NTP, configuring
m (Configuring NTP moved to NTP, configuring) |
|||
Line 127: | Line 127: | ||
http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/ | http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/ | ||
+ | |||
+ | [[Category: Common Tasks]] [[Category: FreeBSD for Servers]] |
Revision as of 06:53, 3 January 2009
After installing Ntp, you'll want to configure it properly. Remember to allow TCP and UDP ports 123 if you're firewalling the client/server.
Contents |
NTP Clients
If you're a client, you'll need to listen locally if you've got an NTP server locally to get the time. To start, edit /etc/ntp.conf and make sure it has something like this in it:
# Because the computer clocks drift, keep the drift info somewhere: driftfile /etc/ntp.drift # if we are a client that listens to NTP broadcasts on the LAN, uncomment this line: #broadcastclient # Let's setup a log file for NTP: logfile /var/log/ntp.log
NTP Servers
First, synchronize to a known good time server -- there are many listed at ntp.isc.org, and due to common sense and politeness, I won't list one particular server here, but the US Navy has some servers available -- be sure to read their policies for allowed use. Once you've got a server that you can use, run
ntpdate time.someserver.somewhere.com
and your system will update to that time. You may want to verify that the time is correct, if you've got a Java-capable browser handy, time.gov will give you the correct time for the timezone you're in.
Once you've got that done, find a server that you can update from regularly -- be sure you've read through the documentation and obtained permission to use the server (seriously, this is important, folks have no sense of humor about this, see links below for why) -- it's time to set up your /etc/ntpd.conf which will at a minimum need to have three lines:
server time.someserver.somewhere.com prefer driftfile /var/db/ntpd.drift restrict default notrust nomodify nopeer
The server line may be repeated (you'll want more than one and less than 5 -- although it's recommended you don't go over 3), and if you leave out the "prefer" keyword and have multiple server lines, then you'll round-robin through the list. If you have multiple server lines and leave the "prefer" keyword in, you'll only go to the other servers (without the "prefer") if your "preferred" server can't be reached.
The restrict keyword is basically an allow statement that restricts how your NTP service on your server may be used (and by who); modifier options after restrict help with this:
restrict Address [ mask Number | default ] [ Parameter ... ]
Allowed parameters are:
ignore Specifies to ignore all packets from hosts which match this entry. Does not respond to queries nor time server polls. limited Specifies that these hosts are subject to limitation of number of clients from the same net. Net in this context refers to the IP notion of net (class A, class B, class C, and so on). Only accepts the first client_limit hosts that have shown up at the server and that have been active during the last client_limit_period seconds. Rejects requests from other clients from the same net. Only takes into account time request packets. Private, control, and broadcast packets are not subject to client limitation and therefore do not contribute to client count. The monitoring capability of the xntpd daemon keeps a history of clients. When you use this option, monitoring remains active. The default value for client_limit is 3. The default value for client_limit_period is 3600 seconds. nomodify Specifies to ignore all NTP mode 6 and 7 packets which attempt to modify the state of the server (run time reconfiguration). Permits queries which return information. nopeer Specifies to provide stateless time service to polling hosts, but not to allocate peer memory resources to these hosts. noquery Specifies to ignore all NTP mode 6 and 7 packets (information queries and configuration requests) from the source. Does not affect time service. noserve Specifies to ignore NTP packets whose mode is not 6 or 7. This denies time service, but permits queries. notrap Specifies to decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the mode 6 control message protocol intended for use by remote event-logging programs. notrust Specifies to treat these hosts normally in other respects, but never use them as synchronization sources. ntpport Specifies to match the restriction entry only if the source port in the packet is the standard NTP UDP port (123).
Note that using no parameters means "open access" for your server.
Now that you've configured your ntp.conf file and want to use your server, start up the program manually:
# ntpd -p /var/run/ntpd.pid
NTP pool servers
Please consider using the NTP Pool servers. These are public time servers selected by round-robin. The DNS reference changes each hour. These time servers have volunteered to offer their services through the pool. As the server pool grows, the service regions will become increasingly more specific, and the results will be even more reliable. To use the pool, for example, users in the U.S. would add these lines to their /etc/ntp.conf
server 0.us.pool.ntp.org server 1.us.pool.ntp.org server 2.us.pool.ntp.org
Some say that you do not need, and should not use, more than three server lines in your /etc/ntp.conf. Others disagree.
Similarly, if you need to quickly set your system clock, to use the pool (if your ISP does not offer a time service) you would say (e.g. in the U.S.):
# /usr/sbin/ntpdate 0.us.pool.ntp.org
It is usually considered poor manners to regularly hit even a server pool more than a few times in a 24 hour period. If you're one of those many who are in the habit of synching every clock on your LAN against a single public server, every few seconds, your IP may end up on the clock-master's list of Folks We Don't Like, and your network's time of reckoning will eventually arrive - or worse, you will contribute to stopping these vital services.
Auto-starting ntpd
Edit your /etc/rc.conf and add this to the end;
# ntpd sets the time in small increments, ntpdate sets the time # no matter how large the discrepancy is. If you're running ntpd # you'll want to weigh the risks of getting a wildly different time # given to your system from whatever system _you_ are getting the # time from. If you're polling time data from absolutely known-good # servers, it might not be a bad idea to get the time from them on boot-up. # If you want to do that, uncomment this line; # ntpdate_enable="NO" # turn on the ntp daemon: ntpd_enable="YES" # The NTP program is located here: ntpd_program="/usr/local/bin/ntpd" # and we want to use it with these options; see man page for details ntpd_flags="-A -g -N -c /etc/ntp.conf -p /var/run/ntpd.pid -l /var/log/ntpd.log"
Note: ntpd_enable was xntpd_enable in older FreeBSD releases (before FreeBSD-5). If you're running FreeBSD-4, replace every instance of ntpd with xntpd (xntpd_enable="YES", for example).
NTP etiquette
The N stands for Network, but if you've got your own network, it behooves you -- and you're expected to -- either keep an ntp server for it or use one that you're allowed to; your ISP's or one you setup yourself. NTP stratum 1 servers are neither ubiquitous nor fair use for everyone. If you have a GPS or atomic-clock enabled server, then you can run your own stratum 1 server. More than likely you'll want to run a stratum 3 (or higher) server for your network, and you'll want to pull time from stratum 2 or 1 servers that are more accurate for you.
Horror stories on why you want to only use servers you're allowed to:
http://www.cs.wisc.edu/~plonka/netgear-sntp/
http://people.freebsd.org/~phk/dlink/
http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/