Re: [chrony-users] Disabling peers+dmpeers+monlist
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] Disabling peers+dmpeers+monlist
- From: Miroslav Lichvar <mlichvar@xxxxxxxxxx>
- Date: Mon, 12 Oct 2020 15:39:24 +0200
On Mon, Oct 12, 2020 at 02:26:37PM +0100, Dominik Vogt wrote:
> Hi folks,
>
> some local security manual requires that the commands "peers",
> "dmpeers" and "monlist" are disabled on an ntp server to be set
> up. While these are mentioned in the ntpdc documentation, there's
> nothing in the chrony* manuals (we use RHEL 8 that comes with
> chrony).
>
> 1. Are these commands ntpd specific or also supported by chronyd?
The commands (and the whole mode 6/7 protocols) are specific to
ntpd, but chronyc has its own protocol with similar commands, e.g.
sources and clients.
>
> 2a. If so, how can they be disabled? Can this be tested using
> chronyc?
The remote access is disabled by default. You would need to configure
chronyd to listen on 0.0.0.0 and/or ::/0 with the bindcmdaddress
directive and then allow some addresses with the cmdallow directive to
actually make chronyd respond to a remote chronyc request. You can
test it with: chronyc -h $ADDR tracking. Normally there should be no
response.
However, unlike the ntpd mode 6/7 protocol, the chronyd<->chronyc
protocol doesn't allow any amplification, so it's not a concern with
respect to the distributed denial-of-service attacks.
--
Miroslav Lichvar
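The reply above says remote chronyc access needs two things at once: a bindcmdaddress that is not loopback (or a Unix socket path) and at least one cmdallow directive. The following is an added example, not code from the chrony project or from either poster: a small POSIX shell audit that reads a chrony.conf and reports whether those two conditions are both met, run here against two constructed sample configs written to temp files. The sample file contents, the function names and the temp-file handling are assumptions for the illustration; the directive names are chrony's own.

```shell
#!/bin/sh
# Added example: static check of a chrony.conf for remote chronyc command access.
# Remote access requires BOTH a non-loopback, non-socket bindcmdaddress AND a
# cmdallow directive; with either missing, chronyd answers only on localhost /
# its Unix socket. The configs below are constructed for this example.

CONF_DEFAULT=$(mktemp)
CONF_REMOTE=$(mktemp)
trap 'rm -f "$CONF_DEFAULT" "$CONF_REMOTE"' EXIT

# Constructed sample: RHEL 8-style defaults, no command-port exposure.
cat > "$CONF_DEFAULT" <<'EOF'
# Use public servers from the pool.ntp.org project.
pool 2.pool.ntp.org iburst
driftfile /var/lib/chrony/drift
keyfile /etc/chrony.keys
EOF

# Constructed sample: command port opened to the world and a subnet allowed.
cat > "$CONF_REMOTE" <<'EOF'
pool 2.pool.ntp.org iburst
bindcmdaddress 0.0.0.0
bindcmdaddress ::
cmdallow 10.0.0.0/8
EOF

# Print directives only: chrony treats lines starting with #, %, ; or ! as comments.
conf_directives() {
    sed -e '/^[[:space:]]*[#%;!]/d' -e '/^[[:space:]]*$/d' "$1"
}

# 0 if the command socket is bound to something other than loopback or a
# Unix socket path (bindcmdaddress /path/to/sock is a local-only binding).
cmd_bound_remotely() {
    conf_directives "$1" | awk '
        $1 == "bindcmdaddress" && $2 != "127.0.0.1" && $2 != "::1" && $2 !~ /^\// { found = 1 }
        END { exit found ? 0 : 1 }'
}

# 0 if any cmdallow directive is present (without one, chronyd answers nobody remotely).
cmd_allowed() {
    conf_directives "$1" | awk '$1 == "cmdallow" { found = 1 } END { exit found ? 0 : 1 }'
}

# 0 (exposed) only when both conditions from the reply hold.
chrony_remote_cmd_exposed() {
    cmd_bound_remotely "$1" && cmd_allowed "$1"
}

for f in "$CONF_DEFAULT" "$CONF_REMOTE"; do
    if chrony_remote_cmd_exposed "$f"; then
        echo "$f: remote chronyc command access ENABLED"
    else
        echo "$f: remote chronyc command access disabled"
    fi
done
```

On a live host the static check is complemented by the runtime test given in the reply, `chronyc -h $ADDR tracking` from another machine, which should get no response when the config is in the default state.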