Newbie operator, some questions!

Hi! I just joined my server to the pool a few days ago, as I have been paying for my server for the last few years and it has been extremely underutilized until now (average load of less than 1%; I use it to host my personal blog only). I have a few questions:

  1. I configured everything according to Arch Linux’s NTP wiki (Network Time Protocol daemon - ArchWiki). Is any additional configuration required for safety and security, in particular for the NTP server setup? The usual things like key-based SSH login, iptables, etc. are already in place. Is the sample configuration given sufficient?
  2. I saw some topics on abuse of NTP servers and also getting IP blacklisted. I’m hosting my personal blog on my server too, hence I would like to know if it is okay for me to actually “involve” my server in this NTP thingy…
  3. Is it possible to change the region my server is serving? I actually saw this (Adding servers to the China zone) and I wondered if my server could be set to serve China region users only, because the target audience of my personal blog is only China users. I would be very happy to serve any regions that are in need, especially China. My server is fully accessible within China.
  4. I have another server which is IPv6 only (actually, Scaleway’s Stardust instance). Is it okay to join the pool as an NTP server?
  5. Is there any sort of monitoring for NTP servers that you guys usually use? Currently I only monitor whether the NTP service is running, using Zabbix.

Please let me know if I got anything wrong. I’m just trying to help out since my server is extremely underutilized (with a lot of bandwidth and performance) and I have been paying for the server every year as a student, so it is a complete waste, and I’m looking to help on volunteer projects. Thanks again!

1 Like

Welcome! I started out in the same situation. I had a vastly underutilized server and figured I’d put it in the pool. I should warn you it can be addicting :laughing: – I currently have seven servers in the pool, several of which are VMs in underserved regions doing nothing but NTP.

There’s a page with some configuration recommendations here, but it’s nothing too wild. You may want to look at the rate limiting options so that broken clients that query you unreasonably frequently (i.e., every second) get ignored. Realistically it doesn’t save a whole lot.

On the abuse front – I have read several such threads here, but I have participated in the pool for more than a decade, and currently have seven servers in the pool, and don’t believe I have ever received a single abuse complaint. (Except for an incident years ago during the monlist exploit, where I neglected to patch a server and it started pushing 1 Gbps as part of a DDoS. But that just led to me fixing it and thanking them for the notice.)

The pool treats each IPv4 or IPv6 address as a separate server, so an IPv6-only host would be fine.

Personally I don’t use any sort of monitoring, but would be interested in hearing what others are doing.

2 Likes

Thanks for sharing this, guys.
I’m also a newbie (started in Jan 2023), but I’m running two physical NTP appliances (Meinberg M200 and a Meinberg M300), which have monitoring built in for many parameters.

I can really recommend using these (although they are expensive to buy).

1 Like

Appreciate your reply! It surely is addicting as hell, I was extremely happy to see my server has traffic coming in, and that my server load is now finally more than 1% :rofl: Now every day I have something new to check when I turn on my computer: my NTP server score haha

Thanks for sharing the configuration options and the abuse incident. That makes me feel better and less worried about being abused; I’ll look into the rate limiting option just in case. In the coming days, maybe I will let my IPv6-only instance join the pool too. It’s a bit too bad that both my VPS servers are located in Europe and not any other location. I wish I could have joined my home server (in Malaysia) to the pool so that I could contribute to a different location, but unfortunately we’re having a dynamic IP. Because I can see from the homepage that Europe server counts are soooo huge xD

I have never been so happy owning a server :smiley: Also some little motivation for me to keep on renewing my server contract :rofl:

2 Likes

Wow, you’re in a different league, bro. I didn’t even know there’s such a thing as an NTP appliance, wow! I guess this would make it an NTP server higher than stratum 3?

Having a dedicated appliance does not automatically mean a lower stratum.
The stratum a server operates on is mostly dependent on the stratum of the reference source your server gets its time from (and some configuration options). The stratum of your server is the stratum of the reference source + 1.

1 Like

Hello Lee

I am using ntpd from ntp.org and to reduce the potential for abuse of my servers I have this line in ntp.conf:

restrict default limited kod notrap nomodify nopeer noquery

As most requests to ntpd are UDP, it is kind of easy to abuse them. Especially when the ISP of the source of the malicious packets does not follow best practice to filter out source packets not from its own network. So any public NTP server could be abused to send unwanted traffic to a third-party IP address.

As you can see on my graphs [1], my server has a constantly higher inbound packet rate (green) than outbound (blue). From mid February until mid March it was even significantly higher than usual, but not much harm was done to any third party as most of these requests were not answered. I never got any complaint that my server is sending unwanted traffic.

[1] NTP Statistics ntp1.home4u.ch

The ISP for this IP is doing DDoS detection and protection and at some point started to block and unblock traffic to this IP in a very short time frame quite often (even multiple times per day). This sent me emails each time from an informational support ticket they created. I explained to them that I run an NTP server in the Pool which can cope with this “DDoS” and also has measures in place to reduce back-scatter. They then excluded this IP with port UDP 123 from their DDoS detection.

The stats are created with MRTG and a script using ‘ntpq -c sysstats -c iostats’, using the ‘packets received’ and ‘packets sent’ numbers.

Best regards,
Fabian
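Fabian's MRTG script above, together with the rate-limiting advice earlier in the thread (restrict ... limited kod), suggests a small monitoring check that a pool operator can run. The following Python is an added example, not Fabian's script or any code posted in the thread: it parses the `name: value` counter lines that ntpq prints for sysstats and iostats, turns two snapshots into per-second rates, and flags the one condition worth alerting on for a public NTP server, namely more packets leaving than arriving. The counter names ("packets received" from sysstats, "packets sent" from iostats, "rate limited", "KoD responses") are the ones ntpq prints; the two snapshots and their numbers are constructed, and the hostname is a placeholder.

```python
"""Derive NTP traffic rates from two snapshots of `ntpq -c sysstats -c iostats`.

Added example, not code from the thread. It parses the `name: value` counter
lines ntpq prints, turns two snapshots into per-second rates, and flags the
amplification pattern (more packets sent than received). The snapshots below
are constructed sample data, not captured from a real server.
"""
import re
from typing import Dict, List

# Constructed sample: two snapshots 300 s apart, laid out like ntpq output.
# "packets received" comes from sysstats, "packets sent" from iostats; these
# are the two counters the MRTG script in the thread reads.
SNAPSHOT_T0 = """\
uptime:                 86400
sysstats reset:         86400
packets received:       1200000
current version:        1100000
older version:          100000
bad length or format:   0
authentication failed:  0
declined:               0
restricted:             5000
rate limited:           30000
KoD responses:          2000
processed for time:     1160000
time since reset:       86400
receive buffers:        10
free receive buffers:   9
used receive buffers:   0
low water refills:      1
dropped packets:        0
ignored packets:        0
received packets:       1200000
packets sent:           1165000
packet send failures:   0
"""
SNAPSHOT_T1 = """\
uptime:                 86700
sysstats reset:         86700
packets received:       1260000
current version:        1150000
older version:          110000
bad length or format:   0
authentication failed:  0
declined:               0
restricted:             5200
rate limited:           33000
KoD responses:          2300
processed for time:     1217000
time since reset:       86700
receive buffers:        10
free receive buffers:   9
used receive buffers:   0
low water refills:      1
dropped packets:        0
ignored packets:        0
received packets:       1260000
packets sent:           1220000
packet send failures:   0
"""

COUNTER_RE = re.compile(r"^\s*([^:]+?):\s+(\d+)\s*$")


def parse_ntpq(text: str) -> Dict[str, int]:
    """Map each `name: value` counter line to an int; other lines are skipped."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).lower()] = int(m.group(2))
    return counters


def counter_delta(before: Dict[str, int], after: Dict[str, int], key: str) -> int:
    """Increment of a monotonically increasing counter between two snapshots.

    A counter that went backwards means ntpd restarted or its stats were reset
    in between, so the new value is the whole increment since zero.
    """
    b, a = before.get(key, 0), after.get(key, 0)
    return a if a < b else a - b


def traffic_rates(before: Dict[str, int], after: Dict[str, int]) -> Dict[str, float]:
    """Per-second rates for the counters a pool operator wants on a graph."""
    seconds = counter_delta(before, after, "uptime")
    if seconds <= 0:
        raise ValueError("snapshots must be taken in order and apart in time")

    def rate(key: str) -> float:
        return counter_delta(before, after, key) / seconds

    rates = {
        "in_pps": rate("packets received"),
        "out_pps": rate("packets sent"),
        "limited_pps": rate("rate limited"),  # dropped by `restrict ... limited`
        "kod_pps": rate("kod responses"),     # Kiss-o'-Death replies from `kod`
    }
    # A healthy server answers at most once per request, so out <= in.
    # More out than in is the amplification pattern worth alerting on.
    rates["amplifying"] = rates["out_pps"] > rates["in_pps"]
    return rates


def mrtg_lines(snapshot: Dict[str, int], hostname: str) -> List[str]:
    """The four lines an MRTG external-script target expects: in, out, uptime, name."""
    return [
        str(snapshot.get("packets received", 0)),
        str(snapshot.get("packets sent", 0)),
        str(snapshot.get("uptime", 0)),
        hostname,
    ]


if __name__ == "__main__":
    t0, t1 = parse_ntpq(SNAPSHOT_T0), parse_ntpq(SNAPSHOT_T1)
    for name, value in traffic_rates(t0, t1).items():
        print(f"{name:>12}: {value}")
    print("\n".join(mrtg_lines(t1, "ntp.example.invalid")))  # placeholder host
```

On a live server the two snapshots would come from running ntpq a few minutes apart (or from MRTG's own counter handling, which is why `mrtg_lines` hands MRTG the raw counters rather than rates); the non-zero `limited_pps` and `kod_pps` values in the constructed sample are what the `limited kod` restriction from Fabian's ntp.conf line looks like in the counters once it is actually discarding over-eager clients.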