Network Time Protocol
Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.
Install and configure ntpd on CentOS
Note: The following has been tested on CentOS 7.4.
- Install the necessary packages:
$ yum install -y ntp
- Turn on the ntpd service persistently:
$ systemctl start ntpd && systemctl enable ntpd
- [Optional] Synchronize the system clock with the 0.pool.ntp.org server:
$ ntpdate pool.ntp.org
- Locate your geographically closest server pools from http://www.pool.ntp.org/en/
$ for i in africa asia europe north-america south-america; do \
      curl -s http://www.pool.ntp.org/zone/$i | sed -n -e '/<pre>/,/<\/pre>/p' | sed -e 's/<[^>]*>//g'; \
  done
server 0.africa.pool.ntp.org
server 1.africa.pool.ntp.org
server 2.africa.pool.ntp.org
server 3.africa.pool.ntp.org
server 0.asia.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
server 3.asia.pool.ntp.org
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org
server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org
server 0.south-america.pool.ntp.org
server 1.south-america.pool.ntp.org
server 2.south-america.pool.ntp.org
server 3.south-america.pool.ntp.org
- Since I am in North America, I will add the lines above for North America to the following two files:
$ vim /etc/ntp.conf
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

$ vim /etc/ntp/step-tickers
0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org
Note: The NTP Pool recommendations suggest adding the iburst option for each NTP server. That is, if a given server is unreachable, iburst will send a burst of eight packets instead of the usual one packet. Do not use the burst option, as that is considered abuse: it sends out eight packets on every poll interval, whereas iburst only sends eight packets the first time.
You should also make sure your server does not allow NTP reflection attacks (i.e., disable management queries). You also do not want to be vulnerable to ntpq and ntpdc queries that attempt to modify the state of the server. You can also restrict clients from too eagerly making requests and enforce rate limiting. To do all of this, add or update the restrict line in your /etc/ntp.conf file:
restrict default nomodify notrap nopeer noquery kod limited
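As an added example (not from the original page), the following POSIX shell function audits an ntp.conf for the points above: the full restrict default flag set, iburst on every server line, and no plain burst. The function name and the two constructed sample-config writers are assumptions made for the demonstration; run it against a real host with audit_ntp_conf /etc/ntp.conf.

```shell
#!/bin/sh
# Added example, not from the original page: audit an ntp.conf for the
# hardening described in this section. Prints each finding and returns 0
# only when every check passes. Usage: audit_ntp_conf /etc/ntp.conf

audit_ntp_conf() {
    conf="$1"
    rc=0

    # 1. 'restrict default' must carry every recommended flag; noquery,
    #    nomodify and notrap are what block reflection and state changes.
    restrict_line=$(grep -E '^[[:space:]]*restrict[[:space:]]+default([[:space:]]|$)' "$conf" || true)
    if [ -z "$restrict_line" ]; then
        echo "MISSING: no 'restrict default' line"
        rc=1
    else
        for flag in nomodify notrap nopeer noquery kod limited; do
            echo "$restrict_line" | grep -qw "$flag" || { echo "MISSING: restrict default lacks '$flag'"; rc=1; }
        done
    fi

    # 2. Every server/pool line should use iburst (fast initial sync).
    n=$(grep -E '^[[:space:]]*(server|pool)[[:space:]]' "$conf" | grep -vcw iburst || true)
    [ "$n" -eq 0 ] || { echo "WARN: $n server/pool line(s) without iburst"; rc=1; }

    # 3. Plain 'burst' (-w does not match iburst) is pool abuse: eight packets every poll.
    n=$(grep -E '^[[:space:]]*(server|pool)[[:space:]]' "$conf" | grep -cw burst || true)
    [ "$n" -eq 0 ] || { echo "BAD: $n server/pool line(s) use 'burst'"; rc=1; }

    return $rc
}

# Constructed sample configs (not from a real host) to exercise the checks.
write_hardened_conf() {
    cat > "$1" <<'EOF'
restrict default nomodify notrap nopeer noquery kod limited
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
EOF
}
write_weak_conf() {
    cat > "$1" <<'EOF'
restrict default nomodify notrap nopeer
server 0.north-america.pool.ntp.org burst
server 1.north-america.pool.ntp.org
EOF
}
```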
Or, to use a specific country pool (closer is better for syncing), one can do the following (in this example, the pools for Germany):
$ curl -s http://www.pool.ntp.org/zone/de | sed -n '/<pre>/,/<\/pre>/p' | sed '/pre/d;s/^[ \t]\{1,\}//'
server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org
- Finally, restart the NTP daemon:
$ systemctl restart ntpd
- You can also list out your server pools and get details with the following:
$ ntpdc -l
$ ntpdc -p
- Use tcpdump to watch the NTP traffic:
$ tcpdump dst port 123
- Add iptables rules (note: NTP uses UDP port 123 to conduct its business, either connecting out to another NTP server or accepting incoming connections. If you have iptables filtering incoming traffic on the main NTP server in your cluster, then you will need to open port 123 to UDP traffic to allow the other servers to connect to it. You can open port 123 for UDP traffic with the following iptables arguments):
-I INPUT -p udp --dport 123 -j ACCEPT
-I OUTPUT -p udp --sport 123 -j ACCEPT
Or, if you are using FirewallD:
$ sudo firewall-cmd --permanent --add-service=ntp
$ sudo firewall-cmd --reload