[ntp:questions] why is my pool server's offset so bad
Dennis Hilberg, Jr.
timekeeper at dennishilberg.com.invalid
Mon Jan 21 17:40:31 UTC 2008
Pat Farrell wrote:
> On Sat, 19 Jan 2008 23:43:00 -0800, Dennis Hilberg, Jr. wrote:
>> It looks like switching from openntpd to ntpd solved the problem. Check out
>> your offset graph now.
>> Was your Mandriva 2006 system using ntpd, or openntpd?
> Sure looks like it's fixed.
> Mandriva was ntpd built from sources, as their distro version was way too
> old to be used.
> Here is my current ntpd.conf, for all the world to see:
> # /etc/ntp.conf, configuration for ntpd
> driftfile /var/lib/ntp/ntp.drift
I was mainly checking to see if you had a drift file specified.
> statsdir /var/log/ntpstats/
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable
You won't generate any clockstats unless you're using a clock driver.
> # pool.ntp.org maps to more than 300 low-stratum NTP servers.
> server nist1.aol-va.symmetricom.com
> server ntp-2.vt.edu
> server ntp-4.vt.edu
> server ntp-1.cede.psu.edu
> #server prometheus.acm.jhu.edu
> server time-b.nist.gov
> # By default, exchange time with everybody, but don't allow configuration.
> # See /usr/share/doc/ntp-doc/html/accopt.html for details.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery
Using 'noquery' prevents people from using ntpq and ntpdc (and ntptrace too
I believe) on your server. So if I wanted to 'ntpq -p 188.8.131.52' to
see what your time sources were or 'ntpq -crv 184.108.40.206' to see your
system variables, I would get request timed out. If you don't want to allow
that, that's fine of course, but it's a friendly gesture to allow it. There
aren't really any exploits to worry about as far as I know.
> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
> # Clients from this (example!) subnet have unlimited access,
> # but only if cryptographically authenticated
> #restrict 192.168.123.0 mask 255.255.255.0 notrust
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> broadcast 172.16.4.255
Disable broadcast unless you are using it.
> # If you want to listen to time broadcasts on your local subnet,
> # de-comment the next lines. Please do this only if you trust everybody
> # on the network!
> #disable auth
Dennis Hilberg, Jr. \ timekeeper(at)dennishilberg(dot)com
NTP Server Information: \ http://saturn.dennishilberg.com/ntp.php
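The points raised in the reply above (drift file present, clockstats configured without a reference clock driver, whether the default restrict lines carry noquery, and an active broadcast line) can be checked mechanically. The following shell lint is an added example, not code from the thread or from the ntp project; it assumes the plain ntp.conf syntax quoted in the thread, identifies a reference clock driver by the 127.127.t.u pseudo-address ntpd uses for them, and the sample configuration it runs on is constructed here, modeled on the quoted one.

```shell
#!/bin/sh
# Added example (not from the thread or ntpd): report the configuration
# points discussed above for a given ntp.conf. Function names and the
# constructed sample are this example's own.

# Print the configuration with comments and blank lines removed.
ntp_conf_active_lines() {
    sed 's/#.*//' "$1" | grep -v '^[[:space:]]*$'
}

# Emit one finding per line for the file given as $1; prints nothing when
# no finding applies.
ntp_conf_lint() {
    active=$(ntp_conf_active_lines "$1")

    # A drift file lets ntpd restart with its last frequency estimate.
    printf '%s\n' "$active" | grep -q '^[[:space:]]*driftfile[[:space:]]' \
        || echo "no driftfile directive: frequency estimate is lost on restart"

    # clockstats only gets content when a reference clock driver (127.127.t.u) is configured.
    if printf '%s\n' "$active" | grep -q '^[[:space:]]*statistics.*clockstats' \
       && ! printf '%s\n' "$active" | grep -q '127\.127\.'; then
        echo "clockstats enabled without a reference clock driver: file will stay empty"
    fi

    # Report whether each default restrict line carries noquery
    # (noquery refuses ntpq/ntpdc status queries from hosts matched by that line).
    printf '%s\n' "$active" | grep '^[[:space:]]*restrict.*default' | while read -r line; do
        case " $line " in
            *" noquery "*) echo "default restrict has noquery: remote ntpq/ntpdc status queries refused" ;;
            *)             echo "default restrict lacks noquery: remote ntpq/ntpdc status queries allowed" ;;
        esac
    done

    # An uncommented broadcast line sends time to that subnet whether or not anyone listens.
    printf '%s\n' "$active" | grep -q '^[[:space:]]*broadcast[[:space:]]' \
        && echo "broadcast enabled: disable unless clients on that subnet use it"
    return 0
}

# Constructed sample, modeled on the configuration quoted in the thread.
ntp_conf_sample() {
    cat <<'EOF'
# /etc/ntp.conf, constructed sample for the lint above
driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen clockstats file clockstats type day enable
server ntp-2.vt.edu
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
broadcast 172.16.4.255
#disable auth
EOF
}

# Write the sample to a temporary file, lint it, and print the findings.
ntp_conf_lint_demo() {
    tmp=$(mktemp)
    ntp_conf_sample > "$tmp"
    ntp_conf_lint "$tmp"
    rm -f "$tmp"
}

ntp_conf_lint_demo
```

Run it as `sh ntp_conf_lint.sh` to see the findings for the constructed sample, or call `ntp_conf_lint /etc/ntp.conf` on a real file; for the sample it reports the empty clockstats file, noquery on both default restrict lines, and the active broadcast line, and says nothing about the drift file because one is configured.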