Red Hat Bugzilla – Bug 479972
ntpd reveals kernel version on server system
Last modified: 2009-01-14 08:08:43 EST
Description of problem:
If you are allowing other systems to synchronize time from an ntpd timeserver you also automatically give away ntpd server version and the exact kernel version of your server system.
Seems to be the same on Fedora, Redhat 4 and 5.
Steps to Reproduce:
ntpq -c readvar your.ntp.server
processor="i686", system="Linux/2.6.18-92.1.22.el5", leap=00,
There should be a way to turn this behaviour off, or have it turned off permanently.
This can be configured by adding the noquery keyword to the restrict command. The default ntp.conf has it included in the default restrict, so this shouldn't be a problem:
restrict default kod nomodify notrap nopeer noquery
Maybe you have more restrict commands specified in ntp.conf that allow the clients to query the server?
If the noquery option is used then it's no timeserver anymore.
The problem is that if you allow other hosts to synchronize time you must give away the system information too.
This behaviour seems to be compiled into the daemon and cannot be turned off.
It's not good to have the kernel patchlevel on the timeservers accessible for everyone.
One way to solve it might be a patch applied in the ntp source rpm, preventing this information from being sent to the remote server.
No, noquery just denies ntpq and ntpdc queries. See the ntp_acc(5) manpage or documentation in /usr/share/doc/ntp-*.
The default ntp.conf denies the queries and doesn't block serving time.
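An added example, not part of the bug report or of ntp itself: a small audit that reads the restrict lines of an ntp.conf and reports, for a given client address, whether the most specific matching entry still serves time and whether it answers ntpq/ntpdc queries such as readvar. The sample configuration is constructed (the default line from this bug plus two hypothetical extra entries), and the function names are this example's own.

```python
import ipaddress

# Constructed sample: the default line quoted in this bug, plus two
# hypothetical extra restrict lines of the kind that re-enable queries.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""

def parse_restrict(conf_text):
    """Return [(network, flags)] for restrict lines with a numeric address."""
    entries = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        addr, rest, mask = args[0], args[1:], None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        try:
            if addr == "default":
                # Simplification: plain "default" is IPv4, "-6 default" is IPv6.
                net = ipaddress.ip_network("::/0" if "-6" in tokens else "0.0.0.0/0")
            else:
                ip = ipaddress.ip_address(addr)
                bits = bin(int(ipaddress.ip_address(mask))).count("1") if mask else ip.max_prefixlen
                net = ipaddress.ip_network(f"{ip}/{bits}", strict=False)
        except ValueError:
            continue  # hostnames are resolved by ntpd, not by this audit
        entries.append((net, set(rest)))
    return entries

def access_for(conf_text, client):
    """Return (serves_time, answers_queries) for one client address."""
    ip = ipaddress.ip_address(client)
    matches = [(n, f) for n, f in parse_restrict(conf_text)
               if n.version == ip.version and ip in n]
    if not matches:
        return (True, True)  # no matching entry: no restriction flags apply
    _, flags = max(matches, key=lambda m: m[0].prefixlen)
    return (not flags & {"ignore", "noserve"}, not flags & {"ignore", "noquery"})
```

With the sample above, an outside address gets time but no query answers, while the two more specific entries without noquery still answer readvar for their ranges.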