Hi, the pool server I manage (http://www.ntppool.org/scores/78.46.108.116) was disabled by our provider (hetzner.de) on Friday after a "scan on other servers". We only got a list of systems "scanned" and ports affected.
An extract:

<quote>
time src_ip dest_ip:dest_port
-------------------------------------------------------------------
Fri Apr 3 16:09:51 2009: 78.46.108.116 => 95.65.129.154: 2054
Fri Apr 3 16:10:55 2009: 78.46.108.116 => 95.65.129.251: 2054
Fri Apr 3 16:10:14 2009: 78.46.108.116 => 95.65.131.121: 2054
Fri Apr 3 16:10:36 2009: 78.46.108.116 => 95.65.131.168: 2054
Fri Apr 3 16:10:04 2009: 78.46.108.116 => 95.65.132.225: 2054
</quote>

Notable things:
- all systems are in the subnet 95.65.128.0/17, a Turkish DSL provider
- some systems appear multiple times in the list
- the ports "scanned" are all >1024

To me this looks like systems from the subnet flooded our ntpd with requests, and the provider detected the resulting traffic as a "scan". I've seen huge spikes from Turkey before on our previous server, but that one had a smaller uplink and no provider checking for abuse. :-)

Is this plausible? If the ntpd is the culprit, how do I configure it to avoid such events in the future? We already have this in ntp.conf:

-------------------
restrict default kod notrap nomodify limited
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1 nomodify
restrict 78.46.108.116 nomodify
# blocked
discard average 45 minimum 1 monitor 1
-------------------

I want to add this:

-------------------
restrict 95.65.128.0 mask 255.255.128.0 ignore
-------------------

to block KOCNET-DSL. Are there better options?

Best
Martin

PS: The system is Debian; currently 4.0, soon 5.0
PPS: ntpd is 4.2.2.p4+dfsg-2etch1

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
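The following is an added example, not part of Martin's post or of any list reply. It parses the provider's abuse extract in the format quoted above, checks the three observations the post makes (every destination inside 95.65.128.0/17, hosts that repeat, all destination ports above 1024), and renders the CIDR prefix in the "restrict <addr> mask <mask>" form that ntpd's restrict statement uses. The names ABUSE_EXTRACT, parse_extract, analyze and ntp_restrict_line are my own; the sample text reuses the five quoted lines plus one constructed duplicate so the repeat-host check has something to find.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: the five lines quoted from the provider's extract,
# plus one added duplicate of the first destination to exercise the
# repeat-host check.
ABUSE_EXTRACT = """\
Fri Apr 3 16:09:51 2009: 78.46.108.116 => 95.65.129.154: 2054
Fri Apr 3 16:10:55 2009: 78.46.108.116 => 95.65.129.251: 2054
Fri Apr 3 16:10:14 2009: 78.46.108.116 => 95.65.131.121: 2054
Fri Apr 3 16:10:36 2009: 78.46.108.116 => 95.65.131.168: 2054
Fri Apr 3 16:10:04 2009: 78.46.108.116 => 95.65.132.225: 2054
Fri Apr 3 16:11:02 2009: 78.46.108.116 => 95.65.129.154: 2054
"""

# Line shape: "<timestamp>: <src_ip> => <dst_ip>: <dst_port>". The timestamp
# itself contains colons, so it is matched lazily up to the first ": <ip> =>".
LINE_RE = re.compile(
    r"^(?P<ts>.+?): (?P<src>\d{1,3}(?:\.\d{1,3}){3}) => "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}): (?P<port>\d+)\s*$"
)


def parse_extract(text):
    """Return one record per well-formed line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        records.append({
            "ts": m.group("ts"),
            "src": ip_address(m.group("src")),
            "dst": ip_address(m.group("dst")),
            "port": int(m.group("port")),
        })
    return records


def analyze(records, suspect_subnet):
    """Check the observations the post makes about the provider's extract."""
    net = ip_network(suspect_subnet)
    dst_counts = Counter(r["dst"] for r in records)
    return {
        # Do all "scanned" hosts fall inside the one DSL provider's prefix?
        "all_in_subnet": all(r["dst"] in net for r in records),
        # Hosts listed more than once, with their hit count.
        "repeat_hosts": {str(ip): n for ip, n in dst_counts.items() if n > 1},
        "unique_hosts": len(dst_counts),
        # Ports above 1024 on the remote side are client ephemeral ports,
        # i.e. where our replies went, not a service we would be probing.
        "all_ports_above_1024": all(r["port"] > 1024 for r in records),
        "sources": sorted({str(r["src"]) for r in records}),
    }


def ntp_restrict_line(cidr, flags="ignore"):
    """Render a CIDR prefix as an ntpd 'restrict <addr> mask <mask> <flags>' line."""
    net = ip_network(cidr, strict=True)
    return f"restrict {net.network_address} mask {net.netmask} {flags}"


if __name__ == "__main__":
    recs = parse_extract(ABUSE_EXTRACT)
    for key, value in analyze(recs, "95.65.128.0/17").items():
        print(f"{key}: {value}")
    print(ntp_restrict_line("95.65.128.0/17"))
```

Run against a full abuse report instead of the embedded sample, the same checks tell you whether the listed hosts really cluster in one prefix before you commit a broad restrict line against it; the rendered line for 95.65.128.0/17 is exactly the one proposed in the post.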
