Hello, all.
I would like to use ntpd for time sync not rdate or ntpdate.
but after installing ntpd, I found that it listens on all interfaces, like below.
udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
Is there any way or option that only listen 127.0.0.1 for security reason?
Thanks in advance.
_________________________________________________________________ Networking for college students! Sort it out with Windows Live Messenger! Chat comes standard, and a 25GB file locker is thrown in! The college hangout, WinMe Club http://im.msn.co.kr/Univ/
Hi,
2009/6/11 MontyRee chulmin2@hotmail.com:
Is there any way or option that only listen 127.0.0.1?
I don't think so. NTP is a UDP protocol, and its packets have both source and destination port 123, so the machine that is using NTP to set its own clock (the NTP "client") needs to listen on UDP port 123 to receive the replies from the NTP "server".
for security reason?
Look into the "restrict" commands in ntp.conf to implement security policies on NTP. You can find information on how it works on "man ntp_acc".
If you use a fixed list of NTP servers that have fixed IPs, you can also use iptables to block access to port 123 UDP to all except those hosts.
HTH, Filipe
Thanks for your kind answer.
Look into the "restrict" commands in ntp.conf to implement security policies on NTP. You can find information on how it works on "man ntp_acc".
The default restrict config looks like below.
restrict default nomodify notrap noquery
If I set up the ntpd service as a client, not a server, are the above options sufficient?
I would like to deny any ntpd query packets except reply packets from others, because it is a client.
But it seems that other clients can still query the date.
Thanks in advance.
Hi,
2009/6/12 MontyRee chulmin2@hotmail.com:
If I setup ntpd service as a client not server, above options are sufficient?
I don't know, I never bothered trying to understand how that works... I suggest you read "man ntp_acc" if you really want to implement that. After you do, please share with us how that works! :-)
Cheers, Filipe
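As an added example that is not from any post in this thread, here is one way to put Filipe's two suggestions (the restrict lines, with iptables as a fallback) into practice on a machine that is only an NTP client, together with a check for the wildcard 0.0.0.0:123 socket MontyRee reported. It also bears on the follow-up question: the stock "noquery" only blocks ntpq/ntpdc control queries and still serves time to anyone who asks, which is why other clients could query the date; "noserve" or "ignore" is what stops that. Assumptions not in the original posts: ntpd 4.2.6 or later (the "interface" directive does not exist in older releases), the server addresses 192.0.2.10 and 192.0.2.11 are RFC 5737 placeholders to replace with your own, /var/lib/ntp/drift is the usual CentOS drift path, and the netstat sample is constructed from the listing in the first post.

```shell
#!/bin/sh
# Added example, not from the thread: lock an ntpd *client* down to its own
# servers and loopback, and verify there is no 0.0.0.0:123 socket.
# Assumptions: ntpd 4.2.6+ ("interface" directive); the server addresses are
# RFC 5737 placeholders; the netstat sample below is constructed from the post.

NTP_SERVERS="192.0.2.10 192.0.2.11"   # placeholder servers, replace with yours

# Write a client-only ntp.conf to the path given as $1.
# "restrict default ignore" drops every packet that no later restrict line
# re-allows; the per-server lines let replies in, and loopback keeps ntpq
# usable locally. The stock "noquery" only blocks ntpq/ntpdc control queries
# and still serves time to anyone; "noserve" or "ignore" is what prevents that.
write_ntp_conf() {
    {
        echo "driftfile /var/lib/ntp/drift"
        echo "restrict default ignore"
        echo "restrict -6 default ignore"
        echo "restrict 127.0.0.1"
        echo "restrict -6 ::1"
        for s in $NTP_SERVERS; do
            echo "server $s iburst"
            # accept time from this server only; it may not modify or query us
            echo "restrict $s nomodify notrap nopeer noquery"
        done
        # Do not bind the wildcard 0.0.0.0:123 socket (ntpd 4.2.6+).
        # The real interfaces must stay bound, or replies cannot be received.
        echo "interface ignore wildcard"
    } > "$1"
}

# Print the local address of any UDP 123 socket bound to the wildcard
# address. Input: "netstat -lunp" (or "ss -lunp") lines on stdin.
wildcard_ntp_sockets() {
    awk '$1 == "udp" && $4 == "0.0.0.0:123" { print $4 }'
}

# Generate iptables rules for the firewall fallback: replies from the
# configured servers (source and destination port 123) and loopback are
# accepted, every other packet to UDP 123 is dropped.
ntp_iptables_rules() {
    echo "iptables -A INPUT -i lo -p udp --dport 123 -j ACCEPT"
    for s in $NTP_SERVERS; do
        echo "iptables -A INPUT -p udp -s $s --sport 123 --dport 123 -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 123 -j DROP"
}

# Constructed sample, taken from the listing in the first post.
SAMPLE_NETSTAT='udp        0      0 192.168.111.2:123   0.0.0.0:*    11528/ntpd
udp        0      0 127.0.0.1:123       0.0.0.0:*    11528/ntpd
udp        0      0 0.0.0.0:123         0.0.0.0:*    11528/ntpd'

# Usage: write the config to a scratch file and run the check on the sample.
# On a real host: write_ntp_conf /etc/ntp.conf; service ntpd restart;
# netstat -lunp | wildcard_ntp_sockets   (empty output means no wildcard socket)
# ntp_iptables_rules | sh                (apply the firewall fallback)
tmp="${TMPDIR:-/tmp}/ntp.conf.$$"
write_ntp_conf "$tmp"
cat "$tmp"
rm -f "$tmp"
if [ -n "$(printf '%s\n' "$SAMPLE_NETSTAT" | wildcard_ntp_sockets)" ]; then
    echo "sample listing still has a wildcard ntpd socket"
fi
ntp_iptables_rules
```

The "restrict default ignore" plus per-server "restrict" pattern works on any ntpd that has ntp_acc; only the "interface ignore wildcard" line needs 4.2.6 or later, and on an older daemon the iptables rules are the way to get the same effect.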
2009/6/12 MontyRee chulmin2@hotmail.com:
Hello, all.
I would like to use ntpd for time sync not rdate or ntpdate.
but after installing ntpd, I found that it listens on all interfaces, like below.
udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
Is there any way or option that only listen 127.0.0.1 for security reason?
Thanks in advance.
_______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
You could also ditch the ntp daemon (uncheck it in ntsysv) in favour of running `ntpdate some.time.server` every now and then from cron. e.g. @hourly /usr/sbin/ntpdate ro.pool.ntpdate.org
Sure, it might not be as elegant and practical, but it works.
on 6-12-2009 12:17 AM Lucian@lastdot.org spake the following:
2009/6/12 MontyRee chulmin2@hotmail.com:
Hello, all.
I would like to use ntpd for time sync not rdate or ntpdate.
but after installing ntpd, I found that it listens on all interfaces, like below.
udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
Is there any way or option that only listen 127.0.0.1 for security reason?
Thanks in advance.
You could also ditch the ntp daemon (uncheck it in ntsysv) in favour of running `ntpdate some.time.server` every now and then from cron. e.g. @hourly /usr/sbin/ntpdate ro.pool.ntpdate.org
Sure, it might not be as elegant and practical, but it works.
Don't do that on a server, especially a mail server as you will cause yourself a lot of grief as the time makes large jumps around. Many daemons are very sensitive to big time jumps either forward or backward.
Ntpd is very easy to use and you can easily restrict which ports it listens to.
From: MontyRee chulmin2@hotmail.com
I would like to use ntpd for time sync not rdate or ntpdate. but after installing ntpd, I found that it listens on all interfaces, like below.
udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
Is there any way or option that only listen 127.0.0.1 for security reason?
Another option would be to firewall the unwanted ports...
JD