Wed Aug 31 00:27:23 UTC 2011
Always Learning <centos at u61.u22.net>

On Tue, 2011-08-30 at 20:15 -0400, brian wrote:

> On 08/30/2011 07:58 PM, Always Learning wrote:
> > Curiously examining some of the blocked IP addresses in the daily
> > Logwatch report, I notice strange sites attempting to connect to our
> > servers on port 123 (the time port).
> > I also notice our servers successfully contacting official time
> > reference centres which are not those sites trying to connect to us. I
> > notice too the installed time software is listening on every available
> > IP. I cannot identify any options in any configuration files to
> > turn off this listening.
> > Why are unknown sites attempting to connect to our server to, I assume,
> > sample the time and how does one turn off the software's listening on
> > every IP address, including ?

>    You can use iptables to block that port for all but specified addresses...
>    assuming you have iptables set up to deny (drop) all by default, simply adding
> -A INPUT -s xxx.xxx.xxx.xxx/ -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT

I think the -i eth0 is not needed with only one physical network
interface. I don't use -m tcp and the instruction shown in your example
works well without the -m tcp.

Using IPtables caused the blocked ports with their IP addresses and their
packet details to appear in Logwatch. As a keen user of IPtables I am
currently looking at blocking some packets on their contents (-m
string ......) before trying the 'bad guy' site IP blocking determined
by hackers' packets (-m recent .......)

However I am curious to know why strange sites contact our servers on
port 123 and why the installed CentOS time software listens on every
available IP address.

Best regards,
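
Added example, not part of the original message: a way to break down the blocked port 123 entries mentioned above by source, protocol and source port, so that unknown senders stand apart from the configured time servers. It assumes the firewall logs with the kernel's netfilter LOG format (SRC=, PROTO=, SPT=, DPT= fields); the sample lines, addresses and the `trusted` set are constructed, and `summarize_ntp` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed, abbreviated sample lines in netfilter LOG format (documentation addresses).
SAMPLE_LOG = """\
Aug 30 23:10:01 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=76 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 30 23:10:17 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=76 TTL=52 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 30 23:11:40 host kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 LEN=76 TTL=49 ID=0 DF PROTO=UDP SPT=40112 DPT=123 LEN=56
Aug 30 23:12:02 host kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TTL=50 ID=4411 DF PROTO=TCP SPT=51000 DPT=123 WINDOW=5840 SYN
Aug 30 23:12:30 host kernel: IN=eth0 OUT= SRC=192.0.2.53 DST=192.0.2.10 LEN=76 TTL=60 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Aug 30 23:13:05 host kernel: IN=eth0 OUT= SRC=198.51.100.22 DST=192.0.2.10 LEN=60 TTL=49 ID=9 DF PROTO=TCP SPT=44000 DPT=22 WINDOW=5840 SYN
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_line(line):
    """Turn one LOG line into a dict of its KEY=value fields."""
    fields = {}
    for key, value in FIELD.findall(line):
        # LEN appears twice on UDP lines (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def summarize_ntp(log_text, trusted=()):
    """Count logged packets to port 123 per (source, protocol, source-port kind),
    skipping sources listed in `trusted` (the time servers you configured)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("DPT") != "123" or "SRC" not in f or f["SRC"] in trusted:
            continue
        # ntpd itself sends from source port 123; other clients often use an
        # ephemeral port. NTP runs over UDP, so TCP hits on 123 are not NTP traffic.
        kind = "spt123" if f.get("SPT") == "123" else "ephemeral"
        counts[(f["SRC"], f.get("PROTO", "?"), kind)] += 1
    return counts


if __name__ == "__main__":
    for (src, proto, kind), n in summarize_ntp(SAMPLE_LOG, {"192.0.2.53"}).most_common():
        print(f"{n:4d}  {src:<16} {proto:<4} {kind}")
```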

