Tuesday, April 29, 2014

Linux - NTP Server

NTP (Network Time Protocol) is the standard protocol for synchronising clocks over an IP network; it runs over UDP port 123, not TCP. At a high level, an NTP client requests the current time from an NTP server, measures the round-trip delay of the exchange, and uses the result to discipline its own clock.

This post only covers configuring an NTP server and the things to pay attention to when setting one up.

What NTP server to choose?
You have four choices for where a server gets its time:

  1. NTP server synchronised from the internet: an internal NTP server can synchronise from publicly available servers on the internet, making it a stratum 2 or 3 server. As with any externally provided service, this is also a path in for an attacker: an unauthenticated upstream can feed you wrong time. In addition, time obtained over the internet is less accurate because of variable network delay.
  2. Internal NTP server with no internet source: you can designate a machine as the time authority, using its own internal clock as an arbitrary time source. As that clock wanders, every NTP client connected to it wanders with it. The primary clock could be corrected manually to the true time occasionally, but each correction makes all the clients jump when the server adjusts, and if the clock is ever stepped by more than ntpd's panic threshold (1000 seconds, roughly 17 minutes) the clients' ntpd will exit rather than follow the shift, unless it was started with -g.
  3. An NTP server appliance used as a stratum 1 server: this is the easiest choice for providing an accurate, reliable, secure and autonomous UTC-synchronised network.
  4. An external time source such as a GPS or CDMA reference to create a stratum 1 server: the reference is connected to an existing server, which then serves stratum 1 time. Although this method is harder to set up and configure, it also provides an accurate, reliable, secure and autonomous UTC-synchronised network.

Choice #1 is the most popular, and it is the one this article focuses on.

Choose a NTP server from internet:

In this scenario we have a local NTP server, t1.ca; the other servers, tx.ca, synchronise their clocks from t1.ca, and t1.ca synchronises its own clock from public NTP servers, for example pool.ntp.org. To set up your own NTP server you need time sources listed in /etc/ntp.conf. I suggest using both pool servers and dedicated public NTP servers (see http://ntp.org/ for the lists).

Install NTP server:
# yum install ntp

Note that NTP protocol version 1 is deprecated; the ntpd in this package speaks NTPv4 and interoperates with NTPv3 clients and servers.

Configure NTP:
# vi /etc/ntp.conf
# Permit time synchronization with our time sources, but do not
# permit the sources to query or modify the service on this system.
# nomodify blocks runtime reconfiguration, noquery blocks ntpq/ntpdc
# status queries from outside (so the server cannot be used as a
# traffic amplifier either), notrap refuses trap requests, nopeer
# refuses unsolicited peering and kod answers access violations
# with a kiss-o'-death packet instead of silence.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions (ntpq on this host, for instance).
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# remote servers: four, so that one falseticker can be outvoted
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

# local peers: symmetric active associations with the other internal
# servers, so they keep each other disciplined if the upstream path
# fails. The peer's own restrict lines must allow this host to peer.
peer 10.0.2.15
peer 10.0.2.14

# local net can query for time, but not modify, trap or peer
restrict 192.168.56.0 mask 255.255.255.0 nomodify notrap nopeer

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
# The high stratum makes sure any real source always wins over it.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# To increase the ability to detect and eliminate falsetickers (especially
# during start-up): keep at least 4 survivors in the clustering step and
# refuse to synchronize with fewer than 4 sane sources.
tos minclock 4 minsane 4

Note: Configure at least four upstream time servers. With four sources the selection algorithm can outvote and discard one falseticker and still have three agreeing survivors; with three, a single falseticker can still be outvoted, but one unreachable server then leaves only two, which cannot tell which of them is wrong. Be aware that with "tos minsane 4" the server only synchronises while four sources survive, so with exactly four upstreams any one falseticker or outage stops synchronisation: give yourself five or six sources, or lower minsane to 3. Adding many more than that mostly adds polling traffic, and the one-shot "ntpd -gq" run below waits until it has set the clock, so a long list of slow or unreachable servers lengthens boot when that step runs at start-up.
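As an added example (my own, not from the original post), here is a shell linter that checks an ntp.conf for the points above: both default restrictions carry nomodify/notrap/noquery/nopeer, at least four real upstream sources are listed, the local clock is fudged to a high stratum, a driftfile is set, and a keys file is not named without a trustedkey. The configuration it reads is a constructed sample written to a temporary file; the temp path, the function names and the thresholds are my assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example (not from the original post): lint an ntp.conf against the
# hardening points above. The config below is a constructed sample written to
# a temp file; point lint_ntp_conf at /etc/ntp.conf on a real host.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys
tos minclock 4 minsane 4
EOF

# Number of real upstream sources: server/pool lines, minus the 127.127.x.x
# reference-clock pseudo-addresses (the local clock is not an upstream).
count_upstream() {
    awk '/^[[:space:]]*(server|pool)[[:space:]]/ && $2 !~ /^127\.127\./ { n++ }
         END { print n + 0 }' "$1"
}

# Return 0 if the default restriction for IP family $2 (4 or 6) carries every
# flag in $3.., else 1. A missing line also returns 1 (no default = full access).
default_restrict_has() {
    file=$1; fam=$2; shift 2
    if [ "$fam" = 6 ]; then
        pat='^[[:space:]]*restrict[[:space:]]+-6[[:space:]]+default([[:space:]]|$)'
    else
        pat='^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default([[:space:]]|$)'
    fi
    line=$(grep -E "$pat" "$file" | head -n 1)
    [ -n "$line" ] || return 1
    for flag in "$@"; do
        case " $line " in
            *" $flag "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stratum the undisciplined local clock is fudged to; empty if not configured.
local_clock_stratum() {
    awk '/^[[:space:]]*fudge[[:space:]]+127\.127\.1\.0/ {
             for (i = 1; i <= NF; i++) if ($i == "stratum") print $(i + 1) }' "$1"
}

# Print findings to stderr; print the number of hard failures to stdout.
lint_ntp_conf() {
    f=$1; fails=0
    for fam in 4 6; do
        if ! default_restrict_has "$f" "$fam" nomodify notrap noquery nopeer; then
            echo "FAIL: IPv$fam default restriction lacks nomodify/notrap/noquery/nopeer" >&2
            fails=$((fails + 1))
        fi
    done
    n=$(count_upstream "$f")
    if [ "$n" -lt 4 ]; then
        echo "FAIL: only $n upstream sources; four are needed to outvote one falseticker" >&2
        fails=$((fails + 1))
    fi
    s=$(local_clock_stratum "$f")
    if [ -n "$s" ] && [ "$s" -lt 10 ]; then
        echo "WARN: local clock fudged to stratum $s; keep it high so real sources always win" >&2
    fi
    if ! grep -qE '^[[:space:]]*driftfile[[:space:]]' "$f"; then
        echo "FAIL: no driftfile; ntpd relearns the frequency error after every restart" >&2
        fails=$((fails + 1))
    fi
    if grep -qE '^[[:space:]]*keys[[:space:]]' "$f" && ! grep -qE '^[[:space:]]*trustedkey[[:space:]]' "$f"; then
        echo "WARN: keys file named but no trustedkey, so no key can authenticate anything" >&2
    fi
    echo "$fails"
}

lint_ntp_conf "$SAMPLE_CONF"
```

Run it against /etc/ntp.conf before starting ntpd. On the sample it reports one hard failure (only three upstreams) and one warning (keys without trustedkey). A pool line counts as one source here although ntpd expands it to several; adjust count_upstream if you use pool rather than server lines.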

Start NTP daemon:
# Before starting the service, run "ntpd -gq" once to set the local clock from the NTP servers: -g allows the first adjustment to exceed the panic threshold, -q exits as soon as the clock is set. Run it while ntpd is not yet running, since both need UDP port 123.
# ntpd -gq
# service ntpd start
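The keys, trustedkey, requestkey and controlkey lines are left commented out in the configuration above. To actually use symmetric-key authentication you need a keys file shared by server and client. As an added example (mine, not from the original post), this script creates one and prints the matching configuration for each side. It assumes an ntpd built with OpenSSL that accepts SHA1 keys written as 40 hex digits (ntp 4.2.8 does; older builds may only accept "M"/MD5 ASCII keys), writes to a temporary directory instead of /etc/ntp/keys, and the key number 1 and the server name t1.ca from the scenario are just the example's choices.

```shell
#!/bin/sh
# Added example (not from the original post): create a symmetric key for the
# commented-out keys/trustedkey lines above and print the matching client
# config. Assumes an ntpd built with OpenSSL (SHA1 keys accepted; older
# builds take only MD5). Writes into a temp dir here; on a real host the
# file is /etc/ntp/keys, owned by root, mode 0600.

# Print one ntp.keys line: "<keyno> SHA1 <40 hex digits>" (160-bit random key).
gen_ntp_key() {
    printf '%s SHA1 %s\n' "$1" "$(od -An -N20 -tx1 /dev/urandom | tr -d ' \n')"
}

# Write a keys file containing key numbers $2.. with restrictive permissions.
write_keys_file() {
    path=$1; shift
    old_umask=$(umask); umask 077
    : > "$path"
    for k in "$@"; do gen_ntp_key "$k" >> "$path"; done
    umask "$old_umask"
}

# Config lines for the server side: name the key file, trust key id $2.
server_conf() { printf 'keys %s\ntrustedkey %s\n' "$1" "$2"; }

# Config lines for a client that wants authenticated replies from server $1
# with key id $2 from key file $3. "key N" on the server line makes ntpd
# discard every reply that is not authenticated with that key.
client_conf() {
    printf 'server %s iburst key %s\nkeys %s\ntrustedkey %s\n' "$1" "$2" "$3" "$2"
}

# 0 if the keys file is mode 0600 and every line parses, else 1.
check_keys_file() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || return 1
    if grep -vqE '^[0-9]+ SHA1 [0-9a-f]{40}$' "$1"; then return 1; fi
    return 0
}

KEYDIR=$(mktemp -d); trap 'rm -rf "$KEYDIR"' EXIT
write_keys_file "$KEYDIR/keys" 1
check_keys_file "$KEYDIR/keys" && echo "keys file OK: $KEYDIR/keys"
echo "--- server /etc/ntp.conf additions"; server_conf /etc/ntp/keys 1
echo "--- client /etc/ntp.conf additions"; client_conf t1.ca 1 /etc/ntp/keys
```

Copy the keys file to each client over a secure channel (scp, configuration management), keep it root-owned and mode 0600 on both ends, and list the key id under trustedkey on both sides. With "key 1" on the client's server line, the client rejects any reply from t1.ca that is not authenticated with that key, which closes, at least between your own hosts, the path in that choice #1 leaves open.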

We can inspect our NTP server peers:
# ntpq -c peers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+time.tritn.com  134.121.64.86    2 u   65   64    3   83.887    0.000   1.995
+time.gac.edu    147.84.59.145    2 u   48   64    3   36.361    0.000   3.505
*162.250.145.46  199.249.223.123  2 u   14   64    7   44.685    0.000   4.020
+ccadmin.cycores 130.207.244.240  2 u   26   64    3   26.835    0.000   1.795
 LOCAL(0)        .LOCL.          10 l    1   64    7    0.000    0.000   0.001

The character in the left margin is the tally code, the verdict of the selection and clustering algorithms on that peer (the "t" column is the association type: u unicast, l local reference clock, b broadcast):

"*": the system peer, the source the server is currently synchronizing to
"+": candidate, a survivor combined with the system peer to discipline the clock
"-": outlier, discarded by the clustering algorithm
"x": falseticker, its time disagrees with the majority and is rejected
"#": survivor beyond the tos maxclock limit, kept as a backup
".": excess, discarded by table overflow
" " (blank): discarded as invalid, for example unreachable or stratum too high
"o": PPS peer

In the listing above the server is synchronized to 162.250.145.46, three more candidates contribute, and LOCAL(0) is correctly ignored (blank tally) because real sources are available. If LOCAL(0) ever carries the "*", the server has lost all of its upstreams and is serving its free-running clock to every client.
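To turn this listing into a check you can run from cron or a monitor, here is an added example (mine, not from the original post) that parses "ntpq -c peers" output. The two listings it reads are constructed: the healthy one is the output above plus one falseticker line (10.0.2.99, a made-up address), the degraded one shows every upstream unreachable and the server synchronized to LOCAL(0). The minsane value of 4 matches the tos line in the configuration above; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): parse `ntpq -c peers` output and
# decide whether this server is fit to serve time. The two listings below are
# constructed samples; on a live host feed it `ntpq -c peers` instead.

HEALTHY=$(cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+time.tritn.com  134.121.64.86    2 u   65   64    3   83.887    0.000   1.995
+time.gac.edu    147.84.59.145    2 u   48   64    3   36.361    0.000   3.505
*162.250.145.46  199.249.223.123  2 u   14   64    7   44.685    0.000   4.020
+ccadmin.cycores 130.207.244.240  2 u   26   64    3   26.835    0.000   1.795
x10.0.2.99       192.0.2.1        2 u   30   64    7    1.250  900.500   0.900
 LOCAL(0)        .LOCL.          10 l    1   64    7    0.000    0.000   0.001
EOF
)

DEGRADED=$(cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time.tritn.com  .INIT.          16 u    -   64    0    0.000    0.000   0.000
 time.gac.edu    .INIT.          16 u    -   64    0    0.000    0.000   0.000
*LOCAL(0)        .LOCL.          10 l    5   64  377    0.000    0.000   0.001
EOF
)

# One row per peer: "<tally> <remote> <refid> <stratum> <reach>", with "_"
# standing in for a blank tally. Skips the two header lines.
peer_rows() {
    awk 'NR > 2 && NF >= 7 {
             t = substr($0, 1, 1)
             if (t == " ") { r = $1; t = "_" } else { r = substr($1, 2) }
             print t, r, $2, $3, $7
         }'
}

# Remote name of the system peer (the "*" line); empty if not synchronized.
sys_peer()    { printf '%s\n' "$1" | peer_rows | awk '$1 == "*" { print $2 }'; }
# Number of peers carrying tally code $2.
count_tally() { printf '%s\n' "$1" | peer_rows | awk -v t="$2" '$1 == t { n++ } END { print n + 0 }'; }

# 0 if synchronized to a real source with at least $2 survivors (the value of
# "tos minsane"); 1 otherwise. Running on the local clock is an alarm, because
# clients would then follow a free-running oscillator with no external anchor.
check_time_source() {
    out=$1; minsane=$2
    sp=$(sys_peer "$out")
    if [ -z "$sp" ]; then
        echo "FAIL: no system peer, ntpd is not synchronized"; return 1
    fi
    case "$sp" in
        LOCAL*) echo "FAIL: serving the undisciplined local clock ($sp)"; return 1 ;;
    esac
    surv=$(( $(count_tally "$out" '*') + $(count_tally "$out" '+') ))
    if [ "$surv" -lt "$minsane" ]; then
        echo "FAIL: $surv survivors, below minsane $minsane"; return 1
    fi
    ft=$(count_tally "$out" x)
    if [ "$ft" -gt 0 ]; then
        echo "WARN: $ft falseticker(s) rejected by the selection algorithm; investigate them"
    fi
    echo "OK: system peer $sp, $surv survivors"
    return 0
}

for sample in "$HEALTHY" "$DEGRADED"; do
    check_time_source "$sample" 4 || true
done
```

The healthy listing passes (system peer 162.250.145.46, four survivors) with a warning about the rejected falseticker; the degraded one fails because LOCAL(0) is the system peer. A falseticker that keeps showing up is worth a look: it is either a broken upstream or someone answering on its behalf.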
