We use *.rhel.pool.ntp.org (default pool from Red Hat chrony RPM).
Our InfoSec department flagged 51.158.146.73 as being associated with malware. I’m afraid I don’t have any further information on their specific findings, other than that it was mentioned 51.158.146.73 is no longer being used as an NTP server.
However, I am questioning if this was a false alert. We can see the client server was syncing time successfully from four servers in the pool.
I can’t find any further information on 51.158.146.73 that might suggest it’s being used for malicious purposes. How could I confirm if 51.158.146.73 is suspicious?
In addition, we use the DNS name for the pool in our chrony.conf, so why would DNS resolve to an IP that is no longer used as an NTP host?
Looking through previous threads in this forum, it seems running TOR and NTP services is common and therefore the most likely explanation.
So technically our InfoSec scans flagged the IP based on the shared nature of 51.158.146.73 (although it’s still a valid NTP pool member as you’ve pointed out).
I wouldn’t say running TOR on NTP servers is common, but given that there are currently 2562 NTP servers in the pool, there’s a chance that some of them are used for TOR as well.
I don’t have statistics to back this up, but I have a hunch that only a small percentage of servers in the pool serve only NTP and nothing else. Many of those servers are also used as web, mail, DNS or whatever-servers.