[ntp:questions] Internal time server

Steve Kostecke kostecke at ntp.isc.org
Wed Mar 14 02:57:23 UTC 2007


On 2007-03-13, RICCARDO <castellani.riccardo at tiscali.it> wrote:

> I'm going to create my internal time server, what do you think if I
> set ntp.conf so:

> restrict default ignore

You can't use "restrict default ignore" and pool servers (or any other
hostnames that resolve to multiple IP addresses).

> restrict 127.0.0.1
> restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery
> notrap
> #for stratum 1 time server
>
> restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
> #for clients
>
> server 1.it.pool.ntp.org
> #time server of stratum 1

The 1 on that server line does not mean that you will get a stratum-1
time server.

If you wish to use the it.pool.ntp.org zone you should follow the
instructions at http://www.pool.ntp.org/zone/it

> driftfile /var/lib/ntp/drift

Here's what your ntp.conf ought to look like (if you are using the
it.pool zone):

# General settings
driftfile /var/lib/ntp/drift

# Default restriction - time service only
restrict default nomodify nopeer notrap noquery
restrict 127.0.0.1

# Authorized Clients - are allowed time service and status queries
restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap

# Remote time servers from the it.pool.ntp.org zone
server 2.it.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst

> I noted that if I set a bad time on my server, the ntpd service synchronizes
> it correctly, but how is it possible if it's set "restrict
> 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap"?
> Should the "nomodify" option avoid changing the status of my internal server
> (time should not be set)?

nomodify has nothing to do with time service.

nomodify ==> "Deny ntpq and ntpdc queries which attempt to modify the
state of the server (i.e., run time reconfiguration). Queries which
return information are permitted."

Remote modifications of ntpd require either (a) the use of symmetric
keys or (b) that you completely disable authentication. So your ntpd
can't be modified remotely unless you configure it to satisfy (a) or (b).

nomodify blocks remote modifications even if someone has the symmetric
key(s) or, I believe, if authentication is disabled.

-- 
Steve Kostecke <kostecke at ntp.isc.org>
NTP Public Services Project - http://ntp.isc.org/
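The following is an added example, not part of the original thread and not ntpd's own code: a small model of how ntpd picks the `restrict` line that governs a packet (most specific address/mask match wins, with `default` standing for 0.0.0.0/0). It is used to compare the poster's configuration with the one suggested in the reply, and to show why `restrict default ignore` breaks pool servers. The model assumes that a hostname in a `restrict` line is bound to a single resolved address; the DNS answers, the `FAKE_DNS` table and the two embedded configurations are constructed for the example and use documentation address ranges, not real pool addresses.

```python
"""Model of ntpd restrict matching (added example, not ntpd's own code).

Assumptions, labelled here and in the lead-in:
  * a restrict entry naming a host is bound to ONE resolved address;
  * the entry with the longest matching mask governs the packet;
  * only the `restrict <addr> [mask <m>] <flags>` form is parsed
    (no -4/-6/source keywords).
"""
import ipaddress

# Constructed DNS answers (documentation ranges, not real pool servers).
FAKE_DNS = {
    "1.europe.pool.ntp.org": ["192.0.2.10", "192.0.2.11", "198.51.100.5"],
    "1.it.pool.ntp.org": ["203.0.113.7", "203.0.113.8"],
}

# The configuration from the original question (one restrict line per row).
POSTED_CONF = """
restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap  # for clients
server 1.it.pool.ntp.org
"""

# The configuration suggested in the reply.
SUGGESTED_CONF = """
restrict default nomodify nopeer notrap noquery
restrict 127.0.0.1
restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap
server 2.it.pool.ntp.org iburst
"""


def resolve_first(name):
    """Literal addresses pass through; hostnames bind to their first answer."""
    try:
        return str(ipaddress.ip_address(name))
    except ValueError:
        return FAKE_DNS[name][0]


def parse_restrict(conf_text):
    """Return [(network, frozenset(flags))] for every restrict line."""
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        parts = line.split()
        if not parts or parts[0] != "restrict":
            continue
        addr, rest = parts[1], parts[2:]
        mask = "255.255.255.255"                 # ntpd default: host mask
        if rest[:1] == ["mask"]:
            mask, rest = rest[1], rest[2:]
        if addr == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            net = ipaddress.ip_network((resolve_first(addr), mask), strict=False)
        entries.append((net, frozenset(rest)))
    return entries


def effective_flags(entries, source):
    """Flags of the most specific matching entry; none matched -> no flags."""
    src = ipaddress.ip_address(source)
    best = None
    for net, flags in entries:
        if src in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return best[1] if best else frozenset()


def access(entries, source):
    """What a packet from `source` may do: time, ntpq status, ntpq modify."""
    flags = effective_flags(entries, source)
    return {
        "time_service": "ignore" not in flags,
        "status_query": not ({"ignore", "noquery"} & flags),
        "modify": not ({"ignore", "noquery", "nomodify"} & flags),
    }


if __name__ == "__main__":
    posted, suggested = parse_restrict(POSTED_CONF), parse_restrict(SUGGESTED_CONF)
    for ip in FAKE_DNS["1.europe.pool.ntp.org"] + ["196.200.3.25", "127.0.0.1"]:
        print(ip, "posted:", access(posted, ip), "suggested:", access(suggested, ip))
```

Running the script shows that under the posted configuration only the first resolved pool address (192.0.2.10 here) is allowed to answer; replies from 192.0.2.11 and 198.51.100.5 fall through to `restrict default ignore` and are dropped, which is the problem the reply describes. The suggested configuration gives every address time service, reserves `ntpq` status queries for the 196.200.3.0/24 clients and localhost, and denies modification everywhere except localhost; note that none of these flags affects whether the daemon sets its own clock from a configured server.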