discuss: NTP HOWTO updates


Previous by date: 10 Jul 2004 17:32:53 -0000 Re: Xinerama-HOWTO, Nico Schottelius
Next by date: 10 Jul 2004 17:32:53 -0000 Re: Final Review Needed: Spam Filtering for Mail Exchangers, Timothy M. Lyons
Previous in thread:
Next in thread: 10 Jul 2004 17:32:53 -0000 Re: NTP HOWTO updates, Rob McGee

Subject: NTP HOWTO updates
From: "Timothy M. Lyons" ####@####.####
Date: 10 Jul 2004 17:32:53 -0000
Message-Id: <008a01c466a3$e26b4600$c8320b0a@putnaminv.com>

Avi,

I was just looking over the NTP configuration HOWTO and see that it is
completely lacking any definition of ACLs to prevent unauthorized use
and/or manipulation.  I would recommend the addition of ACLs into that
document; we can get into key authentication at a later date.

Hope you don't mind the input.
--Tim


# NTP Server Configuration
# First, Prohibit all access to this service.
restrict default ignore

# Allow access from the Loopback address (127.0.0.1)
restrict 127.0.0.1

# Define your local client subnets for time synchronization - permit sync
# only.
# Note we don't trust them for synchronization, allow them to modify the
# config, nor do we deem it necessary to log every time the client queries
# for time (unless we are debugging).
restrict 192.168.1.0 mask 255.255.255.248 notrust nomodify notrap
restrict 10.11.12.0 mask 255.255.254.0 notrust nomodify notrap

# Define time servers for this server to sync with.  First we need to adjust
# the ACL to permit synchronization, then we define the servers.
restrict 18.145.0.30 mask 255.255.255.255 nomodify notrap noquery
restrict 132.163.4.100 mask 255.255.255.255 nomodify notrap noquery
restrict 192.5.41.41 mask 255.255.255.255 nomodify notrap noquery
restrict 192.5.41.40 mask 255.255.255.255 nomodify notrap noquery

server 18.145.0.30
server 132.163.4.100
server 192.5.41.41
server 192.5.41.40


Client configuration would be similar except the definitions for local
network would be removed and the internal servers would be specified.
ACLs are good.
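
An added example, not part of the original message: a small Python check that works out which `restrict` entry applies to a given source address and flags any `server` line whose replies the ACL would drop. It assumes IPv4 literals only and follows ntpd's documented matching rule (entries sorted by address, then mask, with the last match supplying the flags); the function names are hypothetical.

```python
import ipaddress

# Constructed sample: the restrict/server lines from the message above.
SAMPLE_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.248 notrust nomodify notrap
restrict 10.11.12.0 mask 255.255.254.0 notrust nomodify notrap
restrict 18.145.0.30 mask 255.255.255.255 nomodify notrap noquery
restrict 132.163.4.100 mask 255.255.255.255 nomodify notrap noquery
restrict 192.5.41.41 mask 255.255.255.255 nomodify notrap noquery
restrict 192.5.41.40 mask 255.255.255.255 nomodify notrap noquery
server 18.145.0.30
server 132.163.4.100
server 192.5.41.41
server 192.5.41.40
"""

def parse(conf):
    """Return (sorted restrict entries, server addresses)."""
    entries, servers = [], []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if tok[:1] == ["server"]:
            servers.append(tok[1])
        elif tok[:1] == ["restrict"]:
            addr, mask, flags = "0.0.0.0", "0.0.0.0", tok[2:]  # "default"
            if tok[1] != "default":
                addr, mask = tok[1], "255.255.255.255"  # no mask: host entry
                if tok[2:3] == ["mask"]:
                    mask, flags = tok[3], tok[4:]
            a, m = (int(ipaddress.IPv4Address(x)) for x in (addr, mask))
            entries.append((a & m, m, frozenset(flags)))
    return sorted(entries, key=lambda e: (e[0], e[1])), servers

def flags_for(entries, source):
    """Flags of the last matching entry in sorted order."""
    src, hit = int(ipaddress.IPv4Address(source)), None
    for addr, mask, flags in entries:
        if src & mask == addr:
            hit = flags
    return hit

def unreachable_servers(entries, servers):
    """Upstream servers that fall through to an 'ignore' entry."""
    return [s for s in servers if "ignore" in (flags_for(entries, s) or ())]
```

With the sample above, `192.168.1.5` resolves to the client-subnet flags, while `192.168.1.9` lies outside the 255.255.255.248 mask and falls through to `ignore`.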








  ©The Linux Documentation Project, 2014. Listserver maintained by dr Serge Victor on ibiblio.org servers. See current spam statz.