On: ntp, ntpd. link dump!

So, in order to quickly have a (debian) machine up and running on ntp, you’re bound to do something like this ‘apt-get install ntp ntpdate’.

The problem is that this installs ‘ntpd’ too. The default configuration is to allow your server to answer to NTP queries from anywhere.

If you want to give the crackdown you’ll be somewhat frustrated with pre 4.6 config options as they’re somewhat nontraditional to what we usually see; without further ado, here’s a simple ‘link dump’ for a configuration guide.

On ntp 4.x? Guess what? Doesn’t work =[ – must be done with iptables.


Here’s the cheatsheet /etc/ntp.conf :

driftfile /var/lib/ntp/ntp.drift
server my.server.address


restrict default ignore
restrict -6 default ignore

restrict 127.0.0.1

restrict my.server.address

This will allow you to poll things, e.g.: ntpq -p; and keep everyone else from sending packets to your box either on purpose or by accident. Note: You -have- to have your ‘servers’ in restrict lines or else it’ll hang on the first poll. (Indicated by ntpq -p )

When ntp isn’t working right, this is what ntpq -p looks like:

 box:/etc# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================

123.123.123.123  .INIT.          16 –    –   64    0    0.000    0.000   0.000

Note the 0.000’s in the delay/offset/jitter – it’s also stuck on the sync request at INIT.

A properly functioning ntpq -p should look something like this:

box:/etc# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================

123.123.123.123  123.12.1.12      3 u    3   64    1    1.349  2446.01   0.000


Leave a Reply

Your email address will not be published. Required fields are marked *