= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
In This Chapter
Download and Install The NTP Package
Determining If NTP Is Synchronized Properly
Configuring Cisco Devices To Use An NTP Server
© Peter Harrison, www.linuxhomenetworking.com
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
You can keep accurate time under Linux by synchronizing your system clock with a Network Time Protocol (NTP) Server. A list of available servers may be found at:
http://www.eecis.udel.edu/~mills/ntp/servers.html
Network Time Protocol (NTP) is a protocol used to help synchronize your system clock with an accurate time source. There are a number of "Stratum 1" (NTP sites using an atomic clock for timing) and "Stratum 2" (NTP sites with slightly less accurate time sources) sites that allow the general public to synchronize with them. It is good practice to have at least one server on your network act as the local time server for all your other devices; this makes the correlation of system events on different systems much easier.
There are a number of freely available NTP client programs for Windows. You can use them to practice with your new NTP server.
Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn’t hard. If you need a refresher, the chapter on RPMs covers how to do this in detail.
· The latest version of the RPM for RedHat 8.0 is:
ntp-4.1.1-1.i386.rpm
· Install the package using the following command:
[root@bigboy tmp]# rpm -Uvh ntp-4.1.1-1.i386.rpm
/etc/ntp.conf is the main configuration file for Linux NTP, in which you place the IP addresses or hostnames of the stratum 1 and stratum 2 servers you want to use. Here is a sample of a home configuration using a pair of sample Internet based NTP servers:
· First we specify the servers we’re interested in:
server otherntp.server.org # A stratum 1 server at server.org
server ntp.research.gov # A stratum 2 server at research.gov
· Then we restrict the type of access we allow these servers. In this example we're not allowing them to modify or query our Linux NTP server.
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery
The mask statement 255.255.255.255 is really a subnet mask limiting access to the single IP address of the remote NTP servers.
· Now list the NTP clients on our home network which should be querying our server for the time (notice that the noquery has been removed):
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
In this case the mask statement has been expanded to include all 255 possible IP addresses on our local network.
· We also want to make sure that localhost (the loopback address 127.0.0.1, which a Linux server uses to refer to itself) has full access without any restricting keywords:
restrict 127.0.0.1
· Last, but most importantly, you need to make sure the default restrict statement is removed. It will override all other restrict statements and you’ll find your NTP server will only be communicating properly with itself. If the line is there, comment it out like this:
#restrict default ignore
· Save the file
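The restrict mistakes described above (an active restrict default ignore line, an upstream server with no restrict line or without nomodify and noquery, localhost left out) are easy to check for before restarting ntpd. The following checker is an added example written for this chapter, not part of the original page or of the NTP distribution; the SAMPLE_CONF text is a constructed file that deliberately contains two of those mistakes.

```python
"""Lint an /etc/ntp.conf for the restrict mistakes this chapter warns about."""
from typing import List

# Constructed sample: the chapter's configuration with the default-ignore line
# accidentally left active and one upstream server missing its restrict line.
SAMPLE_CONF = """\
server otherntp.server.org        # A stratum 1 server at server.org
server ntp.research.gov           # A stratum 2 server at research.gov
restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1
restrict default ignore
"""


def lint_ntp_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means the file looks sane."""
    servers: List[str] = []
    restricts = {}                       # address -> set of restrict keywords
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if parts[0] == "server" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "restrict" and len(parts) > 1:
            restricts[parts[1]] = set(parts[2:])

    findings = []
    default = restricts.get("default", set())
    if "ignore" in default:
        findings.append("restrict default ignore is active: ntpd will only talk to itself")
    for srv in servers:
        flags = restricts.get(srv)
        if flags is None:
            findings.append(f"no restrict line for server {srv}")
        elif not {"nomodify", "noquery"} <= flags:
            findings.append(f"restrict for {srv} should carry nomodify and noquery")
    # A restricted default only hurts localhost when localhost has no line of its own.
    if "default" in restricts and "127.0.0.1" not in restricts:
        findings.append("restrict default is set but 127.0.0.1 has no unrestricted line")
    return findings
```

Running lint_ntp_conf on SAMPLE_CONF reports the active default ignore line and the missing restrict line for ntp.research.gov; comment the first out and add the second and the list comes back empty.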
· Run the following command twice for each new server added to /etc/ntp.conf. The first run steps the clock to the server's time; the second should show only a small adjustment, confirming the server is reachable:
[root@bigboy tmp]# ntpdate otherntp.research.gov
24 Mar 18:16:36 ntpdate[10254]: step time server 200.100.20.10 offset -15.266188 sec
[root@bigboy tmp]# ntpdate otherntp.research.gov
24 Mar 18:16:43 ntpdate[10255]: adjust time server 200.100.20.10 offset -0.000267 sec
· To get NTP configured to start at boot:
[root@bigboy tmp]# chkconfig --level 35 ntpd on
· To start/stop/restart NTP after booting:
[root@bigboy tmp]# /etc/init.d/ntpd start
[root@bigboy tmp]# /etc/init.d/ntpd stop
[root@bigboy tmp]# /etc/init.d/ntpd restart
Remember to restart the NTP process every time you make a change to the conf file, so that the changes take effect on the running process.
· You can test whether the NTP process is running with the following command. You should get a response of plain old process ID numbers:
[root@bigboy tmp]# pgrep ntpd
· Use the following command to see the servers with which you are synchronized:
[root@bigboy tmp]# ntpq -p
Sample output:
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377   31.681  -18.549   1.572
 milo.mcs.anl.go ntp0.mcs.anl.go  2 u  818 1024  125   41.993  -15.264   1.392
-mailer1.psc.edu ntp1.usno.navy.  2 u  972 1024  377   38.206   19.589  28.028
-dr-zaius.cs.wis ben.cs.wisc.edu  2 u  502 1024  357   55.098    3.979   0.333
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
-ntp0.cis.strath harris.cc.strat  3 u  507 1024  377  115.274   -5.025   1.642
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
 ntp1.conectiv.c 0.0.0.0         16 u    - 1024    0    0.000    0.000 4000.00
· A telltale sign that you haven’t got proper synchronization is when all the remote servers have jitters of 4000 with delay and reach values of zero.
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
This could be caused by:
o The restrict default ignore statement in the /etc/ntp.conf file not being commented out.
o A firewall blocking access to your Stratum 1 and 2 NTP servers
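The ntpq -p telltale signs just described (no server marked with * as the system peer; every remote server at stratum 16 with reach 0, delay 0 and jitter 4000) can be checked automatically, for example from a monitoring job. The parser below is an added example written for this chapter, not part of the page or of the ntp package; the two output samples are constructed to resemble the synchronized and unsynchronized tables shown above.

```python
"""Parse `ntpq -p` output and decide whether ntpd has actually synchronized."""
from typing import Dict, List

# Constructed samples modelled on the chapter's ntpq -p output.
UNSYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
"""

SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347   54.127    3.379   0.047
*clock.via.net   .GPS.            1 u  426 1024  377  107.424   -3.018   2.534
"""


def parse_peers(output: str) -> List[Dict]:
    """Turn the peer table into dicts; column 1 is the tally code (* + - or blank)."""
    peers = []
    for line in output.splitlines()[2:]:          # skip the header and the ==== rule
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        peers.append({
            "tally": tally, "remote": remote, "refid": refid, "stratum": int(st),
            "reach": int(reach, 8),   # octal shift register of the last 8 polls
            "delay": float(delay), "offset": float(offset), "jitter": float(jitter),
        })
    return peers


def sync_problems(output: str) -> List[str]:
    """Apply the chapter's signs of a server that is not synchronized."""
    peers = parse_peers(output)
    remote = [p for p in peers if not p["remote"].startswith("LOCAL")]
    problems = []
    if not any(p["tally"] == "*" for p in peers):
        problems.append("no system peer selected (no '*' in the tally column)")
    dead = [p["remote"] for p in remote
            if p["reach"] == 0 and p["delay"] == 0.0 and p["jitter"] >= 4000]
    if remote and len(dead) == len(remote):
        problems.append("all remote servers unreachable: " + ", ".join(dead))
    return problems
```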
Here are the commands you would use to make your router synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201. An explanation of the commands used follows.
ciscorouter> enable
password: *********
ciscorouter# config t
ciscorouter(config)# ntp update-calendar
ciscorouter(config)# ntp server 192.168.1.100
ciscorouter(config)# ntp server 192.168.1.201
ciscorouter(config)# exit
ciscorouter# wr mem
o ntp server: Forms a server association with another system.
o ntp update-calendar: Configures the system to update its hardware clock from the software clock at periodic intervals.
Here are the commands you would use to make your switch synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201. An explanation of the commands used follows.
ciscoswitch> enable
password: *********
ciscoswitch# set ntp client enable
ciscoswitch# ntp server 192.168.1.100
ciscoswitch# ntp server 192.168.1.201
ciscoswitch# exit
o ntp server: Forms a server association with another system.
o set ntp client enable: Activate the NTP client
NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't a high port (i.e. greater than 1023) but 123 as well. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing.
A sample Linux iptables firewall script snippet is in the Appendix.