Bug 1103485 - 'disable monitor' does not work
Summary: 'disable monitor' does not work
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: ntp
Version: 20
Hardware: i686
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Lichvar
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-01 12:51 UTC by udo
Modified: 2014-06-13 16:02 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2014-06-02 13:30:45 UTC
Type: Bug
Embargoed:



Description udo 2014-06-01 12:51:00 UTC
Description of problem:
To mitigate security issues we need to use the 'disable monitor' command in ntp.conf according to info as found at https://isc.sans.org/forums/diary/NTP+reflection+attack/17300.
Yet after changing the config and restarting ntpd the monitor command still works. What is wrong? Config? ntpd?

Version-Release number of selected component (if applicable):
ntp-4.2.6p5-18.fc20.i686

How reproducible:
Just configure ntpd as usual but also add a line with 'disable monitor' in ntp.conf.

Actual results:
monitor command still works

Expected results:
monitor command disabled

Additional info:
# grep -v ^# /etc/ntp.conf


server 127.127.20.0 minpoll 4
fudge 127.127.20.0 flag3 1 flag2 0 flag1 1 time1 0.00000006 time2 0.160

disable monitor

restrict default nomodify notrap nopeer kod limited # notrust
restrict -6 default nomodify notrap nopeer kod limited # notrust

server surfplank2
server ntp.xs4all.nl
server ntp2.xs4all.nl
server ntp0.nl.net
server ntp2.nl.net
server keetweej.vanheusden.com
server ntp.nmi.nl

driftfile /var/lib/ntp/drift
broadcastdelay  0.008
logconfig -syncstatus -sysevents
logfile /dev/log

discard average 5 minimum 2

restrict 127.127.0.0      mask 255.255.0.0  nopeer # internal clocks
restrict 127.0.0.1        mask 255.255.255.255 # accept local network
restrict ::1        		# accept local network
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap nopeer # notrust

statistics loopstats
statsdir /var/log/ntp/
filegen peerstats file peers type day link disable
filegen loopstats file loops type day enable

Comment 1 udo 2014-06-01 12:53:50 UTC
Is https://bugzilla.redhat.com/show_bug.cgi?id=1047855 related?

Comment 2 Miroslav Lichvar 2014-06-02 13:30:45 UTC
The monitoring facility is enabled when a restrict line uses the limited option; that takes precedence over the "disable monitor" directive.

If this is a public NTP server and you can't use noquery in the default restriction, I'd suggest considering removing the limited option; it usually causes more problems than it solves.
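A quick way to catch this conflict before restarting ntpd is to check the config for "disable monitor" together with any "restrict ... limited" line. The following POSIX shell check is an added example (not part of this bug report or of the ntp project); the two sample configs it writes are constructed, minimal versions of the reporter's setup.

```shell
#!/bin/sh
# Added example: report whether "disable monitor" in an ntp.conf is actually
# effective, or whether a "restrict ... limited" line overrides it (comment 2).
# Return 0 = monitor really disabled, 1 = monitor still enabled / conflict.

# Strip full-line and trailing '#' comments, leading whitespace and blank lines.
ntp_effective_lines() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1"
}

check_monitor_disabled() {
    conf="$1"
    # "disable" may carry several flags, e.g. "disable auth monitor".
    if ! ntp_effective_lines "$conf" |
         grep -Eq '^disable([[:space:]]+[a-z]+)*[[:space:]]+monitor([[:space:]]|$)'; then
        echo "monitor NOT disabled: no 'disable monitor' directive in $conf"
        return 1
    fi
    # Any restrict line with the "limited" flag re-enables the monitor facility.
    if ntp_effective_lines "$conf" |
         grep -Eq '^restrict[[:space:]].*[[:space:]]limited([[:space:]]|$)'; then
        echo "monitor NOT disabled: 'disable monitor' is overridden by:"
        ntp_effective_lines "$conf" | grep -E '^restrict[[:space:]].*[[:space:]]limited([[:space:]]|$)'
        return 1
    fi
    echo "monitor disabled: 'disable monitor' present and no 'restrict ... limited' in $conf"
    return 0
}

# Constructed sample configs (not the reporter's real file); prints the directory.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/ntp-bug.conf" <<'EOF'
disable monitor
restrict default nomodify notrap nopeer kod limited # notrust
restrict -6 default nomodify notrap nopeer kod limited # notrust
restrict 127.0.0.1
server ntp.example.org
EOF
    # Same config with "limited" removed (and "kod", which only acts with "limited").
    cat > "$dir/ntp-fixed.conf" <<'EOF'
disable monitor
restrict default nomodify notrap nopeer
restrict -6 default nomodify notrap nopeer
restrict 127.0.0.1
server ntp.example.org
EOF
    echo "$dir"
}

SAMPLES=$(write_samples)
check_monitor_disabled "$SAMPLES/ntp-bug.conf" || true
check_monitor_disabled "$SAMPLES/ntp-fixed.conf" || true
```

Run it against a real file with `check_monitor_disabled /etc/ntp.conf`; a non-zero exit means the monitor facility is still reachable.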

Comment 3 Miroslav Lichvar 2014-06-13 10:57:08 UTC
FWIW, I've proposed logging a warning to syslog when disable monitor doesn't disable the monitoring facility because restrict limited is used in the config.

http://bugs.ntp.org/show_bug.cgi?id=2612

Comment 4 udo 2014-06-13 16:02:29 UTC
> http://bugs.ntp.org/show_bug.cgi?id=2612

Good idea!

