[ntp:questions] Internal time server
kostecke at ntp.isc.org
Wed Mar 14 02:57:23 UTC 2007
On 2007-03-13, RICCARDO <castellani.riccardo at tiscali.it> wrote:
> I'm going to create my internal time server, what do you think if I
> set ntp.conf so:
> restrict default ignore
You can't use "restrict default ignore" and pool servers (or any other
hostnames that resolve to multiple IP addresses
> restrict 127.0.0.1
> restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery
> #for stratum 1 time server
> restrict 18.104.22.168 mask 255.255.255.0 nomodify noquery notrap
> #for clients
> server 1.it.pool.ntp.org
> #time server of stratum 1
The 1 on that server line does not mean that you will get a stratum-1
If you wish to use the it.pool.ntp.org zone you should follow the
instructions at http://www.pool.ntp.org/zone/it
> driftfile /var/lib/ntp/drift
Here's what your ntp.conf ought to look like (if you are using the
# General settings
# Default restriction - time service only
restrict default nomodify nopeer notrap noquery
# Authorized Clients - are allowed time service and status queries
restrict 22.214.171.124 mask 255.255.255.0 nomodify nopeer notrap
# Remote time servers from the it.pool.ntp.org zone
server 2.it.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
> I noted that if I set a bad time on my server, the ntpd service synchronizes
> it correctly, but how is it possible if it's set "restrict
> 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap" ?
> should "Nomodify" option avoid to change status of my internal server
> (time should not be set) ?
nomodify has nothing to do with time service.
nomodify ==> "Deny ntpq and ntpdc queries which attempt to modify the
state of the server (i.e., run time reconfiguration). Queries which
return information are permitted."
Remote modifications of ntpd require either (a) the use of symmetric
keys or (b) that you completely disable authentication. So your ntpd
can't be modified remotely unless you satisfy (a) or (b).
nomodify blocks remote modifications even if someone has the symmetric
key(s) or, I believe, if authentication is disabled.
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
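
Added example, not part of the original post: a small Python check for the two configuration points raised in the reply, a "restrict default ignore" line combined with hostname-based servers, and a default restriction that lacks the flags on the reply's suggested default line. The function name and finding codes are hypothetical; both sample configurations are copied from the post.

```python
import ipaddress
SUGGESTED_DEFAULT = {"nomodify", "nopeer", "notrap", "noquery"}  # reply's default line

# Both configurations are copied from the post above.
ORIGINAL_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery
restrict 18.104.22.168 mask 255.255.255.0 nomodify noquery notrap
server 1.it.pool.ntp.org
driftfile /var/lib/ntp/drift
"""
SUGGESTED_CONF = """\
restrict default nomodify nopeer notrap noquery
restrict 22.214.171.124 mask 255.255.255.0 nomodify nopeer notrap
server 2.it.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
"""

def is_address(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint_ntp_conf(text):
    """Return sorted (line_no, code) findings for ntp.conf text."""
    default, restricts, servers = None, [], []
    for no, raw in enumerate(text.splitlines(), 1):
        tok = [t for t in raw.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(tok) < 2:
            continue
        if tok[0] == "restrict" and tok[1] == "default":
            default = (no, set(tok[2:]))
        elif tok[0] == "restrict":
            restricts.append((no, tok[1]))
        elif tok[0] in ("server", "peer", "pool"):
            servers.append((no, tok[1]))
    # Names cannot be resolved offline, so every hostname is flagged.
    found = [(no, "restrict-uses-hostname") for no, h in restricts if not is_address(h)]
    if default and "ignore" in default[1]:
        found += [(no, "hostname-server-under-default-ignore")
                  for no, h in servers if not is_address(h)]
    elif default and not SUGGESTED_DEFAULT <= default[1]:
        missing = sorted(SUGGESTED_DEFAULT - default[1])
        found.append((default[0], "default-missing-" + "-".join(missing)))
    return sorted(found)
```

Running lint_ntp_conf on the original configuration flags lines 3 and 5; the suggested configuration produces no findings.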