Mikaela
/
shell-things
mirror of https://gitea.blesmrt.net/mikaela/shell-things.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
shell-things/etc/chrony
History
Aminda Suomalainen 0ee83e9a90
chrony/sources: enable xleave with ~everything 
I was unable to find much information about this, but see the previous commit and Brave Leo said

> Yes, it's generally acceptable to use interleaved mode with a public NTP (Network Time Protocol) server, as long as you comply with the server's usage policies. This mode allows for time synchronization while also providing a fallback if the primary time source fails. However, keep in mind that public NTP servers are often subject to heavy traffic, so they may not provide the most accurate or timely synchronization.
 		2024-04-29 06:55:16 +03:00
..
conf.d chrony/conf.d: add .FIXME suffix to ca-certificates.conf, clarifying comments 2023-11-16 20:19:39 +02:00
sources.d chrony/sources: enable xleave with ~everything 2024-04-29 06:55:16 +03:00
README.md run prettier 2023-02-21 17:54:39 +02:00
chrony.conf chrony: cut chrony.d/ into conf.d/ and sources.d/ 2021-01-29 12:56:38 +02:00

README.md

Chrony config files

For some reason Debian package for Chrony doesnt include other config files so that has to be done by hand like

confdir /etc/chrony/chrony.d

Windows

Refer to ../../Windows/time/README.md

Other random notes

On pools, the default maxsources is 4 and pools would be resolved until there would be 4 names while the documentation for Telia and Snopyta says they have only 3. Cloudflare again resolves to two per IP version, so I assume that means 2.

Commands of interest:

Chrony itself

Note: -N uses names specified in config instead of reverse name lookupping then.

  • chrony -N activity - what sources are doing
  • chrony -N authdata - can show that server uses NTS
  • chrony -N ntpdata - a lot of data on the servers
  • chronyc offline - offline mode
  • chronyc online - reconnects servers
  • chrony -N sources - used timeservers and their statuses
  • chrony -N tracking - local status (stratum and own clock etc.)

nmap

Checking that something is an NTP server? Needs root:

nmap -sU -p 123 --script=ntp-info 192.168.0.1

Checking that something has NTS?

nmap -p 4460 -Pn ntp.example.net

In GitHub user jauderhos curated NTS list user cadusilva suggests this command instead:

chronyd -Q -t 3 'server NTP_SERVER_HERE iburst nts maxsamples 1'

Firewall configuration

In case local clients or peers are wanted,

ufw allow from 192.168.0.0/16 to any port 123 proto udp
ufw allow from fe80::/10 to any port 123 proto udp

A bit wide 192.168.x.x, but so is conf.d/local-servers,conf and fe80://10 isnt ULA either.