...
The Prevention
--------------
1. If you plan to continue running NTP, ensure it is upgraded to 4.2.6, or later. ITS Networking operates two NTPv4 (NTP version 4) free of charge: 128.83.185.40 (ntp1.utexas.edu) or 128.83.185.41 (ntp2.utexas.edu)
2. Review NTP access restrictions and adjust as needed. Refer to the following
resources: http://support.ntp.org/bin/view/Support/AccessRestrictions
| Panel |
|---|
...
Example 1: |
...
edit /etc/inet/ntp.client -> ntp.conf |
...
added: |
...
#added for DDoS prevention - don't allow any machine, except those w/o flags |
...
restrict default notrust nomodify |
...
noquery |
...
restrict 127.0.0.1 |
...
Example 2 (with additional comments): # Permit time synchronization with our time source, but do not# permit the source to query or modify the service on this system.restrict default ignorerestrict -6 default ignore #restrict default kod nomodify notrap nopeer noquery#restrict -6 default kod nomodify notrap nopeer noquery # Permit all access over the loopback interface. This could# be tightened as well, but to do so would effect some of# the administrative functions.restrict 127.0.0.1server 128.83.185.40restrict 128.83.185.40 |
...
nomodify notrap nopeer noqueryserver 128.83.185.41restrict 128.83.185. |
...
41 nomodify notrap nopeer noquery ~~~~~~~~``default servers are commented out# Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). #server 0.centos.pool.ntp.org iburst #server 1.centos.pool.ntp.org iburst #server 2.centos.pool.ntp.org iburst #server 3.centos.pool.ntp.org iburst |
Implement Deny Hosts
| Anchor | ||||
|---|---|---|---|---|
|
...