I just joined my server to the pool yesterday after seeing the /. article. I've run ntpd for some years on my own lan, but opening it up to the world, I think I need some tweaking...
First my machine: a P2-450 running Mandriva 2006, ntpd 4.2.0. The machine's only normal function is my internet firewall, and local server for ntpd, named, dhcpd, cups, and a handful of others. I have a 1.5/1.0 DSL connection with a static IP. I opened my firewall to UDP 123 only. I think the ntpd program is stable after increasing the ulimit to 8192. But I'm a little surprised as to how it's running. My ntp.conf is (comment lines removed):

===========================
server 127.127.1.0              # local clock
fudge 127.127.1.0 stratum 10
server ntp.visi.com             # local isp, stratum 3
server ntp3.cs.wisc.edu         # stratum 2
server ntp.sycharlutheran.org   # stratum 2
server ntp1.sjbcom.com          # stratum 2
server clock.nyc.he.net         # stratum 1
driftfile /etc/ntp/drift
multicastclient                 # listen on default 224.0.1.1
broadcastdelay 0.008
restrict 127.0.0.1
restrict default kod nomodify notrap nopeer
=============================

It's largely unchanged from when I just ran my own, except I added a few more server lines, and added the 2 restrict lines.

The first surprise is the ntpq -p display. Suddenly there are boatloads more peers than I expected (about 45). I expected to see it only trying to sync to my original 5 I specified. And many of the "new" peers are way off in time and polling at a 16 rate, whereas my predefined ones are at a nice 1024 rate. Should I be adding more config restrictions to stop this (I think I should)? And looking at ntpdc -c monlist, I'm seeing over 600 after being in the pool for less than 24 hours. My network load runs about 10-20 KB/s transmit, and about 3 receive. And the ntpd daemon is taking 5-10% CPU load.

In short, I'd like to be a little less generous. Can I:
1. stop the additional peers it's finding?
2. reduce the CPU and net loads a little?
3. cap the poll intervals to more reasonable rates?
4. Is my ntp.conf file making ntpd as secure as it should be?
Finally, looking at the firewall logs, I'm seeing a lot of rejected UDP/TCP port 37, and a handful of TCP 123, all of which are being blocked. Should I be doing something with these?

Thanks,
Brian

_______________________________________________
timekeepers mailing list
[email protected]
https://fortytwo.ch/mailman/cgi-bin/listinfo/timekeepers
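The questions above (unexpected peers, monlist size, whether the restrict lines are tight enough) come down to a handful of ntp.conf access-control directives. The script below is an added example, not something from Brian's post or from the timekeepers list: it parses an ntpd 4.x-style ntp.conf and reports the settings a public pool server usually wants checked. It assumes the `restrict default` / `restrict -4|-6 default` flag syntax (`kod`, `nomodify`, `notrap`, `nopeer`, `noquery`) and the `disable monitor` directive as documented for ntpd; the original config from the post and a hardened variant are embedded as constructed sample input. Whether the extra peers on this particular server come from the `multicastclient` line or from unsolicited symmetric-mode packets is not something the post settles, so the script only flags both as possibilities.

```python
"""Audit an ntp.conf for the access-control settings a public NTP server
usually wants. Added example; not code from the original mailing-list post."""

# Flags a conservative 'restrict default' line carries on a public server.
RECOMMENDED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}

# Constructed copy of the ntp.conf shown in the post (comments dropped).
ORIGINAL_CONF = """
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server ntp.visi.com
server ntp3.cs.wisc.edu
server ntp.sycharlutheran.org
server ntp1.sjbcom.com
server clock.nyc.he.net
driftfile /etc/ntp/drift
multicastclient
broadcastdelay 0.008
restrict 127.0.0.1
restrict default kod nomodify notrap nopeer
"""

# Constructed hardened variant: noquery added, multicast listener dropped,
# MRU monitoring off, explicit IPv6 default and loopback entries.
HARDENED_CONF = """
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server ntp.visi.com
server ntp3.cs.wisc.edu
server ntp.sycharlutheran.org
server ntp1.sjbcom.com
server clock.nyc.he.net
driftfile /etc/ntp/drift
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def parse_ntp_conf(text):
    """Return [(keyword, [args])] with comments and blank lines removed."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split()
            entries.append((parts[0], parts[1:]))
    return entries


def default_restrict_flags(entries):
    """Map address family ('any', 'ipv4', 'ipv6') -> flags on its
    'restrict default' line. A plain 'restrict default' covers both families."""
    out = {}
    for kw, args in entries:
        if kw != "restrict" or not args:
            continue
        family, rest = "any", list(args)
        if rest[0] in ("-4", "-6"):
            family = "ipv4" if rest[0] == "-4" else "ipv6"
            rest = rest[1:]
        if rest and rest[0] == "default":
            out[family] = set(rest[1:])
    return out


def audit(text):
    """Return a list of human-readable findings; empty list means clean."""
    entries = parse_ntp_conf(text)
    findings = []

    defaults = default_restrict_flags(entries)
    if not defaults:
        findings.append("no 'restrict default' line: every address gets full access")
    for family, flags in defaults.items():
        missing = sorted(RECOMMENDED_DEFAULT_FLAGS - flags)
        if missing:
            findings.append("restrict default (%s) lacks: %s" % (family, ", ".join(missing)))
    if defaults and not ({"any", "ipv6"} & set(defaults)):
        findings.append("no restrict default for IPv6 (add 'restrict -6 default ...')")

    # These directives mobilise ephemeral associations with sources you never listed.
    for kw, _ in entries:
        if kw in ("multicastclient", "broadcastclient", "manycastclient"):
            findings.append("'%s' accepts unsolicited time sources from the network" % kw)

    # Without 'disable monitor' the MRU list behind 'ntpdc -c monlist' is kept;
    # without noquery on every default line it is also answerable remotely.
    monitor_disabled = any(kw == "disable" and "monitor" in args for kw, args in entries)
    noquery_everywhere = bool(defaults) and all("noquery" in f for f in defaults.values())
    if not monitor_disabled and not noquery_everywhere:
        findings.append("monitor enabled and queries allowed: 'ntpdc -c monlist' "
                        "is answerable from any address")

    # Loopback needs its own unrestricted line so local ntpq/ntpdc keep working.
    if not any(kw == "restrict" and args[:1] == ["127.0.0.1"] for kw, args in entries):
        findings.append("no 'restrict 127.0.0.1' line: local queries fall under the default")

    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("hardened", HARDENED_CONF)):
        print("%s: %s" % (name, audit(conf) or ["no findings"]))
```

Run it against a real file with `audit(open("/etc/ntp.conf").read())`. The hardened variant keeps the listed `server` lines working, since `nopeer` and `noquery` only affect unsolicited associations and control-protocol queries, not replies to the requests ntpd itself sends; the poll-interval question is separate from access control and is governed by the `minpoll`/`maxpoll` options on the `server` lines, which this script does not touch.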
