RUGGEDCOM ROX II
CLI User Guide
Chapter 17
Time Services
Viewing a List of Server Restrictions 739
Section17.8.6.1
Viewing a List of Server Restrictions
To view a list of NTP server restrictions, type:
show running-config services ntp restrict
If restrictions have been configured, a table or list similar to the following example appears:
ruggedcom# show running-config services ntp restrict | tab
NAME MASK FLAGS
---------------------------
127.0.0.1 default -
!
!
If no server restrictions have been configured, add restrictions as needed. For more information, refer to
Section17.8.6.2, “Adding a Server Restriction”.
Section17.8.6.2
Adding a Server Restriction
To add an NTP server restriction, do the following:
1. Make sure the CLI is in Configuration mode.
2. Add the restriction by typing:
services ntp restrict address mask
Where:
• address is the IP address to match. The address can be a host or network IP address, or a valid host DNS
name.
• mask is the mask used to match the address. A value of 255.255.255.255 indicates the address is treated
as the address of an individual host.
3. Configure the following parameter(s) as required:
CAUTION!
Security hazard – risk of unauthorized access and/or exploitation. It is recommended to restrict
queries via ntpdc and ntpq, unless the queries come from a localhost, or to disable this feature
entirely if not required. This prevents DDoS (Distributed Denial of Service) reflection/amplification
attacks. To set this restriction, configure the following flags: kod, nomodify, nopeer, noquery
and notrap.
Parameter Description
flags { flags } Synopsis: { ignore, kod, limited, lowpriotrap, nomodify, nopeer, noquery, noserve,
notrap, notrust, ntpport, version }
Flags restrict access to NTP services. An entry with no flags allows free access to the NTP
server.
• Version: Denies packets that do not match the current NTP version.
• ntpport: Matches only if the source port in the packet is the standard NTP UDP port
(123).
• notrust: Denies service unless the packet is cryptographically authenticated.
• notrap: Declines to to provide mode 6 control message trap service to matching hosts.
To Next Page
Loading...
Need help?
General
