I have a clean install of Debian with the NTP client. I was given settings to secure my NTP client configuration. I know how to add them to the /etc/ntp.conf file but I am not sure if settings need to be merged or overwritten, if order matters, or how duplicate settings are handled.
This is the default /etc/ntp.conf file that comes with the package:
cat /etc/ntp.conf | egrep -v '^#|^$'

driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
These are the settings I was told to use:
#creates file to adjust the default system clock value after a service interruption/restart
driftfile /var/lib/ntp/drift
#access controls to reduce unwanted queries (kod)
#prevent alteration of configuration file (nomodify)
#prevent ntpdc from being used for control message protocol traps (notrap)
#prevent peer queries (nopeer)
#prevent ntpq and ntpdc queries from being answered (noquery)
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
#restrict NTP access to localhost
restrict 127.0.0.1
restrict -6 ::1
#point to NIST time servers use fastest method to collect time
server time.nist.gov iburst
#point to localhost if access is lost to NTP servers/pools
fudge 127.127.1.0 stratum 10
#mitigates CVE-2013-5211
disable monitor
For some of them, like driftfile, I figured out they need to be overwritten. I am not sure about the ones that remain. Are they needed or do I replace them? If I keep them, does order matter?
Based on my understanding, these are the settings I know need to be there based on merging the default options and what I was provided:
# creates file to adjust the default system clock value after a service interruption/restart
driftfile /var/lib/ntp/drift
# access control configuration
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# restrict NTP access to localhost
restrict 127.0.0.1
restrict -6 ::1
# point to NIST time servers use fastest method to collect time
server time.nist.gov iburst
# point to localhost if access is lost to NTP servers/pools
fudge 127.127.1.0 stratum 10
# mitigates CVE-2013-5211
disable monitor
These are the leftover settings from the default file but I'm not sure what to do with them:
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
restrict source notrap nomodify noquery
To add further to John Mahowald's answer: the recommended configuration you were given is old and shouldn't be followed. The default configuration supplied by Debian/Ubuntu is designed to be as secure as possible given the NTP vulnerabilities we know about to date, and you should make the minimal changes to it possible.
The only thing in the proposed configuration which might be significant to you is the selection of NIST's time servers. If you want to use them, you should use the pool directive rather than just server. The pool directive enables ntpd to stop using servers if they are unresponsive or serving bad time, so you should nearly always use it in preference to server. So overall, the only thing you might consider adding to the default configuration is:
The statistics lines you highlighted don't have any effect unless you uncomment this line:
And the last one is very important, because it enables you to use pools:
You should make sure that line is left in place.
If you have a complete set of directives you want to set, just replace the distro's ntp.conf. But you don't need to as they have equivalent security:
Personal annoyances with your proposed NTP config:
A server with address beginning with 127.127.1. is the Undisciplined Local Clock. Its use is not recommended, it does not add anything, confuses people, and orphan mode is better.
You don't need to use the NIST Internet time service to get a reliable clock. You can if you wish, and they appreciate it if you use the time.nist.gov global load balancer. However, the NTP Pool Project takes load off of reference clocks, and performs adequately for many use cases.
The content of driftfile does not add / remove any security, it is simply a location for NTP to store data. Use the distribution default value for it. Otherwise all the left out settings are not needed, they are statistics features that are not needed for normal operation.