
Unknown peer listed in ntpq -p output

A C

Apr 22, 2022, 2:10:31 PM
Hello,

Recently I was looking at the output of the ntpq -np command on a stratum 2 server I manage and noticed an IP I did not recognize in the output. (The 3 usual stratum 1s were there, but then a fourth one (a stratum 3) was also listed.) That fourth entry is listed as a stratum 3, and the association details show that it is using NTP authentication, so I assume this is a legitimate client that is using a symmetric key to authenticate with my NTP server.

I double checked my /etc/ntp.conf and indeed this IP is not in the NTP configuration file, and appears in the ntpq output some time after the ntpd is restarted.

My ntp stratum 2 server is configured with the "restrict default nomodify notrap nopeer noquery" so I assume that external clients cannot add servers to the list using tools such as ntpq/ntpdc.

Is there any other method that someone could use to modify the list of peers that my ntpq command reports (maybe undocumented)?
If a client is using symmetric key authentication with my server, would this change the restrictions in any way, possibly allowing that client to make modifications to my running ntpd?

I'm not sure what else I should do at this point in order to troubleshoot this... :-(

I'm running ntpd 4.2.6p5, on CentOS 7.9.2009


Thanks,
Andre

Miroslav Lichvar

Apr 25, 2022, 3:44:37 AM
On 2022-04-22, A C <443...@gmail.com> wrote:
> Recently I was looking at the output of the ntpq -np command on a
> stratum 2 server I manage and noticed an IP I did not recognize in
> the output. (The 3 usual stratum 1s were there, but then a fourth one
> (a stratum 3) was also listed.) That fourth entry is listed as a
> stratum 3, and the association details show that it is using NTP
> authentication, so I assume this is a legitimate client that is using
> a symmetric key to authenticate with my NTP server.

> My ntp stratum 2 server is configured with the "restrict default
> nomodify notrap nopeer noquery" so I assume that external clients
> cannot add servers to the list using tools such as ntpq/ntpdc.

If they have a valid key, they can create symmetric associations
with your server by specifying your server as a peer in their config.

You would need to have the "noepeer" option in the restrictions to
prevent that, but this option is not supported in the ntp package you
are using.

--
Miroslav Lichvar
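
A check for the situation discussed in this thread, added here as an example and not code from either poster: it compares `ntpq -np` output against the `server`/`peer` lines of `ntp.conf` and reports associations the configuration does not account for. The sample output and all addresses are constructed, and the script assumes `ntp.conf` lists numeric addresses.

```python
# Added example: flag ntpq -np associations that ntp.conf does not configure.
import ipaddress

# Constructed sample config (documentation addresses, not from the thread).
SAMPLE_CONF = """\
restrict default nomodify notrap nopeer noquery
server 192.0.2.10 iburst
server 192.0.2.11 iburst
server 192.0.2.12 iburst   # third stratum 1
"""

# Constructed sample of `ntpq -np` output; column values are illustrative.
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377    0.512    0.021   0.010
+192.0.2.11      .PPS.            1 u   12   64  377    0.634   -0.015   0.022
+192.0.2.12      .GPS.            1 u   50   64  377    0.701    0.033   0.018
 198.51.100.7    192.0.2.10       3 s   20   64  377    1.201    0.410   0.100
"""

def configured_addresses(conf_text):
    """Numeric addresses named on server/peer lines of ntp.conf text."""
    found = set()
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) >= 2 and fields[0] in ("server", "peer"):
            try:
                found.add(ipaddress.ip_address(fields[1]))
            except ValueError:
                pass  # hostname: resolve it separately before comparing
    return found

def unconfigured_associations(ntpq_text, conf_text):
    """Return (address, stratum) for each row that ntp.conf does not explain."""
    known = configured_addresses(conf_text)
    unknown = []
    for line in ntpq_text.splitlines():
        fields = line[1:].split()   # column 0 holds the tally code
        if len(fields) < 10:
            continue                # separator or truncated line
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                # header row or non-numeric remote
        if addr not in known:
            unknown.append((str(addr), int(fields[2])))
    return unknown

if __name__ == "__main__":
    for addr, stratum in unconfigured_associations(SAMPLE_NTPQ, SAMPLE_CONF):
        print(f"unconfigured association: {addr} (stratum {stratum})")
```

To run it against a live server, pass the captured output of `ntpq -np` and the contents of `/etc/ntp.conf` in place of the two sample strings.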