[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: NTP security

On one of my multihomed machines together with authentication I tend to use
something like:

restrict default ignore
restrict ntpserver1 nomodify
restrict ntpserver2 nomodify
restrict ntpserver3 nomodify
restrict network1 mask netmask1 notrust nomodify
restrict network2 mask netmask2 notrust nomodify
restrict network3 mask netmask3

Basically this synchronizes time using the 3 server sources and then via a
broadcast server config it advertises the time to network1, network2, and
network3. network3 however is the only network which administrative
requests may be honored from, or localhost.  See the other popular thread
right now for locking down your interfaces on a ip forwarding machine. <g>
Combined with a packet filter this should offer pretty good protection,
though it will be somthing you have to watch as your server addresses can
change with little warning.

On the subject of securing NTP, has anyone gotten the autokey stuff to work
the version of ntpd in stable?

Jamie Heilman                   http://audible.transient.net/~jamie/
"...thats the metaphorical equivalent of flopping your wedding tackle 
 into a lion's mouth and flicking his lovespuds with a wet towel, pure 
 insanity..."						-Rimmer

Reply to: