17.9. Understanding the ntpd Configuration File
ntpd reads the configuration file at system start or when the service is restarted. The default location for the file is /etc/ntp.conf; you can view it with any pager or text editor. The configuration commands are explained briefly later in this chapter, see Section 17.17, “Configure NTP”, and more verbosely in the
- The driftfile entry
- A path to the drift file is specified; the default entry on Red Hat Enterprise Linux is:

    driftfile /var/lib/ntp/drift

  If you change this, be certain that the directory is writable by ntpd. The file contains one value, the estimated frequency error of the system clock in parts per million, which ntpd uses to adjust the clock frequency immediately after every system or service start instead of re-measuring it from scratch. See Understanding the Drift File for more information.
- The access control entries
- The following line sets the default access control restriction:

    restrict default nomodify notrap nopeer noquery

  The nomodify option prevents any changes to the configuration. The notrap option prevents ntpdc control message protocol traps. The nopeer option prevents a peer association being formed. The noquery option prevents ntpdc queries (and other mode 6 and mode 7 control queries), but not time queries, from being answered.

  ntpdc queries (notably the monlist request) can be used in amplification attacks, therefore do not remove the noquery option from the restrict default command on publicly accessible systems. See CVE-2013-5211 for more details.

  Addresses within the range 127.0.0.0/8 are sometimes required by various processes or applications. As the "restrict default" line above prevents access to everything not explicitly allowed, access to the standard loopback addresses for IPv4 and IPv6 is permitted by means of the following lines:

    # the administrative functions.
    restrict 127.0.0.1
    restrict ::1

  Addresses can be added underneath if specifically required by another application.

  Hosts on the local network are not permitted because of the "restrict default" line above. To change this, for example to allow hosts from the 192.0.2.0/24 network to query the time and statistics but nothing more, a line in the following format is required:

    restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer

  To allow unrestricted access from a specific host, for example 192.0.2.250/32, a line in the following format is required:

    restrict 192.0.2.250

  A mask of 255.255.255.255 is applied if none is specified, so an entry without a mask matches exactly one host. The restrict commands are explained in the
- The public servers entry
- By default, the ntp.conf file contains four public server entries:

    server 0.rhel.pool.ntp.org iburst
    server 1.rhel.pool.ntp.org iburst
    server 2.rhel.pool.ntp.org iburst
    server 3.rhel.pool.ntp.org iburst
- The broadcast and multicast servers entry
- By default, the ntp.conf file contains some commented-out examples. These are largely self-explanatory. See Section 17.17, “Configure NTP” for the explanation of the specific commands. If required, add your commands just below the examples.
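The access control entries above are easier to reason about when you can ask which flags ntpd will apply to a packet from a given client. The following Python script is an added example, not code from the Red Hat guide or from the ntp project: it parses the restrict lines of a constructed ntp.conf fragment that mirrors the entries discussed in this section, applies the matching rule that the most specific matching entry (longest mask) wins, with "restrict default" acting as the 0.0.0.0/0 and ::/0 catch-all (this matching rule is an assumption of the example, stated in the code), and reports whether control queries from a source address would be answered and whether every default entry still carries noquery.

```python
"""Evaluate ntpd 'restrict' rules for a given client address.

Added example (not from the Red Hat guide or the ntp project): a small
parser for the 'restrict' lines of an ntp.conf, plus a matcher that
reports which restriction flags ntpd would apply to a packet from a
given source address. The matching rule assumed here is that the most
specific matching entry (longest mask) wins, with 'restrict default'
acting as the catch-all 0.0.0.0/0 and ::/0 entry.
"""
import ipaddress

# Constructed sample configuration mirroring the entries discussed in
# the text (not a copy of a real /etc/ntp.conf).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery
# the administrative functions.
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap nopeer
restrict 192.0.2.250
server 0.rhel.pool.ntp.org iburst
"""

# Prefix length meaning "this single host", per address family: ntpd
# applies a full mask when no 'mask' argument is given.
FULL_MASK = {4: 32, 6: 128}


def _prefix_from_mask(mask):
    """Convert a dotted-quad or hex netmask string to a prefix length
    (assumes a contiguous mask)."""
    return bin(int(ipaddress.ip_address(mask))).count("1")


def parse_restrict_rules(conf_text):
    """Return a list of (network, frozenset_of_flags) from 'restrict' lines.

    'restrict default' expands to both 0.0.0.0/0 and ::/0 unless the
    -4 or -6 address-family option narrows it.
    """
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        tokens = line.split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = 4 if tokens.pop(0) == "-4" else 6
        target = tokens.pop(0)
        if target == "default":
            nets = []
            if family in (None, 4):
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
            if family in (None, 6):
                nets.append(ipaddress.ip_network("::/0"))
        else:
            addr = ipaddress.ip_address(target)
            prefixlen = FULL_MASK[addr.version]  # no mask: single host
            if len(tokens) >= 2 and tokens[0] == "mask":
                tokens.pop(0)
                prefixlen = _prefix_from_mask(tokens.pop(0))
            nets = [ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)]
        flags = frozenset(tokens)  # whatever remains are restriction flags
        for net in nets:
            rules.append((net, flags))
    return rules


def effective_flags(rules, source):
    """Flags ntpd would apply to a packet from `source`.

    Most specific (longest prefix) matching network wins; an address
    that matches nothing is unrestricted (empty set).
    """
    src = ipaddress.ip_address(source)
    best = None
    for net, flags in rules:
        if net.version == src.version and src in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    return best[1] if best else frozenset()


def control_queries_allowed(rules, source):
    """True if ntpdc/ntpq control queries from `source` would be answered."""
    return "noquery" not in effective_flags(rules, source)


def default_blocks_control_queries(rules):
    """Hardening check: every catch-all ('default') entry carries noquery,
    the setting that matters for the amplification problem (CVE-2013-5211)
    on publicly reachable servers."""
    defaults = [flags for net, flags in rules if net.prefixlen == 0]
    return bool(defaults) and all("noquery" in f for f in defaults)


if __name__ == "__main__":
    rules = parse_restrict_rules(SAMPLE_CONF)
    for host in ("127.0.0.1", "::1", "192.0.2.10", "192.0.2.250",
                 "203.0.113.5", "2001:db8::1"):
        flags = sorted(effective_flags(rules, host)) or "none"
        answered = "yes" if control_queries_allowed(rules, host) else "no"
        print(f"{host:>14}: flags={flags} control_queries={answered}")
    print("default entries carry noquery:", default_blocks_control_queries(rules))
```

To check a real configuration, read /etc/ntp.conf into parse_restrict_rules in place of SAMPLE_CONF. An empty flag set for a public address, or default_blocks_control_queries returning False, is the exposure the CVE-2013-5211 advice above warns about. The parser covers the restrict forms shown in this section; ntpd's full restrict syntax is wider.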
When the DHCP client program, dhclient, receives a list of NTP servers from the DHCP server, it adds them to ntp.conf and restarts the service. To disable that feature, add