
 

Chapter 23

The NTP Server

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

In This Chapter


What is NTP?

Download and Install The NTP Package

The /etc/ntp.conf File

How To Get NTP Started

Determining If NTP Is Synchronized Properly

Configuring Cisco Devices To Use An NTP Server

Firewalls and NTP

 

 

© Peter Harrison, www.linuxhomenetworking.com

 

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =

You can keep accurate time under Linux by synchronizing your system clock with a Network Time Protocol (NTP) Server. A list of available servers may be found at:

 

http://www.eecis.udel.edu/~mills/ntp/servers.html

 

What is NTP?

Network Time Protocol (NTP) is a protocol for synchronizing your system clock with an accurate time source. A "Stratum 1" server is one directly attached to a reference clock such as an atomic clock or a GPS receiver; a "Stratum 2" server takes its time from a Stratum 1 server and is therefore slightly less accurate. A number of public Stratum 1 and Stratum 2 servers allow the general public to synchronize with them. It is good practice to have at least one server on your network act as the local time server for all your other devices: consistent timestamps across systems make correlating logs and events on different machines much easier, and only that one server needs to reach the Internet for time.


There are a number of freely available NTP client programs for Windows. You can use them to practice with your new NTP server.

Download and Install The NTP Package 

Most RedHat Linux software products are available in the RPM format. Downloading and installing RPMs isn’t hard. If you need a refresher, the chapter on RPMs covers how to do this in detail.

·     The latest version of the RPM for RedHat 8.0 is:

 

ntp-4.1.1-1.i386.rpm

 

·     Install the package using the following command:

 

[root@bigboy tmp]# rpm -Uvh ntp-4.1.1-1.i386.rpm

 

The /etc/ntp.conf File 

This is the main configuration file for Linux NTP, in which you place the names or IP addresses of the stratum 1 and stratum 2 servers you want to use, and the restrict statements that control what other hosts may do to your server. Here is a sample home configuration using a pair of fictitious Internet-based NTP servers:

 

·     First we specify the servers we’re interested in:

 

server  otherntp.server.org    # A stratum 1 server at server.org

server  ntp.research.gov       # A stratum 2 server at research.gov

 

·     Then we restrict what these servers may do to us. They are still allowed to give us the time, but nomodify stops them from changing the running configuration through ntpdc, notrap refuses their control-message trap requests, and noquery stops them from reading our server's status with ntpq or ntpdc. None of these keywords interferes with ordinary time exchange.

 

restrict otherntp.server.org   mask 255.255.255.255 nomodify notrap noquery

restrict ntp.research.gov      mask 255.255.255.255 nomodify notrap noquery

 

The mask statement 255.255.255.255 is really a subnet mask limiting the line to the single IP address each server name resolves to. It is also the default mask for a restrict line, so it could be omitted; it is shown here to make the contrast with the network-wide line below clear.

 

·     Now list the NTP clients on our home network which should be querying our server for the time. Notice that noquery has been removed: it is not needed for the clients to get the time, but removing it lets hosts on the LAN also check the server's status with ntpq.

 

restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap

 

In this case the mask has been widened to cover the whole 192.168.1.0/24 network, all 256 addresses from 192.168.1.0 to 192.168.1.255. The notrust keyword on the ntp 4.1 release used here means that our server will never use any of these hosts as a time source. Be aware that ntpd 4.2 and later changed its meaning to "ignore packets that are not cryptographically authenticated", which would silently cut off these clients; on those versions leave notrust out and use nopeer instead to stop LAN hosts from forming peer associations with you.

·     We also want to make sure that localhost (127.0.0.1, the loopback address a Linux server uses to refer to itself) has full access without any restricting keywords, because ntpq and ntpdc on the server itself talk to ntpd over this address:

 

restrict 127.0.0.1

 

·     Last, but most importantly, check the default restrict statement. The restrict default line applies to every host that is not matched by a more specific restrict line, and the RedHat sample file ships it as "restrict default ignore", which silently discards packets from any such host. If one of your servers resolves to an address other than the one its restrict line covers, or you forgot its restrict line altogether, you'll find your NTP server communicating properly only with itself. If the line is there, comment it out like this, or, if your server is reachable from the Internet, replace it with "restrict default nomodify notrap noquery" so that unlisted hosts can still be served the time but can neither query nor reconfigure ntpd:

 

#restrict default ignore

 

·     Save the file

·     Before starting ntpd, run ntpdate twice against each new server added to /etc/ntp.conf. The first run steps the clock if it is far off; the second should report only a tiny adjustment. Do this while ntpd is stopped, because ntpdate cannot bind to UDP port 123 while ntpd holds it, and ntpd itself refuses to correct an offset of more than 1000 seconds.

 

[root@bigboy tmp]# ntpdate otherntp.server.org

24 Mar 18:16:36 ntpdate[10254]: step time server 200.100.20.10 offset -15.266188 sec

[root@bigboy tmp]# ntpdate otherntp.server.org 

24 Mar 18:16:43 ntpdate[10255]: adjust time server 200.100.20.10 offset -0.000267 sec
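The restrict rules above are easy to get wrong and the failure mode is silent, so here is a small check to run over the file before restarting ntpd. This script is an added example and not part of the chapter; it only understands the "server" and "restrict" line formats used above, and the two configs embedded in it are constructed: a flawed copy of the sample (default ignore line left in, no restrict line for ntp.research.gov) and a fixed one.

```shell
#!/bin/sh
# Added example, not part of the original chapter: lint an ntp.conf for the
# access-control mistakes discussed above before restarting ntpd.
# Assumes the line formats used in the chapter:
#   server   <host>
#   restrict <host|net|default> [mask <m>] <flags...>

# Constructed sample: the chapter's config with two deliberate mistakes.
SAMPLE_CONF='server  otherntp.server.org    # A stratum 1 server at server.org
server  ntp.research.gov       # A stratum 2 server at research.gov
restrict otherntp.server.org   mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1
restrict default ignore'

# Constructed sample: the same file with both mistakes corrected.
FIXED_CONF='server  otherntp.server.org
server  ntp.research.gov
restrict otherntp.server.org   mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov      mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 notrust nomodify notrap
restrict 127.0.0.1
restrict default nomodify notrap noquery'

# Reads a config on stdin, prints one problem per line, returns 1 if any found.
ntp_conf_check() {
    # drop comments and blank lines once, then inspect the tokens with awk
    lines=$(sed -e 's/#.*$//' -e '/^[[:space:]]*$/d')
    problems=0

    # 1. "restrict default ignore" silently drops every host without its own line.
    if printf '%s\n' "$lines" | awk '
        $1 == "restrict" && $2 == "default" { for (i = 3; i <= NF; i++) if ($i == "ignore") hit = 1 }
        END { exit !hit }'; then
        echo "restrict default ignore is active: any server not matched by a restrict line is dropped"
        problems=$((problems + 1))
    fi

    # 2. localhost needs unrestricted access (ntpq -p talks to 127.0.0.1).
    if ! printf '%s\n' "$lines" | awk '$1 == "restrict" && $2 == "127.0.0.1" { hit = 1 } END { exit !hit }'; then
        echo "missing: restrict 127.0.0.1"
        problems=$((problems + 1))
    fi

    # 3. Each upstream server should have a restrict line of its own, so it can
    #    hand us the time but not query or reconfigure our ntpd.
    for srv in $(printf '%s\n' "$lines" | awk '$1 == "server" { print $2 }'); do
        if ! printf '%s\n' "$lines" | awk -v h="$srv" '$1 == "restrict" && $2 == h { hit = 1 } END { exit !hit }'; then
            echo "server $srv has no restrict line (it could query or modify this ntpd)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

echo "checking flawed sample:"
if printf '%s\n' "$SAMPLE_CONF" | ntp_conf_check; then echo "OK"; fi
echo "checking fixed sample:"
if printf '%s\n' "$FIXED_CONF" | ntp_conf_check; then echo "OK"; fi
```

To check the live file, pipe it in: ntp_conf_check < /etc/ntp.conf. The checks mirror the three failure modes described above; a config that passes can still fail for reasons the file cannot show (DNS, firewalls), which is what the ntpq -p check later in the chapter is for.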

 

How To Get NTP Started

·     To get NTP configured to start at boot:

 

[root@bigboy tmp]# chkconfig --level 35 ntpd on

 

·     To start/stop/restart NTP after booting:

 

[root@bigboy tmp]# /etc/init.d/ntpd start
[root@bigboy tmp]# /etc/init.d/ntpd stop
[root@bigboy tmp]# /etc/init.d/ntpd restart

 

Remember to restart the NTP process every time you make a change to the conf file; the running process does not re-read it on its own.

·     You can test whether the NTP process is running with the following command, you should get a response of plain old process ID numbers:

 

[root@bigboy tmp]# pgrep ntpd

 


 

Determining If NTP Is Synchronized Properly 

·     Use the following command to see the servers with which you are synchronized:

 

[root@bigboy tmp]# ntpq -p
 

Sample output:


     remote          refid       st t when poll reach  delay   offset   jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377  31.681  -18.549    1.572
milo.mcs.anl.go  ntp0.mcs.anl.go  2 u  818 1024  125  41.993  -15.264    1.392
-mailer1.psc.edu ntp1.usno.navy.  2 u  972 1024  377  38.206   19.589   28.028
-dr-zaius.cs.wis ben.cs.wisc.edu  2 u  502 1024  357  55.098    3.979    0.333
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347  54.127    3.379    0.047
-ntp0.cis.strath harris.cc.strat  3 u  507 1024  377 115.274   -5.025    1.642
*clock.via.net   .GPS.            1 u  426 1024  377 107.424   -3.018    2.534
ntp1.conectiv.c  0.0.0.0         16 u    - 1024    0   0.000    0.000  4000.00
 

In this output the * marks the server ntpd is currently synchronized to (the system peer), + marks other good candidates, - marks servers rejected as outliers, and a line starting with a space is a peer discarded from selection. The reach column is an octal shift register of the last eight polls; 377 means all eight were answered. A stratum of 16 with a refid of 0.0.0.0 means the peer has never been reached at all.

·     A telltale sign that you haven't got proper synchronization is when all the remote servers show stratum 16, jitters of 4000 and delay and reach values of zero, with no * on any line:

 

     remote           refid      st t when poll reach   delay   offset  jitter

==============================================================================

 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008

 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00

 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00

 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00

 

This could be caused by:

o        The restrict default ignore statement in the /etc/ntp.conf file not being commented out, or a server whose address is not covered by any restrict line

o        A firewall blocking UDP port 123 between you and your Stratum 1 and 2 NTP servers
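Reading the ntpq -p table by eye works for one server, but the same decision can be made by a script, for instance from a monitoring job. The following is an added example, not part of the chapter: it parses the column layout shown above and reports whether there is a system peer, which peers are unreachable (stratum 16 or reach 0) and which have missed polls. The two tables embedded in it are constructed from the healthy and failed outputs above.

```shell
#!/bin/sh
# Added example, not part of the original chapter: decide from "ntpq -p" output
# whether ntpd is synchronized instead of eyeballing the table.
# Assumes the ntpq -p layout shown above: a one-character tally column followed
# by remote, refid, st, t, when, poll, reach, delay, offset, jitter.

# Constructed sample: a healthy server (subset of the table above).
GOOD=$(cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
-jj.cs.umb.edu   gandalf.sigmaso  3 u   95 1024  377  31.681  -18.549    1.572
+taylor.cs.wisc. ben.cs.wisc.edu  2 u  454 1024  347  54.127    3.379    0.047
*clock.via.net   .GPS.            1 u  426 1024  377 107.424   -3.018    2.534
 ntp1.conectiv.c  0.0.0.0         16 u    - 1024    0   0.000    0.000  4000.00
EOF
)

# Constructed sample: the failed case from above (nothing reachable, no *).
BAD=$(cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 LOCAL(0)        LOCAL(0)        10 l    -   64    7    0.000    0.000   0.008
 ntp-cup.externa 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 snvl-smtp1.trim 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
 nist1.aol-ca.tr 0.0.0.0         16 u    -   64    0    0.000    0.000 4000.00
EOF
)

# Reads ntpq -p output on stdin; prints per-peer findings and a summary line;
# exit status 0 only when a system peer (*) is present.
ntpq_status() {
    awk '
    NR <= 2 { next }                       # header line and ===== separator
    {
        tally = substr($0, 1, 1)           # *, +, -, # or a space
        rest  = substr($0, 2)
        sub(/^[ \t]+/, "", rest)
        n = split(rest, f, /[ \t]+/)
        if (n < 10) next                   # not a peer line
        remote = f[1]; st = f[3] + 0; reach = f[7]; jitter = f[10]
        peers++
        if (st == 16 || reach == "0") {
            unreachable++
            printf "unreachable: %s (stratum %d, reach %s, jitter %s)\n", remote, st, reach, jitter
        } else if (reach != "377") {
            # reach is an octal shift register of the last 8 polls; 377 = all answered
            printf "lossy: %s missed some of the last 8 polls (reach %s)\n", remote, reach
        }
        if (tally == "*") { syspeer = remote; sysst = st }
    }
    END {
        if (syspeer != "") {
            printf "SYNCED: system peer %s (stratum %d), %d of %d peers unreachable\n", syspeer, sysst, unreachable, peers
            exit 0
        }
        printf "NOT SYNCED: no system peer (*) among %d peers, %d unreachable\n", peers, unreachable
        exit 1
    }'
}

echo "healthy sample:"; printf '%s\n' "$GOOD" | ntpq_status || true
echo "failed sample:";  printf '%s\n' "$BAD"  | ntpq_status || true
```

On a real server run ntpq -p | ntpq_status; a non-zero exit status is the condition to alert on. Note that right after ntpd starts every peer shows reach 0 for a few polls, so give it several minutes before treating "NOT SYNCED" as a fault.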

 

Configuring Cisco Devices To Use An NTP Server 

Cisco IOS

Here are the commands you would use to make your router synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201. An explanation of the commands used follows.

 

ciscorouter> enable

password: *********

ciscorouter# config t

ciscorouter(config)# ntp update-calendar
ciscorouter(config)# ntp server 192.168.1.100
ciscorouter(config)# ntp server 192.168.1.201
ciscorouter(config)# exit

ciscorouter# wr mem
 

o        ntp server: Forms a server association with another system.

o        ntp update-calendar: Configures the system to update its hardware clock from the software clock at periodic intervals, so the time survives a reload.

To check the result, use show ntp associations (the entry marked with * is the server the router is synchronized to; ~ means configured but not yet selected) and show ntp status, which reports whether the clock is synchronized and at what stratum.

 

CAT OS 

Here are the commands you would use to make a CatOS switch synchronize with NTP servers with IP addresses 192.168.1.100 and 192.168.1.201. Unlike IOS, CatOS has no configuration mode; its configuration commands are entered directly at the enable prompt and are prefixed with set. An explanation of the commands used follows.

 

ciscoswitch> enable
password: *********
ciscoswitch# set ntp client enable
ciscoswitch# set ntp server 192.168.1.100
ciscoswitch# set ntp server 192.168.1.201

ciscoswitch# exit

 

o        set ntp server: Forms a server association with another system.

o        set ntp client enable: Activates the NTP client; without it the server entries are stored but not used.

Firewalls and NTP 

NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't a high port (i.e. greater than 1023) but 123 as well, so server-to-server traffic is 123 to 123 in both directions. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 servers with which you are synchronizing. Clients are a little different: a client running ntpd also sends from port 123, but ntpdate -u and most Windows SNTP clients use an unprivileged source port, so rules for your LAN clients should pin only the destination port. If your server is reachable from the Internet, drop everything else arriving on port 123 so that outside hosts cannot use it as a time server or query ntpd.

A sample Linux iptables firewall script snippet is in the Appendix.
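As a shorter illustration of the rules described in this section (an added example, not the Appendix script), here is a minimal iptables ruleset for a server that synchronizes with two upstream servers and serves the home LAN. The addresses are hypothetical: upstream servers 200.100.20.10 and 200.100.20.11 and LAN 192.168.1.0/24. By default the script only prints the rules it would load, which is also a convenient way to review them before applying.

```shell
#!/bin/sh
# Added example (not the chapter's Appendix script): minimal iptables rules for
# a Linux NTP server that synchronizes with two upstream servers and serves
# clients on the local network.  Hypothetical addresses: upstream servers
# 200.100.20.10 and 200.100.20.11, LAN 192.168.1.0/24.
# The rules are only printed unless the script is run as root with APPLY=1.

APPLY=${APPLY:-0}
UPSTREAM="200.100.20.10 200.100.20.11"
LAN=192.168.1.0/24

# Print the rule, or hand it to iptables when APPLY=1.
rule() {
    if [ "$APPLY" = 1 ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

ntp_firewall_rules() {
    # ntpd-to-ntpd traffic uses port 123 on both ends, so both the source and
    # the destination port are pinned and only the configured upstreams qualify.
    for srv in $UPSTREAM; do
        rule -A OUTPUT -p udp -d "$srv" --sport 123 --dport 123 -j ACCEPT
        rule -A INPUT  -p udp -s "$srv" --sport 123 --dport 123 -j ACCEPT
    done
    # LAN clients: an ntpd client also sends from 123, but ntpdate -u and most
    # SNTP clients pick an unprivileged source port, so only our port is pinned.
    rule -A INPUT  -p udp -s "$LAN" --dport 123 -j ACCEPT
    rule -A OUTPUT -p udp -d "$LAN" --sport 123 -j ACCEPT
    # Anything else arriving for port 123 (Internet hosts using us as a server
    # or probing ntpd with ntpq) is dropped.
    rule -A INPUT -p udp --dport 123 -j DROP
}

ntp_firewall_rules
```

The rules are appended with -A, so they take effect in the order shown: the specific ACCEPT lines must come before the final DROP. On a host that already has a stateful ruleset (ESTABLISHED,RELATED accepted), the OUTPUT lines are redundant but harmless.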