Chuck Swiger wrote:
> On Oct 17, 2006, at 3:13 PM, Zbigniew Szalbot wrote:
>> My ntp.conf file looks like that:
>>
>> server 2.pl.pool.ntp.org prefer
>> server 1.europe.pool.ntp.org
>> server 0.europe.pool.ntp.org
>> restrict default ignore
>> driftfile /var/db/ntp.drift
>
> Unless you've got additional restrict lines which permit some hosts to make changes, using only "restrict default ignore" will prevent ntpd from paying attention to the timeservers you've listed and it will even prevent ntpd from changing the local clock or being administered via ntpq from localhost.
>
> This misconfiguration will also cause your ntpd to generate excessive numbers of queries, rather than syncing up and reducing the NTP polling interval from minpoll to maxpoll. [1]
>
> Remove that line and restart ntpd.
That means that anyone can connect to your NTP daemon and poll it for time service or use ntpdc to muck around with your configuration. It's better to use at minimum:

    restrict default nopeer nomodify
    restrict localhost

(the 'restrict localhost' line actually removes all limitations on access from localhost. Ain't ntp.conf syntax wonderful.)

Ideally, you'd be able to use 'restrict default ignore' then apply

    restrict 2.pl.pool.ntp.org nopeer nomodify
    server 2.pl.pool.ntp.org prefer

for each server you configure. That works well if you specify individual servers by name. Unfortunately the way the NTP pool mechanism works makes that approach unworkable.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
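As an added check, not from any message in this thread: a small Python audit of an ntp.conf that flags the problems both replies describe (a lone 'restrict default ignore' silencing the listed servers and localhost, a missing default entry, or a default entry without nomodify). It matches restrict targets to server lines by exact name, whereas real ntpd matches by address and mask and, as Matthew notes, pool hostnames resolve to changing addresses, so treat it as a lint rather than a model of ntpd.

```python
def parse_ntp_conf(text):
    """Return (servers, restricts): server names and (target, flag-set) pairs."""
    servers, restricts = [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        words = [w for w in words if w not in ("-4", "-6")]  # address-family options
        if len(words) > 1 and words[0] == "server":
            servers.append(words[1])
        elif len(words) > 1 and words[0] == "restrict":
            restricts.append((words[1], set(words[2:])))
    return servers, restricts


def audit_ntp_conf(text):
    """List access-control problems: 'ignore' with nothing more specific, or no nomodify."""
    servers, restricts = parse_ntp_conf(text)
    defaults = [flags for target, flags in restricts if target == "default"]
    specific = {target: flags for target, flags in restricts if target != "default"}
    if not defaults:  # no default entry: any host may query and reconfigure via ntpdc
        return ["no 'restrict default' line: any host may query or modify the daemon"]
    findings = []
    for flags in defaults:
        if "ignore" in flags:
            # 'ignore' drops every packet not matched by a more specific entry,
            # including the replies from the configured time servers.
            for name in servers:
                if name not in specific or "ignore" in specific[name]:
                    findings.append(f"replies from {name} dropped by 'restrict default ignore'")
            if not set(specific) & {"localhost", "127.0.0.1", "::1"}:
                findings.append("localhost ignored: ntpq/ntpdc cannot administer the daemon")
        elif "nomodify" not in flags:
            findings.append("'restrict default' lacks nomodify: remote hosts may reconfigure")
    return findings


# Constructed sample: the configuration quoted at the top of the thread.
ORIGINAL_CONF = """\
server 2.pl.pool.ntp.org prefer
server 1.europe.pool.ntp.org
server 0.europe.pool.ntp.org
restrict default ignore
driftfile /var/db/ntp.drift
"""

# Constructed sample: the minimum Matthew suggests.
MINIMUM_CONF = """\
restrict default nopeer nomodify
restrict localhost
server 2.pl.pool.ntp.org prefer
"""
```

Running audit_ntp_conf(ORIGINAL_CONF) yields one finding per listed server plus the localhost one, while MINIMUM_CONF and the per-server 'restrict ... nopeer nomodify' layout Matthew sketches come back clean.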