[time] ntp client service cut-off policy

Adrian von Bidder avbidder
Thu Dec 21 08:25:39 UTC 2006 

On Thursday 21 December 2006 03:08, ntpadmin at oc9.com wrote:
> if [ count > 500 ] && [ avgint < 60 ]
> then
> start dropping packets
> end

Yo!

I don't remember if I posted this before - I use a similar policy on my 
machine, with this script (below).  I use avgint < 16, count > 1000 and 
last < 60 to block, and unblock clients that don't send any packets for
12 hours.

Steady state is a ntp-filter chain with ca. 20 to 30 entries, I've not
seen a big variance in the number of entries for a long time now.  I 
don't do traffic statistics, so I can't really say what happens, but most 
clients do go away after a while (a few months at most).  If anybody wants
to do some statistics: I've attached logs covering ca. the last 2 years.

The script is obviously not very release-quality (hardcoded path, little 
error handling etc.), but it basically just works.

========
#! /usr/bin/perl -w
# ?2004 Adrian von Bidder <avbidder at fortytwo.ch>
# use/modify/redistribute as you like, but please send enhancements
# back to me, too.

use strict;

open my $log, ">>", "/home/clockmaster/log.firewall"
    or die "opening log file: $!\n";


# remove all entries from ntp-filter with 0 counters
my @ntpfilter = `iptables -Z -xvnL ntp-filter`;
#my @ntpfilter = `iptables -xvnL ntp-filter`;
my (undef, $head) = splice(@ntpfilter, 0, 2);
pop @ntpfilter; # 'zeroing chain'
if ($head ne "    pkts      bytes target     prot opt in     out     source               destination         \n") {
    die "iptables version has changed, probably\n";
}
foreach my $f (@ntpfilter) {
    $f =~ s/^\s+//;
    my ($count, undef, undef, undef, undef,
        undef, undef, $remote, undef) = split /\s+/, $f;
    if ($count == 0) {
        print $log scalar localtime, " ntp-block unblock $remote\n";
        system "iptables -D ntp-filter -s $remote -j DROP";
    }
}

# run monlist
my @ntprun;
do {
    @ntprun = `ntpdc -n -c monlist 2>/dev/null`;
    #@ntprun = `ntpdc -n -c monlist`;
    if ($#ntprun == -1) {
        print $log scalar localtime, " ntp-block ntpdc: fail\n";
        sleep 20;
    }
} while ($#ntprun == -1);
print $log scalar localtime, " ntp-block ntpdc: success\n";

($head, undef) = splice(@ntprun, 0, 2);
if ($head ne "remote address          port local address      count m ver code avgint  lstint\n") {
    die "ntp version has changed, probably\n";
}

# go through monlist output and block everything with
#  - avg < 16
#  - last < 60
#  - count > 1000
foreach my $n (@ntprun) {
    my ($remote, undef, undef, $count,
        undef, undef, undef, $avg, $last) = split /\s+/, $n;
    if ($remote eq '127.0.0.1') {
        next;
    }
    if ($avg < 16 and $last < 60 and $count > 1000) {
        print $log scalar localtime,
            " ntp-block block $remote (count=$count, avg=$avg, last=$last)\n";
        system "iptables -A ntp-filter -s $remote -j DROP";
    }
}

close $log;
========

-- 
Many people are unenthusiastic about your work.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: log.firewall.bz2
Type: application/x-bzip2
Size: 89163 bytes
Desc: not available
Url : http://fortytwo.ch/mailman/pipermail/timekeepers/attachments/20061221/9dae00ad/attachment-0001.bin 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 254 bytes
Desc: not available
Url : http://fortytwo.ch/mailman/pipermail/timekeepers/attachments/20061221/9dae00ad/attachment-0001.pgp

More information about the pool mailing list