Owner of a server

Hello,

I am the network administrator of the Royal Observatory of Belgium. We have 2 stratum 1 and 2 stratum 2 servers. They are registered as ‘no pool’ in ntp.org.
BUT, they seem to be added on ntppool by somebody and 1 is used by “pool.ntp.org”. And this is a big problem for us because our network is not designed for such a number of requests (the problem is the firewall).
Question: How to remove these servers from the pools? (I don’t know who added these servers and I am not the owner on ntppool.) I can obviously prove that I am the one responsible.
And how to prevent anyone from doing so in the future?

Thank you for your answers
Regards,
Henri

2 Likes

Dear @henri.martin welcome to the community!

Unfortunately, there is no verification process in place to add a server into the pool. So anybody can add any IP address (including yours) to the pool. (The pool will just automatically trim off those IP addresses that do not have running NTP service.)
Multiple possible verification options were discussed extensively at: https://community.ntppool.org/t/verification-step-to-add-a-server/

Hi Henri, the “official” answer is to log a call via the form on pool.ntp.org: the internet cluster of ntp servers

…but if you message me (I’m a volunteer admin on the pool) the IP addresses on here, I can move them to a “locked” list, which means they cannot be added back into the pool in future without admin intervention.

(One of the jobs on @ask’s To Do list is to add some process for authentication of new servers before they are added to the pool)

2 Likes

Hello,
I have sent 2 messages to @ask… I have also tried to manage these servers, but it is impossible to find who added the servers…
The IPs to lock are:
193.190.230.37 (ntp2.oma.be)
193.190.230.65 (ntp1.oma.be)
193.190.230.66 (ntp3.oma.be)

Many Thanks

Henri

1 Like

Thank you for the answer.
A lot of ‘solutions’ are difficult to implement on hardware ntp servers like our stratum 1 server.
I can allow/block IPs on the firewall, but it is not a good solution to limit requests…

Henri

1 Like

That is right, it is not a good solution to limit requests. However, blocking predefined IP addresses on the firewall to query the hardware NTP server may enable verification to deny adding a server to the pool.

Hi, I’ve set the netspeed for 193.190.230.37 to zero as a temporary measure. The other two were already in the inactive pool. The person who added 193.190.230.37 has added a number of other servers that don’t look to be theirs, so I’ve flagged to @ask.

3 Likes

The result is spectacular on the number of NTP requests and on the firewall load!
mrtg

Many Thanks
Henri

2 Likes

I had not thought of this solution. If you know the IP address of the verification servers…
Henri

1 Like

Yes, blocking the monitoring IP address effectively drops the score under 10 in less than an hour and that leads to drastic decrease of the NTP traffic too.

1 Like

Is there a list of monitoring IP addresses?

There was… but I think it’s out of date. If you run the traceroute command it originates from 139.178.70.121, so it might be that… :man_shrugging:

NTP Pool monitoring server is currently monsjc1.ntppool.net (139.178.70.122).

When the new monitoring system is enabled there may be dozens of monitoring IP clients.

6 Likes