Network Time Protocol
Latest revision as of 21:38, 9 April 2018
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
Install and configure ntpd on CentOS
Note: The following has been tested on CentOS 7.4.
- Install the necessary packages:
$ yum install -y ntp
- Turn on the ntpd service persistently:
$ systemctl start ntpd && systemctl enable ntpd
- [Optional] Synchronize the system clock with the 0.pool.ntp.org server:
$ ntpdate pool.ntp.org
- Locate your geographically closest server pools from http://www.pool.ntp.org/en/
$ for i in africa asia europe north-america south-america; do \
    curl -s http://www.pool.ntp.org/zone/$i|sed -n -e '/<pre>/,/<\/pre>/p'|sed -e 's/<[^>]*>//g'; done
server 0.africa.pool.ntp.org
server 1.africa.pool.ntp.org
server 2.africa.pool.ntp.org
server 3.africa.pool.ntp.org
server 0.asia.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
server 3.asia.pool.ntp.org
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org
server 0.south-america.pool.ntp.org
server 1.south-america.pool.ntp.org
server 2.south-america.pool.ntp.org
server 3.south-america.pool.ntp.org
- Since I am in North America, I will add the lines above for North America to the following two files:
$ vim /etc/ntp.conf
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

$ vim /etc/ntp/step-tickers
0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org
Note: The NTP Pool recommendations suggest adding the iburst option for each NTP server: if a given server is unreachable, iburst sends a burst of eight packets instead of the usual single packet. Do not use the burst option, as that is considered abuse: it sends eight packets on every poll interval, whereas iburst only sends eight packets the first time.

You should also make sure your server does not allow NTP reflection attacks (i.e., disable management queries). You also do not want to be vulnerable to ntpq and ntpdc queries that attempt to modify the state of the server. You can also stop clients from making requests too eagerly and enforce rate limiting. To do all of this, add or update the restrict line in your /etc/ntp.conf file:
restrict default nomodify notrap nopeer noquery kod limited
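The two notes above (iburst rather than burst, and a restrictive restrict default line) are easy to check mechanically. The following is an added example, not part of the original wiki page, that audits an ntp.conf-style file for both points; the sample configs and the audit_ntp_conf function are constructed for this demonstration, and the file paths are temporary files rather than /etc/ntp.conf.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit an ntpd config for the
# two hardening points above: iburst (never burst) on each server line, and a
# "restrict default" line carrying every flag the page recommends.
# Sample configs are constructed here; paths are temporary files, not /etc/ntp.conf.

# audit_ntp_conf FILE: print one finding per line; return 0 if clean, 1 otherwise.
audit_ntp_conf() {
    conf="$1"; rc=0
    servers=$(grep -E '^[[:space:]]*server[[:space:]]' "$conf" || true)
    if [ -z "$servers" ]; then echo "no server lines found"; return 1; fi
    # "burst" alone sends eight packets on every poll and is considered pool abuse;
    # "iburst" sends the burst only while the server is unreachable.
    n=$(printf '%s\n' "$servers" | grep -Evc '(^|[[:space:]])iburst([[:space:]]|$)' || true)
    if [ "$n" -gt 0 ]; then echo "$n server line(s) without iburst"; rc=1; fi
    n=$(printf '%s\n' "$servers" | grep -Ec '(^|[[:space:]])burst([[:space:]]|$)' || true)
    if [ "$n" -gt 0 ]; then echo "$n server line(s) using burst (pool abuse)"; rc=1; fi
    # noquery/nomodify/notrap close the reflection and state-change vectors;
    # kod limited rate-limits clients that poll too eagerly.
    restrict=$(grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$conf" \
        | head -n 1 | tr -s '[:space:]' ' ' || true)
    if [ -z "$restrict" ]; then echo "no 'restrict default' line"; return 1; fi
    for flag in nomodify notrap nopeer noquery kod limited; do
        case " $restrict " in
            *" $flag "*) ;;
            *) echo "restrict default is missing $flag"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples: a stock-looking weak config and the hardened version.
WEAK_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT
cat >"$WEAK_CONF" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org burst
EOF
cat >"$HARDENED_CONF" <<'EOF'
driftfile /var/lib/ntp/drift
restrict default nomodify notrap nopeer noquery kod limited
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
EOF
for f in "$WEAK_CONF" "$HARDENED_CONF"; do
    if audit_ntp_conf "$f"; then echo "$f: passes"; else echo "$f: needs attention"; fi
done
```

Because noquery is applied to the default restriction, keep the loopback lines (restrict 127.0.0.1 and restrict ::1) that the stock CentOS ntp.conf ships with, so that a local ntpdc -p or ntpq -p still gets an answer.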
Or, to use a specific country pool (closer is better for syncing), one can do the following (in this example, the pools for Germany):
$ curl -s http://www.pool.ntp.org/zone/de | sed -n '/<pre>/,/<\/pre>/p' | sed '/pre/d;s/^[ \t]\{1,\}//'
server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org
- Finally, restart the NTP daemon:
$ systemctl restart ntpd
- You can also list out your server pools and get details with the following:
$ ntpdc -l
$ ntpdc -p
- Use tcpdump to watch the NTP traffic:
$ tcpdump dst port 123
- Add iptables rules. NTP uses UDP port 123 both for connecting out to another NTP server and for accepting incoming requests. If iptables filters incoming traffic on the main NTP server in your cluster, you need to open UDP port 123 so the other servers can connect to it. You can do so with the following iptables arguments:
-I INPUT -p udp --dport 123 -j ACCEPT
-I OUTPUT -p udp --sport 123 -j ACCEPT
Or, if you are using FirewallD:
$ sudo firewall-cmd --permanent --add-service=ntp
$ sudo firewall-cmd --reload