[Pool] Lockdown NTP server completely
david at lordynet.org
Mon Feb 10 18:08:14 UTC 2014
On 10 Feb 2014 at 9:14, Scott Baker wrote:
> What's the best way to lock down NTP on a Linux box (not in the pool)? I
> don't want anyone to be able to query it, except my trusted subnet. And
> obviously it needs to fetch time from the pool. I have the following:
> # Ignore everything
> restrict default ignore
> restrict -6 default ignore
> # Allow local trusted nets
> restrict x.x.x.x mask 255.255.255.0
> restrict y.y.y.y mask 255.255.255.0
> restrict 127.0.0.1
> restrict -6 ::1
> driftfile /var/lib/ntp/drift
> # Use public servers from the pool.ntp.org project.
> # Please consider joining the pool (http://www.pool.ntp.org/join.html).
> server 0.centos.pool.ntp.org
> server 1.centos.pool.ntp.org
> server 2.centos.pool.ntp.org
> This looks like it blocks the server's ability to talk outbound to its
> upstream servers?
I had similar rules for many years, but after both my firewall
and modem failed I was not able to connect to many sites with
my new setup.
I'd had IPv6 enabled via a tunnel to my ISP, and the replacement
modem didn't pass tunneled IPv6.
I now have "server -4" until I get around to getting IPv6.
> :ntpq -pn
> remote refid st t when poll reach delay offset
> 22.214.171.124 .INIT. 16 u - 64 0 0.000 0.000
> 126.96.36.199 .INIT. 16 u - 64 0 0.000 0.000
> 188.8.131.52 .INIT. 16 u - 64 0 0.000 0.000
> Scott Baker - Canby Telcom
> System Administrator - RHCE - 503.266.8253
> pool mailing list
> pool at lists.ntp.org
David Lord <david at lordynet.org>
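The two things the thread turns on are the config in Scott's quote (where "restrict default ignore" also drops the replies coming back from the upstream servers) and the ntpq -pn output that shows the result (every peer at stratum 16, refid .INIT., reach 0). The script below is an added example, not code from the original thread or from the NTP project: it writes a lockdown ntp.conf that still lets the configured servers answer, and it parses ntpq -pn output to flag peers ntpd has never heard from. It assumes classic ntpd (ntp 4.2.8) syntax, including the "restrict source" template; the subnets 192.0.2.0/24 and 198.51.100.0/24, the file paths and the sample ntpq output are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post).  Assumes ntp 4.2.8 ntpd syntax;
# subnets, paths and the ntpq sample below are constructed placeholders.

# Write a lockdown ntp.conf to the path given as $1.
# Key change from the quoted config: "restrict default ignore" drops packets
# of every kind, including the replies from our own upstream servers, which
# is why "ntpq -pn" showed every peer at reach 0 with refid .INIT.  The flags
# below reject queries, runtime modification and unsolicited peering from
# everyone, while still accepting time replies from the servers we configured.
write_lockdown_ntp_conf() {
    cat > "$1" <<'EOF'
# Deny control queries, configuration changes, trap registration and
# symmetric peering from everywhere; "kod" rate-limits abusers.  Unlike
# "ignore", this still accepts time replies from our own upstream servers.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Apply the same template to each server association ntpd creates at
# runtime (pool addresses change, so they cannot be listed statically).
restrict source kod nomodify notrap nopeer noquery

# Trusted client subnets (placeholders) may query but not reconfigure.
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict 198.51.100.0 mask 255.255.255.0 nomodify notrap

# Localhost keeps full access for ntpq/ntpdc administration.
restrict 127.0.0.1
restrict -6 ::1

driftfile /var/lib/ntp/drift

# IPv4-only upstream as in the reply above; drop "-4" once IPv6 works.
server -4 0.centos.pool.ntp.org iburst
server -4 1.centos.pool.ntp.org iburst
server -4 2.centos.pool.ntp.org iburst
EOF
}

# Constructed "ntpq -pn" output: one healthy peer and two that ntpd has
# never reached, the pattern the quoted post shows for all three servers.
sample_ntpq_output() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   23   64  377    0.512   -0.123   0.045
 203.0.113.11    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.0.113.12    .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Read "ntpq -pn" output from the file $1, print each peer whose reach
# register is 0, and return 1 if any such peer exists (0 if all reachable).
# Columns: remote refid st t when poll reach delay offset jitter -> reach is $7.
check_ntpq_reach() {
    awk '
        NR <= 2 { next }                           # header line and "====" rule
        {
            peer = $1
            sub(/^[*+#o x.-]/, "", peer)           # strip the tally character
            if ($7 == 0) { print "unreachable:", peer, "refid", $2; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Demo: run the check against the constructed sample.
tmpf=$(mktemp)
sample_ntpq_output > "$tmpf"
check_ntpq_reach "$tmpf" || echo "ntpd cannot reach its upstream servers; check the restrict lines"
rm -f "$tmpf"
```

In practice, run `ntpq -pn > /tmp/peers.txt` on the server and pass that file to `check_ntpq_reach`; a non-zero return after the restrict lines are changed points at a firewall rather than ntpd.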