ntp_acc - Access Control Options



The ntpd daemon implements a general purpose address/mask based restriction list. The list contains address/match entries sorted first by increasing address values and and then by increasing mask values. A match occurs when the bitwise AND of the mask and the packet source address is equal to the bitwise AND of the mask and address in the list. The list is searched in order with the last match found defining the restriction flags associated with the entry. Additional information and examples can be found in the Notes on Configuring NTP and Setting up a NTP Subnet page. The restriction facility was implemented in conformance with the access policies for the original NSFnet backbone time servers. Later the facility was expanded to deflect cryptographic and clogging attacks. While this facility may be useful for keeping unwanted or broken or malicious clients from congesting innocent servers, it should not be considered an alternative to the NTP authentication facilities. Source address based restrictions are easily circumvented by a determined cracker.

Clients can be denied service because they are explicitly included in the restrict list created by the restrict command or implicitly as the result of cryptographic or rate limit violations. Cryptographic violations include certificate or identity verification failure; rate limit violations generally result from defective NTP implementations that send packets at abusive rates. Some violations cause denied service only for the offending packet, others cause denied service for a timed period and others cause the denied service for an indefinate period. When a client or network is denied access for an indefinate period, the only way at present to remove the restrictions is by restarting the server.


Ordinarily, packets denied service are simply dropped with no further action except incrementing statistics counters. Sometimes a more proactive response is needed, such as a server message that explicitly requests the client to stop sending and leave a message for the system operator. A special packet format has been created for this purpose called the "kiss-o’-death" (KoD) packet. KoD packets have the leap bits set unsynchronized and stratum set to zero and the reference identifier field set to a four-byte ASCII code. If the noserve or notrust flag of the matching restrict list entry is set, the code is "DENY"; if the limited flag is set and the rate limit is exceeded, the code is "RATE". Finally, if a cryptographic violation occurs, the code is "CRYP".

A client receiving a KoD performs a set of sanity checks to minimize security exposure, then updates the stratum and reference identifier peer variables, sets the access denied (TEST4) bit in the peer flash variable and sends a message to the log. As long as the TEST4 bit is set, the client will send no further packets to the server. The only way at present to recover from this condition is to restart the protocol at both the client and server. This happens automatically at the client when the association times out. It will happen at the server only if the server operator cooperates.


discard [ average avg ][ minimum min ] [ monitor prob ]

Set the parameters of the limited facility which protects the server from client abuse. The average subcommand specifies the minimum average packet spacing, while the minimum subcommand specifies the minimum packet spacing. Packets that violate these minima are discarded and a kiss-o’-death packet returned if enabled. The default minimum average and minimum are 5 and 2, respectively. The monitor subcommand specifies the probability of discard for packets that overflow the rate-control window.

restrict address [mask mask] [flag][...]

The address argument expressed in dotted-quad form is the address of a host or network. Alternatively, the address argument can be a valid host DNS name. The mask argument expressed in dotted-quad form defaults to, meaning that the address is treated as the address of an individual host. A default entry (address, mask is always included and is always the first entry in the list. Note that text string default, with no mask option, may be used to indicate the default entry. In the current implementation, flag always restricts access, i.e., an entry with no flags indicates that free access to the server is to be given. The flags are not orthogonal, in that more restrictive flags will often make less restrictive ones redundant. The flags can generally be classed into two catagories, those which restrict time service and those which restrict informational queries and attempts to do run-time reconfiguration of the server. One or more of the following flags may be specified:


Deny packets of all kinds, including ntpq and ntpdc queries.


If this flag is set when an access violation occurs, a kiss-o’-death (KoD) packet is sent. KoD packets are rate limited to no more than one per second. If another KoD packet occurs within one second after the last one, the packet is dropped


Deny service if the packet spacing violates the lower limits specified in the discard command. A history of clients is kept using the monitoring capability of ntpd. Thus, monitoring is always active as long as there is a restriction entry with the limited flag.


Declare traps set by matching hosts to be low priority. The number of traps a server can maintain is limited (the current limit is 3). Traps are usually assigned on a first come, first served basis, with later trap requestors being denied service. This flag modifies the assignment algorithm by allowing low priority traps to be overridden by later requests for normal priority traps.


Deny ntpq and ntpdc queries which attempt to modify the state of the server (i.e., run time reconfiguration). Queries which return information are permitted.


Deny ntpq and ntpdc queries. Time service is not affected.


Deny packets which would result in mobilizing a new association. This includes broadcast, symmetric-active and manycast client packets when a configured association does not exist.


Deny all packets except ntpq and ntpdc queries.


Decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdq control message protocol which is intended for use by remote event logging programs.


Deny packets unless the packet is cryptographically authenticated.


This is actually a match algorithm modifier, rather than a restriction flag. Its presence causes the restriction entry to be matched only if the source port in the packet is the standard NTP UDP port (123). Both ntpport and non-ntpport may be specified. The ntpport is considered more specific and is sorted later in the list.


Deny packets that do not match the current NTP version.

Default restriction list entries with the flags ignore, interface, ntpport, for each of the local host’s interface addresses are inserted into the table at startup to prevent the server from attempting to synchronize to its own time. A default entry is also always present, though if it is otherwise unconfigured; no flags are associated with the default entry (i.e., everything besides your own NTP server is unrestricted).



Primary source of documentation: /usr/share/doc/ntp-*

This file was automatically generated from HTML source.

More Linux Commands

khangman(6) The classical hangman game for KDE (Man Page)...
KHangMan is a game based on the well known hangman game. It is aimed for children 6 and above. It has several levels of difficulty: A lot of categories like Ani

manpath(1) - determine search path for manual pages.........
If $MANPATH is set, manpath will simply display its contents and issue a warning. If not, manpath will determine a suitable manual page hierarchy search path an

XDefineCursor(3) - define cursors - Linux manual page.......
If a cursor is set, it will be used when the pointer is in the window. If the cursor is None, it is equivalent to XUndefineCursor. XDefineCursor can generate Ba

sha256sum(1) - compute and check SHA256 message digest......
Print or check SHA256 (256-bit) checksums. With no FILE, or when FILE is -, read standard input. -b, --binary read in binary mode -c, --check read SHA256 sums f

perlintern(1) - autogenerated documentation of purely intern
This file is the autogenerated documentation of functions in the Perl interpreter that are documented using Perls internal documentation format but are not mark

systemd-ask-password-wall.service(8) Query the user for syst
systemd-ask-password-console.service is a system service that queries the user for system passwords (such as hard disk encryption keys and SSL certificate passp

Tcl_HideCommand(3) - manage multiple Tcl interpreters, alias
These procedures are intended for access to the multiple interpreter facility from inside C programs. They enable managing multiple interpreters in a hierarchic

ldapcompare(1) - LDAP compare tool - Linux manual page......
ldapcompare is a shell-accessible interface to the ldap_compare_ext(3) library call. ldapcompare opens a connection to an LDAP server, binds, and performs a com

neato(1) - filter for drawing undirected graphs (Man Page)
These are a collection of programs for drawing graphs. There is actually only one main program; the specific layout algorithms implemented as plugins. Thus, the

XSizeHints(3) - allocate size hints structure and set or rea
The XAllocSizeHints function allocates and returns a pointer to a XSizeHints structure. Note that all fields in the XSizeHints structure are initially set to ze

smilint(1) - syntax and semantic checks of SMIv1/v2 and SPPI
The smilint program is used to check MIB or PIB modules for syntax errors and semantics at some degree. SMIv1/v2 style MIB modules as well as SPPI PIB modules a

zcat(1) - compress or expand files - Linux manual page......
Gzip reduces the size of the named files using Lempel-Ziv coding (LZ77). Whenever possible, each file is replaced by one with the extension .gz, while keeping t

We can't live, work or learn in freedom unless the software we use is free.