2015-06-20

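My situation is that I have many virtual network interfaces configured for virtual machines, and some of my networks even have two or more addresses. I don't need ntpd to listen on all of these interfaces, but there seems to be no option to restrict which interfaces ntpd tries to bind to. Besides all these "security" options in ntpd, for a system administrator who knows his environment the best security option is not to listen on any interface at all. For example, it would be safer not to listen on an external interface at all than to restrict access through the ntp configuration. Is there any ntpd that can be configured to listen only on selected interfaces?

Is there any known ntpd software that can be configured to listen only on selected interfaces (as any network daemon should)?

Answer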

1

There are two simple ways to do this, both documented in the official NTP documentation:

  • Use the -I command-line option when invoking ntpd

    -I [address | interface name] 
    
         Open the network address given, or all the addresses associated 
         with the given interface name. This option may appear multiple 
         times. This option also implies not opening other addresses, 
         except wildcard and localhost. This option is deprecated. 
         Please consider using the configuration file interface command, 
         which is more versatile. 
    

    From ntp's documentation on command line options for ntpd

  • Use the interface directive in ntp.conf:

    interface [listen | ignore | drop] [all | ipv4 | ipv6 | wildcard | name | 
          address[/prefixlen]] 
    
         This command controls which network addresses ntpd opens, and 
         whether input is dropped without processing. The first parameter 
         determines the action for addresses which match the second 
         parameter. That parameter specifies a class of addresses, or a 
         specific interface name, or an address. In the address case, 
         prefixlen determines how many bits must match for this rule to 
         apply. ignore prevents opening matching addresses, drop causes 
         ntpd to open the address and drop all received packets without 
         examination. Multiple interface commands can be used. The last 
         rule which matches a particular address determines the action 
         for it. interface commands are disabled if any -I, --interface, 
         -L, or --novirtualips command-line options are used. If none of 
         those options are used and no interface actions are specified 
         in the configuration file, all available network addresses are 
         opened. The nic command is an alias for interface. 
    

    From ntp's documentation on misc configuration options:
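
The last-match-wins rule in the quoted interface documentation can be checked against a host's addresses before a config is deployed. The following is an added example, not part of the original answer and not ntpd's own code: a simplified model that evaluates a constructed ntp.conf fragment against a constructed address list. It assumes exact interface-name matching and that an address matched by no rule is opened, and it does not model the -I/-L command-line override.

```python
import ipaddress
# Constructed ntp.conf fragment: ignore everything, then re-open selected addresses.
SAMPLE_CONF = """\
interface ignore all
interface listen 127.0.0.1
interface listen 10.0.0.0/24   # management network
nic drop eth2
"""
# Constructed (interface name, address) inventory of a multi-homed VM.
SAMPLE_ADDRS = [("lo", "127.0.0.1"), ("eth0", "203.0.113.7"), ("eth1", "10.0.0.5"),
                ("eth2", "192.168.50.2"), ("eth0", "2001:db8::7")]

def parse_rules(conf_text):
    """Return [(action, selector), ...] in file order; 'nic' is an alias."""
    rules = []
    for line in conf_text.splitlines():
        words = line.split("#", 1)[0].split()
        if len(words) == 3 and words[0] in ("interface", "nic"):
            rules.append((words[1], words[2]))
    return rules

def matches(selector, ifname, ip):
    if selector == "all":
        return True
    if selector in ("ipv4", "ipv6"):
        return ip.version == int(selector[-1])
    if selector == "wildcard":
        return ip.is_unspecified  # 0.0.0.0 or ::
    try:
        net = ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return selector == ifname  # not an address: treat as interface name
    return ip in net  # a bare address parses as /32 or /128

def effective_action(rules, ifname, addr, default="listen"):
    """Last matching rule wins; `default` when nothing matches is an assumption."""
    ip, action = ipaddress.ip_address(addr), default
    for rule_action, selector in rules:
        if matches(selector, ifname, ip):
            action = rule_action
    return action

def audit(conf_text, addrs):
    rules = parse_rules(conf_text)
    return {(n, a): effective_action(rules, n, a) for n, a in addrs}

if __name__ == "__main__":
    for (name, addr), action in audit(SAMPLE_CONF, SAMPLE_ADDRS).items():
        print(f"{name:5} {addr:15} {action}")
```

On a running host, compare the result with the UDP port 123 sockets ntpd actually holds open.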
