We use *.rhel.pool.ntp.org (default pool from Red Hat chrony RPM).
Our InfoSec department flagged 188.8.131.52 as being associated with malware. I’m afraid I don’t have any further information on their specific findings, other than that it was mentioned 184.108.40.206 is no longer being used as an NTP server.
However, I am questioning if this was a false alert. We can see the client server was syncing time successfully from four servers in the pool.
^* 220.127.116.11 2 10 300 124m -4737us[-4767us] +/- 93ms
^* 18.104.22.168 2 10 360 97m -5877us[-5929us] +/- 76ms
^* 22.214.171.124 2 10 360 98m -6959us[-7011us] +/- 63ms
^* 126.96.36.199 2 10 340 108m *48ms[ *48ms] +/- 196ms
I can’t find any further information on 188.8.131.52 that might suggest it’s being used for malicious purposes. How could I confirm if 184.108.40.206 is suspicious?
In addition, we use the DNS name for the pool in our chrony.conf, so why would DNS resolve to an IP that is no longer used as an NTP host?
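Added example (not part of the original post): a small Python parser for the `chronyc sources` lines quoted above. It decodes the Reach column as chrony's 8-bit octal shift register (newest poll in the lowest bit) and the LastRx column into seconds, so the output itself shows how many recent polls each source actually answered. The regex, the `Source` class and the status strings are my own.

```python
import re
from dataclasses import dataclass

# Output copied from the post above, as printed by "chronyc sources"
# (columns: MS, Name/IP, Stratum, Poll, Reach, LastRx, Last sample).
SAMPLE = """\
^* 220.127.116.11 2 10 300 124m -4737us[-4767us] +/- 93ms
^* 18.104.22.168 2 10 360 97m -5877us[-5929us] +/- 76ms
^* 22.214.171.124 2 10 360 98m -6959us[-7011us] +/- 63ms
^* 126.96.36.199 2 10 340 108m *48ms[ *48ms] +/- 196ms
"""
STATE = {"*": "selected", "+": "combined", "-": "not combined",
         "?": "unreachable", "x": "falseticker", "~": "too variable"}
UNIT = {"": 1, "m": 60, "h": 3600, "d": 86400, "y": 365 * 86400}
LINE_RE = re.compile(
    r"^(?P<mode>[\^=#])(?P<state>[*+\-?x~])\s+(?P<host>\S+)\s+(?P<stratum>\d+)"
    r"\s+(?P<poll>-?\d+)\s+(?P<reach>[0-7]{1,3})\s+(?P<lastrx>\d+)(?P<unit>[mhdy]?)\b")

@dataclass
class Source:
    host: str
    state: str           # selection state decoded from the S column
    stratum: int
    poll_seconds: float  # Poll column is log2 of the interval in seconds
    reach: int           # 8-bit shift register, most recent poll in the LSB
    lastrx_seconds: int  # time since the last good reply

def missed_recent_polls(reach: int) -> int:
    """Consecutive unanswered polls, counted from the newest (LSB) bit."""
    return next((n for n in range(8) if (reach >> n) & 1), 8)

def parse_sources(text: str) -> list[Source]:
    sources = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, separator or unrelated line
        sources.append(Source(
            host=m["host"], state=STATE[m["state"]], stratum=int(m["stratum"]),
            poll_seconds=2.0 ** int(m["poll"]), reach=int(m["reach"], 8),
            lastrx_seconds=int(m["lastrx"]) * UNIT[m["unit"]]))
    return sources

def assess(src: Source) -> str:
    """Healthy only if the newest poll was answered; otherwise report staleness."""
    missed = missed_recent_polls(src.reach)
    if missed == 0:
        return "healthy"
    return ("unreachable" if missed == 8 else
            f"degraded: {missed} recent polls missed, last reply {src.lastrx_seconds // 60}m ago")
```

With a Poll value of 10 (1024 s intervals) and LastRx values of 97m to 124m, a Reach of 300 octal decodes to the last six polls going unanswered, which is worth comparing against what the selection column alone suggests.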