1

Can a Linux server be configured to use a high source port (above 1023) for NTP synchronization with a Stratum 1/2 server?

Are there any disadvantages to doing this?

demiAdmin
  • Why [ask the same question](http://serverfault.com/q/674147/50647) again? – Aaron Copley Mar 09 '15 at 21:38
  • Deleted the old one. – demiAdmin Mar 09 '15 at 21:45
  • What on earth is your business need for doing this? It can't be to avoid running `ntpd` as root, because the daemon will need privilege to adjust the system clock. – MadHatter Mar 10 '15 at 08:33
  • I help manage a 6500 Cisco router for a small ISP. We had some issues with NTP amplification DDoS attacks so we denied port 123 from any source on the inbound of our WAN interface. I have a customer that's running openSUSE in 'client' mode, but it's using source port 123 to communicate with an NTP server. Rather than change our ACL for one user I was wondering if he can configure his devices to use a high source port. – demiAdmin Mar 10 '15 at 16:19
  • Could iptables reroute it out of a different port? – demiAdmin Mar 10 '15 at 16:49

2 Answers

4

> Can a Linux server be configured to use a high source port (above 1023) for NTP synchronization

I had a quick look at the man pages for ntpd(8), ntp.conf(5), ntpdate(8) on a CentOS 6 system I have to hand and none of these makes any mention of being able to change the port that they listen on or connect to. I would not expect other distros or OSes to be any different.

I guess the answer to your question is therefore no.

user9517
  • This guy is using openSUSE. Could outbound NTP traffic be redirected to leave out of a higher port using iptables? – demiAdmin Mar 10 '15 at 16:34
1

From a fast check, it looks like it's impossible to change, but you can try to use iptables to redirect it through another port. Try to see if this link will be helpful.

It depends on what your needs are.

  • That's interesting. So iptables may be exactly what I'm looking for. I'll have to look into the man pages when I have time. Thanks! – demiAdmin Mar 10 '15 at 16:34
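
An added example, not code from anyone in this thread: at the protocol level an NTP server answers a client-mode (mode 3) request on whatever source port it arrived from, so a simple SNTP query can be sent from an OS-assigned ephemeral port. The Python sketch below does that and checks the reply; the function names `build_request`, `parse_reply` and `query` are assumptions made for this illustration.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)


def build_request(version=4):
    """48-byte SNTP client request: LI=0, VN=version, Mode=3 (client)."""
    packet = bytearray(48)
    packet[0] = (0 << 6) | (version << 3) | 3
    # Transmit timestamp (bytes 40-47) lets us match the reply to this request.
    now = time.time() + NTP_EPOCH_OFFSET
    struct.pack_into("!II", packet, 40, int(now), int((now % 1) * 2**32))
    return bytes(packet)


def parse_reply(data, request):
    """Validate a server reply and return (stratum, unix_time)."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    if data[0] & 0x07 != 4:
        raise ValueError("not a server-mode reply")
    # The origin timestamp must echo our transmit timestamp; this rejects
    # stale or blindly spoofed replies.
    if data[24:32] != request[40:48]:
        raise ValueError("origin timestamp mismatch")
    secs, frac = struct.unpack("!II", data[40:48])
    return data[1], secs - NTP_EPOCH_OFFSET + frac / 2**32


def query(server, port=123, timeout=2.0):
    """Query from an ephemeral source port; returns (source_port, stratum, unix_time)."""
    request = build_request()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind(("0.0.0.0", 0))  # port 0: the kernel assigns a high ephemeral port
        sock.sendto(request, (server, port))
        data, _ = sock.recvfrom(512)
        source_port = sock.getsockname()[1]
    stratum, unix_time = parse_reply(data, request)
    return source_port, stratum, unix_time
```

The reply to such a query is addressed to the ephemeral port rather than to port 123, which is the property the question is asking about.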