[ntp:questions] Suitable ntp.conf for public NTP server?

Dennis Hilberg Jr dhilberg at comcast.net
Sun Oct 29 07:53:46 UTC 2006

Thanks for replying.

No, I do not have a static IP address with Comcast.  However, I have had 
good luck with them in this area regarding consistent IP addresses.  I moved 
to my current home back in the beginning of February 2006, and had the same 
IP address until just about a week ago.  At my previous residence, I had the 
same IP address for almost two years.

I don't use DynDNS, but I do have a website through a provider that allows 
its users to edit their own DNS records.  So I created a custom A record for 
my server as a sub-domain of my website, which points to my IP address here. 
It works great.  So if/when my IP address changes, all I would have to do is 
update the A record in my web's DNS configs.  Which I think would be easier 
than having to submit an IP address change to the pool.  But my IP changes 
are so infrequent that I think I would be ok.  This is really the only 
reason I'm considering submitting the server, as I really don't want to 
create any issues for the pool by having an IP address that would change 

I do not have a UPS system either.  Is this a requirement?

After reading your reply, and doing more research, I've come up with this 

restrict default kod nomodify notrap nopeer noquery
restrict mask nomodify notrap nopeer noquery

server bigben.cac.washington.edu   iburst       # University of Washington, 
Seattle, WA
server utcnist.colorado.edu        iburst       # JILA Laboratory, 
University of Colorado
server time-nw.nist.gov            iburst       # Microsoft Corporation, 
Redmond, WA
server father-time.t-bird.edu      iburst       # The Garvin School of 
International Managment, Glendale, AZ
server time-a.timefreq.bldrdoc.gov iburst       # NIST Boulder Laboratories, 
Boulder, Colorado
server clepsydra.dec.com           iburst       # HP Western Research 
Laboratory, Palo Alto, CA
server time.xmission.com           iburst       # XMission Internet, Salt 
Lake City, Utah

driftfile /etc/ntp/drift
logfile /var/log/ntp/ntp.log

statsdir /var/log/ntp/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# Authentication parameters

#keys           /etc/ntp/keys
#trustedkey     2 3 4
#controlkey     3       # To access the ntpq utility
#requestkey     2       # To access the ntpdc utility

The keys I do not have set up yet.  What would be the purpose of having keys 
on a public server?  Or maybe I don't understand what the keys are for.  And 
doesn't 'noquery' in the default restrictions prevent remote access of ntpq 
and ntpdc?

Thanks again.

"Richard B. Gilbert" <rgilbert88 at comcast.net> wrote in message 
news:3a-dnZnt-5VtB97YnZ2dnUVZ_r6dnZ2d at comcast.com...
Dennis Hilberg Jr wrote:
> Hello.
> I am new to ntpd, and have a question regarding the ntp.conf.
> First of all, here is my ntp.conf:
> restrict
> server bigben.cac.washington.edu iburst
> server time-nw.nist.gov iburst
> server usno.pa-x.dec.com iburst
> server nist1.aol-ca.truetime.com iburst
> server clepsydra.dec.com iburst
> driftfile /etc/ntp/drift
> logfile /var/log/ntp.log
> Is this an acceptable ntp.conf for running a public ntp server?  I'm
> considering submitting my server to the pool, but only if I know it's
> relatively secure.  I'm having a hard time finding ntp.conf examples for
> public ntp servers with descriptions of each setting.  I've followed
> whatever advice I've found: no more than five servers, no local server, 
> etc.
> I use my ntp server for syncing time on my local network, and it works
> great.
> Basically, do I need any other security settings to run a secure
> (relatively) public ntp server?  Or am I good to go to open up the 
> firewall?
> Thanks for any assistance!
> Dennis

It should work.

I think you might want to create an ntp.keys file and add a pointer to
it to your ntp.conf

# Authentication parameters
keys /etc/inet/ntp.keys
trustedkey  2 3 4
controlkey 3            # To access the ntpq utility
requestkey 2            # To access the ntpdc utility

In addition, you should probably have some restrict statements:
restrict default nomodify noquery notrust
restrict # Allow free access to localhost
restrict mask # Allow my local network
restrict <server IP> nomodify # For each server

# NTP monitoring parameters
statsdir /var/ntp/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

Last, but not least, you might want to set up authentication with the
servers you are using.  This guarantees that the servers you get time
from are, in fact, the servers you think they are; e.g. nobody can
deceive you by pretending to be a well known public server.

I see that your address is comcast.net.  Did you get a static IP address
from them or are you using Dyndns?  If your address changes every few
weeks, as Comcast tends to do, it will make it difficult for your
clients to keep up with you.

Do you have an uninterruptable power system (UPS) for your server and
network components? 

More information about the questions mailing list