
I have set up a Linux server (Debian 8.7) and am wondering how I prohibit anonymous clients on the Internet from using my server for time sync?

The server has the default ntp config - I haven't touched anything yet.

Is it enough just to block port 123 udp incoming in the firewall?

TheStoryCoder

3 Answers


You can just list the hosts which are allowed to use your ntp server. For example, if you want all devices from the 192.168.0.0/24 network to get the time from your server, add the following line to your main ntp.conf configuration file (/etc/ntp.conf):

restrict 192.168.0.0 mask 255.255.255.0 [other options like nomodify noquery kod limit]

You can also implement a limit with iptables, or use it to block incoming connections to that port - whichever you like.

13dimitar

Yes, it should be enough to block NTP traffic using the firewall. NTP is like any other network service and can be blocked or allowed by the firewall. You can just block incoming UDP port 123. Using iptables you can do:

iptables -A INPUT -p udp --dport 123 -s my_clients_subnet -j ACCEPT
iptables -A INPUT -p udp --dport 123 -j DROP

First, allow your clients based on IP/mask or maybe interface name. Then, you can deny any other IP.

Khaled
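The two answers above (the restrict lines in /etc/ntp.conf and the iptables allow-then-drop rules) fit together, and there are two details a practitioner trips over when combining them on the Debian 8 ntpd (4.2.6): the restrict keyword wants a dotted-decimal mask rather than a /nn prefix, and once the default is set to ignore (or the firewall drops everything else on UDP/123) the upstream servers themselves need an explicit allow, because ntpd sends from UDP/123 to UDP/123 and their replies arrive on the same port that is now closed. The script below is an added example, not code from either answer or from the ntp project; the 203.0.113.x upstream addresses and the 192.168.0.0/24 and 10.10.0.0/20 client subnets are constructed placeholders to be replaced with your own.

```sh
#!/bin/sh
# Added example: build an allow-list for a Debian 8 ntpd (4.2.6) that should
# serve time only to the local subnets.  Everything below the functions is
# constructed sample input; the 203.0.113.x and 192.168.x/10.10.x addresses
# are placeholders, not real infrastructure.

# ntpd's "restrict" keyword wants "mask a.b.c.d", not a /nn prefix, so
# convert a CIDR prefix length (0-32) to a dotted-decimal netmask.
cidr_to_mask() {
    prefix=$1
    mask=0
    # Guard the shift: shifting a 32-bit value by 32 is undefined.
    if [ "$prefix" -gt 0 ]; then
        mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    fi
    printf '%d.%d.%d.%d\n' \
        $(( (mask >> 24) & 255 )) $(( (mask >> 16) & 255 )) \
        $(( (mask >> 8) & 255 ))  $(( mask & 255 ))
}

# Emit the restrict block for /etc/ntp.conf.  "default ignore" drops every
# packet whose source matches no more specific line, so the upstream servers
# need their own lines: ntpd 4.2.6 has no "restrict source" and would
# otherwise discard the replies it is waiting for.
#   usage: ntp_restrict_lines "upstream1 upstream2" "client/nn client/nn"
ntp_restrict_lines() {
    upstream=$1
    clients=$2
    echo 'restrict -4 default ignore'
    echo 'restrict -6 default ignore'
    echo 'restrict 127.0.0.1'
    echo 'restrict ::1'
    for ip in $upstream; do
        # Upstream may send us time but may not query or reconfigure us.
        echo "restrict $ip nomodify notrap noquery"
    done
    for cidr in $clients; do
        net=${cidr%/*}
        prefix=${cidr#*/}
        # Clients get time only: no ntpq queries, no runtime changes, no traps.
        echo "restrict $net mask $(cidr_to_mask "$prefix") nomodify notrap noquery"
    done
}

# Matching iptables rules.  ntpd sends from UDP/123 to UDP/123, so upstream
# replies also arrive on dport 123 and must be accepted before the final DROP.
iptables_rules() {
    upstream=$1
    clients=$2
    for ip in $upstream; do
        echo "iptables -A INPUT -p udp -s $ip --sport 123 --dport 123 -j ACCEPT"
    done
    for cidr in $clients; do
        echo "iptables -A INPUT -p udp -s $cidr --dport 123 -j ACCEPT"
    done
    echo 'iptables -A INPUT -p udp --dport 123 -j DROP'
}

# Constructed sample input (placeholders).
UPSTREAM='203.0.113.10 203.0.113.11'
CLIENTS='192.168.0.0/24 10.10.0.0/20'

echo '# --- /etc/ntp.conf: replace the stock "restrict default ..." lines with ---'
ntp_restrict_lines "$UPSTREAM" "$CLIENTS"
echo '# --- firewall ---'
iptables_rules "$UPSTREAM" "$CLIENTS"
```

Run it as a normal user to review the generated lines, then paste the restrict block into /etc/ntp.conf in place of the stock `restrict -4 default ...` and `restrict -6 default ...` lines, restart ntpd, and apply the iptables lines as root. `ntpq -p` on the box (allowed by the 127.0.0.1 line) should still show the upstream servers reaching and syncing; if it shows them but never syncs, an upstream address is missing from the allow-list.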

You have to set your subnets in /etc/ntp.conf. Default is to

"exchange time with everybody, but don't allow configuration"

but you can adjust anything you need in the config for NTP.

Lenniey