[ntp:questions] Suitable ntp.conf for public NTP server?

Richard B. Gilbert rgilbert88 at comcast.net
Sat Oct 28 18:01:18 UTC 2006


Dennis Hilberg Jr wrote:
> Hello.
> 
> I am new to ntpd, and have a question regarding the ntp.conf.
> 
> First of all, here is my ntp.conf:
> 
> 
> restrict 127.0.0.1
> 
> server bigben.cac.washington.edu iburst
> server time-nw.nist.gov iburst
> server usno.pa-x.dec.com iburst
> server nist1.aol-ca.truetime.com iburst
> server clepsydra.dec.com iburst
> 
> driftfile /etc/ntp/drift
> logfile /var/log/ntp.log
> 
> 
> Is this an acceptable ntp.conf for running a public ntp server?  I'm 
> considering submitting my server to the pool, but only if I know it's 
> relatively secure.  I'm having a hard time finding ntp.conf examples for 
> public ntp servers with descriptions of each setting.  I've followed 
> whatever advice I've found: no more than five servers, no local server, etc. 
> I use my ntp server for syncing time on my local network, and it works 
> great.
> 
> Basically, do I need any other security settings to run a secure 
> (relatively) public ntp server?  Or am I good to go to open up the firewall?
> 
> Thanks for any assistance!
> 
> Dennis 
> 
> 

It should work.

I think you might want to create an ntp.keys file and add a pointer to 
it to your ntp.conf

#
# Authentication parameters
#
keys /etc/inet/ntp.keys
trustedkey  2 3 4
controlkey 3            # To access the ntpq utility
requestkey 2            # To access the ntpdc utility

In addition, you should probably have some restrict statements:
restrict default nomodify noquery notrust
restrict 127.0.0.1	# Allow free access to localhost
restrict 192.168.1.0 mask 255.255.255.0 # Allow my local network
restrict <server IP> nomodify # For each server

And:
#
# NTP monitoring parameters
#
statsdir /var/ntp/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

Last, but not least, you might want to set up authentication with the 
servers you are using.  This guarantees that the servers you get time 
from are, in fact, the servers you think they are; e.g. nobody can 
deceive you by pretending to be a well known public server.

I see that your address is comcast.net.  Did you get a static IP address 
from them or are you using Dyndns?  If your address changes every few 
weeks, as Comcast tends to do, it will make it difficult for your 
clients to keep up with you.

Do you have an uninterruptible power system (UPS) for your server and 
network components?
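As an added illustration (not part of the original post or of the ntp distribution), the following Python script audits an ntp.conf for the points raised in the reply: a `restrict default` line carrying `nomodify` and `noquery`, an exemption for localhost, a per-server `restrict` line for each upstream, and a `keys`/`trustedkey` setup whose `controlkey` and `requestkey` actually refer to trusted key IDs. It also flags `notrust` on the default restriction, since in ntpd 4.2 and later that flag rejects any packet that is not cryptographically authenticated, which a public pool server cannot require of its clients. The sample configuration embedded below is constructed from the snippets in this thread; the function and finding texts are this example's own.

```python
"""Audit an ntp.conf for the public-server hardening points discussed above.

Added example, not code from the original post.  The config parsing is
deliberately minimal: one keyword and its arguments per line, '#' comments
stripped.  SAMPLE_CONF below is constructed from the thread's snippets.
"""

# Constructed sample: the poster's config plus the reply's suggestions,
# without the per-server restrict lines (so the audit has something to flag).
SAMPLE_CONF = """
driftfile /etc/ntp/drift
logfile /var/log/ntp.log
restrict default nomodify noquery notrust
restrict 127.0.0.1                       # Allow free access to localhost
restrict 192.168.1.0 mask 255.255.255.0  # Allow my local network
server bigben.cac.washington.edu iburst
server time-nw.nist.gov iburst
keys /etc/inet/ntp.keys
trustedkey 2 3 4
controlkey 3
requestkey 2
"""


def parse_conf(text):
    """Return a list of (keyword, [args]) tuples; comments and blanks dropped."""
    stmts = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        stmts.append((parts[0].lower(), parts[1:]))
    return stmts


def audit(text):
    """Return a list of finding strings; an empty list means every check passed."""
    stmts = parse_conf(text)
    findings = []

    restricts = [args for kw, args in stmts if kw == "restrict" and args]
    servers = [args[0] for kw, args in stmts if kw in ("server", "peer") and args]

    # 1. A default restriction must exist and must stop modification and queries.
    default = [args for args in restricts if args[0] == "default"]
    if not default:
        findings.append("no 'restrict default' line: any host may query and modify")
    else:
        flags = set(default[0][1:])
        for needed in ("nomodify", "noquery"):
            if needed not in flags:
                findings.append(f"'restrict default' lacks {needed}")
        if "notrust" in flags:
            findings.append("'restrict default' has notrust: ntpd 4.2+ then rejects "
                            "unauthenticated packets, so ordinary clients are refused")

    # 2. Localhost should be exempted so ntpq/ntpdc keep working on the box.
    targets = {args[0] for args in restricts}
    if "127.0.0.1" not in targets:
        findings.append("localhost has no 'restrict 127.0.0.1' exemption")

    # 3. Each upstream server needs its own restrict line, or the default applies to it.
    for host in servers:
        if host not in targets:
            findings.append(f"server {host} has no matching 'restrict {host}' line")

    # 4. Authentication: keys file, trusted key list, and consistent control/request keys.
    keys = [args for kw, args in stmts if kw == "keys" and args]
    trusted_ids = set()
    for kw, args in stmts:
        if kw == "trustedkey":
            trusted_ids.update(args)
    if not keys:
        findings.append("no 'keys' file configured")
    if not trusted_ids:
        findings.append("no 'trustedkey' list configured")
    for kw in ("controlkey", "requestkey"):
        for k, args in stmts:
            if k == kw and args and args[0] not in trusted_ids:
                findings.append(f"{kw} {args[0]} is not listed under trustedkey")

    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no findings"]:
        print("-", finding)
```

Running the script against the embedded sample reports three findings: the `notrust` flag on the default restriction and the two upstream servers that have no `restrict` line of their own. Feeding it the poster's original ntp.conf instead additionally reports the missing `restrict default` line and the absent `keys`/`trustedkey` configuration.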