Thank you for the quick response! We are currently using these base rules:
restrict default limited kod notrap nopeer
restrict 127.0.0.1
server clock.isc.org
server bonehed.lcs.mit.edu
server time.nist.gov
peer xxx1
peer xxx2
peer xxx3
peer xxx4
disable monitor ### This was added recently
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
logconfig all
logfile /var/log/ntp.log

We'll add the "noquery" as you suggested to the top line. Would you have any other suggestions for us?

Regards
HASSAN

On Fri, Feb 14, 2014 at 5:29 AM, Anssi Johansson <[email protected]> wrote:
> Nyamul Hassan wrote:
>> From the documentation, and all literature that I can find on the
>> internet, it seems any remote client who needs to talk to our NTP servers
>> on UDP 123 must also originate the request from UDP 123. Considering this,
>> we have firewalled any traffic for/from UDP 123 on our servers that does
>> not start/end in UDP 123 on the remote machines.
>>
>> Could someone confirm if this is correct? Or are we blocking legitimate
>> requests as well?
>
> You are blocking legitimate requests as well. One example: traffic coming
> from behind NAT firewalls. NAT changes the source port to some other port.
>
> Adding "limited kod" to your "restrict default" line in ntp.conf is
> usually a rather good countermeasure. I would also suggest adding "noquery"
> to that line to prevent the recent NTP amplification attacks.
>
> See http://support.ntp.org/bin/view/Support/AccessRestrictions and
> http://support.ntp.org/bin/view/Main/SecurityNotice#DRDoS_Amplification_Attack_using
> _______________________________________________
> pool mailing list
> [email protected]
> http://lists.ntp.org/listinfo/pool
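As an added example, not part of the thread and not code from the ntp project: a small Python script that parses the base rules posted above, reports which of the flags suggested in the reply (limited, kod, noquery) are missing from the "restrict default" line, and emits the hardened configuration. The sample config is constructed from Hassan's message (placeholder peers and key/log settings omitted), and the names REQUIRED_DEFAULT_FLAGS, missing_default_flags and harden_default_restrict are my own. The loopback "restrict 127.0.0.1" line is deliberately left alone so local ntpq/ntpdc queries keep working.

```python
"""Audit and harden the "restrict default" line of an ntp.conf.

Added example (not from the thread): checks that the flags discussed above
(limited, kod, noquery) are present on the default restriction and, if not,
appends the missing ones. Only the default restriction is touched.
"""

# Flags the thread recommends on "restrict default". Assumption: this is the
# minimum set to enforce; notrap/nopeer from the posted config are kept as
# the administrator wrote them.
REQUIRED_DEFAULT_FLAGS = frozenset({"limited", "kod", "noquery"})

# Constructed sample: the base rules from the message above, minus the
# placeholder peers and key/log settings.
SAMPLE_CONF = """\
restrict default limited kod notrap nopeer
restrict 127.0.0.1
server clock.isc.org
server bonehed.lcs.mit.edu
server time.nist.gov
disable monitor ### This was added recently
driftfile /var/lib/ntp/drift
"""


def _split_directive(raw_line):
    """Strip a trailing '#' comment and return the whitespace-split tokens."""
    code = raw_line.split("#", 1)[0].strip()
    return code.split() if code else []


def _is_default_restrict(tokens):
    """True for 'restrict default ...', 'restrict -4 default ...', 'restrict -6 default ...'."""
    if not tokens or tokens[0] != "restrict":
        return False
    rest = tokens[1:]
    if rest and rest[0] in ("-4", "-6"):  # ntpd address-family selector
        rest = rest[1:]
    return bool(rest) and rest[0] == "default"


def _default_flags(tokens):
    """Flags following 'default' on an already-identified default restrict line."""
    return tokens[tokens.index("default") + 1:]


def missing_default_flags(conf_text, required=REQUIRED_DEFAULT_FLAGS):
    """Return the sorted list of required flags absent from the first 'restrict default'.

    With no default restriction at all, every required flag counts as missing,
    because ntpd then grants full access to everyone.
    """
    for raw in conf_text.splitlines():
        tokens = _split_directive(raw)
        if _is_default_restrict(tokens):
            return sorted(required - set(_default_flags(tokens)))
    return sorted(required)


def harden_default_restrict(conf_text, required=REQUIRED_DEFAULT_FLAGS):
    """Return conf_text with missing required flags appended to every 'restrict default'.

    Existing flags keep their order; if no default line exists one is inserted
    at the top so it precedes the more specific restrict lines.
    """
    out, found = [], False
    for raw in conf_text.splitlines():
        tokens = _split_directive(raw)
        if _is_default_restrict(tokens):
            found = True
            flags = _default_flags(tokens)
            flags += [f for f in sorted(required) if f not in flags]
            prefix = tokens[:tokens.index("default") + 1]
            out.append(" ".join(prefix + flags))
        else:
            out.append(raw)  # all other lines (including comments) pass through unchanged
    if not found:
        out.insert(0, "restrict default " + " ".join(sorted(required)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("missing on posted config:", missing_default_flags(SAMPLE_CONF))
    print(harden_default_restrict(SAMPLE_CONF))
```

Running it against the posted rules reports only "noquery" as missing and rewrites the first line to "restrict default limited kod notrap nopeer noquery", which is exactly the change agreed on above; the check reads the first default restriction only, while the hardening pass rewrites any -4/-6 variants as well.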
