On 2011-01-15, RICCARDO <ric.castell...@alice.it> wrote:

> On 14 Gen, 22:24, Steve Kostecke <koste...@ntp.org> wrote:
>
>> ntpd has to bind to an interface on your LAN so that it can poll your
>> LAN time server.  Recent versions of NTP provide a way for you to
>> control which interfaces ntpd will use.
>>
>> If you don't want your ntpd serving time to others
>> (e.g. on your LAN) then you will need to configure the
>> access restrictions to meet your requirements (see
>> http://support.ntp.org/Support/AccessRestrictions or search for
>> 'restrict' at http://doc.ntp.org/your.ntp.version).

[snip]

> So I'm going to configure ' ntp daemon' but, I'd like knowing what
> advantages I can take from this service vs 'ntpd -qg' command in
> crond.

Running 'ntpd -gq' from cron is largely the same as running ntpdate or
sntp from cron. Each invocation causes the clock to be "pushed" (i.e.
slewed) toward, or reset (i.e. stepped) to, the current best estimate of
the correct time. Between each cron job the clock will continue to
drift.

When you run ntpd as a daemon it continuously adjusts the clock toward
the correct time.

> I thought:
>
> 1- by 'ntpd -qg' port is opened for necessary time to synchronization,
> then port will be closed.
>
> There are few risks to attack this service, while using service 'ntp'
> the port 123 is always opened on client.

Although no piece of software is perfect, ntpd is certainly
no sendmail. The security notices concerning NTP, shown at
http://support.ntp.org/security, bear this out.

Nevertheless, your desire to control incoming connections to ntpd is
certainly understandable. There are a number of ways by which this may be
accomplished: ntpd access restrictions, ntpd interface/nic configuration
options, a host firewall, or an external firewall.

ntpd interface/nic configuration options may be used to control which
interfaces ntpd will use. These options are available in the current NTP
stable release series (as well as ntp-dev).

ntpd access restrictions may be used to control which addresses/networks
NTP packets will be accepted from or sent to. In your case the addition
of 3 lines to your ntp.conf will only allow your ntpd to poll your LAN
time server, all other NTP packets will be ignored.

restrict default ignore
restrict 127.0.0.1
restrict <your LAN time server> nomodify nopeer notrap noquery

Please take a look at http://support.ntp.org/Support/AccessRestrictions
for more information about ntpd access restrictions.

> 2- Furthermore, running the service all the time, you spend more resources,
> while scheduling a task 1-2 times a day (ntpd -qg) you could save them.

This is a moot issue because ntpd's resource consumption is negligible
on modern systems. Plus allowing ntpd to run as a daemon avoids the
overhead involved in starting a new process.

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND           
13012 ntp       RT   0 24164 2116 1624 S    0  0.1   0:09.78 ntpd               

Using top(1) to sort all running processes by size puts ntpd somewhere
between 46th and 50th.

When I sort the top(1) list by cpu I can't even find ntpd at all.

-- 
Steve Kostecke <koste...@ntp.org>
NTP Public Services Project - http://support.ntp.org/
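The three restrict lines in the reply are the heart of the advice, so here is an added Python example (not code from the post or from the NTP project) that parses the `restrict` lines of an ntp.conf and reports what ntpd would do with a packet from a given source address. The configuration text is constructed for the example, with 192.0.2.10 (a documentation address) standing in for "<your LAN time server>". It applies ntpd's rule that the single most specific matching entry wins and that its flags are not merged with those of the `default` entry; the example goes slightly beyond the post by also handling the `mask` keyword and the `-4`/`-6` family selectors.

```python
import ipaddress

# Constructed ntp.conf fragment following the three restrict lines from the
# post; 192.0.2.10 (RFC 5737 documentation range) is a placeholder for
# "<your LAN time server>".
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 192.0.2.10 iburst

# Drop every NTP packet by default, then open only what is needed.
restrict default ignore
restrict 127.0.0.1
restrict 192.0.2.10 nomodify nopeer notrap noquery
"""


def parse_restrict_lines(conf_text):
    """Return [(ip_network, frozenset(flags))] for each 'restrict' line.

    Understands 'default', a bare host address, the 'mask' keyword and the
    -4/-6 family selectors. Everything after the address part is kept as a
    flag (ignore, noquery, nomodify, ...).
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens[0] in ("-4", "-6"):
            family, tokens = tokens[0], tokens[1:]
        if not tokens:
            continue
        target, rest = tokens[0], tokens[1:]
        if target == "default":
            # 'restrict default' with no family flag covers both v4 and v6
            nets = []
            if family != "-6":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if family != "-4":
                nets.append(ipaddress.ip_network("::/0"))
        elif len(rest) >= 2 and rest[0] == "mask":
            nets = [ipaddress.ip_network(f"{target}/{rest[1]}", strict=False)]
            rest = rest[2:]
        else:
            nets = [ipaddress.ip_network(target)]     # single host: /32 or /128
        for net in nets:
            entries.append((net, frozenset(rest)))
    return entries


def effective_flags(entries, source_ip):
    """Flags ntpd applies to packets from source_ip.

    The single most specific (longest-prefix) matching entry is used; the
    flags of the 'default' entry are not merged into it.
    """
    addr = ipaddress.ip_address(source_ip)
    best_net, best_flags = None, frozenset()
    for net, flags in entries:
        if addr.version != net.version or addr not in net:
            continue
        if best_net is None or net.prefixlen > best_net.prefixlen:
            best_net, best_flags = net, flags
    return best_flags


def packet_disposition(entries, source_ip):
    """Summarise what a packet from source_ip may do under the config."""
    flags = effective_flags(entries, source_ip)
    if "ignore" in flags:
        return "ignored"
    allowed = []
    if "noserve" not in flags:
        allowed.append("time")       # time packets are answered/accepted
    if "noquery" not in flags:
        allowed.append("query")      # ntpq/ntpdc information queries
        if "nomodify" not in flags:
            allowed.append("modify") # runtime configuration changes
    return ",".join(allowed)


if __name__ == "__main__":
    entries = parse_restrict_lines(SAMPLE_NTP_CONF)
    for src in ("192.0.2.10", "127.0.0.1", "198.51.100.7", "2001:db8::1"):
        print(f"{src:>14}: {packet_disposition(entries, src)}")
```

Run against the constructed config, the LAN time server is limited to time exchange only, localhost keeps full ntpq access, and any other IPv4 or IPv6 source is dropped by the `default ignore` entry. Pointing `parse_restrict_lines` at the contents of a real ntp.conf is a quick way to check that a later, broader `restrict` line has not quietly reopened query or modify access.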

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
