I am the network administrator of the Royal Observatory of Belgium. We have 2 stratum 1 and 2 stratum 2 servers. They are registered as ‘no pool’ in ntp.org.
But they seem to have been added on ntppool by somebody and 1 is used by “pool.ntp.org”. And this is a big problem for us because our network is not designed for such a number of requests (the problem is the firewall).
Question: How to remove these servers from the pools? (I don’t know who added these servers and I am not the owner on ntppool.) I can obviously prove that I am the one responsible.
And prevent anyone from doing so in the future.
Thank you for your answers.
Dear @henri.martin welcome to the community!
Unfortunately, there is no verification process in place to add a server into the pool. So anybody can add any IP address (including yours) to the pool. (The pool will just automatically trim off those IP addresses that do not have running NTP service.)
Multiple possible verification options were discussed extensively at: https://community.ntppool.org/t/verification-step-to-add-a-server/
Hi Henri, the “official” answer is to log a call via the form on pool.ntp.org: the internet cluster of ntp servers
…but if you message me (I’m a volunteer admin on the pool) the IP addresses on here I can move them to a “locked” list that means they cannot be added back into the pool in future without admin intervention.
(One of the jobs on @ask’s To Do list is to add some process for authentication of new servers before they are added to the pool)
I have sent 2 messages to @ask … I have also tried to manage these servers, but it is impossible to find who added the servers …
The IPs to lock are:
Thank you for the answer.
A lot of ‘solutions’ are difficult to implement on hardware ntp servers like our stratum 1 server.
I can allow/block IPs on the firewall, but it is not a good solution to limit requests …
That is right, it is not a good solution to limit requests. However, blocking predefined IP addresses on the firewall to query the hardware NTP server may enable verification to deny adding a server to the pool.
Hi, I’ve set the netspeed for 22.214.171.124 to zero as a temporary measure. The other two were already in the inactive pool. The person who added 126.96.36.199 has added a number of other servers that don’t look to be theirs so I’ve flagged to @ask.
The result is spectacular on the number of NTP requests and on the firewall load!
I had not thought of this solution. If you know the IP address of the verification servers…
Yes, blocking the monitoring IP address effectively drops the score under 10 in less than an hour and that leads to a drastic decrease of the NTP traffic too.
Is there a list of monitoring IP addresses?
There was… but I think it’s out of date. If you run the traceroute command it originates from 188.8.131.52, so it might be that…
NTP Pool monitoring server is currently monsjc1.ntppool.net (184.108.40.206).
When the new monitoring system is enabled there may be dozens of monitoring IP clients.