0

我的情况是,我为虚拟机配置了许多虚拟网络接口,我的一些网络甚至有两个或更多地址。我不需要ntpd听所有这些接口,但似乎没有限制 ntpd 尝试绑定的接口的选项。除了 ntpd 中的所有这些“安全”选项之外,对于了解其环境的系统管理员来说,最好的安全选项是根本不听接口。例如,根本不监听外部接口会更安全,而是通过 ntp 配置限制访问。

是否有任何已知的 ntpd 软件可以配置为仅侦听选定的接口(任何网络守护程序都应该)

4

1 回答 1

1

有两种简单的方法可以做到这一点,两者都记录在官方 ntp 文档中:

  • 使用-I命令行选项进行 ntpd 调用

    -I [address | interface name]

      Open the network address given, or all the addresses associated
      with the given interface name.  This option may appear multiple
      times.  This option also implies not opening other addresses,
      except wildcard and local‐ host.  This option is deprecated.
      Please consider using the configuration file interface command,
      which is more versatile.

    来自 ntp's documentation on command line options for ntpd

  • 使用interfacentp.conf 中的指令:

    interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name |
           address[/prefixlen]]

      This command controls which network addresses ntpd opens, and
      whether input is dropped without processing. The first parameter
      determines the action for addresses which match the second
      parameter. That parameter specifies a class of addresses, or a
      specific interface name, or an address. In the address case,
      prefixlen determines how many bits must match for this rule to
      apply. ignore prevents opening matching addresses, drop causes
      ntpd to open the address and drop all received packets without
      examination. Multiple interface commands can be used. The last
      rule which matches a particular address determines the action
      for it. interface commands are disabled if any -I, --interface,
      -L, or --novirtualips command-line options are used. If none of
      those options are used and no interface actions are specified
      in the configuration file, all available network addresses are
      opened. The nic command is an alias for interface.

    来自 ntp 关于 misc 配置选项的文档:

于 2015-07-15T21:00:52.223 回答