[ntp:questions] why is my pool server's offset so bad

Dennis Hilberg, Jr. timekeeper at dennishilberg.com.invalid
Mon Jan 21 17:40:31 UTC 2008


Pat Farrell wrote:
> On Sat, 19 Jan 2008 23:43:00 -0800, Dennis Hilberg, Jr. wrote:
>> It looks like switching from openntpd to ntpd solved the problem.  Check out 
>> your offset graph now.
>>
>> Was your Mandriva 2006 system using ntpd, or openntpd?
> 
> Sure looks like it's fixed.
> Mandriva was ntpd built from sources, as their distro version was way too
> old to be used.
> 
> Here is my current ntpd.conf, for all the world to see:
> 
> # /etc/ntp.conf, configuration for ntpd
> 
> driftfile /var/lib/ntp/ntp.drift

I was mainly checking to see if you had a drift file specified.

> statsdir /var/log/ntpstats/
> 
> statistics loopstats peerstats clockstats
> filegen loopstats file loopstats type day enable
> filegen peerstats file peerstats type day enable
> filegen clockstats file clockstats type day enable

You won't generate any clockstats unless you're using a clock driver.

> # pool.ntp.org maps to more than 300 low-stratum NTP servers.
> server nist1.aol-va.symmetricom.com
> server ntp-2.vt.edu
> server ntp-4.vt.edu
> server ntp-1.cede.psu.edu
> #server prometheus.acm.jhu.edu
> server time-b.nist.gov
> 
> 
> # By default, exchange time with everybody, but don't allow configuration.
> # See /usr/share/doc/ntp-doc/html/accopt.html for details.
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery

Using 'noquery' prevents people from using ntpq and ntpdc (and ntptrace too 
I believe) on your server.  So if I wanted to 'ntpq -p 70.184.242.241' to 
see what your time sources were or 'ntpq -crv 70.184.242.241' to see your 
system variables, I would get request timed out.  If you don't want to allow 
that, that's fine of course, but it's a friendly gesture to allow it.  There 
aren't really any exploits to worry about as far as I know.

> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
> 
> # Clients from this (example!) subnet have unlimited access,
> # but only if cryptographically authenticated
> #restrict 192.168.123.0  mask  255.255.255.0 notrust
> 
> # If you want to provide time to your local subnet, change the next line.
> # (Again, the address is an example only.)
> broadcast 172.16.4.255

Disable broadcast unless you are using it.

> # If you want to listen to time broadcasts on your local subnet,
> # de-comment the next lines. Please do this only if you trust everybody
> # on the network!
> #disable auth
> #broadcastclient

-- 
Dennis Hilberg, Jr.     \  timekeeper(at)dennishilberg(dot)com
NTP Server Information:  \  http://saturn.dennishilberg.com/ntp.php
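
As an added example (not code from this thread or from the ntp project), here is a small Python check for the points raised in the reply above: a missing driftfile, clockstats enabled without a reference clock, noquery on the default restriction, an active broadcast line, and broadcastclient with auth disabled. The finding names are this script's own; the reference-clock test assumes ntpd's 127.127.t.u pseudo-address convention, and the sample config is built from the quoted ntp.conf.

```python
# Added example: a minimal ntp.conf lint for the review points in this thread.
# Not ntpd's own parser; finding names and the 127.127.t.u refclock test are assumptions.
def lint_ntp_conf(text):
    """Return a sorted list of finding codes for the given ntp.conf body."""
    directives = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments, so '#server x' is ignored
        if line:
            directives.append(line.split())
    first = {d[0] for d in directives}
    findings = set()
    # Without a driftfile ntpd has to re-learn the frequency error after every restart.
    if 'driftfile' not in first:
        findings.add('no-driftfile')
    # clockstats is only produced by a reference-clock driver (server 127.127.t.u).
    wants_clockstats = any(
        (d[0] == 'statistics' and 'clockstats' in d[1:]) or
        (d[0] == 'filegen' and len(d) > 1 and d[1] == 'clockstats' and 'enable' in d)
        for d in directives)
    has_refclock = any(d[0] in ('server', 'peer') and len(d) > 1 and d[1].startswith('127.127.')
                       for d in directives)
    if wants_clockstats and not has_refclock:
        findings.add('clockstats-without-refclock')
    # noquery on the default restriction makes remote 'ntpq -p' / 'ntpq -crv' time out.
    if any(d[0] == 'restrict' and 'default' in d and 'noquery' in d for d in directives):
        findings.add('noquery-default')
    # An active broadcast line should only be present if broadcast is really in use.
    if 'broadcast' in first:
        findings.add('broadcast-enabled')
    # Listening to broadcasts with auth disabled trusts everybody on the segment.
    if 'broadcastclient' in first and any(d[:2] == ['disable', 'auth'] for d in directives):
        findings.add('broadcastclient-without-auth')
    return sorted(findings)

# Constructed sample: the quoted configuration from the thread, comments stripped.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen clockstats file clockstats type day enable
server nist1.aol-va.symmetricom.com
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
broadcast 172.16.4.255
#disable auth
#broadcastclient
"""

print(lint_ntp_conf(SAMPLE_CONF))
```

Run against the quoted config it reports the three points Dennis raised (clockstats, noquery, broadcast) and nothing for the driftfile, which is present.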