Tips:
1. Edit the ntp configuration file and make sure it has the default restrictions:
restrict default ignore
restrict -6 default ignore
2. Disable the monitor facility for vulnerability CVE-2013-5211:
disable monitor
3. Use nomodify nopeer noquery notrap for each IP or server that connects to the NTP server, and also apply the restrictions on the client so that the servers cannot make any query against the client.
restrict 200.148.5.9 nomodify nopeer noquery notrap
restrict 192.168.123.0 mask 255.255.255.0 nomodify nopeer noquery notrap
Example NTP server configuration.
# Default policy, deny any
restrict default ignore
restrict -6 default ignore
# For local IPs allow all
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.123.2
# For the local machine we want to allow all time, query and administrative access. That is, not to list any restrictions:
keys /etc/ntp.keys
trustedkey 1
requestkey 1
# Backup time source when none of the real sources are available.
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# NTP servers
server 200.148.5.9 iburst
server 0.pool.ntp.org iburst
# Disable any operation from NTP server
restrict 200.148.5.9 nomodify nopeer noquery notrap
restrict 0.pool.ntp.org nomodify nopeer noquery notrap
# Allow ntp sync from internal IPs
# Public IPs
restrict 200.148.5.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict 189.144.62.0 mask 255.255.255.0 nomodify nopeer noquery notrap
# Internal networks
restrict 192.168.123.0 mask 255.255.255.0 nomodify nopeer noquery notrap
restrict 10.10.0.0 mask 255.255.0.0 nomodify nopeer noquery notrap
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
disable monitor
Example NTP client configuration.
# Default policy, deny any
restrict default ignore
restrict -6 default ignore
driftfile /var/lib/ntp/drift/ntp.drift
logfile /var/log/ntp
# For local IPs of I200 allow all
restrict 127.0.0.1
restrict -6 ::1
# NTP server for LAN
server 192.168.123.2 iburst
server 10.10.31.1 iburst
restrict 192.168.123.2 nomodify nopeer noquery notrap
restrict 10.10.31.1 nomodify nopeer noquery notrap
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
disable monitor
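As an added check (example code, not part of the original post or of ntpd), the following script reads ntp.conf text and reports which of the three steps above are missing: a restrictive default policy, a restrict line with nomodify nopeer noquery notrap for every configured server, and disable monitor. The sample config is constructed for the example: 10.10.31.1 has no restrict line and disable monitor is absent, so two findings are expected.

```python
# Constructed sample config: one server lacks its restrict line and
# "disable monitor" is missing, so check_ntp_conf() reports two findings.
SAMPLE_CONF = """\
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
server 192.168.123.2 iburst
restrict 192.168.123.2 nomodify nopeer noquery notrap
server 10.10.31.1 iburst
"""
REQUIRED_FLAGS = {"nomodify", "nopeer", "noquery", "notrap"}


def parse_ntp_conf(text):
    """Return (servers, restricts, disabled); restricts maps a target
    ('default', '-6 default', IP or host) to its flag set, skipping 'mask X'."""
    servers, restricts, disabled = [], {}, set()
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments and blanks
        if not tokens:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "server" and args:
            servers.append(args[0])
        elif directive == "restrict" and args:
            prefix = ""
            if args[0] == "-6":  # IPv6 restrict line
                prefix, args = "-6 ", args[1:]
            if args:
                flags = args[3:] if args[1:2] == ["mask"] else args[1:]
                restricts[prefix + args[0]] = set(flags)
        elif directive == "disable":
            disabled.update(args)
    return servers, restricts, disabled


def check_ntp_conf(text):
    """Return a list of findings; an empty list means all three steps are present."""
    servers, restricts, disabled = parse_ntp_conf(text)
    findings = []
    for target in ("default", "-6 default"):  # step 1: default policy
        if not restricts.get(target, set()) & {"ignore", "noquery"}:
            findings.append(f"restrict {target} neither ignores nor blocks queries")
    for srv in servers:  # step 3: per-server restrictions
        missing = REQUIRED_FLAGS - restricts.get(srv, set())
        if missing:
            findings.append(f"server {srv} lacks restrict flags {sorted(missing)}")
    if "monitor" not in disabled:  # step 2: monlist amplification
        findings.append("disable monitor is absent (CVE-2013-5211 monlist)")
    return findings
```

Run it against /etc/ntp.conf by passing the file contents to check_ntp_conf(); an empty list means the configuration matches the tips above.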