C. Jon Larsen wrote: [snip]
> It's interesting to hear what other folks are doing. I had assumed folks normally don't run ntpd on each and every server and that ntpdate + cron was much preferred; maybe I am off-base.
After the last "big" xntpd vulnerability a few years ago, I went through and made sure that I had the permissions set appropriately,

    restrict <server1> noquery nomodify
    restrict <server2> noquery nomodify
    ...
    restrict 127.0.0.1 nomodify
    restrict default ignore

on UNIXen servers. Of course, I upgraded my daemons where possible, but the vulnerability occurred late enough in the message processing that the appropriate restrictions prevented exploit (the packet was dropped before the vulnerable code was reached).

Of course, there still is the potential for vulnerabilities very, very early in message processing, or in spoofed query responses if someone knows what servers I use and is behind the firewall.

But overall, I like it much better than what the UNIX admin here used to do,

    0 2 * * * rdate timehost

-- 
Crist J. Clark                                crist.clark@globalstar.com
Globalstar Communications                                (408) 933-4387
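The restrict scheme in the post above (a per-source line with noquery nomodify, a loopback exemption, and restrict default ignore as the catch-all) is easy to get subtly wrong: forget the per-server line and "restrict default ignore" silently drops your own time source's replies; forget the loopback line and ntpq on the box stops working. The following is an added example, not code from the original message or from the ntp distribution: a small Python lint that parses an ntp.conf and reports those gaps. The two embedded configs are constructed samples, the hostnames time1.example.net / time2.example.net are placeholders, and the checker assumes restrict targets are written with exactly the same token as the matching server line (it does not resolve names or apply masks).

```python
"""Lint an ntp.conf for the restrict coverage described in the post.

Added example (not part of the original message). Assumptions: restrict
targets are compared as literal tokens against server/peer hosts, and
'mask x.x.x.x' arguments are stripped rather than evaluated.
"""

# A time source may exchange time packets but must not be allowed to run
# ntpq/ntpdc queries or alter runtime state.
REQUIRED_FLAGS = {"noquery", "nomodify"}

# Constructed sample: the common default-open configuration.
WEAK_CONF = """
driftfile /var/lib/ntp/drift
server time1.example.net
server time2.example.net
"""

# Constructed sample following the scheme from the post.
HARDENED_CONF = """
driftfile /var/lib/ntp/drift
server time1.example.net
server time2.example.net
restrict time1.example.net noquery nomodify
restrict time2.example.net noquery nomodify
restrict 127.0.0.1 nomodify
restrict default ignore
"""


def parse_ntp_conf(text):
    """Return (list of server/peer hosts, dict of restrict target -> flag set)."""
    servers = []
    restricts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        kw, *args = line.split()
        if kw in ("server", "peer") and args:
            servers.append(args[0])
        elif kw == "restrict" and args:
            args = [a for a in args if a not in ("-4", "-6")]  # address-family selectors
            target, rest = args[0], args[1:]
            flags = set()
            i = 0
            while i < len(rest):
                if rest[i] == "mask":             # 'mask <addr>' is not a flag
                    i += 2
                    continue
                flags.add(rest[i])
                i += 1
            restricts.setdefault(target, set()).update(flags)
    return servers, restricts


def audit_restrictions(text):
    """Return a list of human-readable findings; empty list means the config passes."""
    servers, restricts = parse_ntp_conf(text)
    findings = []
    default = restricts.get("default")
    default_ignores = default is not None and "ignore" in default

    if default is None:
        findings.append("no 'restrict default' line: any host may query or modify this ntpd")
    elif not default_ignores and not REQUIRED_FLAGS <= default:
        findings.append("'restrict default' is neither 'ignore' nor noquery nomodify")

    for host in servers:
        flags = restricts.get(host)
        if flags is None:
            if default_ignores:
                findings.append(f"{host}: no restrict line, so 'restrict default ignore' drops its replies")
            elif default is None or not REQUIRED_FLAGS <= default:
                findings.append(f"{host}: inherits the permissive default restriction")
            continue
        if "ignore" in flags:
            findings.append(f"{host}: restricted with 'ignore'; time from this source is dropped")
        else:
            missing = REQUIRED_FLAGS - flags
            if missing:
                findings.append(f"{host}: restrict line is missing {sorted(missing)}")

    # With a default of 'ignore', the loopback needs its own exemption or local ntpq fails.
    if default_ignores:
        lo = restricts.get("127.0.0.1")
        if lo is None or "ignore" in lo:
            findings.append("loopback not exempted from 'restrict default ignore'; local ntpq will fail")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_restrictions(conf) or 'OK'}")
```

Note that the restrict lines are defence in depth, not a patch: as the post says, they only help when the vulnerable code path sits behind the access check, and they do nothing against a forged reply that carries the address of a listed server.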