Re: [chrony-users] Disabling peers+dmpeers+monlist



On Mon, Oct 12, 2020 at 02:26:37PM +0100, Dominik Vogt wrote:
> Hi folks,
> 
> some local security manual requires that the commands "peers",
> "dmpeers" and "monlist" are disabled on an ntp server to be set
> up.  While these are mentioned in the ntpdc documentation, there's
> nothing in the chrony* manuals (we use RHEL 8 that comes with
> chrony).
> 
> 1. Are these commands ntpd specific or also supported by chronyd?

The commands (and the whole mode 6/7 protocols) are specific to
ntpd, but chronyc has its own protocol with similar commands, e.g.
sources and clients.
> 
> 2a. If so, how can they be disabled?  Can this be tested using
> chronyc?

The remote access is disabled by default. You would need to configure
chronyd to listen on 0.0.0.0 and/or ::/0 with the bindcmdaddress
directive and then allow some addresses with the cmdallow directive to
actually make chronyd respond to a remote chronyc request. You can
test it with: chronyc -h $ADDR tracking. Normally there should be no
response.

However, unlike the ntpd mode 6/7 protocol, the chronyd<->chronyc
protocol doesn't allow any amplification, so it's not a concern with
respect to the distributed denial-of-service attacks.

-- 
Miroslav Lichvar
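As an added example (not part of this thread and not chrony's own code), the following shell function audits a chrony.conf for the two directives the reply names, bindcmdaddress and cmdallow, and reports whether the command port would answer remote chronyc requests at all. It works purely on the configuration text, so chronyd does not need to be running; the two sample configurations embedded below are constructed for the example, and the hardening check assumes that only loopback addresses or a Unix socket path are acceptable values for bindcmdaddress.

```shell
#!/bin/sh
# Added example, not from the thread: audit a chrony.conf for directives that
# expose the chronyc command port to the network. Constructed samples only.

# Returns 0 when the command port stays on loopback (or a Unix socket) and no
# cmdallow entry exists, 1 otherwise. Findings are printed one per line.
audit_chrony_cmd_access() {
    conf="$1"
    exposed=0
    # Drop comments first so a commented-out directive is not reported.
    binds=$(sed 's/#.*//' "$conf" | awk '$1 == "bindcmdaddress" { print $2 }')
    for addr in $binds; do
        case "$addr" in
            127.0.0.1|::1|/*) ;;   # loopback address or Unix socket path: local only
            *) echo "bindcmdaddress $addr: command port reachable from the network"
               exposed=1 ;;
        esac
    done
    # Any cmdallow line (with or without an address) widens who may send commands.
    if sed 's/#.*//' "$conf" | awk '$1 == "cmdallow"' | grep -q .; then
        sed 's/#.*//' "$conf" | awk '$1 == "cmdallow" { print $0 ": permits remote command access" }'
        exposed=1
    fi
    return "$exposed"
}

# Constructed sample: command port kept on loopback, a commented-out wildcard
# bind that must not be reported.
CHRONY_CONF_DEFAULT=$(mktemp)
cat > "$CHRONY_CONF_DEFAULT" <<'EOF'
server 192.0.2.10 iburst
driftfile /var/lib/chrony/drift
# bindcmdaddress 0.0.0.0
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
EOF

# Constructed sample: the combination the reply says is needed before a
# remote "chronyc -h $ADDR tracking" gets any answer.
CHRONY_CONF_EXPOSED=$(mktemp)
cat > "$CHRONY_CONF_EXPOSED" <<'EOF'
server 192.0.2.10 iburst
bindcmdaddress 0.0.0.0
cmdallow 192.0.2.0/24
EOF

if audit_chrony_cmd_access "$CHRONY_CONF_DEFAULT"; then
    echo "default config: remote command access not configured"
fi
if ! audit_chrony_cmd_access "$CHRONY_CONF_EXPOSED"; then
    echo "exposed config: remote command access configured"
fi
```

Run it against /etc/chrony.conf on the host being audited; a non-zero exit status means the configuration would let chronyd respond to remote chronyc, which is the condition the reply says is off by default. The check deliberately ignores cmddeny, so a config that opens the port broadly and then narrows it with cmddeny is still flagged for manual review.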

