Hello, all.

I would like to use ntpd for time sync, not rdate or ntpdate. But after installing ntpd, I found that it listens on all interfaces, like below:

udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd

Is there any way or option to listen only on 127.0.0.1, for security reasons?

Thanks in advance.
Filipe Brandenburger
2009-Jun-12 03:07 UTC
[CentOS] how to set ntpd listen only 127.0.0.1 ?
Hi,

2009/6/11 MontyRee <chulmin2 at hotmail.com>:
> Is there any way or option that only listen 127.0.0.1?

I don't think so. NTP is a UDP protocol, and its packets have both source and destination port 123, so the machine that is using NTP to set its own clock (the NTP "client") needs to listen on port 123 UDP to receive the replies from the NTP "server".

> for security reason?

Look into the "restrict" commands in ntp.conf to implement security policies on NTP. You can find information on how it works in "man ntp_acc". If you use a fixed list of NTP servers that have fixed IPs, you can also use iptables to block access to port 123 UDP from all except those hosts.

HTH,
Filipe
2009/6/12 MontyRee <chulmin2 at hotmail.com>:
> Hello, all.
>
> I would like to use ntpd for time sync not rdate or ntpdate.
>
> but after installation the ntpd, I found that listened at all interfaces
> like below.
>
> udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
> udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
> udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
> udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
>
> Is there any way or option that only listen 127.0.0.1 for security reason?
>
> Thanks in advacne.

You could also ditch the ntp daemon (uncheck it in ntsysv) in favour of running `ntpdate some.time.server` every now and then from cron, e.g.

@hourly /usr/sbin/ntpdate ro.pool.ntpdate.org

Sure, it might not be as elegant and practical, but it works.
From: MontyRee <chulmin2 at hotmail.com>
> I would like to use ntpd for time sync not rdate or ntpdate.
> but after installation the ntpd, I found that listened at all interfaces like below.
> udp 0 0 192.168.111.2:123 0.0.0.0:* 11528/ntpd
> udp 0 0 xxx.xxx.62.20:123 0.0.0.0:* 11528/ntpd
> udp 0 0 127.0.0.1:123 0.0.0.0:* 11528/ntpd
> udp 0 0 0.0.0.0:123 0.0.0.0:* 11528/ntpd
> Is there any way or option that only listen 127.0.0.1 for security reason?

Another option would be to firewall the unwanted ports...

JD
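Filipe's reply points at the "restrict" lines in ntp.conf (man ntp_acc) and at an iptables rule set for a fixed list of upstream servers, and JD suggests firewalling the unwanted ports. The shell script below is an added example that ties those two suggestions together; it is not from any post in this thread. Given a list of upstream server IPs it emits (a) an ntp.conf access-control fragment whose default policy ignores every packet, lets localhost in, and lets each listed server supply time but not query, modify or trap the daemon, and (b) the matching iptables rules that accept NTP on loopback and replies from those servers (source and destination port 123, as Filipe describes) and drop everything else arriving on 123/udp. The server addresses are constructed placeholders from the RFC 5737 documentation ranges; the script only prints the fragments, so it can be reviewed before anything is applied.

```shell
#!/bin/sh
# Added example, not code from the thread: generate ntp.conf "restrict" lines
# and iptables rules for an NTP client that should answer nobody except
# localhost and its own upstream servers.
# Server addresses below are constructed placeholders (RFC 5737 TEST-NET).
NTP_SERVERS="192.0.2.10 198.51.100.20"

# Emit ntp.conf access-control lines (see "man ntp_acc").
# "restrict default ignore" drops every packet not matched by a later line;
# localhost keeps full access (so ntpq -p still works locally); each upstream
# server may serve time but gets nomodify/notrap/noquery.
ntp_restrict_lines() {
    echo "restrict default ignore"
    echo "restrict -6 default ignore"
    echo "restrict 127.0.0.1"
    echo "restrict -6 ::1"
    for srv in "$@"; do
        echo "server $srv"
        echo "restrict $srv nomodify notrap noquery"
    done
}

# Emit iptables rules for the INPUT chain: accept NTP on the loopback
# interface, accept replies from each listed server (NTP replies come from
# source port 123 to our port 123), then drop any other 123/udp traffic.
ntp_iptables_rules() {
    echo "iptables -A INPUT -i lo -p udp --dport 123 -j ACCEPT"
    for srv in "$@"; do
        echo "iptables -A INPUT -p udp -s $srv --sport 123 --dport 123 -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 123 -j DROP"
}

# Print both fragments; redirect the first into ntp.conf and run the second
# as a firewall script once the server list has been checked.
ntp_restrict_lines $NTP_SERVERS
echo
ntp_iptables_rules $NTP_SERVERS
```

The restrict lines use IP addresses rather than hostnames so that the access list does not depend on DNS at daemon start; the iptables DROP rule sits last, so the order of the emitted lines matters when they are appended to an existing INPUT chain.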