bornheim
Level 7

7.4.2.11.0: "ntpq -p" no longer works

Hi,

we are monitoring our Web Gateway for several parameters. One parameter is that the output of "ntpq -p" should be something meaningful indicating that Web Gateway is connected to one or more NTP servers.

Since the update to 7.4.2.11.0 the output is:

# time ntpq -p

localhost: timed out, nothing received

***Request timed out

real    0m10.011s

user    0m0.000s

sys     0m0.000s

Sniffing around with strace a bit led to

connect(3, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("127.0.0.1")}, 16) = 0

sendto(3, "\26\1\0\1\0\0\0\0\0\0\0\0", 12, 0, NULL, 0) = 12

select(4, [3], NULL, NULL, {5, 0})      = 0 (Timeout)

NTPQ connects to 127.0.0.1:123, sends some data, then waits for an answer and runs into a timeout. On the receiving end (NTPD) I see the data coming in but it does not bother with an answer. The reason is in /etc/ntp.conf:

restrict default kod nomodify notrap nopeer noquery

Removing the "noquery" part and restarting ntpd solves the problem. Actually, a global "noquery" is a bit harsh. If you insist on it then please add

restrict 127.0.0.1

restrict ::1

which lifts the restriction for localhost.

Kind regards,

Robert

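Added example (not code from the thread or from the Web Gateway product): a Python monitoring check that builds the same 12-byte mode-6 READSTAT request seen in the strace output above, decodes what ntpd sends back, and, given ntp.conf text, tells whether the restrict lines leave loopback able to query. The restrict matching is a deliberate simplification covering only 127.0.0.1 and default, and the probe's port, address and timeout are assumptions.

```python
import socket
import struct

# Request captured by strace in the post: "\26\1\0\1\0\0\0\0\0\0\0\0" (octal escapes)
NTPQ_READSTAT = b"\x16\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00"
HEADER = struct.Struct(">BBHHHHH")  # 12-byte NTP control (mode 6) header

def build_control_request(opcode, sequence=1, assoc_id=0):
    """Byte 0: LI=0, VN=2, mode=6 (0x16); byte 1: R/E/M bits clear plus opcode."""
    return HEADER.pack((2 << 3) | 6, opcode & 0x1F, sequence, 0, assoc_id, 0, 0)

def parse_control_header(data):
    """Decode a mode-6 header so a monitor can judge what ntpd sent back."""
    if len(data) < HEADER.size:
        raise ValueError("short NTP control packet")
    b0, b1, seq, status, assoc, offset, count = HEADER.unpack_from(data)
    return {"version": (b0 >> 3) & 7, "mode": b0 & 7,
            "response": bool(b1 & 0x80), "error": bool(b1 & 0x40),
            "more": bool(b1 & 0x20), "opcode": b1 & 0x1F, "sequence": seq,
            "status": status, "assoc_id": assoc, "offset": offset,
            "count": count, "payload": data[HEADER.size:HEADER.size + count]}

def localhost_queries_allowed(ntp_conf):
    """Simplified ntpd restrict matching for loopback only (assumption): an
    explicit 'restrict 127.0.0.1' line overrides the flags on 'restrict default'."""
    flags = {}
    for line in ntp_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "restrict":
            flags[parts[1]] = set(parts[2:])
    for key in ("127.0.0.1", "default"):
        if key in flags:
            return "noquery" not in flags[key]
    return True  # no restrict lines at all: ntpd answers control queries

def probe_local_ntpd(timeout=5.0):
    """Do what 'ntpq -p' does first: send READSTAT to 127.0.0.1:123 and wait.
    Returns 'answered', 'timeout' (the noquery symptom above) or 'error'."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_control_request(1), ("127.0.0.1", 123))
            data, _ = sock.recvfrom(1024)
    except socket.timeout:
        return "timeout"
    except OSError:
        return "error"
    hdr = parse_control_header(data)
    return "answered" if hdr["mode"] == 6 and hdr["response"] else "error"
```

A monitor that alerts on "timeout" rather than on empty "ntpq -p" output distinguishes a blocked control query from a daemon that is running but unsynchronised.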
bornheim
Level 7

Re: 7.4.2.11.0: "ntpq -p" no longer works

Hi,

pushing the topic ... had the same problem when updating to 7.5.

Kind regards,

Robert

rh0
Level 7

Re: 7.4.2.11.0: "ntpq -p" no longer works

The problem with allowing queries from 127.0.0.1 is that you can potentially send packets from external sources with spoofed source IP 127.0.0.1 via UDP. Since there have been multiple vulnerabilities in the past related to status queries we decided to add noquery to the configuration.

Regards,

Ralf

bornheim
Level 7

Re: 7.4.2.11.0: "ntpq -p" no longer works

Hi Ralf,

traffic from 127.0.0.1 shouldn't get through the internet facing router in the first place. A network admin allowing this is a $INSERT_YOUR_FAVORITE_INSULT_HERE.

Anyway: how do you propose we monitor the NTP status? In any corporate environment monitoring the NTP status is crucial to external auditors because they insist that logs are in sync. Actually, I concur.

Consider this a request to expose NTP to a set of configurable IP addresses.

Kind regards,

Robert

rh0
Level 7

Re: 7.4.2.11.0: "ntpq -p" no longer works

Yes, most routers or firewalls would not allow such packets, but we know about deployments where we can't rely on that.

Ideally ntpd would provide a unix domain socket for queries, but I don't think that's implemented. We need to look into the code to find out what other option we might have. May I ask you to open a feature request for this?

Thanks,

Ralf
