How To
Summary
NTP mode 6 and 7 queries can be used in denial of service attacks. This document has instructions for disabling support for these queries in the xntpd daemon.
Environment
These instructions only apply to the NTP version 3 daemon.
Steps
Add the following lines to the /etc/ntp.conf file. This disables mode 6 and 7 queries, and closes other vulnerabilities, for all IP addresses, but still allows the queries on the local loopback interface.
restrict default notrust nomodify nopeer noquery notrap
restrict 127.0.0.1
Add restrict and server entries for each trusted NTP server on the network. This overrides the default setting for the specified servers.
server 10.11.12.13
restrict 10.11.12.13 nomodify notrap noquery
Refresh xntpd for the changes to take effect.
refresh -s xntpd
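To confirm the edited file carries the rules above, the following added example (not part of the original IBM document) reads an ntp.conf on standard input and reports where noquery is missing. The function names, finding text and sample configuration are constructed for illustration; server addresses are matched literally and mask ranges are not evaluated.

```shell
#!/bin/sh
# Added example (not IBM code): audit ntp.conf restrict rules for noquery.
# Reads the configuration on stdin, prints one finding per line (sorted),
# and prints nothing when the rules from the steps above are in place.
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                      # drop comments
    $1 == "restrict" {
        flags = ""
        for (i = 3; i <= NF; i++) flags = flags " " $i
        # Assumption: flags on repeated lines for one address are combined.
        seen[$2] = 1
        rflags[$2] = rflags[$2] flags " "
    }
    $1 == "server" { servers[$2] = 1 }
    END {
        if (!("default" in seen))
            print "default: no restrict default line"
        else if (rflags["default"] !~ / noquery /)
            print "default: restrict line lacks noquery"
        for (s in servers) {
            if (!(s in seen))
                print s ": server has no restrict entry, default applies"
            else if (rflags[s] !~ / noquery /)
                print s ": restrict line lacks noquery"
        }
    }' | sort
}

# Constructed sample input: a weak configuration with three problems.
sample_weak_conf() {
    cat <<'EOF'
restrict default nomodify notrap
restrict 127.0.0.1
server 10.11.12.13
restrict 10.11.12.13 nomodify notrap
server 10.11.12.14
EOF
}

# Demo on the constructed sample; on a real host: audit_ntp_conf < /etc/ntp.conf
sample_weak_conf | audit_ntp_conf
```

Empty output means the default rule and every server entry include noquery.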
Document Information
More support for: AIX
Component: Communication Applications->NTP/TIMED
Software version: All Version(s)
Document number: 717709
Modified date: 17 September 2020
UID: ibm10717709