start(MON_ON);
		else {
			mon_stop(MON_ON);
			if (mon_enabled)
				msyslog(LOG_WARNING,
					"restrict: 'monitor' cannot be disabled while 'limited' is enabled");
		}
		break;
You get in here via ntp_config.c's apply_enable_disable():
Code:
		case T_Monitor:
			proto_config(PROTO_MONITOR, enable, 0., NULL);
			break;
So value above would be false if you have monitor disabled. Therefore mon_stop(MON_ON) gets called but afterwards mon_enabled is still non-zero (it's MON_RES).

So how the heck are you guys not seeing this warning message in syslog?

Last edited by thirdm; 05-05-2016 at 04:51 PM. Reason: Give them some formatting
 
Old 05-06-2016, 07:12 AM   #7
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
Quote:
Originally Posted by thirdm View Post
What do you mean by edited default file? I can indeed get rid of the error by removing the limited flag from those restrict lines. But when you say "edited" you mean some other unrelated edits and you really can have disable monitor and restrict limited without a syslog error?
That wasn't real clear, I suppose.

The file supplied with the Slackware NTP package, /etc/ntp.conf, has commented lines for the pool servers:
Code:
#
# NTP server (list one or more) to synchronize with:
#server 0.pool.ntp.org iburst
#server 1.pool.ntp.org iburst
#server 2.pool.ntp.org iburst
#server 3.pool.ntp.org iburst
You need to uncomment "one or more" (I use three).

Also, there are sections that you may want to edit (by adding or deleting the # characters); specifically the sections that control serving time to your LAN.

I just note that using the default file with three server lines uncommented will work just fine; you don't need to fiddle with anything else unless you want to serve time to other machines on your network.

Sorry for the confusion.
 
Old 05-06-2016, 09:45 AM   #8
thirdm
Member
 
Registered: May 2013
Location: Massachusetts
Distribution: Slackware, NetBSD, Debian, 9front
Posts: 317

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by tronayne View Post
I just note that using the default file with three server lines uncommented will work just fine; you don't need to fiddle with anything else unless you want to serve time to other machines on your network.
This is the part I'm surprised about. It seems to me it will work, yes, but with this warning in syslog and with the monitoring statistics gathering enabled. Maybe the confusion here is that I'm considering a warning like this in the log a problem and you're not. But I kind of get the impression you don't see the warning.

If you have restrict default limited ... and disable monitor both set in /etc/ntp.conf, what do you get from the following command? This is what I get after removing the restrict limited flag:

$ /usr/sbin/ntpq -c monstats
enabled: 0x0
...

If I add the limited flag to any restrict line and restart I instead see the following:

$ /usr/sbin/ntpq -c monstats
enabled: 0x2
...

I also find it puzzling that under a comment saying "Don't serve time or stats to anyone else by default" we have this rate limiting feature turned on. If we're not serving clients why rate limit?
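The source walkthrough in post #6 and the monstats readings in post #8 describe one mechanism: a restrict entry with 'limited' sets MON_RES, 'disable monitor' clears only MON_ON, so mon_enabled stays 0x2 and the warning fires. The program below is an added example, not ntpd source and not code posted in this thread. It models that mechanism as a bitmask and runs it over three constructed ntp.conf fragments: the Slackware default quoted above, the same file with 'limited' removed (the fix used here), and a variant that keeps 'limited' and explicitly enables monitor. Two things are assumptions of the model rather than facts from the thread: that the real mon_stop() also frees the client list (omitted here), and that restrict lines are applied before enable/disable lines regardless of their order in the file, which is what the walkthrough implies.

```c
/* Added example, not ntpd source: models the monitor/limited interaction
 * described in this thread and runs it over ntp.conf text. */
#include <stdio.h>
#include <string.h>

#define MON_OFF 0x00   /* no monitoring */
#define MON_ON  0x01   /* monitoring explicitly enabled */
#define MON_RES 0x02   /* implicit monitoring for RES_LIMITED */

struct ntpd_model {
    int mon_enabled;   /* what "ntpq -c monstats" prints as "enabled:" */
    int res_limited;   /* number of restrict entries carrying 'limited' */
    int warned;        /* 1 if the "'monitor' cannot be disabled" warning fires */
};

/* Assumption: reasons are bits, mon_stop() clears only the reason it is given. */
static void mon_start(struct ntpd_model *m, int mode) { m->mon_enabled |= mode; }
static void mon_stop(struct ntpd_model *m, int mode)
{
    if (m->mon_enabled != MON_OFF)
        m->mon_enabled &= ~mode;   /* MON_RES survives mon_stop(MON_ON) */
}

/* inc_res_limited(): first 'limited' restriction switches monitoring on implicitly. */
static void inc_res_limited(struct ntpd_model *m)
{
    if (m->res_limited++ == 0)
        mon_start(m, MON_RES);
}

/* proto_config(PROTO_MONITOR, value): 'enable monitor' (1) / 'disable monitor' (0). */
static void proto_config_monitor(struct ntpd_model *m, int value)
{
    if (value) {
        mon_start(m, MON_ON);
        return;
    }
    mon_stop(m, MON_ON);
    if (m->mon_enabled)            /* still MON_RES: this is the syslog warning */
        m->warned = 1;
}

/* Whole-token match, so 'limited' is not found inside 'unlimited'. */
static int has_token(const char *line, const char *w)
{
    size_t wl = strlen(w), tl;
    for (const char *p = line + strspn(line, " \t\r\n"); *p; p += tl + strspn(p + tl, " \t\r\n")) {
        tl = strcspn(p, " \t\r\n");
        if (tl == wl && strncmp(p, w, wl) == 0)
            return 1;
    }
    return 0;
}

/* Apply a config buffer: pass 0 = restrict lines, pass 1 = enable/disable lines
 * (assumed order; blank and '#' lines are skipped). */
static struct ntpd_model apply_conf(const char *conf)
{
    struct ntpd_model m = { MON_OFF, 0, 0 };
    for (int pass = 0; pass < 2; pass++) {
        for (const char *p = conf; *p; ) {
            size_t len = strcspn(p, "\n");
            char line[512];
            if (len >= sizeof line)
                len = sizeof line - 1;
            memcpy(line, p, len);
            line[len] = '\0';
            p += len + (p[len] == '\n');
            const char *q = line + strspn(line, " \t");
            if (*q == '\0' || *q == '#')
                continue;
            if (pass == 0 && has_token(line, "restrict") && has_token(line, "limited"))
                inc_res_limited(&m);
            if (pass == 1 && has_token(line, "monitor"))
                proto_config_monitor(&m, has_token(line, "enable"));
        }
    }
    return m;
}

/* Constructed samples; the first mirrors the Slackware default quoted above. */
static const char CONF_DEFAULT[] =
    "disable monitor\n"
    "restrict default limited kod nomodify notrap nopeer noquery\n"
    "restrict -6 default limited kod nomodify notrap nopeer noquery\n"
    "#restrict default limited kod nomodify notrap nopeer\n";
static const char CONF_NO_LIMITED[] =   /* the fix used in this thread */
    "disable monitor\n"
    "restrict default kod nomodify notrap nopeer noquery\n"
    "restrict -6 default kod nomodify notrap nopeer noquery\n";
static const char CONF_EXPLICIT_ON[] =  /* keep 'limited', enable monitor on purpose */
    "enable monitor\n"
    "restrict default limited kod nomodify notrap nopeer noquery\n";

int main(void)
{
    const char *names[] = { "default", "no-limited", "explicit" };
    const char *confs[] = { CONF_DEFAULT, CONF_NO_LIMITED, CONF_EXPLICIT_ON };
    for (int i = 0; i < 3; i++) {
        struct ntpd_model m = apply_conf(confs[i]);
        printf("%-11s enabled: 0x%x  limited entries: %d  warning: %s\n",
               names[i], m.mon_enabled, m.res_limited, m.warned ? "yes" : "no");
    }
    return 0;
}
```

The first two cases reproduce the 0x2 and 0x0 readings shown above; the third (0x3, no warning) is the model's extrapolation, not something measured in this thread. Whichever way mon_enabled ends up, monlist is a mode 7 query, so the noquery flag on the default restriction is what keeps untrusted hosts from pulling the client history; on a live host, confirm with the same `ntpq -c monstats` used above rather than trusting the config text.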
 
Old 05-06-2016, 10:53 AM   #9
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1065
No, I do not see the problem you describe (and never have if I remember correctly).

I do enable logging but have abandoned enabling statistics (which are pretty much useless unless you're providing time to the Internet or intranet in a large server farm -- I do provide time to my LAN on a server garden [4 machines including the primary server]). I have always found that simpler is better and I tend to not enable a lot of stuff that I really don't need. When NTP works, it works and that's that.

My configuration for logging and statistics:
Code:
# Log file
logfile /var/log/ntp.log
# Log file config
#logconfig=+clockall +peerall +sysall +syncall

# Statistics
#statsdir /var/log/ntpstats
#statistics loopstats
#filegen loopstats file loops type day link enable
Note that the log file is just the log, no extras (they're commented out) and the statistics are all just commented out. You turn that stuff on and you get lots of information in the logs (and statistics in multiple files), most of it not worth bothering with unless there is a problem with some server somewhere that needs attention -- you can tell if a server has a problem simply by looking at the time on the server (it's probably drifted from your main service, a pretty good indicator).

The "Don't serve time or stats to anyone else" is, simply, more secure. If you're open to the Internet, it is possible, not probable but possible, that some outside script kiddie might just try to get into your system via the NTP ports. Just extra insurance.

Hope this helps some.
 