[Pool] Lockdown NTP server completely

David Lord david at lordynet.org
Mon Feb 10 18:08:14 UTC 2014


On 10 Feb 2014 at 9:14, Scott Baker wrote:

> What's the best way to lockdown NTP on a Linux box (not in the pool). I
> don't want anyone to be able to query it, except my trusted subnet. And
> obviously it needs to fetch time from the pool. I have the following:
> 
> # Ignore everything
> restrict default ignore
> restrict -6 default ignore
> 
> # Allow local trusted nets
> restrict x.x.x.x mask 255.255.255.0
> restrict y.y.y.y mask 255.255.255.0
> restrict 127.0.0.1
> restrict -6 ::1
> 
> driftfile /var/lib/ntp/drift
> 
> # Use public servers from the pool.ntp.org project.
> # Please consider joining the pool (http://www.pool.ntp.org/join.html).
> server 0.centos.pool.ntp.org
> server 1.centos.pool.ntp.org
> server 2.centos.pool.ntp.org
> 
> This looks like it blocks the server's ability to talk outbound to its
> upstream servers?

I had similar rules for many years but after both my firewall
and modem failed I was not able to connect to many sites with
my new setup. 

I'd had IPv6 enabled via tunnel to my isp and the replacement
modem didn't pass tunneled IPv6.

I now have "server -4" until I get around to getting IPv6
working again.


David


> 
> :ntpq -pn
>      remote           refid      st t when poll reach   delay   offset  jitter
> ==============================================================================
>  195.222.33.219  .INIT.          16 u    -   64    0    0.000    0.000   0.000
>  149.20.68.17    .INIT.          16 u    -   64    0    0.000    0.000   0.000
>  62.237.86.234   .INIT.          16 u    -   64    0    0.000    0.000   0.000
> 
> -- 
> Scott Baker - Canby Telcom 
> System Administrator - RHCE - 503.266.8253

-- 
David Lord <david at lordynet.org>
<ftp://ftp.lordynet.org/pub/pgpkeys/david@lordynet.org>
<http://www.lordynet.org/pub/pgpkeys/david@lordynet.org>
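The quoted ntp.conf and ntpq output above, as an added example that is not from either poster: a small evaluator of ntpd's `restrict` matching (the most specific matching entry wins; `ignore` drops every packet, replies from upstream servers included), showing why the posted config leaves the upstreams at `.INIT.` with reach 0 and what a per-server exception changes. The trusted-net prefixes standing in for x.x.x.x / y.y.y.y are constructed placeholders.

```python
import ipaddress
# Constructed stand-in for the posted ntp.conf (x.x.x.x / y.y.y.y -> RFC 5737 prefixes).
POSTED_CONF = """
restrict default ignore
restrict -6 default ignore
restrict 192.0.2.0 mask 255.255.255.0
restrict 198.51.100.0 mask 255.255.255.0
restrict 127.0.0.1
restrict -6 ::1
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every `restrict` line in an ntp.conf text."""
    entries = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words or words[0] != "restrict":
            continue
        args = words[1:]
        v6 = args[0] == "-6"
        if args[0] in ("-4", "-6"):
            args = args[1:]
        if args[0] == "default":
            net = ipaddress.ip_network("::/0" if v6 else "0.0.0.0/0")
            flags = args[1:]
        elif len(args) >= 3 and args[1] == "mask":
            net = ipaddress.ip_network(f"{args[0]}/{args[2]}", strict=False)
            flags = args[3:]
        else:
            net = ipaddress.ip_network(args[0])  # single host address
            flags = args[1:]
        entries.append((net, frozenset(flags)))
    return entries

def restrict_flags(entries, src):
    """Flags ntpd applies to a packet from src: the most specific matching entry wins."""
    ip = ipaddress.ip_address(src)
    matches = [(n, f) for n, f in entries if n.version == ip.version and ip in n]
    return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else frozenset()

def time_packets_accepted(entries, src):
    """`ignore` denies all packets; other flags (e.g. noquery) still allow time exchange."""
    return "ignore" not in restrict_flags(entries, src)

UPSTREAM = "195.222.33.219"  # first upstream in the quoted ntpq -pn output
# Posted config: the upstream only matches `default ignore`, so its replies are dropped (.INIT., reach 0).
assert not time_packets_accepted(parse_restrict(POSTED_CONF), UPSTREAM)
# A per-server entry without `ignore` admits its time packets; noquery still refuses ntpq from it.
assert time_packets_accepted(parse_restrict(POSTED_CONF + f"restrict {UPSTREAM} nomodify notrap noquery\n"), UPSTREAM)
```

Run it with `python3`; the assertions at the bottom pass silently when the model matches the behaviour described.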