Re: [chrony-users] gpsd, pps and chrony


On Mon, Apr 04, 2011 at 09:44:22PM +0100, Ed W wrote:
> Are there any notes on configuration for acting as a public server? Is
> anything else needed than "allow" in the config file? Security?
> Preventing abuse, particularly denial of service? Is there a known
> chunk of users using chrony for public service?

Besides allowing the whole IP range, I think there is nothing special
needed to run a public server. Command access should be denied, and maybe
disable client logging so as not to waste resources. Chrony doesn't detect
abusive clients and doesn't send the KoD reply; they will have to be
blocked by a firewall.

As for the security, to minimize the risks it's good to drop the root
privileges (-u option), maybe compile chronyd as position independent
executable (-pie -fPIE), with RELRO protection (-Wl,-z,relro,-z,now),
also enable SELinux, the reference SELinux policy includes a chrony

I don't know anyone running chrony in the pool.

Miroslav Lichvar
