Chuck Swiger wrote:
> On Oct 17, 2006, at 3:13 PM, Zbigniew Szalbot wrote:
>> My ntp.conf file looks like that:
>>
>> server 2.pl.pool.ntp.org prefer
>> server 1.europe.pool.ntp.org
>> server 0.europe.pool.ntp.org
>> restrict default ignore
>> driftfile /var/db/ntp.drift
> 
> Unless you've got additional restrict lines which permit some hosts to
> make changes, using only "restrict default ignore" will prevent ntpd
> from paying attention to the timeservers you've listed and it will even
> prevent ntpd from changing the local clock or being administered via
> ntpq from localhost.
> 
> This misconfiguration will also cause your ntpd to generate excessive
> numbers of queries, rather than syncing up and reducing the NTP polling
> interval from minpoll to maxpoll. [1]
> 
> Remove that line and restart ntpd.

That means that anyone can connect to your NTP daemon and poll it for time
service or use ntpdc to muck around with your configuration.  It's better
to use at minimum:

    restrict default nopeer nomodify
    restrict localhost

(the 'restrict localhost' line actually removes all limitations on access
from localhost.  Ain't ntp.conf syntax wonderful.)

Ideally, you'd be able to use 'restrict default ignore' then apply

   restrict 2.pl.pool.ntp.org nopeer nomodify
   server 2.pl.pool.ntp.org prefer

for each server you configure.  That works well if you specify individual
servers by name.  Unfortunately the way the NTP pool mechanism works makes that
approach unworkable.

        Cheers,

        Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                       7 Priory Courtyard
                                                      Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey         Ramsgate
                                                      Kent, CT11 9PW
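
The three configurations discussed in this thread (the original 'restrict default ignore' alone, the 'nopeer nomodify' plus 'restrict localhost' minimum, and the per-server 'ideal' form) can be compared with a small evaluator of ntpd's access-control list. This is an added example, not code from either poster or from the ntp project; it is a simplified model of ntpd's rules (assumption: the most specific matching 'restrict' entry wins, and an entry with no flags removes all limitations, as the post says of 'restrict localhost'). Host names are resolved from a constructed table so it runs offline; the pool addresses are RFC 5737 documentation addresses, not real pool servers.

```python
"""Evaluate what a set of ntp.conf 'restrict' lines allows for a source address.

Simplified model of ntpd's ACL (assumption): entries are matched by network,
the longest prefix wins, and an entry with no flags means "no restrictions".
Only IPv4 is modelled. Flags handled: ignore, noquery, nomodify, nopeer.
"""
import ipaddress

# Constructed name table so the example runs offline (192.0.2.0/24 is the
# RFC 5737 documentation range, not the real pool.ntp.org addresses).
NAME_TABLE = {
    "localhost": "127.0.0.1",
    "2.pl.pool.ntp.org": "192.0.2.10",
    "1.europe.pool.ntp.org": "192.0.2.20",
    "0.europe.pool.ntp.org": "192.0.2.30",
}


def parse_acl(conf):
    """Return [(ip_network, frozenset(flags))] from the restrict lines of conf."""
    acl = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if not words or words[0] != "restrict":
            continue
        tokens = words[1:]
        if tokens and tokens[0] in ("-4", "-6"):  # address-family selector
            tokens = tokens[1:]
        if not tokens:
            continue
        target, tokens = tokens[0], tokens[1:]
        mask = None
        if tokens[:1] == ["mask"]:               # "restrict A.B.C.D mask M.M.M.M ..."
            mask, tokens = tokens[1], tokens[2:]
        if target == "default":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            addr = NAME_TABLE.get(target, target)
            spec = f"{addr}/{mask}" if mask else addr  # bare address -> /32
            net = ipaddress.ip_network(spec, strict=False)
        acl.append((net, frozenset(tokens)))      # remaining words are flags
    return acl


def effective_flags(acl, src):
    """Flags of the most specific entry matching src; none match -> no limits."""
    src = ipaddress.ip_address(src)
    matches = [(net.prefixlen, flags) for net, flags in acl if src in net]
    if not matches:
        return frozenset()
    return max(matches, key=lambda m: m[0])[1]


def verdict(flags):
    """What ntpd will do with packets from a host carrying these flags."""
    blocked = "ignore" in flags                    # ignore drops everything
    return {
        "sync_from": not blocked,                  # server replies are processed
        "query": not blocked and "noquery" not in flags,          # ntpq/ntpdc reads
        "modify": not blocked and not flags & {"noquery", "nomodify"},  # runtime config
        "peer": not blocked and "nopeer" not in flags,            # unsolicited peering
    }


def check(conf, host):
    """Evaluate conf for a host name (via NAME_TABLE) or literal address."""
    return verdict(effective_flags(parse_acl(conf), NAME_TABLE.get(host, host)))


# Constructed configs mirroring the thread.
ORIGINAL = """
server 2.pl.pool.ntp.org prefer
server 1.europe.pool.ntp.org
server 0.europe.pool.ntp.org
restrict default ignore
driftfile /var/db/ntp.drift
"""

MINIMUM = """
restrict default nopeer nomodify
restrict localhost
"""

IDEAL = """
restrict default ignore
restrict 2.pl.pool.ntp.org nopeer nomodify
server 2.pl.pool.ntp.org prefer
"""

if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL), ("minimum", MINIMUM), ("ideal", IDEAL)):
        for host in ("2.pl.pool.ntp.org", "0.europe.pool.ntp.org", "localhost"):
            print(f"{label:8} {host:24} {check(conf, host)}")
```

Running it shows the three outcomes the thread describes: under ORIGINAL every host, localhost included, is ignored, so the listed servers cannot be used and ntpq cannot talk to the daemon; with no restrict lines at all (Chuck's "remove that line") everyone gets modify access; under MINIMUM the servers can be synced from but cannot modify or peer, while localhost is unrestricted; under IDEAL only the one named server gets through, which is exactly why it does not fit the pool's rotating addresses.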
