Hosting companies kicking me out (hosting advice)

I had a few servers, but VPS hosting companies are kicking me out due to high queries, I guess.

Do you have hosting (dedicated or VPS) to host NTP?

Thank you

Three of my NTP servers are at UpCloud, one at Hetzner. These have been in operation for years without any particular issues. I think I had to explain that these are NTP servers, but after the explanations everything has been going nicely.

In addition to those, I had a temporary NTP server at Hetzner’s Singapore DC some time ago. That server was fairly busy and I received several “PortscanOutLevel: scansnarf-ng detected Portscan from xxx” messages from Hetzner. I filed several “statements” about the incidents and that cleared up the situation for a while, but I think the key was that I adjusted my firewall so that if my server received an “ICMP host/net/port unreachable” from some address, NTP requests from that address were dropped for 100 seconds. I think they were monitoring the number of ICMP responses and raised an alert if the levels were exceeded. This firewall configuration reduced the number of ICMP unreachable responses significantly and I don’t think I received any more “portscan” messages after the firewall config change. I added this same config change to my other NTP servers as well.

iptables -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -m recent --set --name icmp_udp_unreachable --mask 255.255.255.255 --rsource -j ACCEPT
iptables -A INPUT -p udp -m recent --rcheck --seconds 100 --name icmp_udp_unreachable --mask 255.255.255.255 --rsource -m udp --dport 123 -j DROP
ip6tables -A INPUT -p icmpv6 -m icmpv6 --icmpv6-type destination-unreachable -m recent --set --name icmp6_udp_unreachable --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -j ACCEPT
ip6tables -A INPUT -p udp -m recent --rcheck --seconds 100 --name icmp6_udp_unreachable --mask ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff --rsource -m udp --dport 123 -j DROP

I also have this in /etc/modprobe.d/xt.conf:
options xt_recent ip_list_tot=10000 ip_pkt_list_tot=1

Edit: Fixed ICMP target DROP->ACCEPT.


I use VPS servers too but never had any problems with them.

I use HostHatch. Haven’t had any issues.

Shamelessly including my referral link: https://cloud.hosthatch.com/a/2532

I have a couple of NTP servers at RackNerd. They have specials every November – I have one VPS that I pay $15/yr.


Just ordered me one in France… 22 dollars, not bad!

But you have to click on the top bar, else you pay a lot more.

@ask can you add ALL my France servers to Belgium zone please?

My current pool of NTP servers:

root@server-racknerd:/opt/chrony-stats# nslookup ntp.heppen.be
Server:		8.8.8.8
Address:	8.8.8.8#53

Non-authoritative answer:
Name:	ntp.heppen.be
Address: 51.75.149.45
Name:	ntp.heppen.be
Address: 185.142.225.68
Name:	ntp.heppen.be
Address: 45.95.172.130
Name:	ntp.heppen.be
Address: 212.187.8.48
Name:	ntp.heppen.be
Address: 87.118.104.17
Name:	ntp.heppen.be
Address: 2001:41d0:700:1e9d::ec3d:bd92
Name:	ntp.heppen.be
Address: 2001:1b60:2:1:1126:104:0:1
Name:	ntp.heppen.be
Address: 2a01:7a7:2:3343:216:3cff:fee3:7803

:zany_face:


You have several servers/IPs registered as ntp.heppen.be.
When using “pool ntp.heppen.be iburst” in chrony.conf, it acts as a normal pool.

Do you need extra config/software on the servers to make the pool work, or does chrony handle all?

Nope, it’s far simpler than that.

You use your DNS-registrar/server.

All you do is e.g.

A-record - IP-server1 - ntp.heppen.be

A-record - IP server 2 - ntp.heppen.be

AAAA-record - IP server 3 - ntp.heppen.be

And the DNS server you use does the rest; it goes round-robin.

It’s also very handy to register all servers in the ntppool… as they show up all at once.

But the ntppool decides what to do.

As my ‘private’ pool isn’t very well known by most users, it serves my purpose fine.

And the rest is served by the normal pool.

My friends and my systems use my pool mostly.


I contribute only VPSes, but there are dozens of them around the world. I had issues only with a couple of providers.

Elastika.pe in Peru looked nice at first, trying to contribute in the underserved South American region. However, any attempt to bring it live ended up hitting their strict firewall rules, something above 1 Mbit/s (NTP packets are small, so that’s a lot of them). I tried to solve it via tickets, to ease up the rules; they said it’s too many packets, they won’t change the firewall, I should throttle my use. Which isn’t possible when you are the only server in the region; any netspeed is the same (this could be fixed by sharing the netspeed with the whole continent). They didn’t want to refund, so it ended up as a waste of money and time (yearly contract).

There were a couple of issues with overworking the lowest plan of a single shared CPU, but that’s usually solved by lowering the netspeed. Even $5-$7 per year deals have been contributing in a significant way with high netspeeds.

And then there’s India, which apparently hates my public NTP servers. At least the cyber police, which seems incompetent enough that when they spot my IP in the logs they send a lazily filled request to the provider for KYC and further info. Happened to me with two different providers and several different VPS services. One provider suspended them a second time already; the other suspended and deleted, and in the end stopped offering the India location completely. To their credit, they refunded above my suspended time, so I redirected the resources to other regions which never got into such trouble.

So as long as I watch the monthly bandwidth allocation I don’t have many problems with resource usage.


@ajiv

Your first rule should be set to ACCEPT so that any connections that have nothing to do with NTP can get a valid reply as destination-unreachable.

The second rule is correctly set as DROP, so only NTP UDP 123 connections are affected.

You’re right, thanks. I’ve now changed the examples in my post accordingly. This does not really make much of a difference in my use case (nearly all the traffic on these servers is NTP anyway), but it is indeed better in general to not block the ICMP errors at the firewall.
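Added example, not code from any post in this thread and not part of chrony or netfilter: a small Python model of the two-rule xt_recent pattern posted above (ICMP destination-unreachable from a source marks it; UDP/123 from a marked source is dropped for 100 seconds), including the ip_list_tot eviction from the modprobe option and the ACCEPT-vs-DROP verdict on the ICMP rule that the last two posts discuss. The class and function names (RecentList, Firewall, filter_packet, run_scenario), the constructed packet sequence and the 198.51.100.0/24 and 2001:db8::/32 documentation addresses are all assumptions made for this example.

```python
"""Model of the xt_recent rule pair:
  rule 1: icmp dest-unreachable from src -> --set  name -> ACCEPT (or DROP in the pre-correction version)
  rule 2: udp dport 123 from src, --rcheck --seconds 100 name -> DROP
Hypothetical names; constructed sample traffic. Run: python3 this_file.py
"""
from collections import OrderedDict
import ipaddress

NTP_PORT = 123


class RecentList:
    """One named xt_recent table (icmp_udp_unreachable / icmp6_udp_unreachable).
    ip_list_tot mirrors the modprobe option: when the table is full, the least
    recently updated source is evicted. ip_pkt_list_tot=1 means only the last
    timestamp per source is kept, which is all --rcheck --seconds needs here."""

    def __init__(self, window_seconds=100, ip_list_tot=10000):
        self.window = window_seconds
        self.ip_list_tot = ip_list_tot
        self._last_seen = OrderedDict()  # src -> last timestamp, oldest first

    def set(self, src, now):
        """--set: record or refresh the source and mark it most recently used."""
        if src in self._last_seen:
            del self._last_seen[src]
        elif len(self._last_seen) >= self.ip_list_tot:
            self._last_seen.popitem(last=False)  # evict least recently updated
        self._last_seen[src] = now

    def rcheck(self, src, now):
        """--rcheck --seconds N: match if src was set within the last N seconds.
        --rcheck never refreshes the timestamp (unlike --update), so a source is
        released N seconds after its last ICMP error no matter how many NTP
        packets it sent in the meantime."""
        ts = self._last_seen.get(src)
        return ts is not None and (now - ts) < self.window


class Firewall:
    """The rule pair, one table per address family, with the ICMP rule's
    verdict configurable so the earlier DROP variant can be compared."""

    def __init__(self, window_seconds=100, ip_list_tot=10000, icmp_verdict="ACCEPT"):
        self.tables = {4: RecentList(window_seconds, ip_list_tot),   # icmp_udp_unreachable
                       6: RecentList(window_seconds, ip_list_tot)}   # icmp6_udp_unreachable
        self.icmp_verdict = icmp_verdict

    def filter_packet(self, pkt, now):
        """Return "ACCEPT"/"DROP" when one of the two rules matches, else None
        (the packet falls through to the rest of INPUT, e.g. on to chrony)."""
        table = self.tables[ipaddress.ip_address(pkt["src"]).version]
        # Rule 1: ICMP/ICMPv6 destination-unreachable -> remember the source.
        if pkt["proto"] in ("icmp", "icmpv6") and pkt.get("icmp_type") == "destination-unreachable":
            table.set(pkt["src"], now)
            return self.icmp_verdict
        # Rule 2: UDP to 123 from a source seen in the last `window` seconds -> DROP.
        if pkt["proto"] == "udp" and pkt.get("dport") == NTP_PORT and table.rcheck(pkt["src"], now):
            return "DROP"
        return None


# Constructed sample traffic: (time in seconds, packet). Not captured data.
SAMPLE_TRAFFIC = [
    (0,   {"src": "198.51.100.7", "proto": "udp", "dport": 123}),   # ordinary NTP query
    (1,   {"src": "198.51.100.7", "proto": "icmp", "icmp_type": "destination-unreachable"}),
    (2,   {"src": "198.51.100.7", "proto": "udp", "dport": 123}),   # now dropped
    (3,   {"src": "198.51.100.7", "proto": "udp", "dport": 53}),    # non-NTP: unaffected
    (50,  {"src": "198.51.100.7", "proto": "udp", "dport": 123}),   # still inside the 100 s window
    (102, {"src": "198.51.100.7", "proto": "udp", "dport": 123}),   # window expired: served again
    (103, {"src": "2001:db8::1", "proto": "icmpv6", "icmp_type": "destination-unreachable"}),
    (104, {"src": "2001:db8::1", "proto": "udp", "dport": 123}),    # v6 table works the same way
]


def run_scenario(icmp_verdict="ACCEPT"):
    """Feed the sample traffic through a fresh Firewall; return the verdict list."""
    fw = Firewall(icmp_verdict=icmp_verdict)
    return [fw.filter_packet(pkt, t) for t, pkt in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for (t, pkt), verdict in zip(SAMPLE_TRAFFIC, run_scenario()):
        print(f"t={t:3d} {pkt['src']:>14} {pkt['proto']:6} -> {verdict}")
```

Running it shows the point of the correction: with the ICMP rule on ACCEPT the unreachable message is still delivered to the host (so non-NTP sockets get their error), while the only thing dropped is UDP/123 from that source, and only for the window after its last ICMP error.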