Configuring NTP Time Server

Posted on March 13th, 2012 | Categories: Linux

Having a time server in your organization can help you resolve many network issues whose cause is otherwise hard to pin down. Linux provides a powerful NTP time server that is easy to install and set up. You can sync pretty much all your network devices with your Linux NTP server: routers, switches, Windows PCs, Linux servers and even iPhones. If your organization has to follow compliance standards such as PCI and keep time-stamped security logs, then you must have a time server running in your network to make sure the time stamps in your logs are correct.

In this article I will show you the easy steps to set up a new NTP server in your organization using CentOS or RHEL; both work exactly the same way.

1- Installing NTP:

First check whether the ntpd service is installed by running the following command:

[root@myserver /]# rpm -qa ntp
ntp-4.2.4p8-2.el6.centos.x86_64

If it’s not installed, install it using yum and enable the service at boot:

[root@myserver /]# yum -y install ntp
[root@myserver /]# chkconfig ntpd on

2- Configuring NTP:

/etc/ntp.conf is the main NTP service configuration file. From this same file you can configure your machine to run as a time server, or as a client that requests time updates from a time server.

I. Configuring it as an NTP Client:

To configure a Linux machine to sync with your local time server, add the DNS name or the IP address of your NTP server to your ntp.conf file. You also want to restrict your server so that it syncs only with your local or public time server.

a. In the ntp.conf file, add the following line for every NTP server that you want to sync your machine’s clock with. This basically tells your server not to receive any time updates except from that IP address:

restrict 192.168.1.10 mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.11 mask 255.255.255.255 nomodify notrap noquery

b. Comment out (#) any public NTP servers that you don’t want to sync your server with, and add the DNS name(s) or IP address(es) of your own NTP server(s); you may have more than one NTP server in your organization.

server 192.168.1.10
server 192.168.1.11

c. When you are done with the modifications, save the config file, then stop the ntpd service:

[root@myserver /]# service ntpd stop

d. First, manually sync your server clock with the time server (or with one of them if you have more than one server in your organization), then start the NTP service again. This is known as the initial synchronization of your time.

[root@myserver /]# ntpdate 192.168.1.10
13 Mar 11:14:47 ntpdate[31064]: adjust time server 192.168.1.10 offset -0.004156 sec
[root@myserver /]# service ntpd start
ntpd: Synchronizing with time server:                      [  OK  ]
Starting ntpd:                                             [  OK  ]

e. Verify that your server clock is now syncing with your NTP server:

[root@myserver /]# ntpq -p
 remote               refid           st  t when  poll  reach  delay  offset   jitter
=====================================================================================
 *ntp1.mydomain.com   209.51.161.238   2  u    4   64    1     6.322  76957.6   0.000
 +ntp2.mydomain.com   209.51.161.238   2  u    3   64    1    23.764  76951.3   0.000
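
The check in step e can be scripted. The following Python sketch is an added example, not part of the original article: it parses ntpq -p output and flags a missing sync peer, unanswered polls, stratum 16 and large offsets. The function names and the 1000 ms offset limit are assumptions chosen for illustration.

```python
# Peer rows from step e, with the tally character in column 0 as ntpq prints it.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.mydomain.com   209.51.161.238   2  u    4   64    1     6.322  76957.6   0.000
+ntp2.mydomain.com   209.51.161.238   2  u    3   64    1    23.764  76951.3   0.000
"""

def parse_ntpq(text):
    """Turn the peer rows of `ntpq -p` into dicts (delay and offset are in ms)."""
    peers = []
    for line in text.splitlines():
        fields = line[1:].split()
        if len(fields) != 10 or fields[0] == "remote":
            continue                      # header, separator or blank line
        peers.append({
            "tally": line[0],             # '*' = peer the clock is synced to
            "remote": fields[0],
            "stratum": int(fields[2]),
            "reach": fields[6],           # octal bitmap of the last 8 polls
            "offset": float(fields[8]),
        })
    return peers

def check_sync(peers, max_offset_ms=1000.0):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no peer selected for synchronization (no '*' row)")
    for p in peers:
        answered = bin(int(p["reach"], 8)).count("1")
        if answered < 8:
            findings.append(f"{p['remote']}: {answered}/8 recent polls answered")
        if p["stratum"] >= 16:
            findings.append(f"{p['remote']}: stratum 16 (unsynchronized)")
        if abs(p["offset"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset']} ms over limit")
    return findings

if __name__ == "__main__":
    for finding in check_sync(parse_ntpq(SAMPLE)):
        print(finding)
```

A low reach value is normal for the first few minutes after ntpd starts, because the register fills one poll at a time.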

II. Configuring it as an NTP Server:

Time servers are rated by how accurate their clock is; this unit of measurement is known as the “Stratum”. The lower the stratum, the more accurate your server is. It can go as low as “st 1” and as high as “st 16”.

The only way to get a “Stratum 1” time server is to actually buy an appliance known as an “Atomic Clock” or a “GPS Clock” and use it as a time server inside your organization. They range from $2500 up to $5000 depending on how many requests they can handle. You will usually find these devices in government organizations, research centers and universities, and plenty of them are open for public use. You can find them listed on the http://www.ntpd.org website.

When you configure it as an NTP server, you just need to point it to the IP of a public Stratum 1 or 2 NTP time server. Select the best one for you from ntp.org: look first for Stratum 1, and if you are not lucky you should find Stratum 2 or 3 at least. If you can’t find any server near your location, then your only choice is to use the time server pools that come built in with your OS. For example, RHEL points to the following NTP server pools by default unless you disable them and use your own, as do other Linux distributions:

server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org

Next, define the networks from which your server will accept NTP requests. You do so with the “restrict” statement in the /etc/ntp.conf file, removing the “noquery” keyword to allow the network to query your NTP server:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
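
To see what a set of restrict lines actually permits, the following added example (not from the original article) parses them and reports what a given source IP may do. It assumes IPv4 literal addresses and ntpd's rule that the most specific matching entry applies; noquery governs ntpq/ntpdc status queries, while time service is controlled by ignore and noserve. The function names and the sample file are constructed for illustration.

```python
import ipaddress

# Constructed sample: RHEL-style default entries plus this article's restrict lines.
SAMPLE_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.1.10 mask 255.255.255.255 nomodify notrap noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 0.rhel.pool.ntp.org
"""

def parse_restrict(conf_text):
    """Return [(IPv4Network, flag_set)] for the IPv4 restrict lines."""
    rules = []
    for raw in conf_text.splitlines():
        tok = [t for t in raw.split("#", 1)[0].split() if t != "-4"]
        if len(tok) < 2 or tok[0] != "restrict" or tok[1] == "-6":
            continue
        addr, rest = tok[1], tok[2:]
        mask = "255.255.255.255"           # ntpd's default: a single host
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        cidr = "0.0.0.0/0" if addr == "default" else f"{addr}/{mask}"
        try:
            rules.append((ipaddress.ip_network(cidr, strict=False), set(rest)))
        except ValueError:
            continue                       # host names are not resolved here
    return rules

def access(rules, ip):
    """What the most specific matching restrict entry lets a source IP do."""
    ip = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, flags) for net, flags in rules if ip in net]
    flags = max(matches, key=lambda m: m[0])[1] if matches else set()
    served = "ignore" not in flags
    return {
        "time": served and "noserve" not in flags,
        "query": served and "noquery" not in flags,      # ntpq / ntpdc
        # Not blocked by flags; ntpd still requires authentication to modify.
        "modify": served and not flags & {"noquery", "nomodify"},
    }

if __name__ == "__main__":
    rules = parse_restrict(SAMPLE_CONF)
    for src in ("192.168.1.50", "192.168.1.10", "203.0.113.7", "127.0.0.1"):
        print(src, access(rules, src))
```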

Note:
If you are running your NTP server behind a firewall, or if you have iptables running on the server, you need to open UDP port 123 for source and destination between your server and the server you are synchronizing with.
