Re: [chrony-users] Run chrony without acting as a NTP server

[ Thread Index | Date Index | More Archives ]

On Wed, 8 Jan 2014, wilhelm schuster wrote:

On Wed, Jan 8, 2014 at 7:56 PM, Bill Unruh <unruh@xxxxxxxxxxxxxx> wrote:
Why does it matter? Anyway, look at the deny
command. deny all

Thank you for the tip.

An open port does not mean anything except to tell the system
"If some packet has that port address, send it to chrony for
taking care of it."

That is right - it might not be a problem. I was just cautious about having
open ports (maybe there is a security hole on chrony) and also was
comparing chrony to openntpd which one can configure to not listen on any
network interface.

Ssure, it is certainly something to worry about. However, chrony operates with
a very well defined packet structure, and throws away anything that does not
comply with that structure. AFAIK no security hole has been found in chrony.
That of course does not mean that nothing could be. There are two things--
unless you are running a pure local refclock system, chrony needs access to
the net. Secondly, if there is something in the configuration of chrony itself
then in order to apply that configuration, chrony itself must have already
received that packet to examine. Ie, the port must already be open, and the OS
delivering stuff to chrony.

I do not think that there is anything you can do to tell chrony not to listen
to port 123, but there may be and I have forgotten.

Note that you CAN use the port directive to tell chrony to listen to
a non-standard port, rather than 123. Thus noone else in the world would then
know which port to attack. With the directive port 0 not even you would know,
since chrony would ask the kernel for a random port.

Anyway, thank you for your help.

Sincerely, Wilhelm Schuster.

William G. Unruh   |  Canadian Institute for|     Tel: +1(604)822-3273
Physics&Astronomy  |     Advanced Research  |     Fax: +1(604)822-5324
UBC, Vancouver,BC  |   Program in Cosmology |     unruh@xxxxxxxxxxxxxx
Canada V6T 1Z1     |      and Gravity       |

To unsubscribe email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject. For help email chrony-users-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.

Mail converted by MHonArc 2.6.19+