To configure a Linux computer as a basic NTP server, we need to go through the following steps:
Installing the NTP package
For CentOS, Red Hat and Fedora distributions
yum install ntp
For Ubuntu and Debian distributions
apt-get install ntp
or
sudo apt-get install ntp
Configuring the NTP service
With your favorite text editor open the file /etc/ntp.conf to perform the following:
Specifying our external servers for time synchronization
Our time source (or sources) is specified in the lines starting with server. These are the servers to which our local server synchronizes. Here is an example:
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
Default server addresses vary according to the Linux distribution. You can use the default ones or specify the NTP server of your preference. It is recommended to use the servers for your country or region listed on the pool.ntp.org server page: http://support.ntp.org/bin/view/Servers/NTPPoolServers.
It is recommended that more than one NTP server is configured, for redundancy in case one of the servers fails.
You might have noticed the word iburst in every line. The iburst option reduces the time needed for the initial synchronization, and it is the default option.
The specified servers are used in a round-robin fashion. If you wish to use one server above the others, add the option prefer at the end of its server line, like this:
server 0.centos.pool.ntp.org prefer
Allow clients restricted time synchronization with our time server
If you want to allow any client to synchronize to your NTP server just add the line
restrict default kod nomodify notrap nopeer noquery
- default: every client
- kod: if access is denied, send a “kiss of death” packet. It is used to prevent abuse of the server.
- nomodify: clients cannot modify the server
- notrap: prevents ntpdc control message protocol traps
- nopeer: deny packets trying to establish a peer association
- noquery: clients cannot query status information from our server (such as our operating system or NTP server version); however, they can still get time synchronization from our NTP server. If you want to block time synchronization as well, add the option noserve.
Allow localhost IP to perform any function in the NTP server
The localhost IP 127.0.0.1 is often used for administrative functions; hence, to bypass the “default” restrict policy, add:
restrict 127.0.0.1
restrict ::1
The above lines give the localhost IP address unrestricted access to the NTP server operations.
Specifying the Location of the Drift File
The driftfile keeps track of clock deviations.
driftfile /var/lib/ntp/ntp.drift
That’s pretty much it for a basic configuration, but let’s just add some extra features for security. (This post doesn’t cover advanced security options like authentication).
Allow only specific clients to synchronize with our NTP server
If you added the noserve option to the restrict default line, you will want to add the specific hosts or networks which are allowed to synchronize with your server. They are usually hosts or networks in your LAN, or otherwise known devices. For example:
To allow the network 10.10.10.0/24 to query your NTP server, add the following line:
restrict 10.10.10.0 mask 255.255.255.0 nomodify notrap nopeer
To allow the specific host 10.10.10.2 to query your NTP server, add the following line:
restrict 10.10.10.2 nomodify notrap nopeer
(no mask is given, so mask 255.255.255.255 is assumed)
That network and that host would be able to query your server for time sync and get status information from your server.
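The restrict default line above is the one that protects the server from arbitrary Internet clients, and the per-host lines are the ones that hand out more access; a line that loses noquery or nomodify during an edit is easy to miss. The following script is an added example, not part of the original post: it audits every restrict default (and restrict -6 default) line of an ntp.conf for the four flags recommended above. The two sample configurations it writes are constructed for this example; point audit_restrict at a real /etc/ntp.conf instead.

```shell
#!/bin/sh
# Added example, not part of the original post: audit the "restrict" lines of
# an ntp.conf so a weakened "restrict default" line does not go unnoticed.
# The two sample configurations written by write_sample_conf are constructed
# for this example; point audit_restrict at a real /etc/ntp.conf instead.

# Write a constructed sample ntp.conf. $1 = output path, $2 = good | weak.
write_sample_conf() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 10.10.10.0 mask 255.255.255.0 nomodify notrap nopeer  # LAN may query
driftfile /var/lib/ntp/ntp.drift
EOF
    else
        cat > "$1" <<'EOF'
server 0.pool.ntp.org iburst
# noquery was dropped from the IPv4 default line: any Internet host can now
# pull status information from this server.
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
driftfile /var/lib/ntp/ntp.drift
EOF
    fi
}

# Check every "restrict default" / "restrict -6 default" line in $1 for the
# four flags the post recommends. Prints one verdict per line and returns 0
# only when all of them carry nomodify, notrap, nopeer and noquery.
audit_restrict() {
    conf="$1"
    status=0
    found=0
    old_ifs="$IFS"
    IFS='
'
    # Drop comments, squeeze whitespace, keep only the default restrict lines.
    for line in $(sed 's/#.*//' "$conf" | tr -s '[:blank:]' ' ' \
                  | grep -E '^ ?restrict (-[46] )?default' || true); do
        found=1
        missing=""
        for flag in nomodify notrap nopeer noquery; do
            case " $line " in
                *" $flag "*) ;;
                *) missing="$missing $flag" ;;
            esac
        done
        if [ -n "$missing" ]; then
            echo "WEAK: '$line' lacks:$missing"
            status=1
        else
            echo "OK:   '$line'"
        fi
    done
    IFS="$old_ifs"
    if [ "$found" -eq 0 ]; then
        echo "WEAK: no 'restrict default' line; every client gets full access"
        status=1
    fi
    return "$status"
}

# Run the audit over both constructed samples and show the verdicts.
demo() {
    dir=$(mktemp -d)
    for kind in good weak; do
        write_sample_conf "$dir/$kind.conf" "$kind"
        echo "== $kind.conf"
        if audit_restrict "$dir/$kind.conf"; then
            echo "result: PASS"
        else
            echo "result: FAIL"
        fi
    done
    rm -rf "$dir"
}
demo
```

The audit deliberately ignores the per-host and localhost restrict lines: those are supposed to be more permissive, and what matters is that the default line, which applies to everyone else, stays closed. Running it before restarting ntpd after every edit is a cheap way to keep the server from becoming an open status or control endpoint.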
Using Local Clock as Backup
In case your server loses access to the Internet, it is a good idea to fail over to the server's internal clock.
server 127.127.1.0
fudge 127.127.1.0 stratum 12
(127.127.1.0 is the NTP server's own pseudo address for its local clock)
Use a stratum between 10 and 15 so the local clock is never selected unless no external server is reachable.
Configuring Logging Parameters
Specify a file path for the logs; although not mandatory, it is very useful for debugging:
logfile /var/log/ntp.log
A complete basic /etc/ntp.conf should look like this (as you can imagine, the lines containing -6 are intended for the IPv6 protocol):
server 127.127.1.0
fudge 127.127.1.0 stratum 12
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
Starting the NTP Service
For CentOS and RHEL/Red Hat distributions
/etc/init.d/ntpd start
or
service ntpd start
For Debian and Ubuntu distributions (notice there’s a d missing)
/etc/init.d/ntp start
or
service ntp start
For Fedora and CentOS/Red Hat/RHEL 7 distributions
systemctl start ntpd.service
The system will start synchronizing.
Verifying the NTP operation
Enter the command:
# ntpq -p
And you will see an output similar to the following:
Values will change over time. The entry marked with the * is the server currently in use. If you see errors or no server association after a few minutes, the NTP service has probably not started. Review the log file to obtain more information.
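Reading ntpq -p by eye works for one server, but the same three facts (which peer carries the *, which peers have a reach of 0, and whether anything is selected at all) are what a monitoring check should report. The script below is an added example, not part of the original post: it parses saved ntpq -p output and prints a per-peer verdict. The sample output it writes is constructed for this example; on a real server feed the functions a file produced with ntpq -p > /tmp/ntpq.txt.

```shell
#!/bin/sh
# Added example, not part of the original post: read saved "ntpq -p" output
# and report which peer is selected and which peers are not answering.
# The sample output below is constructed for this example; on a real server
# feed the functions a file produced with: ntpq -p > /tmp/ntpq.txt

# Write constructed "ntpq -p" output to $1. Column 1 starts with the tally
# code: '*' = selected source, '+' = candidate, ' ' = discarded or unreached.
write_sample_ntpq() {
    cat > "$1" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.net .GPS.            1 u   34   64  377    1.234   -0.567   0.089
+time2.example.net 192.0.2.10       2 u   40   64  377   12.345    0.321   0.456
 time3.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000
 LOCAL(0)        .LOCL.          12 l   50   64  377    0.000    0.000   0.000
EOF
}

# Print the remote marked with '*' (the source ntpd is currently using).
ntp_selected_peer() {
    awk '/^\*/ { r = $1; sub(/^\*/, "", r); print r; exit }' "$1"
}

# Print peers whose reach register is 0: no reply in the last eight polls.
ntp_unreached_peers() {
    awk 'NR > 2 && NF >= 10 && $7 == 0 {
             tally = substr($0, 1, 1); r = $1
             if (tally != " ") sub(/^./, "", r)
             print r
         }' "$1"
}

# One line per peer with its reach state; returns 0 only if a '*' peer exists.
# reach is an octal shift register of the last eight polls: 377 = all answered.
ntp_check() {
    awk 'NR > 2 && NF >= 10 {
             tally = substr($0, 1, 1); r = $1
             if (tally != " ") sub(/^./, "", r)
             state = ($7 == 0) ? "UNREACHED" : ($7 == 377 ? "steady" : "partial")
             printf "%-20s reach=%-3s %s%s\n", r, $7, state, (tally == "*" ? " <- selected" : "")
             if (tally == "*") selected = 1
         }
         END { exit selected ? 0 : 1 }' "$1"
}

# Run the checks over the constructed sample.
demo() {
    f=$(mktemp)
    write_sample_ntpq "$f"
    if ntp_check "$f"; then
        echo "selected source: $(ntp_selected_peer "$f")"
    else
        echo "no selected source yet: check that ntpd is running and read the log"
    fi
    rm -f "$f"
}
demo
```

A peer that stays at reach 0 for more than a few poll intervals is the symptom the post describes (service not started, or the server unreachable through a firewall), while a reach that hovers between 0 and 377 points at intermittent packet loss rather than a configuration error.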
Sync the local clock with the external NTP server for the first time
Issue the following command:
ntpdate -u 18.26.4.105
(or any server your NTP server is syncing to)
Make the NTP service start when the computer boots
To add the ntp service to the list of daemons which start at startup:
For CentOS and RHEL/Red Hat distributions
chkconfig ntpd on
For Debian and Ubuntu distributions (notice there’s a d missing)
systemctl enable ntp.service
or for Debian Jessie (Debian 8)
systemctl enable ntp
For Fedora and CentOS/Red Hat/RHEL 7 distributions
systemctl enable ntpd