[Pool] Lockdown NTP server completely

Scott Baker bakers at canbytel.com
Mon Feb 10 17:14:53 UTC 2014


What's the best way to lock down NTP on a Linux box (not in the pool)? I
don't want anyone to be able to query it, except my trusted subnet. And
obviously it needs to fetch time from the pool. I have the following:

# Ignore everything
restrict default ignore
restrict -6 default ignore

# Allow local trusted nets
restrict x.x.x.x mask 255.255.255.0
restrict y.y.y.y mask 255.255.255.0
restrict 127.0.0.1
restrict -6 ::1

driftfile /var/lib/ntp/drift

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org

This looks like it blocks the server's ability to talk outbound to its
upstream servers?

ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 195.222.33.219  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 149.20.68.17    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 62.237.86.234   .INIT.          16 u    -   64    0    0.000    0.000   0.000

-- 
Scott Baker - Canby Telcom 
System Administrator - RHCE - 503.266.8253
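The behaviour in the post (all three upstream peers stuck at .INIT.) follows from how ntpd applies `restrict` lines: access control is evaluated on every incoming packet by source address, including the mode 4 replies from servers this host itself polled, so `restrict default ignore` silently drops them. The script below is an added example, not part of the original post or the ntp project; it is a simplified model of ntpd's access list (most specific matching entry wins, `ignore` drops everything from that source, `noquery` drops only ntpq/ntpdc control traffic) and runs the post's configuration beside a hardened alternative. The x.x.x.x / y.y.y.y networks are replaced by the constructed documentation prefixes 192.0.2.0/24 and 198.51.100.0/24, and the hardened config assumes one explicit restrict line per upstream address (195.222.33.219 is taken from the ntpq output above).

```python
"""Model of how ntpd applies 'restrict' lines to incoming packets.

Added example (not from the original post). Simplification of ntpd's
access list: the most specific matching entry (longest mask) decides,
'ignore' drops every packet from that source, 'noquery' drops only
ntpq/ntpdc control traffic. Trusted networks 192.0.2.0/24 and
198.51.100.0/24 are constructed placeholders for the post's x.x.x.x / y.y.y.y.
"""
import ipaddress

# The poster's configuration: 'default ignore' for everyone, trusted nets allowed.
LOCKED_CONF = """
restrict default ignore
restrict -6 default ignore
restrict 192.0.2.0 mask 255.255.255.0
restrict 198.51.100.0 mask 255.255.255.0
restrict 127.0.0.1
restrict -6 ::1
"""

# Hardened alternative: the default entry still refuses ntpq queries, runtime
# modification and new peer associations, but no longer drops the replies the
# upstream servers send back. One restrict line per upstream address is
# assumed here (195.222.33.219 appears in the post's ntpq output).
HARDENED_CONF = """
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.0.2.0 mask 255.255.255.0
restrict 198.51.100.0 mask 255.255.255.0
restrict 127.0.0.1
restrict -6 ::1
restrict 195.222.33.219 nomodify notrap nopeer noquery
"""


def parse_restrict(conf):
    """Return a list of (network, flags) from the restrict lines in conf."""
    entries = []
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line.startswith('restrict'):
            continue
        toks = line.split()[1:]
        family = 4
        if toks[0] in ('-4', '-6'):
            family = 6 if toks.pop(0) == '-6' else 4
        if toks[0] == 'default':
            net = ipaddress.ip_network('::/0' if family == 6 else '0.0.0.0/0')
            flags = toks[1:]
        elif len(toks) > 2 and toks[1] == 'mask':
            net = ipaddress.ip_network(f'{toks[0]}/{toks[2]}')
            flags = toks[3:]
        else:
            net = ipaddress.ip_network(toks[0])  # single host: /32 or /128
            flags = toks[1:]
        entries.append((net, frozenset(flags)))
    return entries


def flags_for(entries, src):
    """Flags of the most specific entry matching src; empty set if none."""
    addr = ipaddress.ip_address(src)
    matches = [(net, flags) for net, flags in entries
               if net.version == addr.version and addr in net]
    if not matches:
        return frozenset()  # no restrict line at all: ntpd accepts
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def handle_packet(entries, src, kind):
    """Decide what ntpd does with a packet from src.

    kind: 'reply' - mode 4 response from an upstream server we polled
          'time'  - mode 3 request from a client asking for time
          'query' - mode 6/7 control traffic (ntpq, ntpdc)
    """
    flags = flags_for(entries, src)
    if 'ignore' in flags:
        return 'drop'  # applies to upstream replies too: peers stay at .INIT.
    if kind == 'query' and 'noquery' in flags:
        return 'drop'
    return 'accept'


if __name__ == '__main__':
    for name, conf in (('locked', LOCKED_CONF), ('hardened', HARDENED_CONF)):
        e = parse_restrict(conf)
        print(name, 'upstream reply :', handle_packet(e, '195.222.33.219', 'reply'))
        print(name, 'internet ntpq  :', handle_packet(e, '203.0.113.9', 'query'))
        print(name, 'trusted ntpq   :', handle_packet(e, '192.0.2.10', 'query'))
        print(name, 'internet time  :', handle_packet(e, '203.0.113.9', 'time'))
```

Two caveats the model makes visible: with the hardened config, `noquery` on the default entry stops ntpq/ntpdc from outside the trusted subnets, but mode 3 time requests from anywhere are still answered, so if truly nobody else may reach the daemon the restrict lines need a host firewall rule on UDP/123 alongside them. Keeping `default ignore` instead works only if every upstream address has its own restrict line, which is fragile with pool hostnames whose addresses rotate; newer ntpd releases provide `restrict source` to apply a flag set to whatever the `server` lines resolve to.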


