Internal time server - NTP



Thread: Internal time server

  1. Internal time server

    I'm going to create my internal time server. What do you think if I
    set ntp.conf like this:

    restrict default ignore
    restrict 127.0.0.1
    restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
    #for stratum 1 time server

    restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
    #for clients

    server 1.it.pool.ntp.org
    #time server of stratum 1

    driftfile /var/lib/ntp/drift

    I noticed that if I set a bad time on my server, the ntpd service
    synchronizes it correctly, but how is that possible if "restrict
    1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap" is set?
    Shouldn't the "nomodify" option prevent changing the status of my
    internal server (the time should not be set)?


  2. Re: Internal time server


  3. Re: Internal time server

    On 2007-03-13, RICCARDO wrote:

    > I'm going to create my internal time server. What do you think if I
    > set ntp.conf like this:


    > restrict default ignore


    You can't use "restrict default ignore" and pool servers (or any other
    hostnames that resolve to multiple IP addresses).

    > restrict 127.0.0.1
    > restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
    > #for stratum 1 time server
    >
    > restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
    > #for clients
    >
    > server 1.it.pool.ntp.org
    > #time server of stratum 1


    The 1 on that server line does not mean that you will get a stratum-1
    time server.

    If you wish to use the it.pool.ntp.org zone you should follow the
    instructions at http://www.pool.ntp.org/zone/it

    > driftfile /var/lib/ntp/drift


    Here's what your ntp.conf ought to look like (if you are using the
    it.pool zone):

    # General settings
    driftfile /var/lib/ntp/drift

    # Default restriction - time service only
    restrict default nomodify nopeer notrap noquery
    restrict 127.0.0.1

    # Authorized Clients - are allowed time service and status queries
    restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap

    # Remote time servers from the it.pool.ntp.org zone
    server 2.it.pool.ntp.org iburst
    server 0.europe.pool.ntp.org iburst
    server 2.europe.pool.ntp.org iburst

    > I noticed that if I set a bad time on my server, the ntpd service
    > synchronizes it correctly, but how is that possible if "restrict
    > 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap" is set?
    > Shouldn't the "nomodify" option prevent changing the status of my
    > internal server (the time should not be set)?


    nomodify has nothing to do with time service.

    nomodify ==> "Deny ntpq and ntpdc queries which attempt to modify the
    state of the server (i.e., run time reconfiguration). Queries which
    return information are permitted."

    Remote modifications of ntpd require either (a) the use of symmetric
    keys or (b) that you completely disable authentication. So your ntpd
    can't be modified remotely unless your configuration satisfies (a) or (b).

    nomodify blocks remote modifications even if someone has the symmetric
    key(s) or, I believe, if authentication is disabled.

    --
    Steve Kostecke
    NTP Public Services Project - http://ntp.isc.org/

  4. Re: Internal time server

    > ... or any other hostnames that resolve to multiple IP addresses

    What do you suggest: should I use server hostnames which resolve to a
    unique IP address?
    How many servers should you insert into ntp.conf? A minimum of 4?


  5. Re: Internal time server

    On 2007-03-14, RICCARDO wrote:

    > "Steve Kostecke" wrote:
    >
    > > You can't use "restrict default ignore" and pool servers (or any other
    > > hostnames that resolve to multiple IP addresses).

    >
    > What do you suggest: should I use server hostnames which resolve to a
    > unique IP address?


    That all depends on your application and requirements.

    If your ntpd is behind NAT or a stateful firewall you don't really need
    "restrict default ignore" and can safely use pool servers.

    If your ntpd has a public, routable IP address AND is not behind a
    stateful firewall AND you feel that you MUST use "restrict default
    ignore", then you should choose servers from the Public Stratum-2 Time
    Servers list at http://www.ntp.org/s2 or http://ntp.isc.org/s2

    Under no circumstances should you ever hard code a pool server
    host-name/ip-address in your ntp.conf unless that server is listed on
    one of the Public Time Servers lists.

    Please read http://ntp.isc.org/Support/AccessRestrictions and follow the
    check-list for choosing your default restriction.

    > How many servers should you insert into ntp.conf? A minimum of 4?


    A minimum of 4 will provide ntpd with enough redundancy to determine the
    correct time if one of those 4 servers goes bad.

    --
    Steve Kostecke
    NTP Public Services Project - http://ntp.isc.org/
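As an added example (not from this thread or the NTP project), a small Python checker for the three pitfalls Steve's replies point out: "restrict default ignore" combined with pool hostnames, a default restriction that omits nomodify, and fewer than four time sources. It assumes any name under pool.ntp.org resolves to many addresses (so no DNS lookup is needed) and runs over the original poster's config plus a constructed corrected variant.

```python
# Added checker for the pitfalls discussed in this thread; not part of ntpd.
import re
# Assumption: names under pool.ntp.org resolve to many IPs (no DNS lookup done).
POOL_RE = re.compile(r"(^|\.)pool\.ntp\.org$", re.IGNORECASE)

def parse_ntp_conf(text):
    """Return (flags on 'restrict default', list of server/peer names)."""
    default_flags, servers = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tok = line.split()
        if tok[0] == "restrict" and len(tok) > 2 and tok[1] == "default":
            default_flags.update(tok[2:])
        elif tok[0] in ("server", "peer") and len(tok) > 1:
            servers.append(tok[1])
    return default_flags, servers

def lint_ntp_conf(text):
    """Return findings for the thread's three pitfalls; empty list if clean."""
    flags, servers = parse_ntp_conf(text)
    findings = []
    pool_names = [s for s in servers if POOL_RE.search(s)]
    if "ignore" in flags and pool_names:
        # A /32 restrict line admits one IP; a pool name resolves to many.
        findings.append("restrict default ignore with pool servers: " + ", ".join(pool_names))
    if "ignore" not in flags and "nomodify" not in flags:
        findings.append("default restriction allows remote reconfiguration (add nomodify)")
    if len(servers) < 4:
        findings.append(f"only {len(servers)} time source(s); 4 are needed to outvote one bad server")
    return findings

# Constructed inputs: the original poster's config and a corrected variant.
ORIGINAL_CONF = """restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
server 1.it.pool.ntp.org
"""
CORRECTED_CONF = """restrict default nomodify nopeer notrap noquery
restrict 127.0.0.1
restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap
server 0.it.pool.ntp.org iburst
server 1.it.pool.ntp.org iburst
server 2.it.pool.ntp.org iburst
server 3.it.pool.ntp.org iburst
"""
print(lint_ntp_conf(ORIGINAL_CONF), lint_ntp_conf(CORRECTED_CONF))
```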
