[Pool] Lockdown NTP server completely

Matt Wagner mwaggy at gmail.com
Mon Feb 10 18:19:03 UTC 2014


On Mon, Feb 10, 2014 at 12:14 PM, Scott Baker <bakers at canbytel.com> wrote:

> What's the best way to lockdown NTP on a Linux box (not in the pool). I
> don't want anyone to be able to query it, except my trusted subnet. And
> obviously it needs to fetch time from the pool. I have the following:
>
> # Ignore everything
> restrict default ignore
> restrict -6 default ignore
>
> # Allow local trusted nets
> restrict x.x.x.x mask 255.255.255.0
> restrict y.y.y.y mask 255.255.255.0
> restrict 127.0.0.1
> restrict -6 ::1
>
> driftfile /var/lib/ntp/drift
>
> # Use public servers from the pool.ntp.org project.
> # Please consider joining the pool (http://www.pool.ntp.org/join.html).
> server 0.centos.pool.ntp.org
> server 1.centos.pool.ntp.org
> server 2.centos.pool.ntp.org
>
> This looks like it blocks the server's ability to talk outbound to its
> upstream servers?
>
> :ntpq -pn
>      remote           refid      st t when poll reach   delay   offset
> jitter
>
> ==============================================================================
>  195.222.33.219  .INIT.          16 u    -   64    0    0.000    0.000
> 0.000
>  149.20.68.17    .INIT.          16 u    -   64    0    0.000    0.000
> 0.000
>  62.237.86.234   .INIT.          16 u    -   64    0    0.000    0.000
> 0.000
>

I would implement this at the firewall level, personally, not in ntp.conf.

To do it in ntp.conf, it seems you need to add 'restrict' lines to permit
access to the pool servers you're using. I'd manually select a few servers
and adjust the restrictions to allow access to/from them.

My ntp.conf-fu is weak, but the lack of any restrictions, even 'nomodify'
and the like, on your trusted networks worries me a little. Perhaps you can
trust your LAN (or whatever subnets they are), but I might use the default
restrictions for nomodify/notrap/etc. on them.


More information about the pool mailing list