Recipe 19.4. Adding Access Controls

Previous page
Table of content
Next page
 < Day Day Up > 

19.4.1 Problem

You want to be sure your local clients look like clients, and not ntp servers. You want them to receive time service only, and from only the specified servers.

19.4.2 Solution

Add some access rules in /etc/ntp.conf, or you may add a couple of iptables rules to the client's firewall to allow time service only, and to disallow everything else.

To use ntp's access controls, add these lines to /etc/ntp.conf:

# default access policy # this denies all ntp traffic that is not # explicitly allowed restrict default ignore     # allow time service from this server # do not allow peering # do not allow runtime configuration changes # do not allow remote logging restrict 192.168.1.101 nopeer nomodify notrap     # we trust localhost restrict 127.0.0.0 mask 255.0.0.0

Remember to restart ntpd after making changes to ntp.conf.

An alternative to adding access rules to ntp.conf is to use these iptables rules. If the client machines are running iptables, add these rules to create a client that accepts only time service and rejects everything else:

iptables -A INPUT -p udp --dport 123 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -p udp --dport 123 -j REJECT

The first rule accepts all responses to sent ntp packets, and the second denies all others. Any host attempting to initiate a connection will be blocked, but responses to the client's own requests will be allowed.

19.4.3 Discussion

Here are some of the ntp.conf configuration options explained:


peer [hostname or IP]

The specified host is polled in symmetric active mode, which means peers synchronize each other. Never peer with a public time server.


server [hostname or IP]

The specified server is polled in client mode, so that only the client machine receives time synchronization.


restrict

Define restrictions on specific hosts, and override defaults. When a default is specified, restrict [host] with no options is the same as allow all [host].


ignore

Ignore all ntp packets.


nomodify

Do not allow runtime configuration changes. Queries that return information are permitted.


nopeer

Do not allow peering. This means the only servers allowed to supply time service are the ones specified by the server directive, and other hosts cannot use use this machine as a time server.


notrap

Do not trap mode 6 control messages. In effect, this disables remote logging.


noquery

Ignore all NTP mode 6 and 7 packets. In other words, do not allow queries, remote logging, or runtime configuration requests. Time service is not affected.

The main reasons for using access controls are to prevent your clients from becoming the timekeepers to the world, and to keep order and sanity in your network.

19.4.4 See Also

  • Your local documentation at /usr/share/doc/ntp-doc/html, or online at http://www.ntp.org/documentation.html

  • The home page for the pool.ntp.org project (http://www.pool.ntp.org)

  • The ntp.org web site (http://www.ntp.org)

  • The Usenet group comp.protocols.time.ntp

     < Day Day Up > 

    Previous page
    Table of content
    Next page
    Linux Cookbook
    Linux Cookbook
    ISBN: 0596006403
    EAN: 2147483647
    Year: 2004
    Pages: 434
    Authors: Carla Schroder
    BUY ON AMAZON
    Java for RPG Programmers, 2nd Edition
    C & Data Structures (Charles River Media Computer Engineering)
    PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
    Cisco CallManager Fundamentals (2nd Edition)
    Pocket Guide to the National Electrical Code(R), 2005 Edition (8th Edition)
    Wireless Hacks: Tips & Tools for Building, Extending, and Securing Your Network
    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net
    Privacy policy