Buscar
ApoyoConsolaDesarrolladoresIniciar una pruebaContacto

Este contenido no está disponible en el idioma seleccionado.

22.16. Configure NTP

download PDF
To change the default configuration of the NTP service, use a text editor running as root user to edit the /etc/ntp.conf file. This file is installed together with ntpd and is configured to use time servers from the Red Hat pool by default. The man page ntp.conf(5) describes the command options that can be used in the configuration file apart from the access and rate limiting commands which are explained in the ntp_acc(5) man page.

22.16.1. Configure Access Control to an NTP Service

To restrict or control access to the NTP service running on a system, make use of the restrict command in the ntp.conf file. See the commented out example: 
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
The restrict command takes the following form: 
restrict address mask option
where address and mask specify the IP addresses to which you want to apply the restriction, and option is one or more of:
  • ignore — All packets will be ignored, including ntpq and ntpdc queries.
  • kod — a Kiss-o'-death packet is to be sent to reduce unwanted queries.
  • limited — do not respond to time service requests if the packet violates the rate limit default values or those specified by the discard command. ntpq and ntpdc queries are not affected. For more information on the discard command and the default values, see Section 22.16.2, “Configure Rate Limiting Access to an NTP Service”.
  • lowpriotrap — traps set by matching hosts to be low priority.
  • nomodify — prevents any changes to the configuration.
  • noquery — prevents ntpq and ntpdc queries, but not time queries, from being answered.
  • nopeer — prevents a peer association being formed.
  • noserve — deny all packets except ntpq and ntpdc queries.
  • notrap — prevents ntpdc control message protocol traps.
  • notrust — deny packets that are not cryptographically authenticated.
  • ntpport — modify the match algorithm to only apply the restriction if the source port is the standard NTP UDP port 123.
  • version — deny packets that do not match the current NTP version.
To configure rate limit access to not respond at all to a query, the respective restrict command has to have the limited option. If ntpd should reply with a KoD packet, the restrict command needs to have both limited and kod options.
The ntpq and ntpdc queries can be used in amplification attacks (see CVE-2013-5211 for more details), do not remove the noquery option from the restrict default command on publicly accessible systems.
Red Hat logoGithubRedditYoutubeTwitter

Aprender

Pruebe, compre y venda

Comunidades

Acerca de la documentación de Red Hat

Ayudamos a los usuarios de Red Hat a innovar y alcanzar sus objetivos con nuestros productos y servicios con contenido en el que pueden confiar.

Hacer que el código abierto sea más inclusivo

Red Hat se compromete a reemplazar el lenguaje problemático en nuestro código, documentación y propiedades web. Para más detalles, consulte el Blog de Red Hat.

Acerca de Red Hat

Ofrecemos soluciones reforzadas que facilitan a las empresas trabajar en plataformas y entornos, desde el centro de datos central hasta el perímetro de la red.

© 2024 Red Hat, Inc.