FAQ
Curiously examining some of the blocked IP addresses in the daily
Logwatch report, I notice strange sites attempting to connect to our
servers on port 123 (the time port).

I also notice our servers successfully contacting official time
reference centres which are not those sites trying to connect to us. I
notice too the installed time software is listening on every available
IP. I can not identify any options in any configuration files to
turn off this listening.

Why are unknown sites attempting to connect to our server to, I assume,
sample the time, and how does one turn off the software's listening on
every IP address, including 127.0.0.1?

Thanks,

Paul.


  • Brian at Aug 30, 2011 at 8:15 pm

    On 08/30/2011 07:58 PM, Always Learning wrote:
    Curiously examining some of the blocked IP addresses in the daily
    Logwatch report, I notice strange sites attempting to connect to our
    servers on port 123 (the time port).

    I also notice our servers successfully contacting official time
    reference centres which are not those sites trying to connect to us. I
    notice too the installed time software is listening on every available
    IP. I can not identify any options in any configuration files to
    turn off this listening.

    Why are unknown sites attempting to connect to our server to, I assume,
    sample the time, and how does one turn off the software's listening on
    every IP address, including 127.0.0.1?

    Thanks,

    Paul.
    You can use iptables to block that port for all but specified addresses...

    assuming you have iptables set up to deny (drop) all by default, simply adding


    -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT


    ...to your rule list will allow the specified net address(es) to contact you on port 123. The above, of course, assumes your
    input port is eth0 (change that, if different on your system), and that the NTP server uses the TCP protocol (change that to UDP,
    otherwise). Should be enough to get you started on the right track, anyway.
  • Always Learning at Aug 30, 2011 at 8:27 pm

    On Tue, 2011-08-30 at 20:15 -0400, brian wrote:
    On 08/30/2011 07:58 PM, Always Learning wrote:

    Curiously examining some of the blocked IP addresses in the daily
    Logwatch report, I notice strange sites attempting to connect to our
    servers on port 123 (the time port).

    I also notice our servers successfully contacting official time
    reference centres which are not those sites trying to connect to us. I
    notice too the installed time software is listening on every available
    IP. I can not identify any options in any configuration files to
    turn off this listening.

    Why are unknown sites attempting to connect to our server to, I assume,
    sample the time, and how does one turn off the software's listening on
    every IP address, including 127.0.0.1?
    You can use iptables to block that port for all but specified addresses...

    assuming you have iptables set up to deny (drop) all by default, simply adding


    -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT
    I think the -i eth0 is not needed with only one physical network
    interface. I don't use -m tcp and the instruction shown in your example
    works well without the -m tcp.

    Using IPtables caused the blocked ports, with their IP addresses and their
    packet details, to appear in Logwatch. As a keen user of IPtables I am
    currently looking at blocking some packets on their contents (-m
    string ......) before trying the 'bad guy' site IP blocking determined
    by hackers' packets (-m recent .......).

    However I am curious to know why strange sites contact our servers on
    port 123 and why the installed CentOS time software listens on every
    available IP address.

    Best regards,

    Paul.
    --
    With best regards,

    Paul.
    England,
    EU.
  • James Hogarth at Aug 31, 2011 at 1:21 am

    However I am curious to know why strange sites contact our servers on
    port 123 and why the installed CentOS time software listens on every
    available IP address.
    For your first part: either people are probing you, or have you checked to see if
    a previous admin had joined the ntp.org pool with your hosts?

    For your second part: man ntp.conf and look at your ntp.conf configuration.
    If memory serves, the default is to listen on all addresses and allow sync but no
    query, peer, modify, etc.
  • Lamar Owen at Aug 31, 2011 at 8:51 am

    On Tuesday, August 30, 2011 08:15:28 PM brian wrote:
    ...to your rule list will allow the specified net address(es) to contact you on port 123. The above, of course, assumes your
    input port is eth0 (change that, if different on your system), and that the NTP server uses the TCP protocol (change that to UDP,
    otherwise). Should be enough to get you started on the right track, anyway.
    NTP uses UDP. Also, NTP uses addresses in the 127/8 space locally for configuration purposes; see the NTP man pages and the main ntp.org website for thorough documentation on all the options and what those other addresses in 127/8 do.

    This is one of those cases where you read the full upstream documentation set before you change anything; kind of like attempting an automatic transmission rebuild project where the instructions say clearly 'read entire procedure before performing any work', and the instructions mean that very literally.
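    The rule set the thread converges on, written out as an added example (not code posted by any of the participants): Brian's allow-list approach with Lamar Owen's correction applied, so the match is on UDP rather than TCP, plus a loopback rule for the 127/8 traffic ntpd uses locally. The interface name eth0 and the two source networks are constructed placeholders; the function prints rules in iptables-restore syntax instead of applying them, so it can be reviewed offline.

```shell
#!/bin/sh
# Added example: generate inbound iptables rules for an ntpd client that should
# answer on 123/udp only to its configured upstream time servers.
# Usage: ntp_input_rules IFACE NET [NET ...]   (rules are printed, not applied)

# Print one rule; "$*" joins the arguments with single spaces.
rule() {
    printf '%s\n' "$*"
}

ntp_input_rules() {
    iface="$1"
    shift
    # ntpd and ntpq/ntpdc talk to each other over loopback (127/8); keep that open.
    rule -A INPUT -i lo -p udp --dport 123 -j ACCEPT
    # Only the configured upstream servers may reach 123/udp. NTP replies come
    # from source port 123 to our port 123, so with a default DROP policy these
    # rules are also what lets our own synchronisation answers back in.
    for net in "$@"; do
        rule -A INPUT -i "$iface" -s "$net" -p udp --dport 123 -j ACCEPT
    done
    # Everything else hitting the time port is logged (so it still shows up in
    # Logwatch, as in the original report) and then dropped.
    rule -A INPUT -i "$iface" -p udp --dport 123 -j LOG --log-prefix '"ntp-blocked: "'
    rule -A INPUT -i "$iface" -p udp --dport 123 -j DROP
}

# Constructed sample: eth0 and two placeholder upstream networks (RFC 5737 ranges).
ntp_input_rules eth0 192.0.2.0/24 198.51.100.10/32
```

    Compare the generated ACCEPT lines with the TCP rule quoted above: the only substantive change is -p udp, and there is no -m tcp qualifier to carry over.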
  • Alexander Dalloz at Aug 31, 2011 at 4:13 am

    On 31.08.2011 01:58, Always Learning wrote:

    I also notice our servers successfully contacting official time
    reference centres which are not those sites trying to connect to us. I
    notice too the installed time software is listening on every available
    IP. I can not identify any options in any configuration files to
    turn off this listening.
    ntpd shipping with CentOS 6 has an option "-I iface"; see "man 8 ntpd".
    Edit "/etc/sysconfig/ntpd" accordingly. ntpd shipping with CentOS 5 does
    not have that and thus always binds to all available interfaces.
    Thanks,

    Paul.
    Alexander
  • Always Learning at Aug 31, 2011 at 8:13 am

    On Wed, 2011-08-31 at 10:13 +0200, Alexander Dalloz wrote:

    ntpd shipping with CentOS 6 has an option "-I iface"; see "man 8 ntpd".
    Edit "/etc/sysconfig/ntpd" accordingly. ntpd shipping with CentOS 5 does
    not have that and thus always binds to all available interfaces.
    That explains why I can not find a parameter to turn it off.

    Thank you.

    Paul.
