On Mon, Feb 10, 2014 at 12:14 PM, Scott Baker <[email protected]> wrote:
> What's the best way to lock down NTP on a Linux box (not in the pool)? I
> don't want anyone to be able to query it, except my trusted subnet. And
> obviously it needs to fetch time from the pool. I have the following:
>
> # Ignore everything
> restrict default ignore
> restrict -6 default ignore
>
> # Allow local trusted nets
> restrict x.x.x.x mask 255.255.255.0
> restrict y.y.y.y mask 255.255.255.0
> restrict 127.0.0.1
> restrict -6 ::1
>
> driftfile /var/lib/ntp/drift
>
> # Use public servers from the pool.ntp.org project.
> # Please consider joining the pool (http://www.pool.ntp.org/join.html).
> server 0.centos.pool.ntp.org
> server 1.centos.pool.ntp.org
> server 2.centos.pool.ntp.org
>
> This looks like it blocks the server's ability to talk outbound to its
> upstream servers?
>
> :ntpq -pn
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  195.222.33.219  .INIT.          16 u    -   64    0    0.000    0.000   0.000
>  149.20.68.17    .INIT.          16 u    -   64    0    0.000    0.000   0.000
>  62.237.86.234   .INIT.          16 u    -   64    0    0.000    0.000   0.000

I would implement this at the firewall level, personally, not in ntp.conf.

To do it in ntp.conf, it seems you need to add 'restrict' lines to permit
access to the pool servers you're using. I'd manually select a few servers
and adjust the restrictions to allow access to/from them.

My ntp.conf-fu is weak, but the lack of any restrictions, even 'nomodify'
and the like, on your trusted networks worries me a little. Perhaps you
can trust your LAN (or whatever subnets they are), but I might use the
default restrictions for nomodify/notrap/etc. on them.

_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
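As an added example (not from either poster), here is an ntp.conf that keeps the original intent, only the trusted subnets may query the daemon, without the "restrict default ignore" lines that also drop the replies coming back from the upstream servers. The subnets x.x.x.x and y.y.y.y are the same placeholders as in the quoted config; the pool server names are the ones from the quoted config.

```conf
# Added example, not the configuration from the thread.
# x.x.x.x and y.y.y.y are placeholders for the trusted subnets.

# Default policy for everyone else: time packets are still exchanged, so
# the replies from the pool servers are accepted, but ntpq/ntpdc queries,
# runtime modification, peering and trap requests are refused.
# "restrict default ignore" would drop the server replies as well, which is
# why the peers in the quoted ntpq output sit in .INIT. with reach 0.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Trusted subnets: may query (ntpq -p) and sync from this host, but still
# may not reconfigure the daemon or set traps.
restrict x.x.x.x mask 255.255.255.0 nomodify notrap
restrict y.y.y.y mask 255.255.255.0 nomodify notrap

# Localhost keeps full access for local administration.
restrict 127.0.0.1
restrict -6 ::1

driftfile /var/lib/ntp/drift

# Upstream servers from the pool; no per-server restrict line is needed
# because the default policy above no longer ignores their replies.
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
```

The difference between "ignore" and "noquery" is the whole point: "noquery" only refuses the mode 6/7 control queries (ntpq, ntpdc), while "ignore" discards every packet from the matching address, including the server's time replies. After restarting ntpd, "ntpq -pn" should show the reach field climbing from 0 and the stratum dropping below 16 within a few poll intervals; if it still reads .INIT., the remaining blocker is outside ntp.conf, which is where the firewall-level approach suggested in the reply comes in.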
