This post only covers NTP server configuration and the things you need to pay attention to when setting up an NTP server.
What NTP server to choose?
You have the following 4 choices when choosing an NTP time source:
- NTP server from the internet: You can synchronize an internal NTP server from publicly available servers on the internet, making it a stratum 2 or 3 server. However, as with any externally provided service, it is also an entry point for attackers. In addition, obtaining time from the internet is less accurate.
- NTP server not reachable from the internet: You can also designate a machine as the time authority, using its internal clock as the arbitrary time source. However, as this time source wanders, all of the NTP clients connected to it will wander with it. While the primary clock could be manually adjusted to the true time occasionally, this would cause all of the clients to jump when the server adjusts. And if a clock is ever adjusted to shift more than 17 minutes, all of the NTP client software will abort due to the sudden time shift.
- Obtain an NTP server appliance to use as a stratum 1 server: This is the easiest choice for providing an accurate, reliable, secure and autonomous UTC-synchronized network.
- Obtain an external time source such as a GPS or CDMA reference to create a stratum 1 server: This external time reference is then connected to an existing server to create a stratum 1 time server. Although this method is more difficult to set up and configure, it will provide an accurate, reliable, secure and autonomous UTC-synchronized network.
Choice #1 is the most popular. This article mainly focuses on #1.
Choosing an NTP server from the internet:
In this scenario we have a local NTP server t1.ca; the other servers tx.ca connect to t1.ca to synchronize their local time, and t1.ca synchronizes its own time from a public NTP server, for example pool.ntp.org. To set up your own NTP server you need to specify a time source in the /etc/ntp.conf file. I suggest using both pool servers and dedicated NTP servers (http://ntp.org/).
Install NTP server:
# yum install ntp
Note that protocol version 1 is deprecated.
Configure NTP:
# vi /etc/ntp.conf

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# remote servers
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

# local peers
peer 10.0.2.15
peer 10.0.2.14

# full access for myself
restrict 127.0.0.1

# local net can query
restrict 192.168.56.0 mask 255.255.255.0 nomodify notrap nopeer

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# To increase the ability to detect and eliminate falsetickers (especially during start)
tos minclock 4 minsane 4
Note: There must be a minimum of 4 upstream time servers to synchronize with, so that the NTP selection algorithm can remove false time servers (falsetickers). But if you put more than 4 upstream NTP servers in /etc/ntp.conf, your machine will take longer to boot.
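As an added example (not code from the original post), here is a small POSIX shell audit that checks an ntp.conf for the two points above: that the default restrict lines carry noquery and nomodify, so remote hosts can neither read daemon state nor reconfigure it, and that at least four real upstream sources are configured, so the selection algorithm can outvote a falseticker. The two sample configs and the function names are constructed for this demonstration; the reference-clock address 127.127.1.0 is excluded from the upstream count because it is ntpd's local-clock driver, not a network source.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for the restrict and upstream-count points from the post.
# Function names and both sample configs are constructed for this demonstration.

WEAK_CONF=$(mktemp)
GOOD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT

# Constructed weak config: remote hosts may query and modify the daemon, and a single
# upstream source leaves nothing to vote a falseticker out.
cat > "$WEAK_CONF" <<'EOF'
restrict default
restrict 127.0.0.1
server 0.north-america.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
EOF

# Constructed config following the restrict/server layout shown in the post.
cat > "$GOOD_CONF" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
tos minclock 4 minsane 4
EOF

# count_upstream FILE: number of server/pool lines pointing at real network sources.
# 127.127.x.x addresses are ntpd reference-clock drivers (the local clock here), not upstreams.
count_upstream() {
    awk '$1 ~ /^(server|pool)$/ && $2 !~ /^127\.127\./ { n++ } END { print n + 0 }' "$1"
}

# default_restrict_ok FILE FAMILY(4|6): succeeds when the matching "restrict default" line
# carries both noquery (no remote ntpq/ntpdc state reads) and nomodify (no runtime
# reconfiguration). Whole fields are compared, so a commented-out line does not count.
default_restrict_ok() {
    awk -v fam="$2" '
        $1 == "restrict" && ((fam == "4" && $2 == "default") ||
                             (fam == "6" && $2 == "-6" && $3 == "default")) {
            found = 1
            for (i = 2; i <= NF; i++) { if ($i == "noquery") q = 1; if ($i == "nomodify") m = 1 }
        }
        END { if (found && q && m) exit 0; exit 1 }' "$1"
}

# audit_ntp_conf FILE: print one FAIL line per finding; exit status 0 only when clean.
audit_ntp_conf() {
    conf=$1
    bad=0
    for fam in 4 6; do
        if ! default_restrict_ok "$conf" "$fam"; then
            echo "FAIL: IPv$fam 'restrict default' line must include noquery and nomodify"
            bad=1
        fi
    done
    n=$(count_upstream "$conf")
    if [ "$n" -lt 4 ]; then
        echo "FAIL: only $n upstream source(s); need at least 4 to outvote a falseticker"
        bad=1
    fi
    return $bad
}

echo "== weak config =="
audit_ntp_conf "$WEAK_CONF" || echo "-> rejected"
echo "== hardened config =="
audit_ntp_conf "$GOOD_CONF" && echo "-> passes"
```

Run it against a real file with `audit_ntp_conf /etc/ntp.conf` after sourcing the functions; a non-zero exit status is what a configuration-management check or a CI job would key on.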
Start NTP daemon:
# Before you start, use "ntpd -gq" to synchronize your local time to the NTP servers.
# ntpd -gq
# service ntpd start
We can inspect our NTP server peers:
# ntpq -c peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+time.tritn.com  134.121.64.86    2 u   65   64    3   83.887    0.000   1.995
+time.gac.edu    147.84.59.145    2 u   48   64    3   36.361    0.000   3.505
*162.250.145.46  199.249.223.123  2 u   14   64    7   44.685    0.000   4.020
+ccadmin.cycores 130.207.244.240  2 u   26   64    3   26.835    0.000   1.795
 LOCAL(0)        .LOCL.          10 l    1   64    7    0.000    0.000   0.001
"+": symmetric active
"-": symmetric passive
"=": remote server is being polled in client mode
"^": the server is broadcasting to this address
"~": remote peer is sending broadcasts
"*": marks the peer the server is currently synchronizing to
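As an added example (not from the original post), the following POSIX shell functions turn `ntpq -c peers` output into a health verdict: whether a system peer has been selected (the `*` tally described above), how many of the last 8 polls each peer answered (the reach column is an 8-bit shift register printed in octal, so 377 means all 8 answered), and which peers have a large offset. Both sample captures, the 192.0.2.x addresses, the 10 ms offset bound and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: interpret `ntpq -c peers` output to decide whether this server is
# actually synchronized. Function names and both sample outputs are constructed.

HEALTHY=$(mktemp)
UNSYNCED=$(mktemp)
trap 'rm -f "$HEALTHY" "$UNSYNCED"' EXIT

# Constructed capture: one system peer ('*'), two candidates, one outlier with a large offset.
cat > "$HEALTHY" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   30   64  377   12.345    0.412   0.210
+192.0.2.11      192.0.2.10       2 u   20   64  377   15.111   -0.820   0.350
+192.0.2.12      192.0.2.10       2 u   40   64  177   14.002    1.100   0.400
-192.0.2.13      192.0.2.10       2 u   10   64  377   90.500   45.900   5.200
 LOCAL(0)        .LOCL.          10 l   55   64  377    0.000    0.000   0.001
EOF

# Constructed capture just after startup: no '*' selected yet, reach 0 everywhere.
cat > "$UNSYNCED" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 LOCAL(0)        .LOCL.          10 l    -   64    0    0.000    0.000   0.001
EOF

# reach_to_polls OCTAL: count the set bits of the octal reach value, one bit per poll,
# giving how many of the last 8 polls were answered (377 -> 8, 177 -> 7, 0 -> 0).
reach_to_polls() {
    echo "$1" | awk '{ pc = "01121223"; n = 0
                       for (i = 1; i <= length($1); i++) n += substr(pc, substr($1, i, 1) + 1, 1)
                       print n }'
}

# system_peer FILE: print the remote the daemon is synchronized to ('*' tally); fail if none.
# The tally is the first character of the line, so it is read before splitting the fields.
system_peer() {
    awk 'NR > 2 && substr($0, 1, 1) == "*" { split(substr($0, 2), f, " "); print f[1]; found = 1 }
         END { if (found) exit 0; exit 1 }' "$1"
}

# unreliable_peers FILE: peers (local clock excluded) that missed any of the last 8 polls or
# whose offset exceeds 10 ms (constructed threshold); prints "remote answered_polls offset".
unreliable_peers() {
    awk 'NR > 2 {
        split(substr($0, 2), f, " ")
        if (f[1] ~ /^LOCAL\(/) next
        pc = "01121223"; n = 0
        for (i = 1; i <= length(f[7]); i++) n += substr(pc, substr(f[7], i, 1) + 1, 1)
        off = f[9] + 0; if (off < 0) off = -off
        if (n < 8 || off > 10) print f[1], n, f[9]
    }' "$1"
}

# ntp_status FILE: one-line verdict plus per-peer warnings; exit 1 only when no system peer.
ntp_status() {
    if ! peer=$(system_peer "$1"); then
        echo "UNSYNCED: no system peer selected (no '*' in ntpq peers output)"
        return 1
    fi
    echo "OK: synchronized to $peer"
    unreliable_peers "$1" | while read -r remote polls offset; do
        echo "WARN: $remote answered $polls/8 polls, offset ${offset} ms"
    done
    return 0
}

ntp_status "$HEALTHY"
ntp_status "$UNSYNCED" || echo "-> health check fails until a system peer is selected"
```

On a live host, pipe the real command into a file first (`ntpq -c peers > /tmp/peers.txt`) and call `ntp_status /tmp/peers.txt`; the post's own capture above, taken right after startup, would show reach values of 3 and 7 and therefore warnings on every peer, which is expected until the daemon has completed its first eight polls.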