How to close a public NTP server


NTP (Network Time Protocol) is a network protocol for time and clock synchronization, commonly used on Linux systems. NTP keeps the system clock synced to UTC while compensating for network latency along the way. In most situations NTP runs in the "client-server" model, with the server contacting an NTP source to sync its own system time.

Unfortunately, NTP also includes a built-in 'peer-to-peer' function that is currently being abused to launch outbound DoS attacks when it is left open. Many operating systems and distributions, PBX systems included, ship a fully open NTP daemon on every server.


To properly guard against these attacks, the NTP server must first be changed to act as a client only.

Start by opening /etc/ntp.conf in your preferred text editor:

nano /etc/ntp.conf

Next, add the following line to /etc/ntp.conf to restrict access and ignore inbound requests. Note that 'ignore' drops every packet, including the replies from the time sources in your own server lines, so each of those sources needs its own restrict line if the daemon is to keep syncing:

restrict default ignore

You can now restart the ntp daemon by issuing the following command:

/etc/init.d/ntpd restart

Because recent attacks flood NTP servers with spoofed requests that can consume all available network resources, it is suggested that you shut the daemon down completely and also secure UDP port 123, the NTP default.

To shut down the NTP daemon, issue the following command:

/etc/init.d/ntpd stop

To make sure the NTP daemon is not started again when your server boots, disable it via chkconfig:

/sbin/chkconfig --level 35 ntpd off

Finally, if you wish to further secure your server by blocking inbound junk traffic from spoofed sources, you can drop rogue inbound NTP queries with the following commands (note that -A appends the rule to the end of the INPUT chain, so an earlier rule that accepts UDP port 123 would still take precedence):

iptables -A INPUT -m state --state NEW -p udp --dport 123 -j DROP
/etc/init.d/iptables save


Your server can now no longer be used to initiate outbound DoS attacks via NTP, and is protected from incoming junk traffic that tries to spoof excessive NTP queries.


If you want to test and verify that the server does not answer NTP queries, run this command from a terminal, replacing IP with your server's IP address:

ntpq -pn IP

The server should reply with a 'timed out, nothing received' message and/or a general failure such as 'Request timed out'. If you receive a reply listing IPs, the NTP server is still open and answering requests; in that case, check your configuration and repeat the steps above.
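As an added local check to go with the ntpq test (example code, not part of the original how-to), the following Python audits an ntp.conf the way the restrict step above intends: it flags a default restriction that still answers remote queries, and it catches the case where 'restrict default ignore' is present but a time source has no restrict line of its own, which leaves the client unable to sync. The sample configs are constructed for the demonstration and do not come from a real host.

```python
# Constructed sample configs for the demonstration (not taken from any real host).
OPEN_CONF = """server 0.pool.ntp.org
server 1.pool.ntp.org
restrict default kod nomodify notrap   # remote queries are still answered
restrict 127.0.0.1
"""
HARDENED_CONF = """server 0.pool.ntp.org
restrict default ignore
restrict 127.0.0.1
restrict 0.pool.ntp.org nomodify notrap noquery   # let our source's replies in
"""

def parse_ntp_conf(text):
    """Return (time_sources, restricts); restricts maps address -> set of flags."""
    sources, restricts = [], {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not parts:
            continue
        if parts[0] in ("server", "peer", "pool") and len(parts) > 1:
            sources.append(parts[1])
        elif parts[0] == "restrict":
            toks = [t for t in parts[1:] if t not in ("-4", "-6")]
            if not toks:
                continue
            addr, flags = toks[0], toks[1:]
            if flags[:1] == ["mask"]:  # 'restrict a.b.c.d mask m.m.m.m <flags>'
                flags = flags[2:]
            restricts.setdefault(addr, set()).update(flags)
    return sources, restricts

def audit_ntp_conf(text):
    """Return findings; an empty list means client-only and still able to sync."""
    sources, restricts = parse_ntp_conf(text)
    findings = []
    default = restricts.get("default")
    if default is None:
        findings.append("no 'restrict default' line: remote ntpq/ntpdc queries are answered")
    elif not default & {"ignore", "noquery"}:
        findings.append("'restrict default' lacks ignore/noquery: remote queries are answered")
    if default and "ignore" in default:
        # 'ignore' drops every packet, including replies from our own time sources,
        # so each source needs its own restrict line or the client never syncs.
        for src in sources:
            if src not in restricts:
                findings.append(f"source {src} has no restrict line: its replies are dropped")
    return findings
```

On a real host, run audit_ntp_conf(open("/etc/ntp.conf").read()) and treat any returned finding as a configuration to fix before relying on the ntpq test.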