Difference between revisions of "Network Time Protocol"

From Christoph's Personal Wiki
(Install and configure ntpd on CentOS)
 
(3 intermediate revisions by the same user not shown)
Line 2: Line 2:
  
 
==Install and configure <code>ntpd</code> on [[CentOS]]==
 
==Install and configure <code>ntpd</code> on [[CentOS]]==
 +
 +
''Note: The following has been tested on CentOS 7.4.''
 +
 
* Install the necessary packages:
 
* Install the necessary packages:
  $ yum install ntp ntpdate ntp-doc
+
  $ yum install -y ntp
  
*Turn on the <code>ntpd</code> service persistently:
+
* Turn on the <code>ntpd</code> service persistently:
  $ chkconfig ntpd on
+
  $ systemctl start ntpd && systemctl enable ntpd
  
* Synchronize the system clock with <code>0.pool.ntp.org</code> server:
+
* [Optional] Synchronize the system clock with <code>0.pool.ntp.org</code> server:
 
  $ ntpdate pool.ntp.org
 
  $ ntpdate pool.ntp.org
  
* Start the NTP server. The following will continuously adjusts system time from upstream NTP server (i.e., o need to run <code>ntpdate</code>):
+
* Locate your geographically closest server pools from http://www.pool.ntp.org/en/
$ /etc/init.d/ntpd start
+
$ #~OR~
+
$ service ntpd start
+
 
+
* Locate your geographically closet server pools from http://www.pool.ntp.org/en/
+
 
  $ for i in africa asia europe north-america south-america; do \
 
  $ for i in africa asia europe north-america south-america; do \
 
   curl -s <nowiki>http://www.pool.ntp.org/zone/$i</nowiki>|sed -n -e '/<nowiki><pre></nowiki>/,/<\/pre>/p'|sed -e 's/<[^>]*>//g'; done
 
   curl -s <nowiki>http://www.pool.ntp.org/zone/$i</nowiki>|sed -n -e '/<nowiki><pre></nowiki>/,/<\/pre>/p'|sed -e 's/<[^>]*>//g'; done
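Review bot: the revised install line (`$ yum install -y ntp`) drops the `ntpdate` package, yet the [Optional] step in the same hunk still runs `$ ntpdate pool.ntp.org`; on CentOS 7 `ntpdate` is a separate package, so either keep it in the install line or state that the optional step needs it. The new ordering also starts the daemon (`systemctl start ntpd && systemctl enable ntpd`) before that ntpdate step, and ntpdate refuses to run while ntpd already holds UDP port 123, so the optional step belongs before the start, or the text should say to stop ntpd first.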
Line 45: Line 43:
  
 
* Since I am in North America, I will add the lines above for North America to the following two files:
 
* Since I am in North America, I will add the lines above for North America to the following two files:
  $ cat >> /etc/ntp.conf <<EOF
+
  $ vim /etc/ntp.conf
  server 0.north-america.pool.ntp.org
+
  server 0.north-america.pool.ntp.org iburst
  server 1.north-america.pool.ntp.org
+
  server 1.north-america.pool.ntp.org iburst
  server 2.north-america.pool.ntp.org
+
  server 2.north-america.pool.ntp.org iburst
  server 3.north-america.pool.ntp.org
+
  server 3.north-america.pool.ntp.org iburst
  EOF
+
   
  $ cat >> /etc/ntp/step-tickers <<EOF
+
  $ vim /etc/ntp/step-tickers
 
  0.north-america.pool.ntp.org
 
  0.north-america.pool.ntp.org
 
  1.north-america.pool.ntp.org
 
  1.north-america.pool.ntp.org
 
  2.north-america.pool.ntp.org
 
  2.north-america.pool.ntp.org
 
  3.north-america.pool.ntp.org
 
  3.north-america.pool.ntp.org
  EOF
+
 
 +
Note: The NTP Pool recommendations suggest adding the <code>iburst</code> option for each NTP server. That is, if a given server is unreachable, <code>iburst</code> will send a burst of eight packets instead of the usual one packet. Do ''not'' use the <code>burst</code> option, as that is consider abuse because it will send out eight packets on every poll interval, whereas <code>iburst</code> will only send eight packets the first time.
 +
 
 +
You should also make sure your server does not allow NTP reflection attacks (i.e., disable management queries). You also do not want to be vulnerable to <code>ntpq</code> and <code>ntpdc</code> queries that attempt to modify the state of the server. You can also restrict clients from too eagerly making requests and enforce rate limiting. To do all of this, add or update the <code>restrict</code> line in your <code>/etc/ntp.conf</code> file:
 +
  restrict default nomodify notrap nopeer noquery kod limited
 +
 
 +
Or, to use a specific country pool (closer is better for syncing), one can do the following (in this example, the pools for Germany):
 +
$ curl -s <nowiki>http://www.pool.ntp.org/zone/de | sed -n '/<pre>/,/<\/pre>/p' | sed '/pre/d;s/^[ \t]\{1,\}//'</nowiki>
 +
server 0.de.pool.ntp.org
 +
server 1.de.pool.ntp.org
 +
server 2.de.pool.ntp.org
 +
server 3.de.pool.ntp.org
  
 
* Finally, restart the NTP daemon:
 
* Finally, restart the NTP daemon:
  $ service ntpd restart
+
  $ systemctl restart ntpd
  
 
* You can also list out your server pools and get details with the following:
 
* You can also list out your server pools and get details with the following:
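Review bot: the new `restrict default nomodify notrap nopeer noquery kod limited` line applies `noquery` to every source, which also refuses the local ntpq/ntpdc queries that the "list out your server pools and get details" step right after it relies on; add a sentence saying the stock `restrict 127.0.0.1` and `restrict ::1` lines must remain in /etc/ntp.conf (or be added) so loopback is exempt. The "Or, to use a specific country pool" paragraph is also inserted after the restrict line, away from the pool-selection step it extends; placing it next to the zone listing would read better.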
Line 67: Line 76:
 
* Use <code>[[tcpdump]]</code> to watch the NTP traffic:
 
* Use <code>[[tcpdump]]</code> to watch the NTP traffic:
 
  $ tcpdump dst port 123
 
  $ tcpdump dst port 123
 +
 +
* Add [[iptables]] rules (note: NTP uses UDP port 123 to conduct its business, either connecting out to another NTP server or accepting incoming connections. If you have iptables filtering incoming traffic on the main NTP server in your cluster, then you will need to open port 123 to UDP traffic to allow the other servers to connect to it. You can open port 123 for UDP traffic with the following iptables arguments):
 +
 +
-I INPUT -p udp --dport 123 -j ACCEPT
 +
-I OUTPUT -p udp --sport 123 -j ACCEPT
 +
 +
Or, if you are using FirewallD:
 +
 +
$ sudo firewall-cmd --permanent --add-service=ntp
 +
$ sudo firewall-cmd --reload
  
 
==External links==
 
==External links==
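Review bot: the added `-I INPUT -p udp --dport 123 -j ACCEPT` rule admits NTP from any source, while the surrounding text only requires the other servers in the cluster to reach this host; a source match (`-s <cluster subnet>`) on that rule keeps the host from serving, and being probed by, everything else. The two lines are also bare arguments rather than commands: show the full `iptables` invocation and note that rules inserted with `-I` do not survive a reboot unless saved, whereas the FirewallD variant with `--permanent` already persists.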

Latest revision as of 21:38, 9 April 2018

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

Install and configure ntpd on CentOS

Note: The following has been tested on CentOS 7.4.

  • Install the necessary packages:
$ yum install -y ntp
  • Turn on the ntpd service persistently:
$ systemctl start ntpd && systemctl enable ntpd
  • [Optional] Synchronize the system clock once with the 0.pool.ntp.org server (ntpdate refuses to run while ntpd already holds UDP port 123, so do this before starting the service or stop ntpd first):
$ ntpdate pool.ntp.org
  • Locate your geographically closest server pools from http://www.pool.ntp.org/en/ (the loop below pulls the suggested server lines for each continental zone):
$ for i in africa asia europe north-america south-america; do \
  curl -s http://www.pool.ntp.org/zone/$i|sed -n -e '/<pre>/,/<\/pre>/p'|sed -e 's/<[^>]*>//g'; done
server 0.africa.pool.ntp.org
server 1.africa.pool.ntp.org
server 2.africa.pool.ntp.org
server 3.africa.pool.ntp.org

server 0.asia.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
server 3.asia.pool.ntp.org

server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org

server 0.south-america.pool.ntp.org
server 1.south-america.pool.ntp.org
server 2.south-america.pool.ntp.org
server 3.south-america.pool.ntp.org
  • Since I am in North America, I will add the lines above for North America to the following two files:
$ vim /etc/ntp.conf
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

$ vim /etc/ntp/step-tickers
0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org

Note: The NTP Pool recommendations suggest adding the iburst option for each NTP server. With iburst, if a given server is unreachable when ntpd starts polling it, ntpd sends a burst of eight packets instead of the usual one, so the initial synchronization completes in seconds rather than after several poll intervals. Do not use the burst option: it is considered abuse of the public pool because it sends eight packets on every poll interval, whereas iburst sends the eight packets only the first time.

You should also make sure your server cannot be used in NTP reflection (amplification) attacks, i.e. disable the management queries that return large responses to small, spoofed requests. You also do not want to be vulnerable to ntpq and ntpdc queries that attempt to modify the state of the server, and you want to rate-limit clients that poll too eagerly. To do all of this, add or update the restrict line in your /etc/ntp.conf file:

restrict default nomodify notrap nopeer noquery kod limited

Here nomodify refuses ntpq/ntpdc requests that would change the server's state, noquery refuses their information queries as well (which is what stops the reflection), nopeer rejects unsolicited peering, notrap declines the mode 6 trap service, and kod limited rate-limits clients and answers excess requests with a Kiss-o'-Death packet. Because noquery on the default restriction also applies to your own ntpq/ntpdc, keep the stock restrict 127.0.0.1 and restrict ::1 lines so the ntpdc commands further down still work.
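As an added example (not from the original wiki page), a small POSIX shell audit that checks an ntp.conf for the hardening just described: every recommended option on the restrict default line, iburst rather than burst on server lines, and a loopback exemption so local ntpq/ntpdc keep working. The function name check_ntp_conf and the script file name in the usage comment are my own.

```shell
#!/bin/sh
# Added audit script (not part of the original wiki page): checks an ntp.conf
# for the hardening discussed above. Function name check_ntp_conf is my own.
# Exit status 0 = every check passed, 1 = at least one FAIL was printed.
check_ntp_conf() {
    conf="$1"
    rc=0
    # 1. The "restrict default" line must carry every recommended option.
    rline=$(grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$conf" \
            | head -n 1 | tr '\t' ' ')
    if [ -z "$rline" ]; then
        echo "FAIL: no 'restrict default' line, so every client gets full access"
        rc=1
    else
        for opt in nomodify notrap nopeer noquery kod limited; do
            case " $rline " in
                *" $opt "*) ;;
                *) echo "FAIL: restrict default lacks '$opt'"; rc=1 ;;
            esac
        done
    fi
    # 2. "burst" on a server line hammers the pool on every poll; flag it.
    #    ("iburst" ends in "burst" but is preceded by a letter, so it is not hit.)
    if grep -Eq '^[[:space:]]*server[[:space:]].*[[:space:]]burst([[:space:]]|$)' "$conf"; then
        echo "FAIL: a server line uses 'burst' (eight packets every poll interval)"
        rc=1
    fi
    # 3. Every server line should carry "iburst" for a fast initial sync.
    if grep -E '^[[:space:]]*server[[:space:]]' "$conf" \
       | grep -Evq '[[:space:]]iburst([[:space:]]|$)'; then
        echo "FAIL: a server line is missing 'iburst'"
        rc=1
    fi
    # 4. With noquery on the default restriction, local ntpq/ntpdc only work if
    #    loopback is exempted (stock CentOS ntp.conf ships this line).
    if ! grep -Eq '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?127\.0\.0\.1' "$conf"; then
        echo "WARN: no 'restrict 127.0.0.1' line; local ntpq/ntpdc will be refused"
    fi
    return $rc
}

# Usage: sh audit-ntp.sh /etc/ntp.conf
if [ -n "${1:-}" ]; then
    check_ntp_conf "$1"
fi
```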

Or, to use a specific country pool (closer is better for syncing), one can do the following (in this example, the pools for Germany):

$ curl -s http://www.pool.ntp.org/zone/de | sed -n '/<pre>/,/<\/pre>/p' | sed '/pre/d;s/^[ \t]\{1,\}//'
server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org
  • Finally, restart the NTP daemon:
$ systemctl restart ntpd
  • You can also list out your server pools and get details with the following:
$ ntpdc -l
$ ntpdc -p
  • Use tcpdump to watch the NTP traffic:
$ tcpdump dst port 123
  • Add iptables rules (note: NTP uses UDP port 123 to conduct its business, both for connecting out to another NTP server and for accepting incoming requests. If iptables filters incoming traffic on the main NTP server in your cluster, you will need to open UDP port 123 so the other servers can reach it; if only those cluster members need access, add a source match (-s) to the INPUT rule so the host does not answer queries from everywhere. You can open port 123 for UDP traffic with the following iptables arguments):
-I INPUT -p udp --dport 123 -j ACCEPT
-I OUTPUT -p udp --sport 123 -j ACCEPT

Or, if you are using FirewallD:

$ sudo firewall-cmd --permanent --add-service=ntp
$ sudo firewall-cmd --reload

External links