Old 08-30-2011, 11:58 PM
Always Learning
 
Default (Centos 5.6) Server Time NTP Facility

Curiously examining some of the blocked IP addresses in the daily
Logwatch report, I notice strange sites attempting to connect to our
servers on port 123 (the time port).

I also notice our servers successfully contacting official time
reference centres which are not those sites trying to connect to us. I
notice too the installed time software is listening on every available
IP. I cannot identify any options in any configuration files to
turn off this listening.

Why are unknown sites attempting to connect to our server to, I assume,
sample the time, and how does one turn off the software's listening on
every IP address, including 127.0.0.1?

Thanks,

Paul.

_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
Old 08-31-2011, 12:15 AM
brian
 
Default (Centos 5.6) Server Time NTP Facility

On 08/30/2011 07:58 PM, Always Learning wrote:
>
> Curiously examining some of the blocked IP addresses in the daily
> Logwatch report, I notice strange sites attempting to connect to our
> servers on port 123 (the time port).
>
> I also notice our servers successfully contacting official time
> reference centres which are not those sites trying to connect to us. I
> notice too the installed time software is listening on every available
> IP. I cannot identify any options in any configuration files to
> turn off this listening.
>
> Why are unknown sites attempting to connect to our server to, I assume,
> sample the time, and how does one turn off the software's listening on
> every IP address, including 127.0.0.1?
>
> Thanks,
>
> Paul.
>

You can use iptables to block that port for all but specified addresses...

Assuming you have iptables set up to deny (drop) all by default, simply adding

-A INPUT -s xxx.xxx.xxx.xxx/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT

...to your rule list will allow the specified net address(es) to contact you on port 123. The above, of course, assumes your
input port is eth0 (change that, if different on your system), and that the NTP server uses the TCP protocol (change that to UDP,
otherwise). That should be enough to get you started on the right track, anyway.

 
Old 08-31-2011, 12:27 AM
Always Learning
 
Default (Centos 5.6) Server Time NTP Facility

On Tue, 2011-08-30 at 20:15 -0400, brian wrote:

> On 08/30/2011 07:58 PM, Always Learning wrote:
> >
> > Curiously examining some of the blocked IP addresses in the daily
> > Logwatch report, I notice strange sites attempting to connect to our
> > servers on port 123 (the time port).
> >
> > I also notice our servers successfully contacting official time
> > reference centres which are not those sites trying to connect to us. I
> > notice too the installed time software is listening on every available
> > IP. I cannot identify any options in any configuration files to
> > turn off this listening.
> >
> > Why are unknown sites attempting to connect to our server to, I assume,
> > sample the time, and how does one turn off the software's listening on
> > every IP address, including 127.0.0.1?

> You can use iptables to block that port for all but specified addresses...
>
> assuming you have iptables set up to deny (drop) all by default, simply adding
>
>
> -A INPUT -s xxx.xxx.xxx.xxx/255.255.255.0 -i eth0 -p tcp -m tcp --dport 123 -j ACCEPT

I think the -i eth0 is not needed with only one physical network
interface. I don't use -m tcp, and the instruction shown in your example
works well without the -m tcp.

Using iptables caused the blocked ports, with their IP addresses and their
packet details, to appear in Logwatch. As a keen user of iptables I am
currently looking at blocking some packets on their contents (-m
string ......) before trying the 'bad guy' site IP blocking determined
by hackers' packets (-m recent .......).

However, I am curious to know why strange sites contact our servers on
port 123 and why the installed CentOS time software listens on every
available IP address.

Best regards,

Paul.
--
With best regards,

Paul.
England,
EU.

 
Old 08-31-2011, 05:21 AM
James Hogarth
 
Default (Centos 5.6) Server Time NTP Facility

> However, I am curious to know why strange sites contact our servers on
> port 123 and why the installed CentOS time software listens on every
> available IP address.
>

For your first part, it is either people probing you, or have you checked to see if a previous admin had joined the ntp.org pool with your hosts?

For your second part, man ntp.conf and look at your ntp.conf configuration. If memory serves, the default is to listen on all addresses and allow sync but no query, peer, modify, etc.

 
Old 08-31-2011, 08:13 AM
Alexander Dalloz
 
Default (Centos 5.6) Server Time NTP Facility

On 31.08.2011 01:58, Always Learning wrote:

> I also notice our servers successfully contacting official time
> reference centres which are not those sites trying to connect to us. I
> notice too the installed time software is listening on every available
> IP. I cannot identify any options in any configuration files to
> turn off this listening.

ntpd shipping with CentOS 6 has an option "-I iface"; see "man 8 ntpd".
Edit "/etc/sysconfig/ntpd" accordingly. ntpd shipping with CentOS 5 does
not have that and thus always binds to all available interfaces.

> Thanks,
>
> Paul.

Alexander
 
Old 08-31-2011, 12:13 PM
Always Learning
 
Default (Centos 5.6) Server Time NTP Facility

On Wed, 2011-08-31 at 10:13 +0200, Alexander Dalloz wrote:

> ntpd shipping with CentOS 6 has an option "-I iface"; see "man 8 ntpd".
> Edit "/etc/sysconfig/ntpd" accordingly. ntpd shipping with CentOS 5 does
> not have that and thus always binds to all available interfaces.

That explains why I cannot find a parameter to turn it off.

Thank you.

Paul.

 
Old 08-31-2011, 12:51 PM
Lamar Owen
 
Default (Centos 5.6) Server Time NTP Facility

On Tuesday, August 30, 2011 08:15:28 PM brian wrote:
> ...to your rule list will allow the specified net address(es) to contact you on port 123. the above, of course, assumes your
> input port is eth0 (change that, if different on your system), and that the NTP server uses TCP protocol (change that to UDP,
> otherwise). should be enough to get you started on the right track, anyway.

NTP uses UDP. Also, NTP uses addresses in the 127/8 space locally for configuration purposes; see the NTP man pages and the main ntp.org website for thorough documentation on all the options and what those other addresses in 127/8 do.

This is one of those cases where you read the full upstream documentation set before you change anything; kind of like attempting an automatic transmission rebuild project where the instructions say clearly 'read entire procedure before performing any work' and the instructions mean that very literally.
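As an added example that is not part of the thread, the two controls discussed above (brian's iptables approach, written for UDP as Lamar Owen points out, and the ntp.conf restrict flags James Hogarth mentions) as a small POSIX shell script; the upstream server addresses and time.example.net are placeholders, and the rules are printed for review rather than applied:

```shell
#!/bin/sh
# Added example, not code from the thread. ntpd on CentOS 5 cannot be told
# which address to bind (the -I iface option arrived with the CentOS 6 ntpd),
# so exposure is limited with iptables and with ntp.conf "restrict" flags.

# Print (do not apply) iptables rules so that UDP/123 only carries replies to
# our own queries from the listed upstream servers; unsolicited packets to 123
# (the "strange sites" in the Logwatch report) are logged and dropped.
# NTP is UDP, as Lamar Owen notes; the server addresses are placeholders.
ntp_rules() {
    for srv in "$@"; do
        echo "-A INPUT -p udp -s $srv --sport 123 --dport 123 -m state --state ESTABLISHED -j ACCEPT"
    done
    echo "-A INPUT -p udp --dport 123 -j LOG --log-prefix \"ntp-drop: \""
    echo "-A INPUT -p udp --dport 123 -j DROP"
}

# Return 0 if the "restrict default" line of the ntp.conf text in $1 carries
# every flag given in the remaining arguments, 1 otherwise.
check_restrict() {
    conf=$1; shift
    line=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*restrict[[:space:]]+default' | head -n 1)
    [ -n "$line" ] || return 1
    for flag in "$@"; do
        case " $line " in
            *" $flag "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample configurations (not taken from any real host).
WEAK_CONF='restrict default
server time.example.net'
HARDENED_CONF='restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
server time.example.net'

# Demo: the hardened file passes the check, the weak one does not.
if check_restrict "$HARDENED_CONF" kod nomodify notrap nopeer noquery; then
    echo "hardened ntp.conf: restrict default is locked down"
fi
if ! check_restrict "$WEAK_CONF" noquery; then
    echo "weak ntp.conf: restrict default lets anyone query the server"
fi
ntp_rules 192.0.2.10 198.51.100.7
```

Feed the printed rules to iptables-restore or your existing rules file only after checking them against the upstream servers your ntp.conf actually lists.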
 