Suitable ntp.conf for public NTP server? - NTP



Thread: Suitable ntp.conf for public NTP server?

  1. Suitable ntp.conf for public NTP server?

    Hello.

    I am new to ntpd, and have a question regarding the ntp.conf.

    First of all, here is my ntp.conf:


    restrict 127.0.0.1

    server bigben.cac.washington.edu iburst
    server time-nw.nist.gov iburst
    server usno.pa-x.dec.com iburst
    server nist1.aol-ca.truetime.com iburst
    server clepsydra.dec.com iburst

    driftfile /etc/ntp/drift
    logfile /var/log/ntp.log


    Is this an acceptable ntp.conf for running a public ntp server? I'm
    considering submitting my server to the pool, but only if I know it's
    relatively secure. I'm having a hard time finding ntp.conf examples for
    public ntp servers with descriptions of each setting. I've followed
    whatever advice I've found: no more than five servers, no local server, etc.
    I use my ntp server for syncing time on my local network, and it works
    great.

    Basically, do I need any other security settings to run a secure
    (relatively) public ntp server? Or am I good to go to open up the firewall?

    Thanks for any assistance!

    Dennis



  2. Re: Suitable ntp.conf for public NTP server?

    Dennis Hilberg Jr wrote:
    > Hello.
    >
    > I am new to ntpd, and have a question regarding the ntp.conf.
    >
    > First of all, here is my ntp.conf:
    >
    >
    > restrict 127.0.0.1
    >
    > server bigben.cac.washington.edu iburst
    > server time-nw.nist.gov iburst
    > server usno.pa-x.dec.com iburst
    > server nist1.aol-ca.truetime.com iburst
    > server clepsydra.dec.com iburst
    >
    > driftfile /etc/ntp/drift
    > logfile /var/log/ntp.log
    >
    >
    > Is this an acceptable ntp.conf for running a public ntp server? I'm
    > considering submitting my server to the pool, but only if I know it's
    > relatively secure. I'm having a hard time finding ntp.conf examples for
    > public ntp servers with descriptions of each setting. I've followed
    > whatever advice I've found: no more than five servers, no local server, etc.
    > I use my ntp server for syncing time on my local network, and it works
    > great.
    >
    > Basically, do I need any other security settings to run a secure
    > (relatively) public ntp server? Or am I good to go to open up the firewall?
    >
    > Thanks for any assistance!
    >
    > Dennis
    >
    >


    It should work.

    I think you might want to create an ntp.keys file and add a pointer to
    it to your ntp.conf

    #
    # Authentication parameters
    #
    keys /etc/inet/ntp.keys
    trustedkey 2 3 4
    controlkey 3 # To access the ntpq utility
    requestkey 2 # To access the ntpdc utility

    In addition, you should probably have some restrict statements:
    restrict default nomodify noquery notrust
    restrict 127.0.0.1 # Allow free access to localhost
    restrict 192.168.1.0 mask 255.255.255.0 # Allow my local network
    restrict nomodify # For each server

    And:
    #
    # NTP monitoring parameters
    #
    statsdir /var/ntp/ntpstats/
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable

    Last, but not least, you might want to set up authentication with the
    servers you are using. This guarantees that the servers you get time
    from are, in fact, the servers you think they are; e.g. nobody can
    deceive you by pretending to be a well known public server.

    I see that your address is comcast.net. Did you get a static IP address
    from them or are you using Dyndns? If your address changes every few
    weeks, as Comcast tends to do, it will make it difficult for your
    clients to keep up with you.

    Do you have an uninterruptible power system (UPS) for your server and
    network components?

  3. Re: Suitable ntp.conf for public NTP server?

    Thanks for replying.

    No, I do not have a static IP address with Comcast. However, I have had
    good luck with them in this area regarding consistent IP addresses. I moved
    to my current home back in the beginning of February 2006, and had the same
    IP address until just about a week ago. At my previous residence, I had the
    same IP address for almost two years.

    I don't use DynDNS, but I do have a website through a provider that allows
    its users to edit their own DNS records. So I created a custom A record for
    my server as a sub-domain of my website, which points to my IP address here.
    It works great. So if/when my IP address changes, all I would have to do is
    update the A record in my web's DNS configs. Which I think would be easier
    than having to submit an IP address change to the pool. But my IP changes
    are so infrequent that I think I would be ok. This is really the only
    reason I'm considering submitting the server, as I really don't want to
    create any issues for the pool by having an IP address that would change
    frequently.

    I do not have a UPS system either. Is this a requirement?

    After reading your reply, and doing more research, I've come up with this
    ntp.conf:


    restrict default kod nomodify notrap nopeer noquery
    restrict 127.0.0.1
    restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery

    server bigben.cac.washington.edu iburst # University of Washington, Seattle, WA
    server utcnist.colorado.edu iburst # JILA Laboratory, University of Colorado
    server time-nw.nist.gov iburst # Microsoft Corporation, Redmond, WA
    server father-time.t-bird.edu iburst # The Garvin School of International Management, Glendale, AZ
    server time-a.timefreq.bldrdoc.gov iburst # NIST Boulder Laboratories, Boulder, Colorado
    server clepsydra.dec.com iburst # HP Western Research Laboratory, Palo Alto, CA
    server time.xmission.com iburst # XMission Internet, Salt Lake City, Utah

    driftfile /etc/ntp/drift
    logfile /var/log/ntp/ntp.log

    statsdir /var/log/ntp/
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable

    # Authentication parameters

    #keys /etc/ntp/keys
    #trustedkey 2 3 4
    #controlkey 3 # To access the ntpq utility
    #requestkey 2 # To access the ntpdc utility


    The keys I do not have set up yet. What would be the purpose of having keys
    on a public server? Or maybe I don't understand what the keys are for. And
    doesn't 'noquery' in the default restrictions prevent remote access of ntpq
    and ntpdc?

    Thanks again.

    "Richard B. Gilbert" wrote in message
    news:3a-dnZnt-5VtB97YnZ2dnUVZ_r6dnZ2d@comcast.com...
    Dennis Hilberg Jr wrote:
    > Hello.
    >
    > I am new to ntpd, and have a question regarding the ntp.conf.
    >
    > First of all, here is my ntp.conf:
    >
    >
    > restrict 127.0.0.1
    >
    > server bigben.cac.washington.edu iburst
    > server time-nw.nist.gov iburst
    > server usno.pa-x.dec.com iburst
    > server nist1.aol-ca.truetime.com iburst
    > server clepsydra.dec.com iburst
    >
    > driftfile /etc/ntp/drift
    > logfile /var/log/ntp.log
    >
    >
    > Is this an acceptable ntp.conf for running a public ntp server? I'm
    > considering submitting my server to the pool, but only if I know it's
    > relatively secure. I'm having a hard time finding ntp.conf examples for
    > public ntp servers with descriptions of each setting. I've followed
    > whatever advice I've found: no more than five servers, no local server,
    > etc.
    > I use my ntp server for syncing time on my local network, and it works
    > great.
    >
    > Basically, do I need any other security settings to run a secure
    > (relatively) public ntp server? Or am I good to go to open up the
    > firewall?
    >
    > Thanks for any assistance!
    >
    > Dennis
    >
    >


    It should work.

    I think you might want to create an ntp.keys file and add a pointer to
    it to your ntp.conf

    #
    # Authentication parameters
    #
    keys /etc/inet/ntp.keys
    trustedkey 2 3 4
    controlkey 3 # To access the ntpq utility
    requestkey 2 # To access the ntpdc utility

    In addition, you should probably have some restrict statements:
    restrict default nomodify noquery notrust
    restrict 127.0.0.1 # Allow free access to localhost
    restrict 192.168.1.0 mask 255.255.255.0 # Allow my local network
    restrict nomodify # For each server

    And:
    #
    # NTP monitoring parameters
    #
    statsdir /var/ntp/ntpstats/
    statistics loopstats peerstats clockstats
    filegen loopstats file loopstats type day enable
    filegen peerstats file peerstats type day enable
    filegen clockstats file clockstats type day enable

    Last, but not least, you might want to set up authentication with the
    servers you are using. This guarantees that the servers you get time
    from are, in fact, the servers you think they are; e.g. nobody can
    deceive you by pretending to be a well known public server.

    I see that your address is comcast.net. Did you get a static IP address
    from them or are you using Dyndns? If your address changes every few
    weeks, as Comcast tends to do, it will make it difficult for your
    clients to keep up with you.

    Do you have an uninterruptible power system (UPS) for your server and
    network components?



  4. Re: Suitable ntp.conf for public NTP server?

    In article ,
    Dennis Hilberg Jr wrote:

    > It works great. So if/when my IP address changes, all I would have to do is
    > update the A record in my web's DNS configs. Which I think would be easier


    ntpd never re-resolves domain names, so any servers which change address
    are lost until the next reboot.

    Also, as a correctly operated system would not change IP addresses except
    after extended downtime, it is generally assumed that these IP address
    changes are the result of a deliberate policy to frustrate the operation
    of servers. It may just be that you are currently operating under
    circumstances where that policy isn't working well.

    > server time-nw.nist.gov iburst # Microsoft Corporation,
    > Redmond, WA


    I know this one is aliased as the Microsoft one, but is it really run by
    Microsoft, or do they just pay NIST to be able to use it in Windows?
    From what I've read, all the NIST servers are overloaded to the point
    where they are not the best choice and this one may well be particularly
    overloaded.


  5. Re: Suitable ntp.conf for public NTP server?

    Dennis Hilberg Jr wrote:

    > Thanks for replying.
    >
    > No, I do not have a static IP address with Comcast. However, I have had
    > good luck with them in this area regarding consistent IP addresses. I moved
    > to my current home back in the beginning of February 2006, and had the same
    > IP address until just about a week ago. At my previous residence, I had the
    > same IP address for almost two years.
    >
    > I don't use DynDNS, but I do have a website through a provider that allows
    > its users to edit their own DNS records. So I created a custom A record for
    > my server as a sub-domain of my website, which points to my IP address here.
    > It works great. So if/when my IP address changes, all I would have to do is
    > update the A record in my web's DNS configs. Which I think would be easier
    > than having to submit an IP address change to the pool. But my IP changes
    > are so infrequent that I think I would be ok. This is really the only
    > reason I'm considering submitting the server, as I really don't want to
    > create any issues for the pool by having an IP address that would change
    > frequently.
    >
    > I do not have a UPS system either. Is this a requirement?
    >
    > After reading your reply, and doing more research, I've come up with this
    > ntp.conf:
    >
    >
    > restrict default kod nomodify notrap nopeer noquery
    > restrict 127.0.0.1
    > restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery
    >
    > server bigben.cac.washington.edu iburst # University of Washington,
    > Seattle, WA
    > server utcnist.colorado.edu iburst # JILA Laboratory,
    > University of Colorado
    > server time-nw.nist.gov iburst # Microsoft Corporation,
    > Redmond, WA
    > server father-time.t-bird.edu iburst # The Garvin School of
    > International Management, Glendale, AZ
    > server time-a.timefreq.bldrdoc.gov iburst # NIST Boulder Laboratories,
    > Boulder, Colorado
    > server clepsydra.dec.com iburst # HP Western Research
    > Laboratory, Palo Alto, CA
    > server time.xmission.com iburst # XMission Internet, Salt
    > Lake City, Utah
    >
    > driftfile /etc/ntp/drift
    > logfile /var/log/ntp/ntp.log
    >
    > statsdir /var/log/ntp/
    > statistics loopstats peerstats clockstats
    > filegen loopstats file loopstats type day enable
    > filegen peerstats file peerstats type day enable
    > filegen clockstats file clockstats type day enable
    >
    > # Authentication parameters
    >
    > #keys /etc/ntp/keys
    > #trustedkey 2 3 4
    > #controlkey 3 # To access the ntpq utility
    > #requestkey 2 # To access the ntpdc utility
    >
    >
    > The keys I do not have set up yet. What would be the purpose of having keys
    > on a public server? Or maybe I don't understand what the keys are for. And
    > doesn't 'noquery' in the default restrictions prevent remote access of ntpq
    > and ntpdc?
    >
    > Thanks again.



    The purpose of having keys is to enable you to use the privileged
    functions of ntpdc and ntpq and to prevent strangers from doing so!
    Restrict noquery does prevent people from querying your server via ntpq
    or ntpdc. Your clients, however, might just like to know some of the
    things ntpdc or ntpq could tell them.

    The UPS is not a requirement, just a good idea. Where I live the power
    company doesn't believe in preventative maintenance (like trimming
    trees) so every time we have a wind storm, the power lines contact
    branches, the fuse blows and we have no power for the two to three hours
    it takes them to come out and replace the fuse. One of these days I'm
    going to break down and buy a generator to back up the UPS.

    In a lot of places, the power can "blink" just long enough to cause a
    computer to reboot. A UPS lets you "ride out" all these little glitches
    and gives you ten or fifteen minutes in which to do a clean shutdown
    when the power does go off.
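
Added example (not from the thread or the ntp project): a small Python lint that parses ntp.conf lines and checks the restrict and key settings discussed in replies 2, 3 and 5. The flag semantics follow ntpd's documentation; the two sample configs are constructed from the ones posted in the thread.

```python
"""Lint the restrict and key lines of an ntp.conf for a public server."""
RESTRICT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery", "notrust",
                  "noserve", "ignore", "limited", "ntpport", "version"}
# Catch-all flags for a public server (reply 3): deny runtime changes and
# mode 6/7 queries, refuse unsolicited peers/traps, send kiss-o'-death.
WANT_DEFAULT = {"kod", "nomodify", "notrap", "nopeer", "noquery"}


def parse_ntp_conf(text):
    """Return [(keyword, [args])] with comments and blank lines dropped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            words = line.split()
            entries.append((words[0], words[1:]))
    return entries


def lint_public_ntp(text):
    """Return a list of findings; an empty list means nothing to report."""
    entries = parse_ntp_conf(text)
    keywords = {kw for kw, _ in entries}
    findings, default_flags = [], None
    for kw, args in entries:
        if kw != "restrict":
            continue
        # No address ('restrict nomodify'): ntpd wants 'restrict <addr> [flags]'.
        if not args or args[0] in RESTRICT_FLAGS:
            findings.append("restrict without address: " + " ".join([kw] + args))
            continue
        flags = {a for a in args[1:] if a in RESTRICT_FLAGS}
        if args[0] == "default":
            default_flags = flags
    if default_flags is None:
        findings.append("no 'restrict default': unmatched hosts get full access")
    else:
        for flag in sorted(WANT_DEFAULT - default_flags):
            findings.append(f"'restrict default' lacks {flag}")
        # Since ntpd 4.2, notrust means "serve only authenticated packets";
        # with no keys, the public servers matched by default are refused.
        if "notrust" in default_flags and "keys" not in keywords:
            findings.append("'restrict default notrust' without keys rejects "
                            "unauthenticated time sources")
    # noquery already blocks remote ntpq/ntpdc (reply 5); keys only serve the
    # privileged (write) commands from hosts that may still query.
    if "keys" in keywords and not {"controlkey", "requestkey"} & keywords:
        findings.append("keys set but no controlkey/requestkey: privileged "
                        "ntpq/ntpdc commands cannot authenticate")
    return findings


# Constructed sample: the first ntp.conf posted in the thread (abridged).
ORIGINAL_CONF = """
restrict 127.0.0.1
server bigben.cac.washington.edu iburst
"""
# Constructed sample: the revised ntp.conf from reply 3 (abridged).
REVISED_CONF = """
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery
server bigben.cac.washington.edu iburst # University of Washington, Seattle, WA
#keys /etc/ntp/keys
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("revised", REVISED_CONF)):
        print(name + ":", lint_public_ntp(conf) or ["ok"])
```

The per-server line "restrict nomodify" in the reply 2 template is reported as lacking an address, since it needs the server's address filled in.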

  6. Re: Suitable ntp.conf for public NTP server?

    "David Woolley" wrote in message
    news:T1162112019@djwhome.demon.co.uk...
    | In article ,
    | Dennis Hilberg Jr wrote:
    |
    | > It works great. So if/when my IP address changes, all I would have to do is
    | > update the A record in my web's DNS configs. Which I think would be easier
    |
    | ntpd never re-resolves domain names, so any servers which change address
    | are lost until the next reboot.

    This would definitely pose a challenge if my IP changed. So ntpd resolves
    the domain once, then uses the resulting IP address until the next reboot or
    service restart, correct?

    | Also, as a correctly operated system would not change IP addresses except
    | after extended downtime, it is generally assumed that these IP address
    | changes are the result of a deliberate policy to frustrate the operation
    | of servers. It may just be that you are currently operating under
    | circumstances where that policy isn't working well.

    My server is on a network behind a router, and the router and modem never
    get turned off. Could this be why I keep the same IP for extended periods?
    Comcast told me once that their lease period for the dynamic IP addresses is
    one week, but almost always lease the same IP continuously. I was going to
    call Comcast last night and inquire about purchasing a static IP (if that's
    even possible), but didn't get around to it.

    |
    | > server time-nw.nist.gov iburst # Microsoft Corporation,
    | > Redmond, WA
    |
    | I know this one is aliased as the Microsoft one, but is it really run by
    | Microsoft, or do they just pay NIST to be able to use it in Windows?
    | From what I've read, all the NIST servers are overloaded to the point
    | where they are not the best choice and this one may well be particularly
    | overloaded.

    All that I know about this server is what I gather from here:
    http://ntp.isc.org/bin/view/Servers/TimeNwNistGov. According to that link
    the server is not running a Windows OS (surprising). Maybe Microsoft
    allowed the government to come in and set up a server using their network.
    You may be right about it being overloaded, as under 'ntpq -p' it's always
    flagged with the hyphen (-). I was considering replacing it with a
    different server. I chose it only because of its proximity to me, and low
    latency.



  7. Re: Suitable ntp.conf for public NTP server?

    Thank you for the information.

    "Richard B. Gilbert" wrote in message
    news:7ridncEDY6V7N9nYnZ2dnUVZ_v6dnZ2d@comcast.com...
    | Dennis Hilberg Jr wrote:
    |
    | > Thanks for replying.
    | >
    | > No, I do not have a static IP address with Comcast. However, I have had
    | > good luck with them in this area regarding consistent IP addresses. I moved
    | > to my current home back in the beginning of February 2006, and had the same
    | > IP address until just about a week ago. At my previous residence, I had the
    | > same IP address for almost two years.
    | >
    | > I don't use DynDNS, but I do have a website through a provider that allows
    | > its users to edit their own DNS records. So I created a custom A record for
    | > my server as a sub-domain of my website, which points to my IP address here.
    | > It works great. So if/when my IP address changes, all I would have to do is
    | > update the A record in my web's DNS configs. Which I think would be easier
    | > than having to submit an IP address change to the pool. But my IP changes
    | > are so infrequent that I think I would be ok. This is really the only
    | > reason I'm considering submitting the server, as I really don't want to
    | > create any issues for the pool by having an IP address that would change
    | > frequently.
    | >
    | > I do not have a UPS system either. Is this a requirement?
    | >
    | > After reading your reply, and doing more research, I've come up with this
    | > ntp.conf:
    | >
    | >
    | > restrict default kod nomodify notrap nopeer noquery
    | > restrict 127.0.0.1
    | > restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer noquery
    | >
    | > server bigben.cac.washington.edu iburst # University of Washington, Seattle, WA
    | > server utcnist.colorado.edu iburst # JILA Laboratory, University of Colorado
    | > server time-nw.nist.gov iburst # Microsoft Corporation, Redmond, WA
    | > server father-time.t-bird.edu iburst # The Garvin School of International Management, Glendale, AZ
    | > server time-a.timefreq.bldrdoc.gov iburst # NIST Boulder Laboratories, Boulder, Colorado
    | > server clepsydra.dec.com iburst # HP Western Research Laboratory, Palo Alto, CA
    | > server time.xmission.com iburst # XMission Internet, Salt Lake City, Utah
    | >
    | > driftfile /etc/ntp/drift
    | > logfile /var/log/ntp/ntp.log
    | >
    | > statsdir /var/log/ntp/
    | > statistics loopstats peerstats clockstats
    | > filegen loopstats file loopstats type day enable
    | > filegen peerstats file peerstats type day enable
    | > filegen clockstats file clockstats type day enable
    | >
    | > # Authentication parameters
    | >
    | > #keys /etc/ntp/keys
    | > #trustedkey 2 3 4
    | > #controlkey 3 # To access the ntpq utility
    | > #requestkey 2 # To access the ntpdc utility
    | >
    | >
    | > The keys I do not have set up yet. What would be the purpose of having keys
    | > on a public server? Or maybe I don't understand what the keys are for. And
    | > doesn't 'noquery' in the default restrictions prevent remote access of ntpq
    | > and ntpdc?
    | >
    | > Thanks again.
    |
    |
    | The purpose of having keys is to enable you to use the privileged
    | functions of ntpdc and ntpq and to prevent strangers from doing so!
    | Restrict noquery does prevent people from querying your server via ntpq
    | or ntpdc. Your clients, however, might just like to know some of the
    | things ntpdc or ntpq could tell them.
    |
    | The UPS is not a requirement, just a good idea. Where I live the power
    | company doesn't believe in preventative maintenance (like trimming
    | trees) so every time we have a wind storm, the power lines contact
    | branches, the fuse blows and we have no power for the two to three hours
    | it takes them to come out and replace the fuse. One of these days I'm
    | going to break down and buy a generator to back up the UPS.
    |
    | In a lot of places, the power can "blink" just long enough to cause a
    | computer to reboot. A UPS lets you "ride out" all these little glitches
    | and gives you ten or fifteen minutes in which to do a clean shutdown
    | when the power does go off.
    |



  8. Re: Suitable ntp.conf for public NTP server?

    David Woolley wrote:
    > ntpd never re-resolves domain names, so any servers which change address
    > are lost until the next reboot.


    And I can tell you: some ntp clients can keep up for months. We removed a
    server from the pool at the beginning of August. It was around 1800 active
    clients at that time. It is now (nearing the end of November) around 500
    active clients. All very stable and boring, but all still generating some
    traffic.

    So a 'may sometimes change' IP isn't the best choice for a pool
    member.

    Koos

    --
    Koos van den Hout, herding Suns and networks as koos@cs.uu.nl
    +31-30-2534104 PGP keyid 0x27513781
    http://idefix.net/~koos/ Use PGP when possible!
    Camp Wireless, wireless Internet access at campsites http://camp-wireless.org/
