Network Time Protocol

From Christoph's Personal Wiki
Revision as of 21:38, 9 April 2018 by Christoph (Talk | contribs)


Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks.

Install and configure ntpd on CentOS

Note: The following has been tested on CentOS 7.4.

  • Install the necessary packages:
$ yum install -y ntp
  • Turn on the ntpd service persistently:
$ systemctl start ntpd && systemctl enable ntpd
  • [Optional] Synchronize the system clock once against pool.ntp.org (note that ntpdate refuses to run while ntpd holds the NTP socket, so do this before starting the daemon or stop it first):
$ ntpdate pool.ntp.org
  • List the server lines the NTP Pool recommends for each continental zone:
$ for i in africa asia europe north-america south-america; do \
  curl -s http://www.pool.ntp.org/zone/$i | sed -n -e '/<pre>/,/<\/pre>/p' | sed -e 's/<[^>]*>//g'; done
server 0.africa.pool.ntp.org
server 1.africa.pool.ntp.org
server 2.africa.pool.ntp.org
server 3.africa.pool.ntp.org

server 0.asia.pool.ntp.org
server 1.asia.pool.ntp.org
server 2.asia.pool.ntp.org
server 3.asia.pool.ntp.org

server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org

server 0.north-america.pool.ntp.org
server 1.north-america.pool.ntp.org
server 2.north-america.pool.ntp.org
server 3.north-america.pool.ntp.org

server 0.south-america.pool.ntp.org
server 1.south-america.pool.ntp.org
server 2.south-america.pool.ntp.org
server 3.south-america.pool.ntp.org
  • Since I am in North America, I will add the North America lines from above to the following two files:
$ vim /etc/ntp.conf
server 0.north-america.pool.ntp.org iburst
server 1.north-america.pool.ntp.org iburst
server 2.north-america.pool.ntp.org iburst
server 3.north-america.pool.ntp.org iburst

$ vim /etc/ntp/step-tickers
0.north-america.pool.ntp.org
1.north-america.pool.ntp.org
2.north-america.pool.ntp.org
3.north-america.pool.ntp.org

Note: The NTP Pool recommendations suggest adding the iburst option to each server line. With iburst, when a server is unreachable ntpd sends a burst of eight packets instead of the usual one, which speeds up the initial synchronization. Do not use the burst option: it is considered abuse because it sends eight packets on every poll interval, whereas iburst only sends the eight packets the first time.

You should also make sure your server cannot be used for NTP reflection attacks (i.e., disable management queries). You also do not want to be vulnerable to ntpq and ntpdc queries that attempt to modify the state of the server. Finally, you can stop clients from querying too eagerly by enforcing rate limiting. To do all of this, add or update the restrict line in your /etc/ntp.conf file:

restrict default nomodify notrap nopeer noquery kod limited
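A quick audit of an ntp.conf against the settings above (iburst rather than burst on every server line, and the full set of restrict flags), as an added example that is not part of the wiki page. The sample config contents are constructed, and the localhost check assumes you still want to run ntpq/ntpdc on the host itself, as the page does later.

```shell
# Added example (not the wiki's code): audit an ntp.conf for the hardening the page
# recommends. The two sample configs at the bottom are constructed for the demo.
# Pass only if the "restrict default" line carries every flag the page adds.
check_restrict_default() {
    rd_line=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-4[[:space:]]+)?default([[:space:]]|$)' "$1" | head -n 1)
    [ -n "$rd_line" ] || { echo "FINDING: no 'restrict default' line; anyone may query or modify"; return 1; }
    rd_rc=0
    for flag in nomodify notrap nopeer noquery kod limited; do
        case " $rd_line " in
            *" $flag "*) ;;
            *) echo "FINDING: restrict default lacks '$flag'"; rd_rc=1 ;;
        esac
    done
    return $rd_rc
}
# Pass only if every server/pool line uses iburst and none uses burst
# (burst re-sends eight packets on every poll and is treated as abuse by the pool).
check_server_lines() {
    sl_rc=0
    while read -r kw host opts; do
        case "$kw" in server|pool) ;; *) continue ;; esac   # skip comments and other keywords
        case " $opts " in
            *" burst "*)  echo "FINDING: $host uses burst; change it to iburst"; sl_rc=1 ;;
            *" iburst "*) ;;
            *)            echo "FINDING: $host lacks iburst"; sl_rc=1 ;;
        esac
    done < "$1"
    return $sl_rc
}
# Pass only if localhost is exempted: with noquery on the default line and no
# exemption, the host's own ntpq/ntpdc queries (used later on the page) are refused too.
check_localhost() {
    grep -Eq '^[[:space:]]*restrict[[:space:]]+(127\.0\.0\.1|::1)([[:space:]]|$)' "$1" && return 0
    echo "FINDING: no 'restrict 127.0.0.1' line; local ntpq/ntpdc queries will be refused"
    return 1
}
audit_ntp_conf() {   # returns 0 only when every check passes
    a_rc=0
    check_restrict_default "$1" || a_rc=1
    check_server_lines "$1" || a_rc=1
    check_localhost "$1" || a_rc=1
    return $a_rc
}
# Constructed samples: a typical unhardened client and one hardened as on the page.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
printf 'restrict default nomodify\nserver 0.north-america.pool.ntp.org burst\nserver 1.north-america.pool.ntp.org\n' > "$WEAK_CONF"
printf 'restrict default nomodify notrap nopeer noquery kod limited\nrestrict 127.0.0.1\nserver 0.north-america.pool.ntp.org iburst\n' > "$HARD_CONF"
audit_ntp_conf "$WEAK_CONF" || echo "weak config: audit FAILED"
audit_ntp_conf "$HARD_CONF" && echo "hardened config: audit passed"
```

Run it against the real file with `audit_ntp_conf /etc/ntp.conf`; a non-zero exit means at least one FINDING line was printed.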

Or, to use a specific country pool (servers closer to you generally give better synchronization), one can do the following (in this example, the pools for Germany):

$ curl -s http://www.pool.ntp.org/zone/de | sed -n '/<pre>/,/<\/pre>/p' | sed '/pre/d;s/^[ \t]\{1,\}//'
server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org
  • Finally, restart the NTP daemon:
$ systemctl restart ntpd
  • You can also list out your server pools and get details with the following:
$ ntpdc -l
$ ntpdc -p
  • Use tcpdump to watch the NTP traffic:
$ tcpdump dst port 123
  • Add iptables rules (note: NTP uses UDP port 123 to conduct its business, either connecting out to another NTP server or accepting incoming connections. If you have iptables filtering incoming traffic on the main NTP server in your cluster, then you will need to open port 123 to UDP traffic to allow the other servers to connect to it. You can open port 123 for UDP traffic with the following iptables arguments):
-I INPUT -p udp --dport 123 -j ACCEPT
-I OUTPUT -p udp --sport 123 -j ACCEPT

Or, if you are using FirewallD:

$ sudo firewall-cmd --permanent --add-service=ntp
$ sudo firewall-cmd --reload
