I am the network administrator of the Royal Observatory of Belgium. We have 2 stratum 1 and 2 stratum 2 servers. They are registered as ‘no pool’ in ntp.org.
BUT, they seem to have been added on ntppool by somebody and 1 is used by “pool.ntp.org”. And this is a big problem for us because our network is not designed for such a number of requests (the problem is the firewall).
Question: How to remove these servers from the pools? (I don’t know who added these servers and I am not the owner on ntppool.) I can obviously prove that I am the one responsible.
And how to prevent anyone from doing so in the future?
Unfortunately, there is no verification process in place to add a server into the pool. So anybody can add any IP address (including yours) to the pool. (The pool will just automatically trim off those IP addresses that do not have a running NTP service.)
Multiple possible verification options were discussed extensively at: https://community.ntppool.org/t/verification-step-to-add-a-server/
…but if you message me (I’m a volunteer admin on the pool) the IP addresses on here, I can move them to a “locked” list, which means they cannot be added back into the pool in future without admin intervention.
(One of the jobs on @ask’s To Do list is to add some process for authentication of new servers before they are added to the pool)
Hello,
I have sent 2 messages to @ask … I have also tried to manage these servers, but it is impossible to find who added the servers …
The IPs to lock are:
193.190.230.37 (ntp2.oma.be)
193.190.230.65 (ntp1.oma.be)
193.190.230.66 (ntp3.oma.be)
Thank you for the answer.
A lot of ‘solutions’ are difficult to implement on hardware NTP servers like our stratum 1 server.
I can allow/block IPs on the firewall, but it is not a good solution to limit requests …
That is right, it is not a good solution to limit requests. However, blocking predefined IP addresses on the firewall from querying the hardware NTP server may enable verification to deny adding a server to the pool.
Hi, I’ve set the netspeed for 193.190.230.37 to zero as a temporary measure. The other two were already in the inactive pool. The person who added 193.190.230.37 has added a number of other servers that don’t look to be theirs, so I’ve flagged to @ask.
Yes, blocking the monitoring IP address effectively drops the score under 10 in less than an hour, and that leads to a drastic decrease of the NTP traffic too.