Hello, all.

I would like to use ntpd for time sync, not rdate or ntpdate.

But after installing ntpd, I found that it listens on all interfaces, like below:

udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd

Is there any way or option to listen only on 127.0.0.1, for security reasons?

Thanks in advance.


  • Filipe Brandenburger at Jun 12, 2009 at 3:07 am
    Hi,

    2009/6/11 MontyRee <chulmin2 at hotmail.com>:
    > Is there any way or option that only listen 127.0.0.1?

    I don't think so. NTP is a UDP protocol, and its packets have both
    source and destination port 123, so the machine that is using NTP to
    set its own clock (NTP "client") needs to listen on port 123 UDP to
    receive the replies from the NTP "server".

    > for security reason?

    Look into the "restrict" commands in ntp.conf to implement security
    policies on NTP. You can find information on how it works in "man
    ntp_acc".

    If you use a fixed list of NTP servers that have fixed IPs, you can
    also use iptables to block access to port 123 UDP for all except those
    hosts.

    HTH,
    Filipe
  • MontyRee at Jun 12, 2009 at 4:17 am
    Thanks for your kind answer.

    > Look into the "restrict" commands in ntp.conf to implement security
    > policies on NTP. You can find information on how it works on "man
    > ntp_acc".

    The default restrict config looks like below:

    restrict default nomodify notrap noquery

    If I set up the ntpd service as a client, not a server, are the above options sufficient?

    I would like to deny any ntpd query packets except reply packets from others, because it is a client.

    But it seems that other clients can query the date.

    Thanks in advance.
  • Filipe Brandenburger at Jun 12, 2009 at 4:37 am
    Hi,

    2009/6/12 MontyRee <chulmin2 at hotmail.com>:
    > If I setup ntpd service as a client, not server, above options are
    > sufficient?

    I don't know, I never bothered trying to understand how that works...
    I suggest you read "man ntp_acc" if you really want to implement that.
    After you do, please share with us how that works! :-)

    Cheers,
    Filipe
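Putting Filipe's two suggestions (ntp.conf "restrict" lines plus iptables) together for the client-only case MontyRee asks about, as an added example that is not from anyone in the thread: a small POSIX shell script that generates a restrict-based ntp.conf and the matching iptables rules from one list of upstream server IPs. The 192.0.2.x addresses are constructed placeholders, the driftfile path is assumed, and, as Filipe's iptables suggestion already requires, the upstream servers must have fixed IPs (a "pool" entry whose addresses change would not be let through by "restrict default ignore").

```shell
#!/bin/sh
# Added example (not from the thread): build a client-only ntp.conf and the
# matching iptables rules from a single list of upstream server IPs, so the
# two allow-lists cannot drift apart.
# Assumptions: 192.0.2.10/192.0.2.11 are constructed placeholder addresses;
# the driftfile path is the usual one but may differ per distribution.

# ntp_client_conf IP...  -> hardened ntp.conf for a pure client, on stdout
ntp_client_conf() {
    # "restrict default ignore" discards every packet whose source matches no
    # more specific restrict line, including mode 3 time requests from other
    # hosts. The stock "nomodify notrap noquery" only blocks ntpq/ntpdc status
    # queries and config changes, which is why other clients could still fetch
    # the time in the thread.
    printf '%s\n' \
        'driftfile /var/lib/ntp/drift' \
        'restrict default ignore' \
        'restrict -6 default ignore' \
        'restrict 127.0.0.1' \
        'restrict -6 ::1'
    for ip in "$@"; do
        # Replies from each upstream must be accepted, so each server gets its
        # own restrict line; the flags still stop that server from modifying,
        # peering with, or querying the status of this daemon.
        printf 'server %s iburst\n' "$ip"
        printf 'restrict %s nomodify notrap nopeer noquery\n' "$ip"
    done
    # ntpd 4.2.6 and later also accept an "interface" directive (for example
    # "interface ignore wildcard") to limit which addresses are bound; it is
    # left out here because older ntpd builds reject it.
}

# ntp_iptables_rules IP...  -> iptables commands on stdout (printed, not run)
ntp_iptables_rules() {
    # Local ntpq/ntpdc against 127.0.0.1 still works.
    printf '%s\n' 'iptables -A INPUT -i lo -p udp --dport 123 -j ACCEPT'
    for ip in "$@"; do
        # As Filipe notes, NTP replies arrive from the server's port 123 to
        # our port 123, so that is the only remote traffic allowed in.
        printf 'iptables -A INPUT -p udp -s %s --sport 123 --dport 123 -j ACCEPT\n' "$ip"
    done
    # Everything else aimed at our port 123 is dropped.
    printf '%s\n' 'iptables -A INPUT -p udp --dport 123 -j DROP'
}

# Usage: sh ntp-client-lockdown.sh show
if [ "${1:-}" = "show" ]; then
    ntp_client_conf 192.0.2.10 192.0.2.11
    echo '---'
    ntp_iptables_rules 192.0.2.10 192.0.2.11
fi
```

Running the script with `show` prints both outputs; redirect the first into ntp.conf and review the second before applying it. The per-server "restrict" lines are what keep the client working after "restrict default ignore" is in place, and the trailing DROP rule is the firewall-side answer to the same question: with only the stock "nomodify notrap noquery", a remote host can still send a mode 3 request and be answered.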
  • Lucian at Jun 12, 2009 at 7:17 am

    2009/6/12 MontyRee <chulmin2 at hotmail.com>:
    > Hello, all.
    >
    > I would like to use ntpd for time sync not rdate or ntpdate.
    >
    > but after installation the ntpd, I found that listened at all interfaces
    > like below.
    >
    > udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
    > udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
    > udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
    > udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
    >
    > Is there any way or option that only listen 127.0.0.1 for security reason?
    >
    > Thanks in advance.
    >
    > _______________________________________________
    > CentOS mailing list
    > CentOS at centos.org
    > http://lists.centos.org/mailman/listinfo/centos

    You could also ditch the ntp daemon (uncheck it in ntsysv) in favour
    of running `ntpdate some.time.server` every now and then from cron.
    e.g.
    @hourly /usr/sbin/ntpdate ro.pool.ntpdate.org

    Sure, it might not be as elegant and practical, but it works.
  • Scott Silva at Jun 12, 2009 at 4:49 pm
    on 6-12-2009 12:17 AM Lucian at lastdot.org spake the
    following:
    > 2009/6/12 MontyRee <chulmin2 at hotmail.com>:
    >> Hello, all.
    >>
    >> I would like to use ntpd for time sync not rdate or ntpdate.
    >>
    >> but after installation the ntpd, I found that listened at all interfaces
    >> like below.
    >>
    >> udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
    >> udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
    >> udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
    >> udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
    >>
    >> Is there any way or option that only listen 127.0.0.1 for security reason?
    >>
    >> Thanks in advance.
    >
    > You could also ditch the ntp daemon (uncheck it in ntsysv) in favour
    > of running `ntpdate some.time.server` every now and then from cron.
    > e.g.
    > @hourly /usr/sbin/ntpdate ro.pool.ntpdate.org
    >
    > Sure, it might not be as elegant and practical, but it works.

    Don't do that on a server, especially a mail server, as you will cause yourself
    a lot of grief as the time makes large jumps around. Many daemons are very
    sensitive to big time jumps either forward or backward.

    Ntpd is very easy to use and you can easily restrict which ports it listens to.
  • John Doe at Jun 12, 2009 at 9:03 am
    From: MontyRee <chulmin2 at hotmail.com>
    > I would like to use ntpd for time sync not rdate or ntpdate.
    > but after installation the ntpd, I found that listened at all interfaces like below.
    > udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
    > udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
    > udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
    > udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
    > Is there any way or option that only listen 127.0.0.1 for security reason?

    Another option would be to firewall the unwanted ports...

    JD

Discussion overview: group centos @ centos.org (irc #centos); posted Jun 12, '09 at 2:35a; last active Jun 12, '09 at 4:49p; 7 posts, 5 users.