NTS update

Gary E. Miller gem at rellim.com
Thu Mar 21 21:40:56 UTC 2019


Yo Hal!

On Thu, 21 Mar 2019 13:23:53 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> >> No, it's the far end IP address and the local interface you use to
> >> get there.  
> > Look again:
> > 2019-03-20T18:11:14 ntpd[3117]: NTSs: TCP accept-ed from
> > [2001:470:e815::%3= =3D 589492224]:50860  
> 
> > What IPv6 address do you think that is?  
> 
> Maybe it's truncated?

That would still be broken...

> I haven't figured out what's going on in this area.  The IPv4 stuff
> looks reasonable.  The printout is in libntp.  I don't know how well
> tested that is. There may be a copy that isn't long enough for IPv6
> addresses.  I'll go scan the NTS code.

Thanks.  Funny what you find once you start looking...

> Beware, there are a lot of bad-guys out there poking around.  You
> will get crap in your log files.  Grep your log files for "failed".
> I haven't seen any IPv6 examples yet.

I run fail2ban, and a long blacklist on my gateway router.

Not seen any NTPD abuse yet.  Several hits a second on ssh, pop, imap,
etc.

> If you want a sensible example to check, best to find the log entry
> from when one of your other systems connected.

Been there, done that, still confused.

> [=3D crap]
> > Ah, right.  See attached.  
> 
> It was a big/long gpsd log file.  Was there something in particular I
> was supposed to look for?

Yeah, the munged IPv6 logs that do not tell me the remote IPv6 address.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin