I’ve only just noticed that in the last few months I’ve started getting lots of errors from ntpd about ‘Invalid-NAK’:
Jul 15 11:56:00 electra ntpd[687]: Invalid-NAK error at 1638 109.74.206.120<-5.150.101.130
Jul 15 11:56:05 electra ntpd[687]: Invalid-NAK error at 1643 109.74.206.120<-86.63.7.233
Jul 15 11:56:27 electra ntpd[687]: Invalid-NAK error at 1666 109.74.206.120<-5.150.101.130
Is this to do with clients attempting NTP authentication? I don’t have that setup, so I’m assuming this is why - what are other server operators doing wrt NTP auth? I didn’t see any note in the configuration recommendations about authentication.
In the past we have quietly dropped those packets. I came to the conclusion that if one doesn’t know about abuse, the problem can easily grow until it is overwhelming. So now we say something. You may do whatever you want with this information. A future NTP release will likely offer better control over this sort of reporting.
But what do we know? Given this message is reported when there is no association to be demobilized, and given 4.2.8p7 resolved the bug you referred to, what is the danger or issue that merits the operator’s attention?
You haven’t answered the question of why it might be interesting to the operator, or even explained what an Invalid NAK is. I don’t see how the readers of this thread are supposed to make that local policy choice, given the cryptic message and your lack of advice on handling it. I know I find it useless clutter on a pool server getting ~1.5 Mbps of NTP requests, and there’s no mechanism to quiet it. It’s also duplicative of another message which appears the first 15 times it occurs, before thankfully being shut up until an intervening event resets the counter:
20 Feb 16:52:44 ntpd[15804]: 0.0.0.0 041c 8c bad_auth Invalid_NAK
20 Feb 16:52:44 ntpd[15804]: Invalid-NAK error at 9735 192.168.201.101<-72.240.53.26
20 Feb 16:53:50 ntpd[15804]: 0.0.0.0 042c 8c bad_auth Invalid_NAK
20 Feb 16:53:50 ntpd[15804]: Invalid-NAK error at 9802 192.168.201.101<-72.240.53.26
That first message could easily be changed to include the remote IP, at which point the second message is more appropriate for -D debug output, as it happens with every such packet, effectively a DoS opportunity against the ntp log/syslog.
I didn’t see anybody ask what a Crypto-NAK was. An invalid Crypto-NAK should never occur, so if we get one it’s an indication of a problem.
The messages help with the local policy choice in that they tell you where they are coming from (unless somebody is forging the source address).
If the first and third lines of your example above of the “duplicative other message which appears the first 15 times it occurs”, I’d disagree, as those lines do not say anything about who is sending them.
But it’s clear you don’t want to see them, and we need a way to let folks control whether or not they see these messages.
I also know you don’t care to see the “seconds since startup” count (the 9735 and 9802 in the 2nd and 4th lines of your example above), and I find them to be very useful when examining other logs (rawstats, etc) to identify what’s going on.
The log messages do not mention Crypto-NAK, one refers to Invalid_NAK the other to Invalid-NAK. If these are indeed Crypto-NAK, I’m guessing they are relevant only if Autokey is in use. Is there any reason (other than your general interest in logging when seeing curious packets) these messages should be logged if Autokey is not in use?
Those other logs don’t prefix each line with the date and time. Logging to syslog/ntp.log the time since startup is duplicative as it’s easy to find the associated startup time in the same logfile.
In the meantime, as the two IPs are responsible for all of the attempts I’ve blocked them at the firewall level. Thanks for the responses and input on this!