22.16. Configure NTP
To change the default configuration of the NTP service, use a text editor running as root user to edit the /etc/ntp.conf file. This file is installed together with ntpd and is configured to use time servers from the Red Hat pool by default. The man page ntp.conf(5) describes the command options that can be used in the configuration file apart from the access and rate limiting commands which are explained in the
22.16.1. Configure Access Control to an NTP Service
To restrict or control access to the NTP service running on a system, make use of the restrict command in the ntp.conf file. See the commented out example:
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
The restrict command takes the following form:
restrict address mask option
where address and mask specify the IP addresses to which you want to apply the restriction, and option is one or more of:
ignore — All packets will be ignored, including
kod — a “Kiss-o'-death” packet is to be sent to reduce unwanted queries.
limited — do not respond to time service requests if the packet violates the rate limit default values or those specified by the
ntpdc queries are not affected. For more information on the discard command and the default values, see Section 22.16.2, “Configure Rate Limiting Access to an NTP Service”.
lowpriotrap — traps set by matching hosts to be low priority.
nomodify — prevents any changes to the configuration.
ntpdc queries, but not time queries, from being answered.
nopeer — prevents a peer association being formed.
noserve — deny all packets except
ntpdc control message protocol traps.
notrust — deny packets that are not cryptographically authenticated.
ntpport — modify the match algorithm to only apply the restriction if the source port is the standard
version — deny packets that do not match the current
To configure rate limit access to not respond at all to a query, the respective restrict command has to have the
ntpd should reply with a
restrict command needs to have both
ntpdc queries can be used in amplification attacks (see CVE-2013-5211 for more details), do not remove the noquery option from the restrict default command on publicly accessible systems.
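As an added example that is not part of the Red Hat guide, a small Python audit that parses the restrict lines of an ntp.conf and flags a restrict default rule that still answers control queries (neither noquery nor ignore is set) or that sets kod without limited. The two configuration fragments are constructed for the check; the local-network line is the commented-out example above.

```python
from typing import Dict, List, Optional

# Constructed ntp.conf fragments (not taken from a real system).
WEAK_CONF = """
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""

HARDENED_CONF = """
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""


def parse_restrict_lines(conf_text: str) -> List[Dict[str, object]]:
    """Return one record per active restrict command: address, mask, option set."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()       # comments and blank lines are skipped
        tokens = line.split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):  # optional address-family flag
            tokens = tokens[1:]
        if not tokens:
            continue                              # malformed: no address given
        address, tokens = tokens[0], tokens[1:]
        mask: Optional[str] = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        rules.append({"address": address, "mask": mask, "options": set(tokens)})
    return rules


def audit_restrict(conf_text: str) -> List[str]:
    """Report default rules that still answer control queries, and kod without limited."""
    findings = []
    for rule in parse_restrict_lines(conf_text):
        opts, addr = rule["options"], rule["address"]
        if addr == "default" and not opts & {"noquery", "ignore"}:
            findings.append(f"restrict {addr}: control (ntpdc) queries are answered; add noquery")
        if "kod" in opts and "limited" not in opts:
            findings.append(f"restrict {addr}: kod only takes effect together with limited")
    return findings
```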