
I'm having major woes trying to get NTP working on several Ubuntu 12.04 servers. Note this is NTP to keep the time set on those servers, not to distribute the time! I've installed several of those machines as VirtualBox VMs and the behaviour is the same across all of them. They are working fine for all other tasks, namely Web/SSH servers. They can reach the outside, the outside can reach them, and the iptables firewall config should allow NTP as well:

```
# Accept all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
```

Looking at the output of starting the ntp server:

```
me@machine:~$ sudo service ntp start
 * Starting NTP server ntpd                                [ OK ]
me@machine:~$ ps aux | grep ntp
ntp 10152  0.0  0.4  37780  2160 ? Ss 04:17 0:06 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:114
```

Then looking at ntp entries in syslog:

```
Feb  5 20:17:36 machine ntpd[10151]: ntpd 4.2.6p3@1.2290-o Tue Jun  5 20:12:08 UTC 2012 (1)
Feb  5 20:17:36 machine ntpd[10152]: proto: precision = 0.392 usec
Feb  5 20:17:36 machine ntpd[10152]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
Feb  5 20:17:36 machine ntpd[10152]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
Feb  5 20:17:36 machine ntpd[10152]: Listen and drop on 1 v6wildcard :: UDP 123
Feb  5 20:17:36 machine ntpd[10152]: Listen normally on 2 lo 127.0.0.1 UDP 123
Feb  5 20:17:36 machine ntpd[10152]: Listen normally on 3 eth0 XX.XX.XX.XX UDP 123
Feb  5 20:17:36 machine ntpd[10152]: Listen normally on 4 lo ::1 UDP 123
Feb  5 20:17:36 machine ntpd[10152]: Listen normally on 5 eth0 ffff::fff:fff:767 UDP 123
Feb  5 20:17:36 machine ntpd[10152]: peers refreshed
Feb  5 20:17:36 machine ntpd[10152]: Listening on routing socket on fd #22 for interface updates
```

Nothing out of the ordinary there it seems. But the time on the machines is still out, and the drift files are not being written.

So let's look at ntpq output:

```
me@machine:~$ sudo ntpq -p
ntpq: read: Connection refused
```

Well crap. What's going on here? ntp server is running, the port is not being blocked by iptables. So let's look at /etc/ntp.conf (all comments removed):

```
driftfile /var/lib/ntp/ntp.drift
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

server ntp.ubuntu.com

restrict 127.0.0.1
restrict ::1
```

Again, nothing odd in there I think. So let's try and have a look at someone else's time server:

```
me@machine:~$ ntpdate -q
 6 Feb 06:15:13 ntpdate[15084]: no servers can be used, exiting
```

Ok, so Google revealed that ntpdate is not using the config file, and tells us to use ntpdate-debian instead:

```
me@machine:~$ ntpdate-debian -q
server 169.229.70.183, stratum 0, offset 0.000000, delay 0.00000
server 204.2.134.163, stratum 0, offset 0.000000, delay 0.00000
server 216.37.64.2, stratum 0, offset 0.000000, delay 0.00000
server 15.185.186.215, stratum 0, offset 0.000000, delay 0.00000
server 142.54.181.202, stratum 0, offset 0.000000, delay 0.00000
server 198.55.111.50, stratum 0, offset 0.000000, delay 0.00000
server 67.227.252.196, stratum 0, offset 0.000000, delay 0.00000
server 108.61.73.243, stratum 0, offset 0.000000, delay 0.00000
server 75.98.226.178, stratum 0, offset 0.000000, delay 0.00000
server 173.230.149.23, stratum 0, offset 0.000000, delay 0.00000
server 205.133.32.18, stratum 0, offset 0.000000, delay 0.00000
server 69.50.219.51, stratum 0, offset 0.000000, delay 0.00000
server 67.212.118.201, stratum 0, offset 0.000000, delay 0.00000
server 67.217.112.181, stratum 0, offset 0.000000, delay 0.00000
server 174.36.71.205, stratum 0, offset 0.000000, delay 0.00000
server 198.60.22.240, stratum 0, offset 0.000000, delay 0.00000
server 91.189.94.4, stratum 0, offset 0.000000, delay 0.00000
server 91.189.89.199, stratum 0, offset 0.000000, delay 0.00000
 6 Feb 06:15:32 ntpdate[15087]: no server suitable for synchronization found
```

Good heavens, Jesus, Joseph, Mary and the donkey! What on earth is going on here? Does anyone have any clue as to why none of those Debian/Ubuntu VMs can synch NTP time?

Balthasar
  • What happens when you run `ntpdate -d -v us.pool.ntp.org`? Your syslog paste is missing some info. You did not paste enough of it. It does not give any info about trying to connect to ntp.ubuntu.com – dfc Feb 06 '14 at 20:06
  • There's nothing more in the syslog, it never falls through to the backup server ntp.ubuntu.com. I have however got it to work on the (identical) VM that is not with that colocation provider. That along with the debug output and the fact that the same error occurs on OS X machines hosted with them leads me to believe that they are blocking NTP traffic. Their support which usually responds within 1 hour has been silent for 8 hours+ now… Abbreviated output from ntpdate follows: – Balthasar Feb 06 '14 at 21:13
  • No formatting possible in responses apparently… `me@machine:~$ ntpdate -d -v us.pool.ntp.org 6 Feb 20:54:03 ntpdate[5264]: ntpdate 4.2.6p3@1.2290-o Tue Jun 5 20:12:09 UTC 2012 (1) host found : krillin.ecansol.net transmit(50.23.135.154) 50.23.135.154: Server dropped: no data server 50.23.135.154, port 123 stratum 0, precision 0, leap 00, trust 000 transmitted 4, in filter 4 filter offset: 0.000000 0.000000 0.000000 0.000000 delay 0.00000, dispersion 64.00000 offset 0.000000 6 Feb 20:54:11 ntpdate[5264]: no server suitable for synchronisation found` – Balthasar Feb 06 '14 at 21:16
  • The ISP just confirmed that this is what's happening, they've shut down UDP 123 IN/OUT of their entire network due to the reflection attacks. – Balthasar Feb 06 '14 at 22:29
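
An added example, not part of the original question or its comments: a minimal SNTP probe in Python that separates the three outcomes that matter for the diagnosis reached in this thread, namely a valid reply, an ICMP refusal, and silence (what a network dropping UDP 123 produces). The function names and the 3-second default timeout are assumptions of this example.

```python
import socket
import struct
import sys

NTP_EPOCH_DELTA = 2208988800  # seconds between 1900-01-01 (NTP) and 1970-01-01 (Unix)

def build_request():
    # First byte 0x1B: LI=0, VN=3, Mode=3 (client); the other 47 bytes are zero.
    return bytes([0x1B]) + bytes(47)

def parse_reply(data):
    """Decode the header fields and transmit timestamp of an NTP packet."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    flags, stratum = data[0], data[1]
    tx_sec, tx_frac = struct.unpack("!II", data[40:48])
    return {
        "leap": flags >> 6,
        "version": (flags >> 3) & 0x7,
        "mode": flags & 0x7,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_EPOCH_DELTA + tx_frac / 2**32,
    }

def probe(host, port=123, timeout=3.0):
    """Send one client packet; return ('reply'|'refused'|'no-reply'|'error: ...', fields)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))  # a connected UDP socket reports ICMP errors
            s.send(build_request())
            return "reply", parse_reply(s.recv(512))
        except socket.timeout:
            return "no-reply", None  # dropped silently somewhere on the path
        except ConnectionRefusedError:
            return "refused", None   # ICMP port unreachable came back
        except (OSError, ValueError) as exc:
            return "error: %s" % exc, None

if __name__ == "__main__":
    for host in sys.argv[1:]:  # e.g. the servers listed in /etc/ntp.conf
        print(host, *probe(host))
```

A `no-reply` result from every server while other outbound traffic works corresponds to the `Server dropped: no data` lines in the `ntpdate -d` output quoted above; running the same probe from a host on a different network tells local configuration apart from upstream filtering.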
