Changing the access defaults

Hal Murray hmurray at megapathdsl.net
Fri Oct 7 02:09:08 UTC 2016


esr at thyrsus.com said:
> Out of the box, ntpd ships with anyone on the net able to do anything to
> your server - query it, KOD it, peer with it, modify its configuration
> with ntpq, etc.

No.

It makes sense to let people query your server by default.  (but see below)

I think the peer stuff needs a password by default.  There is a way to 
disable that.  I'll look it up if you can't find it.

It takes a password to modify the config and such.  There is something 
similar to "trusted" that tells it which password(s?) is/are valid to use for 
that.

The real reason for all the restrict stuff was that ntpd was used to DDoS other 
systems.  Really old systems made great amplifiers.  I think the current code 
is OK.  It's UDP, so you can use it to redirect attacks, but I don't think a 
default no-restrict system can do much amplification.

It might make sense for the default configuration to not answer any 
unsolicited packets.  That would prevent any use as a DDoS redirector and 
would work fine on most client-only setups at the cost of making things 
harder to monitor and debug.


> 2. We could drop that boilerplate from the configs we ship.  That's a good
> thing, it means less to explain in our HOWTOs and less detail for newbies to
> be confused by. 

No, you still have to explain that stuff.  You are just explaining different 
things to different people.

The default config would have to have a commented out restrict line that 
turned it back into a server and a comment saying uncomment the next line if 
you want this system to be a server.


-- 
These are my opinions.  I hate spam.
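
An auditor for the access classes discussed in this thread (serve, query, modify, peer), as an added example that is not part of the original message or of the project's code: it reads ntp.conf text and lists what the active `restrict default` lines leave open to arbitrary hosts. The flag meanings are assumed from the classic ntpd restrict documentation, and the sample configurations and the host name in them are constructed.

```python
# Added example (not from the thread): which access classes do the
# `restrict default` lines of an ntp.conf leave open to arbitrary hosts?
# Flag meanings are assumed from the classic ntpd restrict documentation.
BLOCKED_BY = {
    "time service": {"ignore", "noserve"},
    "ntpq queries": {"ignore", "noquery"},
    # restrict is only one gate: modification also needs a valid key
    "ntpq modification": {"ignore", "noquery", "nomodify"},
    "unauthenticated peering": {"ignore", "nopeer"},
}

def default_restrict_lines(conf_text):
    """Return one flag set per active `restrict default` line."""
    found = []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if not words or words[0] != "restrict":
            continue
        # the address-family qualifier may precede the address
        args = [w for w in words[1:] if w not in ("-4", "-6")]
        if args and args[0] == "default":
            found.append(set(args[1:]))
    return found

def open_by_default(conf_text):
    """List access classes that at least one default entry leaves open."""
    # No restrict line at all means an unrestricted default entry.
    entries = default_restrict_lines(conf_text) or [set()]
    return [name for name, blockers in BLOCKED_BY.items()
            if any(not (flags & blockers) for flags in entries)]

# Constructed sample configurations.
NO_RESTRICT = "server ntp.example.net iburst\n"
BOILERPLATE = ("restrict default kod limited nomodify nopeer noquery\n"
               "restrict 127.0.0.1\n")
# Closed default with the server line left commented out.
CLIENT_ONLY = ("restrict default ignore\n"
               "# uncomment the next line if this system is a server\n"
               "# restrict default kod limited nomodify nopeer noquery\n")

if __name__ == "__main__":
    for label, conf in [("no restrict lines", NO_RESTRICT),
                        ("restrict boilerplate", BOILERPLATE),
                        ("closed default", CLIENT_ONLY)]:
        print(f"{label}: {open_by_default(conf) or 'nothing'}")
```
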




