Reason for upgrade
Fix the known vulnerabilities in ntp
Vulnerability information
NTP 'ntp_request.c' remote denial of service vulnerability (CVE-2013-5211): In ntpd versions before NTP 4.2.7p26, the monlist feature in ntp_request.c allows remote attackers to cause a denial of service (traffic amplification) by forging REQ_MON_GETLIST or REQ_MON_GETLIST_1 requests.
Upgrade process
Package preparation
- ntp-4.2.8p15.tar.gz
Download address: https://www.eecis.udel.edu/~ntp/ntp_spool//ntp4/ntp-4.2/
Dependency package
- libcap-devel
- libcap
- glibc-devel
Configuration backup
cp -ar /etc/ntp /etc/ntp.bak`date +%Y%m%d`
cp /etc/ntp.conf /etc/ntp.conf.bak`date +%Y%m%d`
cp /etc/sysconfig/ntpd /etc/sysconfig/ntpd.bak`date +%Y%m%d`
cp /etc/sysconfig/ntpdate /etc/sysconfig/ntpdate.bak`date +%Y%m%d`
cp /usr/lib/systemd/system/ntpd.service /usr/lib/systemd/system/ntpd.service.bak
cp /usr/lib/systemd/system/ntpdate.service /usr/lib/systemd/system/ntpdate.service.bak
Uninstall old version ntp
yum remove -y ntp ntpdate
Unzip, compile, and install the new version
tar zxvf ntp-4.2.8p15.tar.gz
cd ntp-4.2.8p15
./configure --prefix=/usr --bindir=/usr/sbin --sysconfdir=/etc --enable-linuxcaps --with-lineeditlibs=readline --enable-all-clocks --enable-parse-clocks --enable-clockctl && make
make install && install -v -o ntp -g ntp -d /var/lib/ntp
Configuration restore
mv /etc/ntp.bak`date +%Y%m%d` /etc/ntp
mv /etc/ntp.conf.bak`date +%Y%m%d` /etc/ntp.conf
mv /etc/sysconfig/ntpd.bak`date +%Y%m%d` /etc/sysconfig/ntpd
mv /etc/sysconfig/ntpdate.bak`date +%Y%m%d` /etc/sysconfig/ntpdate
mv /usr/lib/systemd/system/ntpd.service.bak /usr/lib/systemd/system/ntpd.service
mv /usr/lib/systemd/system/ntpdate.service.bak /usr/lib/systemd/system/ntpdate.service
Start service
systemctl daemon-reload
systemctl start ntpd
View the upgraded version
ntpd --version
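The version check above can be scripted. The following is an added example, not part of the original procedure: it parses a version string and reports whether it is at or above 4.2.7p26, the threshold quoted for CVE-2013-5211. The function names and the sample strings are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare an ntpd version string with 4.2.7p26, the first
# version outside the range this page lists as affected by CVE-2013-5211.

# Print "major minor point patch" for text such as "ntpd 4.2.8p15@1.3728-o".
# The patch field is empty when the string has no pN suffix.
ntp_version_fields() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \3 \5/p' |
        head -n 1
}

# Return 0 if the version in $1 is >= 4.2.7p26, 1 if it is older,
# 2 if no version number could be parsed.
ntp_monlist_fixed() {
    fields=$(ntp_version_fields "$1")
    [ -n "$fields" ] || return 2
    # Word splitting is intended: fields holds digits and spaces only.
    set -- $fields
    maj=$1 min=$2 pt=$3 pl=${4:-0}   # missing patch level counts as 0
    # Compare field by field against 4 2 7 26, most significant first.
    for pair in "$maj:4" "$min:2" "$pt:7" "$pl:26"; do
        have=${pair%%:*}
        need=${pair##*:}
        if [ "$have" -gt "$need" ]; then return 0; fi
        if [ "$have" -lt "$need" ]; then return 1; fi
    done
    return 0   # exactly 4.2.7p26
}

# Constructed sample strings, not captured from a real host.
for v in "ntpd 4.2.6p5" "ntpd 4.2.7p26" "ntpd 4.2.8p15@1.3728-o"; do
    if ntp_monlist_fixed "$v"; then
        echo "$v: at or above 4.2.7p26"
    else
        echo "$v: older than 4.2.7p26 or unparseable"
    fi
done
```

To check the installed daemon, pass the output of the version command to the function, for example ntp_monlist_fixed "$(ntpd --version 2>&1)".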
Frequently asked questions during the upgrade process
Missing gcc compilation environment
The following prompt appears when executing ./configure. This is because the system lacks the gcc compilation environment; install gcc first.
/usr/bin/ld: cannot find -lcap
When executing ./configure, the error message /usr/bin/ld: cannot find -lcap appears because libcap-devel is not installed on the system.
Install libcap-devel, either from an offline rpm or with yum:
yum install -y libcap-devel