LinuxQuestions.org
Old 12-03-2009, 04:38 PM   #1
lukesc
Member
 
Registered: Oct 2007
Posts: 31

Rep: Reputation: 16
Keeping clock in sync with ntpd as client only?


I'm running a web server with no control panel on CentOS 5.4 (most things are custom built, although anything trivial is installed via yum). I have the need to keep the system clock correct, so I tried ntpd, which I installed via yum.

It seems to do the job - the only issue being that our server is locked down quite a bit, we have several blocks of IPs connected to it, and ntpd seems to connect to every IP and interface it can get its hands on.

I simply want ntpd to run as a client updating the system clock, and do not want other servers connecting to ours (creating new connections). If it had to connect to something... that would be fine as long as it's to one interface/ip and it would be restricted to only allow inbound connections that are established by new outbound connections (I would set the rules via iptables).

The issue is, as I've said, I can't seem to get it to stop connecting to every IP and interface we have. I tried adding the "-L" option to the /etc/sysconfig/ntpd file (which /etc/rc.d/init.d/ntpd seems to use for flags)... but it still does it. And from what I've read, the only thing "-L" does is make ntpd drop packets on the extra IPs, and it doesn't prevent it from actually opening the connections.

If I could have it set up the way I'd prefer, I'd like it to not keep open connections at all and connect to the time server for clock sync on demand.

The only alternative I can think of is doing a cron to update the date manually... but then I lose the drift functionality of ntpd.

Any help would be appreciated.

Thanks,

Luke
 
Old 12-03-2009, 05:45 PM   #2
carltm
Member
 
Registered: Jan 2007
Location: Canton, MI
Distribution: CentOS, SuSE, Red Hat, Debian, etc.
Posts: 703

Rep: Reputation: 99
I don't know of a way to make it bind to a single IP address. However, ntpd is a very light-weight protocol, so it won't bog down your server. If you really want to prevent connections, you could use iptables to block access. Yes, you'd still have listeners, but you could prevent them from ever getting connections.
 
Old 12-03-2009, 05:46 PM   #3
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Try using '-I ethX' in /etc/sysconfig/ntpd

(that's a capital 'eye')

cheers
 
Old 12-03-2009, 06:15 PM   #4
Weird0ne
LQ Newbie
 
Registered: Nov 2009
Distribution: Slackware / Arch
Posts: 10

Rep: Reputation: 2
You can just run:

ntpdate -t 10 pool.ntp.org

at boot or cron job.

This will update the system's clock without having to run a daemon.
 
Old 12-03-2009, 07:44 PM   #5
lukesc
Member
 
Registered: Oct 2007
Posts: 31

Original Poster
Rep: Reputation: 16
Thank you for the replies so far .

Quote:
Originally Posted by carltm
I don't know of a way to make it bind to a single IP address. However, ntpd is a very light-weight protocol, so it won't bog down your server. If you really want to prevent connections, you could use iptables to block access. Yes, you'd still have listeners, but you could prevent them from ever getting connections.
The issue is that ntpd establishes a connection on every IP address and interface on the system. I've read of situations where someone with a lot of IP address blocks couldn't even start ntpd (I think the number was around 1000 - that is a bit extreme). But the general issue is it shouldn't be opening a connection to each one, and the more it connects to the more memory it consumes.

If I could specify a specific interface or block one out altogether I could just specify the private NIC which has one address. Or just specify lo to have it ignore all my ethX interfaces.

Quote:
Originally Posted by kbp
Try using '-I ethX' in /etc/sysconfig/ntpd

(that's a capital 'eye')

cheers
I got this when I tried starting it up:

Code:
Starting ntpd: ntpd: unknown option -I
According to yum I've installed version 4.2.2p1. It would seem that my repository doesn't have a version with this option. I downloaded the latest stable source and looked at changelogs between my version and the latest and I can't seem to figure out when it was introduced. Every referenced man page online doesn't seem to show this option.

Quote:
Originally Posted by Weird0ne
You can just run:

ntpdate -t 10 pool.ntp.org

at boot or cron job.

This will update the system's clock without having to run a daemon.
True, but wouldn't I be forgoing the drift functionality? From what I understand the ntp daemon syncs with these servers over a short period of time and establishes how much the server drifts. Then once it figures this out it uses this information to update the system clock without making a connection (at least I assume it would do so less frequently). This would allow the daemon to make periodic fine-tuned adjustments.

And if I were to use ntpdate on cron, what would be the difference between that and using rdate? (Although I think the advantage would be that I could specify more than one server for fallback with ntpdate.)

Last edited by lukesc; 12-03-2009 at 07:46 PM.
 
Old 12-03-2009, 07:56 PM   #6
michaelk
Moderator
 
Registered: Aug 2002
Posts: 25,730

Rep: Reputation: 5920
Add the following to your ntp.conf. The first line denies everyone and the second only allows a particular outside ntp server(s) to sync to. I have not played with ntp all that much so some other configuration changes might be required.

restrict default ignore

restrict ntp.servername nomodify notrap noquery
 
Old 12-04-2009, 12:41 AM   #7
kbp
Senior Member
 
Registered: Aug 2009
Posts: 3,790

Rep: Reputation: 653
Sorry, I didn't realise it hadn't always been there, my Fed 11 lappy is running 4.2.4p7
 
Old 12-04-2009, 11:10 AM   #8
lukesc
Member
 
Registered: Oct 2007
Posts: 31

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by michaelk
Add the following to your ntp.conf. The first line denies everyone and the second only allows a particular outside ntp server(s) to sync to. I have not played with ntp all that much so some other configuration changes might be required.

restrict default ignore

restrict ntp.servername nomodify notrap noquery
That doesn't stop ntpd from opening up listening connections on each interface and IP address on the system. All it really does is tell ntpd to drop all new incoming packets. My biggest concern is it connecting to eth1, which has all my virtual IPs. If I could restrict it to eth0 it would greatly reduce what it's connecting to (or better yet just lo).

Quote:
Originally Posted by kbp
Sorry, I didn't realise it hadn't always been there, my Fed 11 lappy is running 4.2.4p7
It's ok. I'll just have to find a newer RPM for my system and try again. If that doesn't work, I'll just resort to rdate and a cron.

Thanks for the help so far
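A client-only configuration that pulls the answers above together (added example, not code posted by anyone in this thread): the "restrict default ignore" policy from post #6 with per-server exceptions, the stateful iptables rules from post #2, and the ntp.conf "interface" directives that newer ntpd (4.2.6 and later, so not the 4.2.2p1 here) offers in place of the -I option from post #3. The interface directives, the firewall rules and the server names are assumptions to check against your own ntpd man page and firewall policy.

```shell
#!/bin/sh
# Added example, not code from the thread.  Builds a client-only ntp.conf:
# the "restrict default ignore" policy from post #6 with per-server exceptions,
# plus "interface" directives (ntpd 4.2.6 or newer only; 4.2.2p1 lacks them)
# that do what the -I option from post #3 does.  Server names are placeholders.
set -eu

# write_client_ntp_conf OUTFILE LISTEN_IF SERVER...
#   LISTEN_IF: the one interface ntpd may bind (e.g. eth0), or "" to omit the
#   interface directives on an ntpd that does not understand them.
write_client_ntp_conf() {
    out=$1 listen_if=$2
    shift 2
    {
        echo "driftfile /var/lib/ntp/drift"
        # Policy: drop every packet not matched by a later restrict line.
        echo "restrict default ignore"
        echo "restrict -6 default ignore"
        # Keep local control queries (ntpq -p) working over loopback.
        echo "restrict 127.0.0.1"
        for s in "$@"; do
            echo "server $s iburst"
            # Accept time replies from this server; refuse control/config access.
            echo "restrict $s nomodify notrap noquery"
        done
        if [ -n "$listen_if" ]; then
            # ntpd >= 4.2.6: bind only loopback and one interface, not every IP.
            echo "interface ignore wildcard"
            echo "interface ignore all"
            echo "interface listen 127.0.0.1"
            echo "interface listen $listen_if"
        fi
    } > "$out"
}

# ntp_client_firewall: the iptables idea from post #2, made stateful so UDP/123
# is accepted only as a reply to our own query.  Needs root; not invoked here.
ntp_client_firewall() {
    iptables -A OUTPUT -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT  -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT
    iptables -A INPUT  -p udp --dport 123 -j DROP
}

# Demo: write the configuration to a temp file and show it (never touches /etc).
demo=$(mktemp)
write_client_ntp_conf "$demo" eth0 0.centos.pool.ntp.org 1.centos.pool.ntp.org
cat "$demo"
rm -f "$demo"
```

Install the output as /etc/ntp.conf only after checking it against your ntpd version, and prefer servers with a stable address: a pool name can resolve differently for the server and restrict lines, and with "restrict default ignore" a reply from an unlisted address is silently dropped.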
 