ntp.conf help restricting queries

Posted on 2006-04-11
1,695 Views
Last Modified: 2010-07-27
I have a FreeBSD-6 server running ntp 4.2.0a and am having trouble configuring ntp.conf (restrict statements etc) correctly.

I want to prevent anyone from modifying my server time and I want to use 6 or 7 other servers as peers. Are my potential restrict lines for my internal networks (the commented lines below) correct?

I originally had my restrict default set to ignore but replaced it with "nomodify nopeer notrap" when client machines could not get the time from the server.


my current ntp.conf (have changed the dns names of my time source servers)
# more /etc/ntp.conf
restrict default nomodify nopeer notrap
restrict 127.0.0.1
#restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 172.20.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 10.0.0.0 mask 255.255.0.0 notrust nomodify notrap
#restrict 10.2.0.0 mask 255.255.0.0 notrust nomodify notrap
server clock.myntp.tld prefer nomodify notrap noquery
server ntp.something.tld nomodify notrap noquery
multicastclient
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
fudge   127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
keys            /etc/ntp/keys


on a related note, all machines except win2k3 server have worked fine, but win2k3 server logs say "no suitable server found" (or something very like that), even though other machines (windows XP Pro, unix, linux, mac os x etc) all get the time ok from the server. Any ideas what I'm doing wrong there?
Question by:David Piniella
11 Comments
 
LVL 9

Author Comment

by:David Piniella
ID: 16431498
increasing points
0
 
LVL 6

Expert Comment

by:bpeterse
ID: 16435623
This may not be the answer you're seeking, but it's definitely a workaround.  I've had *challenges* getting ntp configured on a slack box and learned this trick from a slack wizard.  All you have to do in your crontab is point it to a timeserver:

# Added to synch with local NTP server -
0 15 * * * /usr/sbin/ntpdate <ip_address_time_server>

You could synch it as often as you'd prefer this way as well.


0
 
LVL 9

Author Comment

by:David Piniella
ID: 16438450
my problem isn't synching my machine, it's getting my LAN machines to sync to my machine

ntpdate works dandy, and I can talk to other servers, but when I tell the win2k3 servers on my lan to get their time from my ntp....they can't.
0
 
LVL 62

Expert Comment

by:gheist
ID: 16443541
ntpd on FreeBSD is broken, especially restrict does not work well.
in most cases ntpdate is enough unless you wish to serve time to clients

http://ntp.isc.org/bin/view/Main/DocumentationIndex

read through the three-part doc; I can post a working ntp config if you need one.
0
 
LVL 9

Author Comment

by:David Piniella
ID: 16443567
I wouldn't mind a working config copy; I have read through the docs (there's one at us-webmaster.com that's great for ntp) and wound up installing from source since the port installs an unpatched version of ntp w/ a broken broadcastclient.

I am planning on serving time to clients and running my own ntp pool of servers. All my clients get time ok except win2k3 servers.
0
 
LVL 62

Expert Comment

by:gheist
ID: 16444006
2003 has to be configured differently than XP, 2000 or NT4; your problem is finding the right doc.
0
 
LVL 9

Author Comment

by:David Piniella
ID: 16446835
found a doc ages ago that said the problem was the packet type 2k3 was sending; suggested sending a diff packet type (in the 2k3 CLI net time command) and that didn't help either....something about 2k3 sending packets as a peer instead of as a client.
0
 
LVL 62

Expert Comment

by:gheist
ID: 16661042
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I will leave the following recommendation for this question in the Cleanup topic area:

Accept dpiniella http:#16446835

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

gheist
EE Cleanup Volunteer
0
 
LVL 62

Expert Comment

by:gheist
ID: 16661051
I am punishing myself for not posting:
---
server xxx

driftfile /var/db/ntp.drift

restrict default ignore

restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap

restrict xxx noquery nomodify notrap

restrict 127.0.0.1

0
 
LVL 9

Author Comment

by:David Piniella
ID: 16661423
This particular setup (conf file below) would not let me sync my win2k3 server (on the 10.64./16 network) to my ntp server (public IP, same VLAN, same switch). I'm not running a firewall on the ntp host itself, and there isn't one on the windows host either (there is a hardware firewall between them both and the world at large though). I still don't know what to make of this.

I eventually solved my problem by making my server an open NTP server in the conf and blocking access via the firewall, but this is inelegant and less than ideal. I'll try your config tomorrow (I have to reboot the server _anyway_ and I want to see if I've set it up correctly for the services coming up on reboot).

would changing the fudge line change what strata my server reports itself as being?

root@ntp:[/etc%]# more ntp.conf
# Prohibit general access to this service.
restrict default nomodify nopeer notrap
# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 10.64.0.0 mask 255.255.255.0 notrust nomodify notrap

# --- OUR TIMESERVERS -----
# or remove the default restrict line
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

# restrict mytrustedtimeserverip mask 255.255.255.255 nomodify notrap noquery
# server mytrustedtimeserverip
server ntp.myfloridacity.us
restrict ntp.myfloridaviry.us nomodify notrap noquery
server tick.navy.mil
restrict tick.navy.mil nomodify notrap noquery


# --- NTP MULTICASTCLIENT ---
multicastclient                        # listen on default 224.0.1.1
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap



# --- GENERAL CONFIGURATION ---
#
fudge   127.127.1.0 stratum 10
# server 1.north-america.pool.ntp.org
# server 2.north-america.pool.ntp.org
# driftfile stuff
driftfile /var/lib/ntp/drift
broadcastdelay  0.008
# authenticate yes
# keys
keys            /etc/ntp/keys
0
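The two configurations in this thread (gheist's with `restrict default ignore`, and the asker's with `restrict default nomodify nopeer notrap`) differ mainly in what an unlisted client is allowed to do, and ntpd decides that by applying the most specific restrict entry (longest mask) that covers the client's source address. The script below is an added example, not code from this thread or from the ntp project: it parses the restrict lines from constructed copies of both configs, picks the entry ntpd would apply for a given client address, and reports what that client may do. It assumes the ntpd 4.2 meaning of the flags used here (`ignore`, `noserve`, `noquery`, `nomodify`, `nopeer`, `notrap`, `notrust`), skips hostname entries such as `restrict tick.navy.mil` because ntpd resolves those at startup and this script works offline, and uses made-up client addresses. Two things it makes visible: with `restrict default ignore`, any client not in a listed network gets no time at all (what the asker saw before switching the default line), and in the asker's config `restrict 10.64.0.0 mask 255.255.255.0` only covers 10.64.0.0/24, so a host elsewhere in the 10.64/16 mentioned above falls through to the default entry, which still serves time, meaning the restrict lines are not what blocked that client. Note also that `nomodify`, `notrap` and `noquery` are flags of the `restrict` command, not of `server`, which is why the example reads them only from restrict lines.

```python
"""Evaluate ntpd 'restrict' lines the way ntpd applies them: the most specific
matching entry (longest mask) wins, and its flags decide what a client may do.
Added example; not part of the thread or the ntp project."""
import ipaddress

# Restrict flags that appear in this thread (ntpd 4.2 semantics).
KNOWN_FLAGS = {"ignore", "noserve", "noquery", "nomodify", "nopeer", "notrap", "notrust"}

# Constructed copy of the config gheist posted (server address left as xxx).
GHEIST_CONF = """\
server xxx
driftfile /var/db/ntp.drift
restrict default ignore
restrict 192.168.0.0 mask 255.255.0.0 notrust nomodify notrap
restrict xxx noquery nomodify notrap
restrict 127.0.0.1
"""

# Constructed copy of the restrict lines from the asker's final ntp.conf.
ASKER_CONF = """\
restrict default nomodify nopeer notrap
restrict 127.0.0.1
# restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 10.64.0.0 mask 255.255.255.0 notrust nomodify notrap
restrict tick.navy.mil nomodify notrap noquery
restrict 224.0.1.1 mask 255.255.255.255 notrust nomodify notrap
"""


def parse_restrict_lines(conf_text):
    """Return (rules, skipped). rules: list of (ip_network, frozenset(flags)).
    Hostname entries are skipped here; ntpd resolves them at startup."""
    rules, skipped = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        tokens = line.split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        target, rest = tokens[1], tokens[2:]
        mask = "255.255.255.255"                      # single host unless 'mask' given
        if rest[:1] == ["mask"] and len(rest) >= 2:
            mask, rest = rest[1], rest[2:]
        if target == "default":
            network = ipaddress.ip_network("0.0.0.0/0")
        else:
            try:
                network = ipaddress.ip_network(f"{target}/{mask}", strict=False)
            except ValueError:                        # hostname or placeholder, not an address
                skipped.append(line)
                continue
        rules.append((network, frozenset(t for t in rest if t in KNOWN_FLAGS)))
    return rules, skipped


def matching_rule(rules, client_ip):
    """Most specific entry covering client_ip; (None, empty) means unrestricted."""
    addr = ipaddress.ip_address(client_ip)
    hits = [(net, flags) for net, flags in rules if addr in net]
    if not hits:
        return None, frozenset()
    return max(hits, key=lambda r: r[0].prefixlen)


def permissions(flags):
    """What the matched flags let the client do. 'ignore' drops every packet."""
    if "ignore" in flags:
        return dict(time=False, query=False, modify=False, peer=False,
                    trap=False, trusted_source=False)
    return dict(
        time="noserve" not in flags,                                # may get time from us
        query="noquery" not in flags,                               # ntpq/ntpdc info queries
        modify="noquery" not in flags and "nomodify" not in flags,  # runtime config changes
        peer="nopeer" not in flags,                                 # symmetric-active associations
        trap="notrap" not in flags,                                 # control-message traps
        trusted_source="notrust" not in flags,                      # its time accepted unauthenticated
    )


def check(conf_text, client_ip):
    """Which restrict entry applies to client_ip and what it permits."""
    rules, _ = parse_restrict_lines(conf_text)
    net, flags = matching_rule(rules, client_ip)
    return {"rule": str(net) if net else "none", "flags": sorted(flags),
            **permissions(flags)}


if __name__ == "__main__":
    # Constructed client addresses: loopback, a 192.168 host, a host inside and
    # outside the asker's 10.64.0.0/24 entry, and an unrelated public address.
    for name, conf in (("gheist", GHEIST_CONF), ("asker", ASKER_CONF)):
        for ip in ("127.0.0.1", "192.168.4.7", "10.64.0.9", "10.64.3.20", "203.0.113.5"):
            print(name, ip, check(conf, ip))
```

Run it as-is to see the per-client decision for both configs. To check your own file, read `/etc/ntp.conf` into `check()` and pass the address of the client that is failing; if the reported rule is the default entry with `ignore` on it, no restrict line covers that client and ntpd is silently dropping its requests.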
 

Accepted Solution

by:
GranMod earned 0 total points
ID: 16680995
PAQed with points refunded (350)

GranMod
Community Support Moderator
0