This shows you the differences between two versions of the page.
requeriments [2015/09/11 03:11] cbustillo [Configure NTP] |
requeriments [2020/04/10 17:38] (current) |
||
---|---|---|---|
Line 364: | Line 364: | ||
# Default restriction: Only allow querying time (incl. ms-sntp) from this machine | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
restrict default kod nomodify notrap nopeer mssntp</code> | restrict default kod nomodify notrap nopeer mssntp</code> | ||
+ | |||
+ | A suitable configuration for ntp.conf maybe: | ||
+ | |||
+ | <code> | ||
+ | # Local clock (Note: This is not the localhost address!) | ||
+ | server 127.127.1.0 | ||
+ | fudge 127.127.1.0 stratum 10 | ||
+ | |||
+ | # The source, where we are receiving the time from | ||
+ | server 0.pool.ntp.org iburst prefer | ||
+ | |||
+ | driftfile /var/lib/ntp/ntp.drift | ||
+ | logfile /var/log/ntp | ||
+ | ntpsigndsocket /usr/local/samba/var/lib/ntp_signd/ | ||
+ | |||
+ | # Access control | ||
+ | # Default restriction: Only allow querying time (incl. ms-sntp) from this machine | ||
+ | restrict default kod nomodify notrap nopeer mssntp | ||
+ | |||
+ | # Allow everything from localhost | ||
+ | restrict 127.0.0.1 | ||
+ | |||
+ | # Allow that our time source can only provide time and do nothing else | ||
+ | restrict 0.pool.ntp.org mask 255.255.255.255 nomodify notrap nopeer noquery | ||
+ | </code> | ||
Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: | Finally check that the socket permissions are set correct. It must be readable by the account your ntpd uses and should not be accessable by other: |
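Review bot: The added `restrict default kod nomodify notrap nopeer mssntp` line is commented as "Only allow querying time", but it has no `noquery` flag, so ntpq/ntpdc status queries from any host are still answered. Add `noquery` to the default entry; the unrestricted `restrict 127.0.0.1` line already keeps local ntpq working, and time service itself is not affected by `noquery`. Also, in `restrict 0.pool.ntp.org mask 255.255.255.255 ...` the pool name is resolved separately from the `server 0.pool.ntp.org` line and the pool rotates addresses, so this entry may not match the source actually in use; with a tightened default it can be dropped, or a fixed upstream server can be named instead. Finally, the first lines of the new block repeat the snippet directly above it (the identical `restrict default` line closes the previous code block), so consider replacing the earlier fragments with this one complete ntp.conf rather than showing both, and change "maybe" to "may be" in the introducing sentence.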