Ce contenu n'est pas disponible dans la langue sélectionnée.
22.16. Configure NTP
To change the default configuration of the
NTP
service, use a text editor running as root
user to edit the /etc/ntp.conf
file. This file is installed together with ntpd
and is configured to use time servers from the Red Hat pool by default. The man page ntp.conf(5)
describes the command options that can be used in the configuration file apart from the access and rate limiting commands which are explained in the ntp_acc(5)
man page.
22.16.1. Configure Access Control to an NTP Service
To restrict or control access to the
NTP
service running on a system, make use of the restrict
command in the ntp.conf
file. See the commented out example:
# Hosts on local network are less restricted. #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
The
restrict
command takes the following form:
restrict
address mask option
where address and mask specify the IP addresses to which you want to apply the restriction, and option is one or more of:
ignore
— All packets will be ignored, includingntpq
andntpdc
queries.kod
— a “Kiss-o'-death” packet is to be sent to reduce unwanted queries.limited
— do not respond to time service requests if the packet violates the rate limit default values or those specified by thediscard
command.ntpq
andntpdc
queries are not affected. For more information on thediscard
command and the default values, see Section 22.16.2, “Configure Rate Limiting Access to an NTP Service”.lowpriotrap
— traps set by matching hosts to be low priority.nomodify
— prevents any changes to the configuration.noquery
— preventsntpq
andntpdc
queries, but not time queries, from being answered.nopeer
— prevents a peer association being formed.noserve
— deny all packets exceptntpq
andntpdc
queries.notrap
— preventsntpdc
control message protocol traps.notrust
— deny packets that are not cryptographically authenticated.ntpport
— modify the match algorithm to only apply the restriction if the source port is the standardNTP
UDP
port123
.version
— deny packets that do not match the currentNTP
version.
To configure rate limit access to not respond at all to a query, the respective
restrict
command has to have the limited
option. If ntpd
should reply with a KoD
packet, the restrict
command needs to have both limited
and kod
options.
The
ntpq
and ntpdc
queries can be used in amplification attacks (see CVE-2013-5211 for more details), do not remove the noquery
option from the restrict default
command on publicly accessible systems.