In my case, I have configured many virtual network interfaces for virtual machines, and some of my networks even have two or more addresses. I do not need ntpd to listen on all of these interfaces, but there seems to be no option to restrict which interfaces ntpd tries to bind to.
Beyond all of the "security" options in ntpd, for a sysadmin who knows their environment the best security option is simply not to listen on an interface at all. For example, not listening on the external interface at all would be safer than restricting access through the ntp configuration.
Is there any known ntpd that can be configured to listen only on selected interfaces (as any network daemon should be able to)?
Answer 0: (score: 1)
There are two simple ways to do this, both documented in the official ntp documentation:
Use the -I command-line option when invoking ntpd:
-I [address | interface name]
Open the network address given, or all the addresses associated
with the given interface name. This option may appear multiple
times. This option also implies not opening other addresses,
except wildcard and localhost. This option is deprecated.
Please consider using the configuration file interface command,
which is more versatile.
Use the interface directive in ntp.conf:
interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name |
address[/prefixlen]]
This command controls which network addresses ntpd opens, and
whether input is dropped without processing. The first parameter
determines the action for addresses which match the second
parameter. That parameter specifies a class of addresses, or a
specific interface name, or an address. In the address case,
prefixlen determines how many bits must match for this rule to
apply. ignore prevents opening matching addresses, drop causes
ntpd to open the address and drop all received packets without
examination. Multiple interface commands can be used. The last
rule which matches a particular address determines the action
for it. interface commands are disabled if any -I, --interface,
-L, or --novirtualips command-line options are used. If none of
those options are used and no interface actions are specified
in the configuration file, all available network addresses are
opened. The nic command is an alias for interface.
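Putting the interface directive from the answer into practice, here is an added example ntp.conf fragment (not from the answer or the ntp project). The address 192.0.2.10 and the interface names lo and eth0 are assumed placeholders for a management address, the loopback interface and the external interface; replace them with the ones on your own host. The rules are ordered from general to specific because, as the documentation above states, the last rule matching an address decides what happens to it.

```conf
# Added example, not part of the original answer. Addresses and
# interface names below are assumed placeholders.

# Start from a closed posture: no socket is opened on any address
# unless a later, more specific rule says otherwise.
interface ignore all

# Re-open only what this host actually needs: loopback for local
# ntpq/ntpdc queries, and the management address for serving clients.
interface listen lo
interface listen 192.0.2.10

# The external interface (assumed name eth0) is never opened at all.
# Using "ignore" rather than "drop" matters here: "drop" would still
# bind the address and merely discard packets, so the port would show
# up as open to anyone scanning that interface.
interface ignore eth0

# Defense in depth for the addresses that remain open: the standard
# restrict line keeps remote hosts from modifying or querying ntpd state.
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
```

Two checks after restarting ntpd: first, confirm the service unit or init script does not pass -I, --interface, -L or --novirtualips on the command line, since the documentation above says any of those silently disables every interface directive in the file; second, on Linux list the bound UDP sockets with `ss -ulnp | grep ntpd` and confirm that only the loopback and management addresses appear on port 123, with no 0.0.0.0 or :: wildcard entry.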