0

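My situation is that I have many virtual network interfaces configured for virtual machines, and some of my networks even have two or more addresses. I don't need ntpd to listen on all of these interfaces, but there seems to be no option to limit the interfaces ntpd tries to bind to. Apart from all these "security" options in ntpd, the best security option for a system administrator who knows their environment is not to listen on an interface at all. For example, it would be more secure not to listen on the external interfaces at all, rather than restricting access through the ntp configuration.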

Is there any known ntpd software that can be configured to listen only on selected interfaces (as any network daemon should)?

4

1 Answer

1

There are two simple ways to do this, both documented in the official ntp documentation:

  • Use the -I command-line option when invoking ntpd

    -I [address | interface name]
    
          Open the network address given, or all the addresses associated
          with the given interface name.  This option may appear multiple
          times.  This option also implies not opening other addresses,
          except wildcard and localhost.  This option is deprecated.
          Please consider using the configuration file interface command,
          which is more versatile.
    

    From ntp's documentation on command line options for ntpd

  • Use the interface directive in ntp.conf:

    interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name |
               address[/prefixlen]]
    
          This command controls which network addresses ntpd opens, and
          whether input is dropped without processing. The first parameter
          determines the action for addresses which match the second
          parameter. That parameter specifies a class of addresses, or a
          specific interface name, or an address. In the address case,
          prefixlen determines how many bits must match for this rule to
          apply. ignore prevents opening matching addresses, drop causes
          ntpd to open the address and drop all received packets without
          examination. Multiple interface commands can be used. The last
          rule which matches a particular address determines the action
          for it. interface commands are disabled if any -I, --interface,
          -L, or --novirtualips command-line options are used. If none of
          those options are used and no interface actions are specified
          in the configuration file, all available network addresses are
          opened. The nic command is an alias for interface.
    

    From ntp's documentation on miscellaneous configuration options

Answered 2015-07-15T21:00:52.223
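
The last-match rule from the documentation quoted above, as an added example (not part of the original answer and not ntp's own code): a small Python evaluator that reports which action a set of interface lines yields for each address. The interface names, addresses and ntp.conf fragment are constructed, and an address that matches no rule returns None instead of guessing ntpd's default.

```python
import ipaddress

# Constructed sample: (interface name, address) pairs on a hypothetical VM host.
SAMPLE_ADDRS = [("wildcard", "0.0.0.0"), ("lo", "127.0.0.1"),
                ("eth0", "203.0.113.10"), ("eth1", "10.0.0.5"),
                ("eth1", "fd00::5"), ("virbr0", "192.168.122.1")]

# Constructed ntp.conf fragment: ignore everything, then open selected addresses.
SAMPLE_CONF = """\
interface ignore wildcard
interface ignore all
interface listen 127.0.0.1
interface listen 10.0.0.0/24   # internal network only
interface drop virbr0
"""

def parse_rules(conf_text):
    """Return [(action, selector)] for interface/nic lines, in file order."""
    rules = []
    for line in conf_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if (len(fields) == 3 and fields[0] in ("interface", "nic")
                and fields[1] in ("listen", "ignore", "drop")):
            rules.append((fields[1], fields[2]))
    return rules

def rule_matches(selector, ifname, addr):
    """True if selector (class, address[/prefixlen] or name) covers addr."""
    ip = ipaddress.ip_address(addr)
    if selector == "all":
        return True
    if selector in ("ipv4", "ipv6"):
        return ip.version == int(selector[-1])
    if selector == "wildcard":
        return ip.is_unspecified
    try:
        # address[/prefixlen]: the first prefixlen bits must match
        return ip in ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return selector == ifname  # not an address, so treat as interface name

def effective_action(rules, ifname, addr):
    """The last rule that matches an address determines its action."""
    action = None  # None: no rule matched (ntpd's default is not modelled)
    for act, selector in rules:
        if rule_matches(selector, ifname, addr):
            action = act
    return action

def plan(conf_text, addrs):
    rules = parse_rules(conf_text)
    return {(n, a): effective_action(rules, n, a) for n, a in addrs}
```

Moving `interface ignore all` to the end of the fragment turns every result into ignore, which is the ordering mistake to check for before restarting ntpd.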