On 2006-06-06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

> Steve Kostecke wrote:
>
>> On 2006-06-06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>>
>> Forcing ntpd to poll someone else's time server every 64 seconds is
>> considered abusive.
>
> He was talking about use on the local LAN, in which case, polling
> frequency is a non-issue.

Under most conditions ntpd should be allowed to manage its poll interval.

>>> driftfile /etc/ntp.drift
>>> enable auth
>
> I actually got burned by this. I had someone set up a fake stratum 1
> server with a "peer" statement in their configuration and fed me bad
> time. I specify it anyway just to be safe.

In current versions of NTP (i.e. 4.2 and later) auth is enabled by
default.

The way to control unwanted static peering is by using the 'nopeer'
restriction.

BTW: daemons have no business writing to /etc; the drift file really
belongs somewhere else.

> Fine, please post what you consider to be a minimal configuration.

To sync a single LAN time server:

----------------------8X----------------------
driftfile /var/lib/ntp/ntp.drift
restrict default notrap nopeer
restrict 127.0.0.1
server your.lan.timeserver iburst
----------------------8X----------------------

If you wish to use remote time servers:

----------------------8X----------------------
driftfile /var/lib/ntp/ntp.drift
restrict default notrap nopeer
restrict 127.0.0.1
server pool.ntp.org iburst
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
----------------------8X----------------------

Possible modifications

1. Add 'nomodify' to the default restriction line.

   nomodify -- "Do not allow this host/subnet to modify the ntpd settings
   even if they have the correct keys."

   By default ntpd requires authentication with symmetric keys for
   modifications made with ntpdc. So if you don't configure symmetric keys
   for your ntpd, or keep them properly safeguarded, you don't need to use
   'nomodify' unless you are concerned that the NTP authentication scheme
   might be compromised.

2. Add 'noquery' to the default restriction line.

   noquery -- "Do not allow this host/subnet to query your ntpd status."

   The ntpd status query features provided by ntpq/ntpdc will reveal some
   information about the system running ntpd (e.g. OS version, ntpd
   version) that you may not wish others to know.
   You need to decide if concealing this information is more important
   than the possible benefits of allowing your clients to see
   synchronization information about your ntpd.

3. Use different time servers.

   Your ISP might provide time servers. Or you might wish to use a pool
   zone for your geographic area (see http://ntp.isc.org/pool) and/or
   some servers chosen from the Stratum 2 public server list (see
   http://ntp.isc.org/s2)

--
Steve Kostecke <[EMAIL PROTECTED]>
NTP Public Services Project - http://ntp.isc.org/
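An added example, not part of Steve's post or of the NTP project's code: a small audit script that reads an ntp.conf and reports which of the restriction flags discussed in the thread ('nopeer', 'nomodify', 'noquery') are absent from the default restriction line, and whether the drift file still lives under /etc. The sample configuration is constructed for the demonstration, and the parse_conf() and audit() names are my own.

```python
# Constructed sample: the post's remote-server config, but with the
# drift file left under /etc and 'nopeer' left off the default line.
SAMPLE_CONF = """\
driftfile /etc/ntp.drift
restrict default notrap   # missing nopeer
restrict 127.0.0.1
server pool.ntp.org iburst
server 0.pool.ntp.org iburst
"""

# Flags discussed in the post for 'restrict default' and what each prevents.
WANTED_FLAGS = {
    "nopeer": "unwanted static peering (a rogue 'peer' feeding bad time)",
    "nomodify": "runtime reconfiguration via ntpdc, even with valid keys",
    "noquery": "ntpq/ntpdc status queries revealing OS and ntpd versions",
}

def parse_conf(text):
    """Split ntp.conf into token lists, dropping blank lines and '#' comments."""
    rows = []
    for raw in text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if stripped:
            rows.append(stripped.split())
    return rows

def audit(text):
    """Return {'missing': [...], 'warnings': [...]} for an ntp.conf body."""
    result = {"missing": [], "warnings": []}
    default_flags, has_default = set(), False
    for tokens in parse_conf(text):
        # 'restrict -4 default ...' and 'restrict -6 default ...' count too.
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if tokens[0] == "restrict" and args and args[0] == "default":
            has_default = True
            default_flags.update(args[1:])
        elif tokens[0] == "driftfile" and args and args[0].startswith("/etc/"):
            result["warnings"].append("driftfile under /etc: " + args[0])
    if not has_default:
        result["warnings"].append("no 'restrict default' line at all")
    for flag, reason in WANTED_FLAGS.items():
        if flag not in default_flags:
            result["missing"].append(flag + ": " + reason)
    return result

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_CONF).items():
        for item in items:
            print(kind + ": " + item)
```

Whether 'nomodify' and 'noquery' are actually wanted is the trade-off the post describes; the script only makes their absence visible.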
