Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Thu Feb 18, 2016 1:08 pm Post subject: [SOLVED] NTPd refuse connection from localhost |
|
|
Hello,
Using Gentoo AMD64 up-to-date, I'm having trouble connecting to ntpd from localhost.
Code: |
# netstat -an | grep 123
udp 0 0 87.98.138.80:123 0.0.0.0:*
udp 0 0 87.98.140.248:123 0.0.0.0:*
udp 0 0 91.121.50.194:123 0.0.0.0:*
udp 0 0 176.31.253.63:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp6 0 0 fe80::3a60:77ff:fe4:123 :::*
udp6 0 0 2001:41d0:8:e3f::1:123 :::*
udp6 0 0 2001:41d0:8:e3f::2:123 :::*
udp6 0 0 2001:41d0:8:e3f::4:123 :::*
udp6 0 0 ::1:123 :::*
udp6 0 0 :::123 :::*
# ntpdc -c iostats
localhost: timed out, nothing received
***Request timed out
# /usr/bin/ntpq -c rv
localhost: timed out, nothing received
***Request timed out
|
/etc/conf.d/ntp-client
Code: |
# /etc/conf.d/ntp-client
# Command to run to set the clock initially
# Most people should just leave this line alone ...
# however, if you know what you're doing, and you
# want to use ntpd to set the clock, change this to 'ntpd'
NTPCLIENT_CMD="ntpdate"
# Options to pass to the above command
# This default setting should work fine but you should
# change the default 'pool.ntp.org' to something closer
# to your machine. See http://www.pool.ntp.org/ or
# try running `netselect -s 3 pool.ntp.org`.
NTPCLIENT_OPTS="-s -b -u ntp.unice.fr ntp.imag.fr" |
/etc/conf.d/ntpd
Code: |
# /etc/conf.d/ntpd
# Options to pass to the ntpd process
# Most people should leave this line alone ...
# however, if you know what you're doing, feel free to tweak
NTPD_OPTS="-g -u ntp:ntp" |
/etc/ntp.conf
Code: |
# NOTES:
# - you should only have to update the server line below
# - if you start getting lines like 'restrict' and 'fudge'
# and you didnt add them, AND you run dhcpcd on your
# network interfaces, be sure to add '-Y -N' to the
# dhcpcd_ethX variables in /etc/conf.d/net
# Name of the servers ntpd should sync with
# Please respect the access policy as stated by the responsible person.
#server ntp.example.tld iburst
# Common pool for random people
#server pool.ntp.org
server ntp.unice.fr
server ntp.imag.fr
server 0.fr.pool.ntp.org
server 1.fr.pool.ntp.org
server 2.fr.pool.ntp.org
server 3.fr.pool.ntp.org
##
# A list of available servers can be found here:
# http://www.pool.ntp.org/
# http://www.pool.ntp.org/#use
# A good way to get servers for your machine is:
# netselect -s 3 pool.ntp.org
##
# you should not need to modify the following paths
driftfile /var/lib/ntp/ntp.drift
# Warning: Using default NTP settings will leave your NTP
# server accessible to all hosts on the Internet.
# If you want to deny all machines (including your own)
# from accessing the NTP server, uncomment:
#restrict default ignore
# To deny other machines from changing the
# configuration but allow localhost:
restrict default kod nomodify nopeer notrap noquery
restrict 127.0.0.1
# To allow machines within your network to synchronize
# their clocks with your server, but ensure they are
# not allowed to configure the server or used as peers
# to synchronize against, uncomment this line.
#
#restrict 192.168.0.0 mask 255.255.255.0 nomodify nopeer notrap
logfile /var/log/ntp.log |
I got nothing in the logs.
Any idea?
Thanks,
Last edited by Shadow AOK on Wed Feb 24, 2016 11:09 am; edited 2 times in total |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Thu Feb 18, 2016 4:37 pm Post subject: |
|
|
Well, telnet localhost 123 attempts a TCP connection, but NTP is listening only on UDP ports so that doesn't work...
_________________
Intel Core i7 2700K/Radeon R7 250/24GB DDR3/256GB SSD
What am I supposed watching? |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Thu Feb 18, 2016 4:40 pm Post subject: |
|
|
Indeed.
Okay, so port 123 is open on localhost, but that doesn't tell me why ntpq doesn't work. |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Thu Feb 18, 2016 4:41 pm Post subject: |
|
|
Where did you get ntpq? I did not get it installed on my Gentoo machine with the openntpd package. |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Thu Feb 18, 2016 4:47 pm Post subject: |
|
|
Ah great I installed the wrong package... At least the BSD version I have is smaller... |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Thu Feb 18, 2016 4:47 pm Post subject: |
|
|
And it doesn't help |
|
eccerr0r Watchman
Joined: 01 Jul 2004 Posts: 9679 Location: almost Mile High in the USA
|
Posted: Thu Feb 18, 2016 4:49 pm Post subject: |
|
|
Well, you could try openntpd (but not advocating it, use whichever you want). Due to a sheer mistake I'm using openntpd and at least my machine seems to sync ntp client/server... at least it seems to work. |
|
Syl20 l33t
Joined: 04 Aug 2005 Posts: 619 Location: France
|
Posted: Fri Feb 19, 2016 10:38 am Post subject: Re: NTPd refuse connection from localhost |
|
|
Shadow AOK wrote: | Using Gentoo AMD64 up-to-date, I'm having trouble connecting to ntpd from localhost. |
No problem here, with a more restrictive configuration:
Code: |
$ cat /etc/ntp.conf
server 192.168.1.1
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
restrict 127.0.0.1
restrict 192.168.1.1 nomodify nopeer notrap
restrict default ignore
$ ntpq -pn
remote refid st t when poll reach delay offset jitter
==============================================================================
*192.168.1.1 194.57.169.1 3 u 993 1024 377 0.106 -0.273 1.003
# equery u ntp
[ Legend : U - final flag setting for installation]
[ : I - package is installed with flag ]
[ Colors : set, unset ]
* Found these USE flags for net-misc/ntp-4.2.8_p6:
U I
- - caps : Use Linux capabilities library to control privilege
- - debug : Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful
backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
- - ipv6 : Add support for IP version 6
- - openntpd : Allow ntp to be installed alongside openntpd
+ + parse-clocks : Add support for PARSE clocks
+ + readline : Enable support for libreadline, a GNU line-editing library that almost everyone wants
- - samba : Provide support for Samba's signing daemon (needed for Active Directory domain controllers)
- - snmp : Add support for the Simple Network Management Protocol if available
+ + ssl : Add support for Secure Socket Layer connections
+ + threads : Add threads support for various packages. Usually pthreads
- - vim-syntax : Pulls in related vim syntax scripts
- - zeroconf : Support for DNS Service Discovery (DNS-SD) |
Did you upgrade glibc? If so, did you restart the computer after? |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Fri Feb 19, 2016 10:42 am Post subject: |
|
|
I upgraded glibc but I still need to reboot.
But I think I had the issue before the upgrade.
I'll reboot in an hour and try again. |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Mon Feb 22, 2016 10:15 am Post subject: |
|
|
Rebooted and it didn't help. |
|
Syl20 l33t
Joined: 04 Aug 2005 Posts: 619 Location: France
|
Posted: Tue Feb 23, 2016 10:59 am Post subject: |
|
|
Could you launch ntpd in debug mode, and test the connection in another terminal?
Code: |
# service ntpd stop
# ntpd -g -u ntp:ntp -dD 3 |
|
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Tue Feb 23, 2016 2:47 pm Post subject: |
|
|
Tried, and I don't have any more info in the logs or on the screen. |
|
freke l33t
Joined: 23 Jan 2003 Posts: 977 Location: Somewhere in Denmark
|
Posted: Tue Feb 23, 2016 4:16 pm Post subject: |
|
|
No idea if ntpq/ntpdc defaults to IPv6 or IPv4?
Could try ntpq -c rv 127.0.0.1?
Alternatively add 'restrict ::1' to ntp.conf for IPv6? |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Tue Feb 23, 2016 4:17 pm Post subject: |
|
|
No idea, but I already tried forcing it to use IPv4.
Both of your solutions didn't change anything.
It's no big deal, but thanks for the help. |
|
Syl20 l33t
Joined: 04 Aug 2005 Posts: 619 Location: France
|
Posted: Wed Feb 24, 2016 10:52 am Post subject: |
|
|
So you see the client attempts in the debug trace? I wondered if the problem could be related to hardening components, like netfilter/iptables, or SELinux, or grsecurity... if you use some of them. But if the ntpd server sees clients' connection attempts, and refuses to answer, this is an ntpd problem. Perhaps re-emerging ntp would help, but I don't think so.
Did you try to temporarily comment out the "restrict default ... " line in ntp.conf? Restrict directives are often the cause of a quiet ntpd daemon. |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Wed Feb 24, 2016 10:54 am Post subject: |
|
|
I tried commenting the restrict line and it works this way. |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Wed Feb 24, 2016 10:57 am Post subject: |
|
|
And it works partially with the restrict lines if I allow the server WAN IP (it's a dedicated server).
It's strange that it uses the WAN IP instead of localhost to talk to ntp through 127.0.0.1.
Quote: | # ntpq -c rv => works
# ntpdc -c iostats
localhost: timed out, nothing received
***Request timed out |
Looks like ntpdc is deprecated anyway.
It's okay, I can do everything with ntpq.
Thanks |
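How the restrict lines from the posted /etc/ntp.conf apply to different query source addresses, as an added example that is not part of the thread. It assumes ntpd applies the most specific matching restrict entry and that an unqualified `default` covers both IPv4 and IPv6; `THREAD_CONF`, the function names and the 203.0.113.10 stand-in for the server's WAN address are constructed for illustration.

```python
import ipaddress

# Restrict lines from the /etc/ntp.conf posted at the top of the thread.
THREAD_CONF = """
restrict default kod nomodify nopeer notrap noquery
restrict 127.0.0.1
"""

def parse_restrict(conf_text):
    """Parse 'restrict' lines into (network, flags) pairs."""
    rules = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        if addr == "default":
            # Assumption: unqualified 'default' covers both address families.
            nets = [ipaddress.ip_network("0.0.0.0/0"),
                    ipaddress.ip_network("::/0")]
        else:
            mask = None
            if len(rest) >= 2 and rest[0] == "mask":
                mask, rest = rest[1], rest[2:]
            # Without a mask the entry is a single host (/32 or /128).
            spec = f"{addr}/{mask}" if mask else addr
            nets = [ipaddress.ip_network(spec, strict=False)]
        rules += [(net, frozenset(rest)) for net in nets]
    return rules

def flags_for(rules, source):
    """Flags of the most specific restrict entry matching the source."""
    src = ipaddress.ip_address(source)
    matches = [(net, fl) for net, fl in rules
               if net.version == src.version and src in net]
    if not matches:
        return frozenset()  # no matching entry: nothing is restricted
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def may_query(rules, source):
    """True if ntpq/ntpdc queries from this source would be answered."""
    return not ({"noquery", "ignore"} & flags_for(rules, source))

if __name__ == "__main__":
    rules = parse_restrict(THREAD_CONF)
    # 203.0.113.10 is a constructed stand-in for the server's WAN address.
    for src in ("127.0.0.1", "::1", "203.0.113.10"):
        print(f"{src:15} query allowed: {may_query(rules, src)}")
```

Only a query whose source address is exactly 127.0.0.1 matches the unrestricted entry; anything else, including ::1 and the host's own public address, falls through to the `noquery` default.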
|
freke l33t
Joined: 23 Jan 2003 Posts: 977 Location: Somewhere in Denmark
|
Posted: Wed Feb 24, 2016 3:08 pm Post subject: |
|
|
Missing loopback-interface?
Actually - probably not since netstat shows listening on 127.0.0.1 and ::1 |
|
Shadow AOK n00b
Joined: 26 Jun 2006 Posts: 48 Location: Lyon, France
|
Posted: Wed Feb 24, 2016 3:25 pm Post subject: |
|
|
Not at all, indeed. |
|