To change the default configuration of the NTP service, use a text editor running as root user to edit the /etc/ntp.conf file. This file is installed together with ntpd and is configured to use time servers from the Red Hat pool by default. The man page ntp.conf(5) describes the command options that can be used in the configuration file apart from the access and rate limiting commands, which are explained in the ntp_acc(5) man page.
22.16.1. Configure Access Control to an NTP Service
To restrict or control access to the NTP service running on a system, make use of the restrict command in the ntp.conf file. See the commented out example:
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
The restrict command takes the following form:
restrict address mask option
where address and mask specify the IP addresses to which you want to apply the restriction, and option is one or more of:
ignore — All packets will be ignored, including ntpq and ntpdc queries.
kod — a “Kiss-o'-death” packet is to be sent to reduce unwanted queries.
limited — do not respond to time service requests that exceed the rate limit; ntpq and ntpdc queries are not affected.
lowpriotrap — traps set by matching hosts to be low priority.
nomodify — prevents any changes to the configuration.
noquery — prevents ntpq and ntpdc queries, but not time queries, from being answered.
nopeer — prevents a peer association being formed.
noserve — deny all packets except ntpq and ntpdc queries.
notrap — prevents ntpdc control message protocol traps.
notrust — deny packets that are not cryptographically authenticated.
ntpport — modify the match algorithm to only apply the restriction if the source port is the standard NTP UDP port 123.
version — deny packets that do not match the current NTP version.
To configure rate limit access to not respond at all to a query, the respective restrict command has to have the limited option. If ntpd should reply with a KoD packet, the restrict command needs to have both the limited and kod options.
The ntpq and ntpdc queries can be used in amplification attacks (see CVE-2013-5211 for more details), so do not remove the noquery option from the restrict default command on publicly accessible systems.
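The following is an added example, not part of the Red Hat guide or of the ntp project: a small Python audit that parses the restrict lines of an ntp.conf file and reports a restrict default line that is missing the options this section recommends for a publicly reachable server (noquery, nomodify, notrap, nopeer), or that names kod without limited, in which case no KoD packet is actually sent. The two ntp.conf fragments embedded in it are constructed samples, one weak and one hardened; the option names come from the list above, and the set REQUIRED_FOR_PUBLIC is this example's own choice of what to check for.

```python
"""Audit ntp.conf 'restrict' lines (added example, not Red Hat or ntp code)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Options accepted by the restrict command, as listed in ntp_acc(5).
KNOWN_OPTIONS = {
    "ignore", "kod", "limited", "lowpriotrap", "nomodify", "noquery",
    "nopeer", "noserve", "notrap", "notrust", "ntpport", "version",
}

# Options a publicly reachable server's 'restrict default' should carry
# (assumption of this example; noquery is the one the CVE-2013-5211 note is about).
REQUIRED_FOR_PUBLIC = {"noquery", "nomodify", "notrap", "nopeer"}

# Constructed sample: the default restriction still answers ntpq/ntpdc queries.
WEAK_CONF = """\
restrict default nomodify notrap
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""

# Constructed sample: query-less default for IPv4 and IPv6, rate limited with KoD.
HARDENED_CONF = """\
restrict default kod nomodify notrap nopeer noquery limited
restrict -6 default kod nomodify notrap nopeer noquery limited
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""


@dataclass
class Restrict:
    address: str                  # 'default', an IP address or a hostname
    mask: Optional[str] = None    # value after the 'mask' keyword, if any
    family: Optional[str] = None  # optional '-4' / '-6' address-family flag
    options: Set[str] = field(default_factory=set)
    unknown: Set[str] = field(default_factory=set)


def parse_restrict_lines(text: str) -> List[Restrict]:
    """Return one Restrict per active (uncommented) 'restrict' line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        fields = line.split()
        if not fields or fields[0] != "restrict":
            continue
        fields = fields[1:]
        family = fields.pop(0) if fields and fields[0] in ("-4", "-6") else None
        if not fields:
            continue
        entry = Restrict(address=fields.pop(0), family=family)
        if len(fields) >= 2 and fields[0] == "mask":
            entry.mask = fields[1]
            fields = fields[2:]
        for opt in fields:
            (entry.options if opt in KNOWN_OPTIONS else entry.unknown).add(opt)
        entries.append(entry)
    return entries


def audit_default(entries: List[Restrict]) -> List[str]:
    """Findings about the 'restrict default' lines, which govern unmatched clients."""
    findings = []
    defaults = [e for e in entries if e.address == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: unmatched hosts are unrestricted")
    for e in defaults:
        missing = REQUIRED_FOR_PUBLIC - e.options
        if missing:
            findings.append("restrict default lacks: " + ", ".join(sorted(missing)))
        if "kod" in e.options and "limited" not in e.options:
            findings.append("kod without limited: no KoD packet will be sent")
        if e.unknown:
            findings.append("unknown options: " + ", ".join(sorted(e.unknown)))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_default(parse_restrict_lines(conf)) or ["ok"])
```

Run against a real file with `audit_default(parse_restrict_lines(open("/etc/ntp.conf").read()))`; the check deliberately ignores the per-network lines, since the page's own local-network example relaxes those on purpose, and only the default line decides what an arbitrary Internet host may ask for.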