nanog mailing list archives
Re: OpenNTPProject.org
From: Pete Ashdown <pashdown () xmission com>
Date: Sun, 16 Feb 2014 11:29:17 -0700
Just in case you run a legitimate open NTP server, this iptables stanza helps immensely:

## rate limit ntp
## ($IPTABLES is assumed to be set to the iptables binary, e.g. /sbin/iptables)
$IPTABLES -N NTP
$IPTABLES -N BLACKHOLE
# BLACKHOLE: remember the offending source in the ntpv4blackhole list, then drop
$IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A BLACKHOLE -j DROP
# 20 or more packets from one source within 5 seconds -> blackhole it
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name ntpv4 --rsource -j BLACKHOLE
# already blackholed and still sending (2 or more in 5 seconds) -> keep dropping
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP
# otherwise record the hit in the ntpv4 list and let the query through
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
# hand all inbound UDP/123 to the NTP chain
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP

I've found that blocking TCP destination NTP to client servers/networks blocks legitimate NTP synchronization for their clients. Although I wish they'd all just use my on-network NTP server, I can't assume they will. Does anyone have a list or source of pool and vendor (Apple/Microsoft/etc) servers so I can permit based on source before blocking based on destination port?
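To see what the stanza in the post actually does to a given source, here is an added example (written for this page; it is not code from the post or from netfilter) that models the xt_recent match and replays the three NTP-chain rules over constructed traffic. It assumes the documented recent-module semantics (a per-source ring of timestamps; `--set` always records a hit; `--update --seconds S --hitcount H` matches when at least H already-recorded hits fall inside the last S seconds and then records the current hit as well) and the module default of 20 remembered timestamps per address (`ip_pkt_list_tot`). The addresses, the traffic and the `RecentList`/`NtpChain`/`replay` names are all constructed for the demonstration.

```python
"""Replay the NTP rate-limit stanza through a model of the xt_recent match.

Added example, not code from the post or from netfilter. Assumes the
xt_recent default of 20 remembered timestamps per address (ip_pkt_list_tot).
All source addresses and traffic below are constructed.
"""
from collections import defaultdict, deque

PKT_LIST_TOT = 20  # xt_recent default: timestamps remembered per address


class RecentList:
    """One named xt_recent list (e.g. --name ntpv4), keyed by --rsource."""

    def __init__(self):
        self.entries = defaultdict(lambda: deque(maxlen=PKT_LIST_TOT))

    def set(self, src, now):
        """--set: record a hit for src; the rule always matches."""
        self.entries[src].append(now)
        return True

    def update(self, src, now, seconds, hitcount):
        """--update --seconds S --hitcount H: match if src is listed and at
        least H already-recorded hits lie within the last S seconds; on a
        match the current packet is recorded too, so the window keeps sliding."""
        if src not in self.entries:
            return False
        stamps = self.entries[src]
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits >= hitcount:
            stamps.append(now)
            return True
        return False


class NtpChain:
    """The NTP and BLACKHOLE chains from the stanza: one verdict per UDP/123 packet."""

    def __init__(self):
        self.ntpv4 = RecentList()
        self.blackhole = RecentList()

    def packet(self, src, now):
        # -A NTP -m recent --update --seconds 5 --hitcount 20 --name ntpv4 -j BLACKHOLE
        if self.ntpv4.update(src, now, seconds=5, hitcount=20):
            # -A BLACKHOLE -m recent --set --name ntpv4blackhole ; -A BLACKHOLE -j DROP
            self.blackhole.set(src, now)
            return "DROP"
        # -A NTP -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole -j DROP
        if self.blackhole.update(src, now, seconds=5, hitcount=2):
            return "DROP"
        # -A NTP -m recent --set --name ntpv4 -j ACCEPT
        self.ntpv4.set(src, now)
        return "ACCEPT"


def replay(traffic):
    """traffic: iterable of (seconds, src). Returns {src: (accepted, dropped)}."""
    chain = NtpChain()
    tally = defaultdict(lambda: [0, 0])
    for now, src in sorted(traffic):
        verdict = chain.packet(src, now)
        tally[src][0 if verdict == "ACCEPT" else 1] += 1
    return {src: tuple(counts) for src, counts in tally.items()}


# Constructed traffic (documentation-range addresses, not real hosts):
POLLER = "192.0.2.10"     # well-behaved ntpd client: one query every 64 s for an hour
FLOODER = "198.51.100.7"  # 100 queries in one second, then one per second for 30 s
BURSTER = "198.51.100.8"  # 25 queries in a quarter second, then one every 6 s

SAMPLE_TRAFFIC = (
    [(t, POLLER) for t in range(0, 3600, 64)]
    + [(i / 100, FLOODER) for i in range(100)]
    + [(float(t), FLOODER) for t in range(2, 32)]
    + [(i / 100, BURSTER) for i in range(25)]
    + [(10.0, BURSTER), (16.0, BURSTER), (22.0, BURSTER)]
)


def demo():
    """Replay the constructed traffic and return per-source (accepted, dropped)."""
    return replay(SAMPLE_TRAFFIC)


if __name__ == "__main__":
    for src, (ok, dropped) in demo().items():
        print(f"{src:14} accepted={ok:3} dropped={dropped:3}")
```

Replaying the constructed traffic shows the intended behaviour and its edges: the 64-second poller is never touched; the flooder gets its first 20 queries answered, loses the other 80 of the burst, and then stays dropped at one packet per second because the second rule refreshes the ntpv4blackhole entry on every drop, so any source that keeps sending two or more packets per 5 seconds stays blackholed regardless of the 20-hit threshold; the burster that backs off to one query every 6 seconds is released as soon as its blackhole entry has fewer than two hits in the window. Two things to keep in mind when deploying it: the window is only 5 seconds, so a sender that spaces packets more than 5 seconds apart is never limited, and because both lists key on the source address, in a spoofed reflection flood the address that ends up blackholed is the one being spoofed.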
Current thread:
- Re: OpenNTPProject.org Pete Ashdown (Feb 16)
- Re: OpenNTPProject.org Pete Ashdown (Feb 16)
- Re: OpenNTPProject.org Brian Rak (Feb 16)
- RE: OpenNTPProject.org Kate Gerry (Feb 16)
- Re: OpenNTPProject.org James R Cutler (Feb 16)
- Re: OpenNTPProject.org George, Wes (Feb 17)
- Re: OpenNTPProject.org Pete Ashdown (Feb 17)
- Re: OpenNTPProject.org Blake Dunlap (Feb 17)
- Re: OpenNTPProject.org Anthony Williams (Feb 17)
- Re: OpenNTPProject.org James R Cutler (Feb 17)
- Re: OpenNTPProject.org Blake Dunlap (Feb 17)
- RE: OpenNTPProject.org Kate Gerry (Feb 16)