Linux - Server (LinuxQuestions.org forum thread)
I'm running a web server with no control panel on CentOS 5.4 (most things are custom built, although anything trivial is installed via yum). I have the need to keep the system clock correct, so I tried ntpd, which I installed via yum.
It seems to do the job - the only issue being that our server is locked down quite a bit, we have several blocks of IPs connected to it, and ntpd seems to connect to every IP and interface it can get its hands on.
I simply want ntpd to run as a client updating the system clock, and do not want other servers connecting to ours (creating new connections). If it had to connect to something... that would be fine as long as it's to one interface/IP and it would be restricted to only allow inbound connections that are established by new outbound connections (I would set the rules via iptables).
The issue is, as I've said, I can't seem to get it to stop connecting to every IP and interface we have. I tried adding the "-L" option to the /etc/sysconfig/ntpd file (which /etc/rc.d/init.d/ntpd seems to use for flags)... but it still does it. And from what I've read, the only thing "-L" does is make ntpd drop packets on the extra IPs, and it doesn't prevent it from actually opening the connections.
If I could have it set up the way I'd prefer, I'd like it to not keep open connections at all and connect to the time server for clock sync on demand.
The only alternative I can think of is doing a cron to update the date manually... but then I lose the drift functionality of ntpd.
I don't know of a way to make it bind to a single IP address. However ntpd is a very light-weight protocol, so it won't bog down your server. If you really want to prevent connections, you could use iptables to block access. Yes, you'd still have listeners, but you could prevent them from ever getting connections.
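The iptables approach suggested above, worked through as an added example (this is not code from the thread). It assumes the NTP client traffic should leave from one address on one interface and that replies are only accepted when conntrack has seen the matching outbound poll; eth0, 192.0.2.10 (local) and 203.0.113.5 (upstream) are placeholders. NTP is UDP, so "connection" here means a conntrack entry: the reply is ESTABLISHED only because the poll went out first. The rules do not stop ntpd from binding its sockets on every address, but any packet that arrives on, or tries to leave from, any other address is dropped. Setting IPTABLES=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: confine an NTP *client* to one local address and one
# upstream server with iptables. IPTABLES=echo gives a dry run.
set -e
IPTABLES="${IPTABLES:-/sbin/iptables}"

# apply_ntp_rules <iface> <local_ip> <ntp_server>
apply_ntp_rules() {
    iface="$1"        # the only NIC NTP traffic may use
    local_ip="$2"     # the only source address ntpd may use
    ntp_server="$3"   # the server named in ntp.conf

    # Outbound poll: local port 123 (ntpd, ntpdate) or any port (ntpdate -u)
    # to the server's port 123. NEW creates the conntrack entry.
    "$IPTABLES" -A OUTPUT -o "$iface" -s "$local_ip" -d "$ntp_server" \
        -p udp --dport 123 -m state --state NEW,ESTABLISHED -j ACCEPT

    # Reply: accepted only when it matches a conntrack entry created by the
    # poll above, i.e. the server never gets to start an exchange with us.
    "$IPTABLES" -A INPUT -i "$iface" -d "$local_ip" -s "$ntp_server" \
        -p udp --sport 123 -m state --state ESTABLISHED -j ACCEPT

    # Whatever ntpd bound to on the other addresses, nothing gets through:
    # unsolicited queries from outside and polls leaving from any other IP.
    "$IPTABLES" -A INPUT -p udp --dport 123 -j DROP
    "$IPTABLES" -A OUTPUT -p udp --dport 123 -j DROP
}

# Usage:  sh ntp-rules.sh eth0 192.0.2.10 203.0.113.5            (apply)
#         IPTABLES=echo sh ntp-rules.sh eth0 192.0.2.10 203.0.113.5  (print)
if [ $# -eq 3 ]; then
    apply_ntp_rules "$1" "$2" "$3"
fi
```

The two trailing DROP rules are what enforce the single-address policy; if your INPUT and OUTPUT chains already default to DROP they are redundant but harmless, and they make the intent visible in `iptables -L -n`.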
The issue is that ntpd establishes a connection on every IP address and interface on the system. I've read of situations where someone with a lot of IP address blocks couldn't even start ntpd (I think the number was around 1000 - that is a bit extreme). But the general issue is it shouldn't be opening a connection to each one, and the more it connects to the more memory it consumes.
If I could specify a specific interface or block one out altogether I could just specify the private NIC which has one address. Or just specify lo to have it ignore all my ethX interfaces.
Quote:
Originally Posted by kbp
Try using '-I ethX' in /etc/sysconfig/ntpd
( thats a capital 'eye' )
cheers
I got this when I tried starting it up:
Code:
Starting ntpd: ntpd: unknown option -I
According to yum I've installed version 4.2.2p1. It would seem that my repository doesn't have a version with this option. I downloaded the latest stable source and looked at changelogs between my version and the latest and I can't seem to figure out when it was introduced. Every referenced man page online doesn't seem to show this option.
Quote:
Originally Posted by Weird0ne
You can just run:
ntpdate -t 10 pool.ntp.org
at boot or cron job.
This will update the system's clock without having to run a daemon.
True, but wouldn't I be forgoing the drift functionality? From what I understand the ntp daemon syncs with these servers over a short period of time and establishes how much the server drifts. Then once it figures this out it uses this information to update the system clock without making a connection (at least I assume it would do so less frequently). This would allow the daemon to make periodic fine-tuned adjustments.
And if I were to use ntpdate on cron, what would be the difference between that and using rdate? (Although I think the advantage would be that I could specify more than one server for fallback with ntpdate.)
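An added illustration of the "drift" being discussed (it is not from the thread and it is not ntpd's own code). What ntpd learns and writes to its driftfile is the clock's frequency error in parts per million: seconds of error accumulated per second of wall time. ntpd does keep polling its servers (the poll interval backs off to at most 1024 s by default once the clock is stable), but between polls it corrects that frequency error continuously, whereas a cron'd ntpdate or rdate only steps the clock when it runs. The script below fits the slope of a constructed series of hourly offset measurements and then shows how much error a step-only scheme lets build up between runs. The least-squares fit is a simplification for illustration; ntpd's clock discipline is a phase/frequency-locked loop, but the quantity it converges on is the same. On the rdate question: rdate speaks the RFC 868 time protocol (TCP or UDP port 37, one-second resolution, one server), while ntpdate uses NTP with sub-second resolution and accepts several servers.

```shell
#!/bin/sh
# Added illustration of the frequency-error ("drift") figure ntpd keeps.
set -e

# Constructed sample: "<seconds since first poll> <measured offset in s>",
# one poll per hour, a clock that gains 36 ms every hour.
SAMPLES='0 0.000
3600 0.036
7200 0.072
10800 0.108'

# Least-squares slope of offset over time, scaled to ppm. This is what a
# driftfile value represents; ntpd itself derives it with a PLL/FLL.
drift_ppm() {
    printf '%s\n' "$1" | awk '
        { n++; sx += $1; sy += $2; sxx += $1 * $1; sxy += $1 * $2 }
        END {
            slope = (n * sxy - sx * sy) / (n * sxx - sx * sx)
            printf "%.3f\n", slope * 1e6
        }'
}

# Offset (s) the clock accumulates over $2 seconds if only the phase is
# stepped and the frequency error is never corrected, as with ntpdate or
# rdate run from cron.
predicted_offset_s() {
    awk -v ppm="$1" -v secs="$2" 'BEGIN { printf "%.3f\n", ppm * 1e-6 * secs }'
}

ppm=$(drift_ppm "$SAMPLES")
echo "frequency error: $ppm ppm"
echo "error after 1 h without frequency correction:  $(predicted_offset_s "$ppm" 3600) s"
echo "error after 24 h without frequency correction: $(predicted_offset_s "$ppm" 86400) s"
```

With the sample above the clock runs 10 ppm fast, so an hourly ntpdate from cron would step it back by roughly 36 ms each run, and a daily one by nearly a second, while ntpd with a driftfile keeps the residual error at the level of the network jitter.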
Add the following to your ntp.conf. The first line denies everyone and the second only allows a particular outside ntp server(s) to sync to. I have not played with ntp all that much so some other configuration changes might be required.
restrict default ignore
restrict ntp.servername nomodify notrap noquery
That doesn't stop ntpd from opening up listening connections to each interface and IP address on the system. All it really does is tell ntpd to drop all new incoming packets. My biggest concern is it connecting to eth1, which has all my virtual IPs. If I could restrict it to eth0 it would greatly reduce what it's connecting to (or better yet just lo).
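A client-only ntp.conf that combines the `restrict` lines posted above with the bind control the OP is after, as an added example that is not from the thread. `restrict` is access control (which packets ntpd will process); the `interface` directive is bind control (which sockets ntpd opens at all), and that is the one that keeps eth1 and its virtual IPs out of the picture. To my knowledge `interface` arrived in ntpd 4.2.6, and the `-I ethX` flag mentioned earlier in 4.2.4, so neither is available on the 4.2.2p1 package discussed here; with a newer ntpd this is the whole fix. ntp.example.org and eth0 are placeholders. Note that `restrict default ignore` also drops the upstream server's replies unless that server gets its own `restrict` line.

```shell
#!/bin/sh
# Added example: generate a client-only ntp.conf bound to one interface.
# Needs ntpd 4.2.6 or newer for the "interface" directives.
set -e

# write_ntp_client_conf <path> <iface> <server>
write_ntp_client_conf() {
    conf="$1"; iface="$2"; server="$3"
    cat > "$conf" <<EOF
# Frequency error (ppm) learned by ntpd, reused across restarts
driftfile /var/lib/ntp/drift

# Default: refuse every packet not explicitly allowed below
restrict default ignore
# Allow ntpq/ntpdc from the box itself
restrict 127.0.0.1

# The one upstream server. Its replies must be let through the restrict
# list, or "restrict default ignore" silently discards them.
server $server iburst
restrict $server nomodify notrap noquery

# Bind control: open sockets on lo and $iface only. "interface" rules are
# evaluated in order and the last match wins, so ignore everything first
# (that includes the 0.0.0.0 wildcard socket), then list what to keep.
interface ignore all
interface listen lo
interface listen $iface
EOF
}

# Sanity check before installing: the directives a client-only conf
# bound to a single NIC must carry.
check_ntp_client_conf() {
    conf="$1"
    grep -q '^restrict default ignore' "$conf" &&
    grep -q '^interface ignore all' "$conf" &&
    grep -q '^interface listen ' "$conf" &&
    grep -q '^server ' "$conf"
}

# Usage: sh ntp-conf.sh /etc/ntp.conf eth0 ntp.example.org
if [ $# -eq 3 ]; then
    write_ntp_client_conf "$1" "$2" "$3"
    check_ntp_client_conf "$1"
fi
```

After installing the file, restart ntpd and confirm with `netstat -anup | grep ntpd` (or `ss -unlp`) that the only UDP/123 sockets are on 127.0.0.1 and the chosen interface's address.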
Quote:
Originally Posted by kbp
Sorry, I didn't realise it hadn't always been there, my Fed 11 lappy is running 4.2.4p7
It's ok. I'll just have to find a newer RPM for my system and try again. If that doesn't work, I'll just resort to rdate and a cron.