Re: chronyd configuration as a local ntp server




Here are the commands for that. Apparently restrict is replaced with deny.


deny [<subnet>]             Deny access to subnet as a default
deny all [<subnet>]         Deny access to subnet and all children


On 12/27/2016 09:07 AM, Robert Moskowitz wrote:
'Modern' NTP allows for all sorts of updates to NTP servers, with all
sorts of attacks.  So to prevent even local hosts from making changes
to your NTP server, there is the restrict instead of allow command.
Its intent is to limit what the server will accept from a host in the
address range instead of allowing any command from within that range.
I use this on my Centos6 servers.

I guess I will have to register to the chronyd list and ask there.

thanks



On 12/27/2016 08:49 AM, David Both wrote:
AFAIK the only thing needed to make your host an NTP server using
chrony is to set the allow line to the network address in CIDR format
of the network you want to be served, and uncomment it. Then restart
chronyd. You also need to ensure that port 123 (NTP) is open to your
internal network on your firewall.

I have a CentOS 6 box that is an NTP server for my network. CentOS 7
works the same way.


On 12/27/2016 08:25 AM, Fred Smith wrote:
On Mon, Dec 26, 2016 at 11:04:22PM -0500, Robert Moskowitz wrote:
This is for centos 7 that has chronyd 2.1.1

I am looking into how to use chronyd as my local ntp server.

On my old servers with ntpd I had local access control lines like:

restrict 192.168.128.0 mask 255.255.255.0 nomodify notrap


But in looking for documentation on chronyd I did not find anything
on this at:

https://chrony.tuxfamily.org/doc/2.1/manual.html

In the actual /etc/chronyd.conf there is the sample line:

# Allow NTP client access from local network.
#allow 192.168/16

Does this only allow queries?  Does chronyd support the
'restrict' option?

Robert:

Years back I used to use Chrony for that purpose (when I was running
Smoothwall on an old PC instead of a commercial router, as I am now)
and it did the job remarkably well.

One of the design goals of Chrony was to support networks or computers
that are NOT connected full-time, so that time stayed somewhere near
correct even if offline for hours or days.

But that having been so long ago, now, I don't remember the details.

I also don't remember what the "restrict" directive for ntpd does.

(to give you an idea of how long ago that was, it was when I had a
Red Hat 7.2 or 7.3 workstation as my home PC--pre-RHEL. I could compile
things on that RH box, tar up the necessary results and take that file
to the smoothwall box and untar them and with small configuration: voila!)

there used to be a chrony mailing list where one could ask such
questions, but I haven't seen traffic on it in years, so it may no
longer exist.

Fred


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos

--

*********************************************************
David P. Both
*********************************************************
"I'd put my money on the sun and solar energy. What a
source of power! I hope we don't have to wait until oil
and coal run out before we tackle that."
 - Thomas Edison, in conversation with Henry Ford and
   Harvey Firestone, 1931
*********************************************************


--


*********************************************************
David P. Both, RHCE
Millennium Technology Consulting LLC
Raleigh, NC, USA
919-389-8678

dboth@xxxxxxxxxxxxxxxxxxxxxxxxx

www.millennium-technology.com
www.databook.bz - Home of the DataBook for Linux
DataBook is a Registered Trademark of David Both
*********************************************************
This communication may be unlawfully collected and stored by the National
Security Agency (NSA) in secret. The parties to this email do not consent to the retrieving or storing of this communication and any related metadata, as well as printing, copying, re-transmitting, disseminating, or otherwise using it. If you
believe you have received this communication in error, please delete it
immediately.
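As an added illustration that is not from any message in this thread: the ntpd line Robert quoted (restrict 192.168.128.0 mask 255.255.255.0 nomodify notrap) maps onto chrony.conf directives roughly as below. The addresses are constructed, and the allow/deny and cmdallow/cmddeny semantics are assumed to be as documented for chrony; check them against the chrony version actually installed.

```conf
# /etc/chrony.conf fragment (added example, not from the thread)

# Upstream source; "iburst" speeds up the initial sync.
server 0.centos.pool.ntp.org iburst

# Keep serving the LAN from the local clock if upstream is unreachable
# for a long time (Fred's point about disconnected networks). Stratum 10
# marks the time as low quality so clients prefer a real source if one appears.
local stratum 10

# Serve NTP (UDP 123) only to the internal network. Anything not listed
# is refused by default, so this is the "allow" half of the old restrict line.
allow 192.168.128.0/24

# A more specific deny carves an exception out of the allowed range
# (constructed address of a host that should not be served).
deny 192.168.128.200

# The "nomodify notrap" half has no direct equivalent: NTP time packets
# cannot change a chrony server's configuration. Runtime changes go through
# the separate chronyc command channel, so the access controls that matter
# for "even local hosts must not make changes" are the cmd* directives.
# Bind the command port to loopback only and allow commands from localhost only.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1
cmddeny all
cmdallow 127.0.0.1
cmdallow ::1
```

After editing, restart chronyd and confirm with "chronyc clients" (from localhost) that only hosts in the allowed subnet appear, and that UDP 123 is open to the LAN while UDP 323 is not reachable from other hosts.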



