4 Replies Latest reply on Oct 29, 2015 7:33 AM by rh0

    7.4.2.11.0: "ntpq -p" no longer works

    bornheim

      Hi,

      we are monitoring our Web Gateway for several parameters. One parameter is that the output of "ntpq -p" should be something meaningful indicating that Web Gateway is connected to one or more NTP servers.

      Since the update to 7.4.2.11.0 the output is:

      # time ntpq -p

      localhost: timed out, nothing received

      ***Request timed out

      real    0m10.011s
      user    0m0.000s
      sys     0m0.000s

      Sniffing around with strace a bit led to

      connect(3, {sa_family=AF_INET, sin_port=htons(123), sin_addr=inet_addr("127.0.0.1")}, 16) = 0
      sendto(3, "\26\1\0\1\0\0\0\0\0\0\0\0", 12, 0, NULL, 0) = 12
      select(4, [3], NULL, NULL, {5, 0})      = 0 (Timeout)

      NTPQ connects to 127.0.0.1:123, sends some data, then waits for an answer and runs into a timeout. On the receiving end (NTPD) I see the data coming in but it does not bother with an answer. The reason is in /etc/ntp.conf:

      restrict default kod nomodify notrap nopeer noquery

      Removing the "noquery" part and restarting ntpd solves the problem. Actually, a global "noquery" is a bit harsh. If you insist on it then please add

      restrict 127.0.0.1
      restrict ::1

      which lifts the restriction for localhost.

      Kind regards,

      Robert
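As an added illustration (not code from this thread or from the Web Gateway product), the following Python models how ntpd picks the restrict entry for a packet's source address and which flag drops which NTP mode, and decodes the leading bytes of the ntpq datagram shown in the strace above. The most-specific-match rule and the noquery/noserve semantics are taken from the ntpd documentation as I understand it; the "mask" and -4/-6 forms of restrict are deliberately not handled, and the two configurations are constructed from the lines quoted in the post.

```python
import ipaddress

# ntpd "restrict" flags modelled here: those in the thread plus noserve and ignore.
RESTRICT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery", "noserve", "ignore"}

def parse_restrict(conf_text):
    """Collect (network, flags) from the restrict lines of an ntp.conf text.
    Only 'default' and single-host forms are handled (no 'mask', no -4/-6)."""
    entries = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        flags = {f for f in parts[2:] if f in RESTRICT_FLAGS}
        if parts[1] == "default":
            # "default" means 0.0.0.0/0 and ::/0: the least specific possible match
            entries += [(ipaddress.ip_network("0.0.0.0/0"), flags),
                        (ipaddress.ip_network("::/0"), flags)]
        else:
            entries.append((ipaddress.ip_network(parts[1]), flags))  # host, /32 or /128
    return entries

def effective_flags(entries, source_ip):
    """ntpd applies the most specific matching entry, so a bare 'restrict 127.0.0.1'
    (a /32 with no flags at all) overrides the flags of 'restrict default'."""
    src = ipaddress.ip_address(source_ip)
    matches = [(n, f) for n, f in entries if n.version == src.version and src in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else set()

def packet_allowed(conf_text, source_ip, mode):
    """Would ntpd answer an NTP packet of this mode from source_ip?
    noquery drops only modes 6/7 (control/private queries, what ntpq sends);
    noserve drops the rest (mode 3 client time requests); ignore drops everything."""
    flags = effective_flags(parse_restrict(conf_text), source_ip)
    if "ignore" in flags:
        return False
    return ("noquery" if mode in (6, 7) else "noserve") not in flags

def decode_ntp_header(pkt):
    """(version, mode, opcode) from the first two bytes; for mode 6 the low five
    bits of byte 1 are the control opcode, 1 being READSTAT as used by ntpq -p."""
    version, mode = (pkt[0] >> 3) & 0x7, pkt[0] & 0x7
    return version, mode, (pkt[1] & 0x1F if mode == 6 else None)

# Constructed inputs: the restrict line the post quotes and the fix it proposes.
WG_CONF = "restrict default kod nomodify notrap nopeer noquery\n"
FIXED_CONF = WG_CONF + "restrict 127.0.0.1\nrestrict ::1\n"
# Leading bytes of the datagram in the strace above, "\26\1\0\1" in octal escapes.
NTPQ_PROBE = b"\x16\x01\x00\x01" + bytes(8)
```

Running packet_allowed for mode 6 versus mode 3 shows why only ntpq times out while time synchronisation itself keeps working under the shipped configuration.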

        • 1. Re: 7.4.2.11.0: "ntpq -p" no longer works
          bornheim

          Hi,

          pushing the topic ... had the same problem when updating to 7.5.

          Kind regards,

          Robert

          • 2. Re: 7.4.2.11.0: "ntpq -p" no longer works
            rh0

            The problem with allowing queries from 127.0.0.1 is that you can potentially send packets from external sources with spoofed source IP 127.0.0.1 via UDP. Since there have been multiple vulnerabilities in the past related to status queries we decided to add noquery to the configuration.

            Regards,

            Ralf

            • 3. Re: 7.4.2.11.0: "ntpq -p" no longer works
              bornheim

              Hi Ralf,

              traffic from 127.0.0.1 shouldn't get through the internet facing router in the first place. A network admin allowing this is a $INSERT_YOUR_FAVORITE_INSULT_HERE.

              Anyway: how do you propose we monitor the NTP status? In any corporate environment monitoring the NTP status is crucial to external auditors because they insist that logs are in sync. Actually, I concur.

              Consider this a request to expose NTP to a set of configurable IP addresses.

              Kind regards,

              Robert

              • 4. Re: 7.4.2.11.0: "ntpq -p" no longer works
                rh0

                Yes, most routers or firewalls would not allow such packets, but we know about deployments where we can't rely on that.

                Ideally ntpd would provide a unix domain socket for queries, but I don't think that's implemented. We need to look into the code to find out what other option we might have. May I ask you to open a feature request for this?

                Thanks,

                Ralf