The NTP (Network Time Protocol RFC-1305) is a widely used Internet time protocol on most Linux systems. This service runs in the background and periodically gets time updates from one or more servers.
Many large networks use NTP to ensure accurate log file timestamps and often deploy a stratum 2 or level 2 server in their network to serve the rest of the clients.
In this article we will talk about configuring a basic NTP server, as well as ways to secure NTP. Let’s start by talking about the changes that will be needed on your firewall. Also note that this tutorial should work for all modern Red Hat based systems including Fedora and CentOS.
NTP servers communicate over port 123 UDP and unlike most UDP protocols the source port is NOT a high port, but uses 123 as well. The firewall must be configured to allow UDP on both source and destination ports 123 between your new NTP server and the Stratum 1 server. What is a stratum 1 server? Its the highest server in your NTP hierarchical of servers.
For this article we will use the following as our stratum 1 servers:
0.us.pool.ntp.org
wwv.nist.gov
Below is an example iptables rule that allows NTP traffic from ANY source. This is just an example and should be checked against your security policy, especially if your system is accessible from the internet.
iptables -I INPUT -p udp --dport 123 -j ACCEPT
You can edit the iptables rule anyway you like. Also the above rule only makes the service accessible until the next reboot, which would wipe the abvoe rule out. To learn more about Linux firewalls and how to use them read the following articles.
Introduction to Firewalld Basics
Now that we have our firewall rules in place to allow NTP synchronization, let’s get the service installed and started.
Most modern Linux/UNIX distributions come with NTP already installed. For Red Hat based distros you can install the NTP package with yum.
yum install ntp -y
The main configuration file for NTP in Red Hat based linux based systems is ntp.conf located in the /etc directory. For this first step we will open that file in our favorite editor and place the servers we want to use in the following format. Servers may already exists in the /etc/ntp.conf file, you can replace them or use the defaults.
server 0.us.pool.ntp.org
server wwv.nist.gov
Now we have to restrict the access these time servers will have on our system. In the example below we are telling NTP that these servers are not allowed to modify run-time configuration or query our system. The specified mask below is limiting the access to a single IP, or single host subnet.
restrict 0.us.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict wwv.nist.gov mask 255.255.255.255 nomodify notrap noquery
Now since we are setting up a server to “serve” time to other clients we have to tell it from which networks to allow NTP requests. We use the same basic restrict statement as above, but this time you will notice the noquery option is removed allowing said network to query this server. The following example allows everyone within the 10.0.0.0/24 network to query the server.
restrict 10.0.0.0 mask 255.255.255.0 nomodify notrap
As with most services localhost gets full access. For this we use the same restrict statement but with no options.
restrict 127.0.0.1
That’s it, we have now configured our NTP server to pull time synchronization from stratum 1 servers, and accept time synchronization requests from computers on our network. Now we have to start the service and make sure the service starts at boot. Before we go crazy let’s make sure everything is working as expected and also run an initial update.
First, let’s run an initial synchronization.
ntpq -p 0.us.pool.ntp.org
Expected output:
remote refid st t when poll reach delay offset jitter
==============================================================================
*0.us.pool.ntp.org 128.32.206.55 3 u 15 64 377 0.870 -0.164 0.170
The important thing to note in the above output is delay, offset and jitter should all be NON ZERO numbers and the jitter should be under 100. You can run the initial synchronization multiple times if you wish.
Now that we have done our initial sync and check completed, let’s start the service.
/etc/init.d/ntpd start
or
service ntpd start
When the service is started you should see something similar to this in your logs (/var/log/messages).
Mar 31 13:07:04 bighat ntpdate[18253]: step time server 66.191.139.149 offset 0.000574 sec
Ensure the service starts at boot:
chkconfig ntpd on
That's it, now you can configure your client systems to connect to this system as a time source.