Curiously examining some of the blocked IP addresses in the daily Logwatch report, I notice strange sites attempting to connect to our servers on port 123 (the time port).

I also notice our servers successfully contacting official time reference centres which are not those sites trying to connect to us. I notice too the installed time software is listening on every available IP. I cannot identify any options in any configuration files to turn off this listening.

Why are unknown sites attempting to connect to our server to, I assume, sample the time, and how does one turn off the software's listening on every IP address, including 127.0.0.1?

Thanks,

Paul.
On 08/30/2011 07:58 PM, Always Learning wrote:
> Curiously examining some of the blocked IP addresses in the daily
> Logwatch report, I notice strange sites attempting to connect to our
> servers on port 123 (the time port).
>
> I also notice our servers successfully contacting official time
> reference centres which are not those sites trying to connect to us. I
> notice too the installed time software is listening on every available
> IP. I cannot identify any options in any configuration files to
> turn off this listening.
>
> Why are unknown sites attempting to connect to our server to, I assume,
> sample the time, and how does one turn off the software's listening on
> every IP address, including 127.0.0.1?
>
> Thanks,
>
> Paul.

You can use iptables to block that port for all but specified addresses... Assuming you have iptables set up to deny (drop) all by default, simply adding

  -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT

...to your rule list will allow the specified net address(es) to contact you on port 123. The above, of course, assumes your input port is eth0 (change that, if different on your system), and that the NTP server uses TCP protocol (change that to UDP, otherwise). Should be enough to get you started on the right track, anyway.
On 31.08.2011 01:58, Always Learning wrote:
> I also notice our servers successfully contacting official time
> reference centres which are not those sites trying to connect to us. I
> notice too the installed time software is listening on every available
> IP. I cannot identify any options in any configuration files to
> turn off this listening.

ntpd shipping with CentOS 6 has an option "-I iface"; see "man 8 ntpd". Edit "/etc/sysconfig/ntpd" accordingly. ntpd shipping with CentOS 5 does not have that and thus always binds to all available interfaces.

> Thanks,
>
> Paul.

Alexander
On Tuesday, August 30, 2011 08:15:28 PM brian wrote:
> ...to your rule list will allow the specified net address(es) to contact you on port 123. the above, of course, assumes your
> input port is eth0 (change that, if different on your system), and that the NTP server uses TCP protocol (change that to UDP,
> otherwise). should be enough to get you started on the right track, anyway.

NTP uses UDP. Also, NTP uses addresses in the 127/8 space locally for configuration purposes; see the NTP man pages and the main ntp.org website for thorough documentation on all the options and what those other addresses in 127/8 do. This is one of those cases where you read the full upstream documentation set before you change anything; kind of like attempting an automatic transmission rebuild project where the instructions say clearly 'read entire procedure before performing any work' and the instructions mean that very literally.
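Putting the replies together (brian's iptables allow-list, the correction that NTP is UDP, and Alexander's point about ntpd binding to every interface), here is an added example that is not part of the thread: it derives the allow-list from the server/peer lines of an ntp.conf and checks netstat output for a wildcard bind. The ntp.conf and netstat output are constructed, and all addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds an iptables allow-list for
# inbound NTP (UDP/123) from the server/peer lines of an ntp.conf, and
# checks netstat output for a wildcard bind. All input below is constructed.

# Constructed ntp.conf; addresses are documentation-range placeholders.
SAMPLE_NTP_CONF='driftfile /var/lib/ntp/drift
server 192.0.2.10 iburst
server 198.51.100.20
peer 203.0.113.5
restrict default kod nomodify notrap nopeer noquery'

# Constructed "netstat -lun" output: ntpd bound on 0.0.0.0 and :: (every IP).
SAMPLE_NETSTAT_ALL='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:123             0.0.0.0:*
udp        0      0 :::123                  :::*'

# Constructed "netstat -lun" output: ntpd bound only on specific addresses.
SAMPLE_NETSTAT_IFACE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 127.0.0.1:123           0.0.0.0:*
udp        0      0 192.0.2.2:123           0.0.0.0:*'

# ntp_upstreams CONF: print the address from every "server" or "peer" line.
ntp_upstreams() {
    printf '%s\n' "$1" | awk '$1 == "server" || $1 == "peer" { print $2 }'
}

# ntp_iptables_rules CONF IFACE: one ACCEPT per upstream on UDP/123 (NTP is
# UDP, as the follow-up notes), then a DROP so nobody else can query the daemon.
ntp_iptables_rules() {
    ntp_upstreams "$1" | while read -r host; do
        printf '%s\n' "-A INPUT -s $host -i $2 -p udp --dport 123 -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -i $2 -p udp --dport 123 -j DROP"
}

# ntp_wildcard_listen NETSTAT_OUTPUT: succeed (exit 0) when any UDP/123 socket
# is bound to the IPv4 or IPv6 wildcard address, i.e. listening on every IP.
ntp_wildcard_listen() {
    printf '%s\n' "$1" | awk '$1 ~ /^udp/ && $4 ~ /^(0\.0\.0\.0|::):123$/ { found = 1 }
                              END { exit !found }'
}

# Usage: print the rules for eth0 and report whether the sample daemon is wide open.
ntp_iptables_rules "$SAMPLE_NTP_CONF" eth0
if ntp_wildcard_listen "$SAMPLE_NETSTAT_ALL"; then
    echo "ntpd is bound on the wildcard address; restrict it with -I or iptables"
fi
```

The DROP rule is scoped to the named interface, so loopback traffic from the daemon's own 127/8 control addresses is unaffected.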