Tighten default restrictions for ntpd(8) server and provide a link
to NTP access restriction documentation. The new default restrictions would allow only time queries from a remote system and will KoD all other requests, but still allow localhost to make all requests. These restrictions are also recommended for all Internet-facing public NTP servers. This changeset is intended for an instant MFC to stable/10 and releng/10.0.
parent fafe884473
commit b2c730e011

etc/ntp.conf | 34
@ -17,7 +17,7 @@
# users with a static IP and good upstream NTP servers to add a server
# to the pool. See http://www.pool.ntp.org/join.html if you are interested.
#
# The option `iburst' is used for faster initial synchronisation.
# The option `iburst' is used for faster initial synchronization.
#
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
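Review bot: the `synchronisation' to `synchronization' spelling change in this hunk is a cosmetic comment edit unrelated to the restriction tightening; keeping it out of a changeset marked for an instant MFC to stable/10 and releng/10.0 would keep the security change minimal to review and cherry-pick.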
@ -35,21 +35,37 @@ server 2.freebsd.pool.ntp.org iburst
# server 2.CC.pool.ntp.org iburst

#
# Security: Only accept NTP traffic from the following hosts.
# The following configuration example only accepts traffic from the
# above defined servers.
# Security:
#
# By default, only allow time queries and block all other requests
# from unauthenticated clients.
#
# See http://support.ntp.org/bin/view/Support/AccessRestrictions
# for more information.
#
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
#
# Alternatively, the following rules would block all unauthorized access.
#
#restrict default ignore
#restrict -6 default ignore
#
# In this case, all remote NTP time servers also need to be explicitly
# allowed or they would not be able to exchange time information with
# this server.
#
# Please note that this example doesn't work for the servers in
# the pool.ntp.org domain since they return multiple A records.
# (This is the reason that by default they are commented out)
#
#restrict default ignore
#restrict 0.pool.ntp.org nomodify nopeer noquery notrap
#restrict 1.pool.ntp.org nomodify nopeer noquery notrap
#restrict 2.pool.ntp.org nomodify nopeer noquery notrap
#restrict 127.0.0.1
#restrict -6 ::1
#restrict 127.127.1.0
#
# The following settings allow unrestricted access from the localhost
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

#
# If a server loses sync with all upstream servers, NTP clients

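Review bot: the commit message says the new defaults "will KoD all other requests", but `restrict default kod nomodify notrap nopeer noquery` (and the `-6` twin) sets `kod` without `limited`; in ntpd the kiss-o'-death reply is tied to the rate limiting that the `limited` flag enables, so as written the packets rejected by `noquery`, `nomodify` and `notrap` are simply dropped and no client is told to back off. Consider `restrict default limited kod nomodify notrap nopeer noquery` on both lines, and check the wording against the linked AccessRestrictions page so the comment and the behaviour match. The unrestricted `restrict 127.0.0.1` / `restrict -6 ::1` / `restrict 127.127.1.0` lines do give localhost the full access the message describes.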