Ntpsec security configuration

hello,

Lately, I’ve been having trouble getting a score of 20 from my NTP server. Initially, it hovered around 9 or 10. I noticed several timeouts in the logs. Initially, I blamed my ISP until I discovered that NTPsec implements internal security limits that can be disabled with “unrestrict default noquery limited.”

After disabling NTPsec’s internal security, the score returned to 20. I don’t think this is the best solution, as it’s probably now subject to DDOS reflection. Does anyone have any settings to suggest? My current configuration:

#/etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntpsec/ntp.drift
#Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list
#Enable this if you want statistics to be logged.
statsdir /var/log/ntpsec/
#statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
#By default, exchange time with everybody, but don’t allow configuration.
restrict default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
#Needed for adding pool entries
restrict source notrap nomodify noquery
unrestrict default noquery limited  # ← added this to solve my low score and time out from monitoring server
logfile /var/log/ntp.log
server 127.127.20.0 mode 24 time1 0.0 iburst prefer minpoll 4 maxpoll 6
fudge 127.127.20.0 flag1 1 flag3 1 time1 0.0 time2 0.500 refid GPS
server 192.168.200.203
server 192.168.200.204
server 192.168.200.212
server ntp1.inrim.it
server ntp2.inrim.it
pool 0.it.pool.ntp.org

I suspect it’s just the default rate limit (1 per second average) that’s getting in your way. Here are the relevant parts of my working pool config for NTPsec:

...
restrict -4 default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict source notrap nomodify noquery
limit average 3
...

I am exceedingly curious if you suffer the same sort of reduced pool scoring after commenting out limit average 3, or equivalent using ntpq [...] -c ":config limit average 1" at runtime.

If so, I think further investigation is in order, because no monitor should be querying so frequently. It would only make sense if the monitor is behind carrier-grade NAT, or if there are otherwise many or misbehaving clients sharing the same querying IP address.
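To make the two configurations above comparable, here is an added example (not code from the thread or from NTPsec) that replays `restrict`/`unrestrict` lines in file order, the way the "unrestrict default noquery limited" line in the first post interacts with the "restrict default ..." lines before it, and reports which of the everyone-entry flags end up missing plus the `limit average` value from the reply. It assumes standard ntpd semantics: an unqualified `restrict default` touches both the IPv4 and IPv6 default entries, `restrict` adds flags and `unrestrict` removes them; the sample config is constructed from the lines quoted in this thread.

```python
from typing import Dict, List, Set, Tuple

# Default-entry flags a pool server should keep: answer time requests only,
# no mode-6 queries (reflection surface), no remote changes, no peering.
WANTED = ("noquery", "nomodify", "nopeer")

# Constructed sample: the first post's restrict lines with its unrestrict
# line, followed by the "limit average 3" directive from the reply.
SAMPLE_CONF = """\
# /etc/ntp.conf (constructed excerpt)
restrict default notrap nomodify nopeer noquery
restrict -6 default notrap nomodify nopeer noquery
restrict source notrap nomodify noquery
unrestrict default noquery limited  # <- added to fix the low score
limit average 3
"""

def replay(conf: str) -> Tuple[Dict[str, Set[str]], Dict[str, int]]:
    """Apply restrict/unrestrict lines in order; return (flags per entry, limits).

    Entry keys: 'default-4', 'default-6', or the literal address/keyword.
    """
    flags: Dict[str, Set[str]] = {}
    limits: Dict[str, int] = {}
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # drop comments and blank lines
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd in ("restrict", "unrestrict") and args:
            family = None
            if args[0] in ("-4", "-6"):
                family, args = args[0][1], args[1:]
            if args[0] == "default":
                # no -4/-6 means both default entries are affected
                keys = ["default-" + (family or f) for f in ("4", "6") if family in (None, f)]
            else:
                keys = [args[0]]
            for key in keys:
                entry = flags.setdefault(key, set())
                (entry.update if cmd == "restrict" else entry.difference_update)(args[1:])
        elif cmd == "limit" and len(args) == 2 and args[1].isdigit():
            limits[args[0]] = int(args[1])
    return flags, limits

def audit(conf: str) -> List[str]:
    """Findings about the everyone-entries after replaying the whole file."""
    flags, limits = replay(conf)
    out = []
    for key in ("default-4", "default-6"):
        missing = [f for f in WANTED if f not in flags.get(key, set())]
        if missing:
            out.append(f"{key}: missing {' '.join(missing)}")
    if "average" in limits:
        out.append(f"limit average {limits['average']}")
    return out

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

Run against the sample it shows that the single `unrestrict default` line strips `noquery` from the IPv6 default entry as well, not only the IPv4 one.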

Done just now, @davehart - feel free to keep an eye on pool.ntp.org: Statistics for 2001:44b8:2100:3f00::7b:402 to see if it changes anything.

@davehart Looks like no apparent change overnight - seems your suspicion was right. Perhaps @kiokoman1’s ISP is doing some filtering?