-
Internal time server
I'm going to create my internal time server; what do you think if I
set ntp.conf so:
restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
#for stratum 1 time server
restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
#for clients
server 1.it.pool.ntp.org
#time server of stratum 1
driftfile /var/lib/ntp/drift
I noted that if I set a bad time on my server, the ntpd service synchronizes
it correctly, but how is that possible if I set "restrict
1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap"?
Shouldn't the "nomodify" option prevent changes to the state of my internal
server (time should not be set)?
-
Re: Internal time server
I think you should read:
[url]http://ntp.isc.org/Support/AccessRestrictions[/url]
H
-
Re: Internal time server
On 2007-03-13, RICCARDO <castellani.riccardo@tiscali.it> wrote:
> I'm going to create my internal time server; what do you think if I
> set ntp.conf so:
> restrict default ignore
You can't use "restrict default ignore" and pool servers (or any other
hostnames that resolve to multiple IP addresses).
> restrict 127.0.0.1
> restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
> #for stratum 1 time server
>
> restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
> #for clients
>
> server 1.it.pool.ntp.org
> #time server of stratum 1
The 1 on that server line does not mean that you will get a stratum-1
time server.
If you wish to use the it.pool.ntp.org zone you should follow the
instructions at [url]http://www.pool.ntp.org/zone/it[/url]
> driftfile /var/lib/ntp/drift
Here's what your ntp.conf ought to look like (if you are using the
it.pool zone):
# General settings
driftfile /var/lib/ntp/drift
# Default restriction - time service only
restrict default nomodify nopeer notrap noquery
restrict 127.0.0.1
# Authorized Clients - are allowed time service and status queries
restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap
# Remote time servers from the it.pool.ntp.org zone
server 2.it.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
> I noted that if I set a bad time on my server, the ntpd service synchronizes
> it correctly, but how is that possible if I set "restrict
> 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap"?
> Shouldn't the "nomodify" option prevent changes to the state of my internal
> server (time should not be set)?
nomodify has nothing to do with time service.
nomodify ==> "Deny ntpq and ntpdc queries which attempt to modify the
state of the server (i.e., run time reconfiguration). Queries which
return information are permitted."
Remote modifications of ntpd require either (a) the use of symmetric
keys or (b) that you completely disable authentication. So your ntpd
can't be modified remotely unless you configure it to satisfy (a) or (b).
nomodify blocks remote modifications even if someone has the symmetric
key(s) or, I believe, if authentication is disabled.
--
Steve Kostecke <kostecke@ntp.isc.org>
NTP Public Services Project - [url]http://ntp.isc.org/[/url]
-
Re: Internal time server
<<You can't use "restrict default ignore" and pool servers (or any
other hostnames that resolve to multiple IP addresses)>>
What do you suggest: server hostnames that resolve to a unique
IP address?
How many servers should one insert into ntp.conf? A minimum of 4?
-
Re: Internal time server
On 2007-03-14, RICCARDO <castellani.riccardo@tiscali.it> wrote:
> "Steve Kostecke" wrote:
>> You can't use "restrict default ignore" and pool servers (or any other
>> hostnames that resolve to multiple IP addresses).
>
> What do you suggest: server hostnames that resolve to a unique
> IP address?
That all depends on your application and requirements.
If your ntpd is behind NAT or a stateful firewall, you don't really need
"restrict default ignore" and can safely use pool servers.
If your ntpd has a public, routable IP address AND is not behind a
stateful firewall AND you feel that you MUST use "restrict default
ignore", then you should choose servers from the Public Stratum-2 Time
Servers list at [url]http://www.ntp.org/s2[/url] or [url]http://ntp.isc.org/s2[/url]
Under no circumstances should you ever hard code a pool server
host-name/ip-address in your ntp.conf unless that server is listed on
one of the Public Time Servers lists.
Please read [url]http://ntp.isc.org/Support/AccessRestrictions[/url] and follow the
check-list for choosing your default restriction.
> How many servers should one insert into ntp.conf? A minimum of 4?
A minimum of 4 will provide ntpd with enough redundancy to determine the
correct time if one of those 4 servers goes bad.
--
Steve Kostecke <kostecke@ntp.isc.org>
NTP Public Services Project - [url]http://ntp.isc.org/[/url]
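The two replies above make three points that are easy to check mechanically: which restrict entry ntpd applies to a given source address (the most specific match), that nomodify/noquery only govern ntpq/ntpdc access while time service is refused only by ignore (or noserve), and that "restrict default ignore" cannot be combined with pool hostnames, with at least 4 servers recommended. The following is an added example written for this thread, not code from the posters or from the ntp project. It models ntpd's restriction matching as longest-prefix-wins and uses a constructed DNS table (FAKE_DNS, RFC 5737 documentation addresses) in place of real resolution; a restrict entry on a hostname is resolved to only the first answer, which is a model of the single-address resolution the reply warns about, not a reproduction of ntpd's code.

```python
"""Toy model of ntpd 'restrict' semantics plus a small ntp.conf lint.

Added example, not code from the thread or from the ntp project. It models
the access-restriction behaviour described in the replies: the most specific
matching restrict entry applies, 'nomodify'/'noquery' govern ntpq/ntpdc
access only, and time service is denied only by 'ignore' or 'noserve'.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed DNS answers (RFC 5737 documentation addresses). A real pool name
# resolves to a rotating set of addresses, which is why the reply says
# "restrict default ignore" and pool servers cannot be combined.
FAKE_DNS = {
    "1.europe.pool.ntp.org": ["203.0.113.10", "203.0.113.11"],
    "1.it.pool.ntp.org": ["203.0.113.20"],
}

# The original poster's ntp.conf, as quoted in the thread.
ORIGINAL_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
server 1.it.pool.ntp.org
driftfile /var/lib/ntp/drift
"""

# The ntp.conf recommended in the reply.
RECOMMENDED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify nopeer notrap noquery
restrict 127.0.0.1
restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap
server 2.it.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
"""


@dataclass
class Restrict:
    network: Optional[ipaddress.IPv4Network]  # None if a hostname did not resolve
    flags: frozenset
    hostname: Optional[str]                   # set when the entry used a name


def parse_conf(text, dns=FAKE_DNS):
    """Return (restrict entries, server names) from ntp.conf text."""
    restricts, servers = [], []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments and blanks
        if not parts:
            continue
        if parts[0] == "restrict":
            restricts.append(_parse_restrict(parts[1:], dns))
        elif parts[0] in ("server", "peer", "pool"):
            servers.append(parts[1])
    return restricts, servers


def _parse_restrict(tokens, dns):
    target, rest = tokens[0], tokens[1:]
    mask = "255.255.255.255"                  # no 'mask' means a single host
    if rest[:1] == ["mask"]:
        mask, rest = rest[1], rest[2:]
    flags = frozenset(rest)
    if target == "default":
        return Restrict(ipaddress.ip_network("0.0.0.0/0"), flags, None)
    hostname = None
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Model assumption: a name is resolved once and only the first
        # answer is used, so the other pool addresses stay unmatched.
        hostname = target
        answers = dns.get(target, [])
        if not answers:
            return Restrict(None, flags, hostname)
        addr = ipaddress.ip_address(answers[0])
    return Restrict(ipaddress.ip_network(f"{addr}/{mask}", strict=False), flags, hostname)


def effective_flags(conf_text, source_ip, dns=FAKE_DNS):
    """Flags applied to packets from source_ip: most specific match wins."""
    restricts, _ = parse_conf(conf_text, dns)
    ip = ipaddress.ip_address(source_ip)
    matches = [r for r in restricts if r.network is not None and ip in r.network]
    if not matches:
        return set()                          # no restrict line at all: full access
    return set(max(matches, key=lambda r: r.network.prefixlen).flags)


def time_service_allowed(flags):
    return not ({"ignore", "noserve"} & flags)


def query_allowed(flags):
    return not ({"ignore", "noquery"} & flags)


def modify_allowed(flags):
    return not ({"ignore", "noquery", "nomodify"} & flags)


def lint(conf_text, dns=FAKE_DNS, min_servers=4):
    """Warnings following the checklist given in the replies."""
    restricts, servers = parse_conf(conf_text, dns)
    warnings = []
    default = next((r for r in restricts
                    if r.network is not None and r.network.prefixlen == 0), None)
    if default is None:
        warnings.append("no 'restrict default' line: every source gets full access")
    else:
        missing = {"nomodify", "noquery"} - default.flags
        if "ignore" not in default.flags and missing:
            warnings.append("restrict default lacks " + ", ".join(sorted(missing)))
        if "ignore" in default.flags and any("pool.ntp.org" in s for s in servers):
            warnings.append("'restrict default ignore' cannot be combined with pool servers")
    for r in restricts:
        if r.hostname:
            warnings.append(f"restrict on hostname {r.hostname} covers one resolved address only")
    if len(servers) < min_servers:
        warnings.append(f"only {len(servers)} server(s); at least {min_servers} recommended")
    return warnings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("recommended", RECOMMENDED_CONF)):
        print(name, lint(conf))
        for ip in ("203.0.113.10", "203.0.113.20", "196.200.3.42", "127.0.0.1"):
            f = effective_flags(conf, ip)
            print(f"  {ip:14} flags={sorted(f)} time={time_service_allowed(f)} "
                  f"query={query_allowed(f)} modify={modify_allowed(f)}")
```

Against the original config the model gives the pool address the flags nomodify/noquery/notrap, which still permit time service (the answer to the question about nomodify), while the address the server line actually resolves to falls through to "ignore"; the lint on the recommended config reports only the server count, since that config lists 3 servers and the later reply recommends 4.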