Bug 1103485

Summary: 'disable monitor' does not work
Product: Fedora
Component: ntp
Version: 20
Hardware: i686
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: unspecified
Reporter: udo <udovdh>
Assignee: Miroslav Lichvar <mlichvar>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: mlichvar, pertusus
Type: Bug
Doc Type: Bug Fix
Last Closed: 2014-06-02 13:30:45 UTC

Description udo 2014-06-01 12:51:00 UTC
Description of problem:
To mitigate security issues we need to use the 'disable monitor' command in ntp.conf according to info as found at https://isc.sans.org/forums/diary/NTP+reflection+attack/17300.
Yet after changing the config and restarting ntpd the monitor command still works. What is wrong? Config? ntpd?

Version-Release number of selected component (if applicable):
ntp-4.2.6p5-18.fc20.i686

How reproducible:
Just configure ntpd as usual but also add a line with 'disable monitor' in ntp.conf.

Actual results:
monitor command still works

Expected results:
monitor command disabled

Additional info:
# grep -v ^# /etc/ntp.conf


server 127.127.20.0 minpoll 4
fudge 127.127.20.0 flag3 1 flag2 0 flag1 1 time1 0.00000006 time2 0.160

disable monitor

restrict default nomodify notrap nopeer kod limited # notrust
restrict -6 default nomodify notrap nopeer kod limited # notrust

server surfplank2
server ntp.xs4all.nl
server ntp2.xs4all.nl
server ntp0.nl.net
server ntp2.nl.net
server keetweej.vanheusden.com
server ntp.nmi.nl

driftfile /var/lib/ntp/drift
broadcastdelay  0.008
logconfig -syncstatus -sysevents
logfile /dev/log

discard average 5 minimum 2

restrict 127.127.0.0      mask 255.255.0.0  nopeer # internal clocks
restrict 127.0.0.1        mask 255.255.255.255 # accept local network
restrict ::1        		# accept local network
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap nopeer # notrust

statistics loopstats
statsdir /var/log/ntp/
filegen peerstats file peers type day link disable
filegen loopstats file loops type day enable

Comment 1 udo 2014-06-01 12:53:50 UTC
Is https://bugzilla.redhat.com/show_bug.cgi?id=1047855 related?

Comment 2 Miroslav Lichvar 2014-06-02 13:30:45 UTC
The monitoring facility is enabled when a restrict line uses the limited option; it takes precedence over the "disable monitor" directive.

If this is a public NTP server and you can't use noquery in the default restriction, I'd suggest considering removing the limited option; it usually causes more problems than it solves.
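
As an added example (not part of the bug report, ntpd, or its maintainers' code), a small config linter that applies the rule from the comment above: it parses an ntp.conf, strips trailing comments, and reports when 'disable monitor' is overridden by a 'restrict ... limited' line, noting separately whether the default restriction carries noquery. The sample lines are constructed from the reported config, and the function names are my own.

```python
"""Lint an ntp.conf for 'disable monitor' overridden by 'restrict ... limited'."""

# Constructed sample, modelled on the relevant lines of the reported config.
SAMPLE_CONF = """\
disable monitor
restrict default nomodify notrap nopeer kod limited # notrust
restrict -6 default nomodify notrap nopeer kod limited # notrust
restrict 127.0.0.1 mask 255.255.255.255 # accept local network
"""


def parse_directives(conf_text):
    """Yield the token list of every non-blank, non-comment ntp.conf line."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing '# ...' comments
        if line:
            yield line.split()


def check_monitor(conf_text):
    """Report whether the monitoring facility is really off for this config.

    Rule (from the maintainer's comment): any 'restrict' line carrying the
    'limited' option re-enables monitoring and overrides 'disable monitor'.
    'noquery' on the default restriction is reported separately.
    """
    monitor_requested = True  # ntpd's default: monitor is on
    limited_lines, default_noquery = [], False
    for tokens in parse_directives(conf_text):
        keyword, args = tokens[0], tokens[1:]
        if keyword in ("enable", "disable") and "monitor" in args:
            monitor_requested = keyword == "enable"  # last directive wins
        elif keyword == "restrict":
            if "limited" in args:
                limited_lines.append(" ".join(tokens))
            # matches 'restrict default', 'restrict -4 default', 'restrict -6 default'
            if "default" in args[:2] and "noquery" in args:
                default_noquery = True
    warning = None
    if not monitor_requested and limited_lines:
        warning = ("'disable monitor' has no effect: 'limited' is set on "
                   f"{len(limited_lines)} restrict line(s); drop 'limited' "
                   "or add 'noquery' to the default restriction")
    return {
        "disable_monitor_present": not monitor_requested,
        "limited_restrict_lines": limited_lines,
        "default_has_noquery": default_noquery,
        "monitor_active": monitor_requested or bool(limited_lines),
        "warning": warning,
    }
```

Running check_monitor(SAMPLE_CONF) flags both default restrict lines and reports the monitor as still active, which is exactly the behaviour the reporter observed.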

Comment 3 Miroslav Lichvar 2014-06-13 10:57:08 UTC
FWIW, I've proposed to log a warning to syslog when disable monitor doesn't disable the monitoring facility due to restrict limited being used in the config.

http://bugs.ntp.org/show_bug.cgi?id=2612

Comment 4 udo 2014-06-13 16:02:29 UTC
> http://bugs.ntp.org/show_bug.cgi?id=2612

Good idea!