How to install and configure NTP Server (ntpd) to synchronize Linux server clock over the Internet on CentOS, RHEL, Fedora
Every now and then I have to work on servers running CentOS or Fedora Linux. A very typical problem I observe on many servers I inherit is that the previous administrator did not know about the existence of NTP (Network Time Protocol) or forgot to install the ntpd server. As a consequence, many of the installed server services did not have a correct clock, and in some specific cases this caused issues for web applications or any CMS running on the server.
The NTP daemon has existed in GNU/Linux since the early days of Linux and has served quite well so far. The NTP protocol has been used since the early days of the Internet and has long been a standard protocol on BSD UNIX. ntp is available, I believe, in all Linux distributions directly as a precompiled binary and can be installed on Fedora and CentOS with:
[root@centos ~]# yum install ntp
ntpd synchronizes the server clock with one of the Red Hat NTP pool servers defined in /etc/ntp.conf:
server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org
To synchronize the server system clock manually, the ntp CentOS rpm package contains a tool called ntpdate. It is good practice to use ntpdate to synchronize the local server time with an Internet time server; the way I prefer to do this is via a government-owned NTP server, time.nist.gov, e.g.:
[root@centos ~]# ntpdate time.nist.gov
8 Feb 14:21:03 ntpdate[9855]: adjust time server 192.43.244.18 offset -0.003770 sec
Alternatively, if you prefer to use one of the Red Hat pool servers, use:
[root@centos ~]# ntpdate 0.rhel.pool.ntp.org
8 Feb 14:20:41 ntpdate[9841]: adjust time server 72.26.198.240 offset 0.005671 sec
Now that the system time has been set correctly via the NTP server, the ntpd server itself can be launched:
[root@centos ~]# /etc/init.d/ntpd start
...
To permanently enable the ntpd service to start at boot time, also issue:
[root@centos ~]# chkconfig ntpd on
Using the chkconfig and /etc/init.d/ntpd commands makes the NTP server run permanently as the ntpd daemon:
[root@centos ~]# ps ax |grep -i ntp
29861 ? SLs 0:00 ntpd -u ntp:ntp -p /var/run/ntpd.pid -g
If you prefer to synchronize the system clock periodically instead of running a network daemon that listens permanently (for increased security), omit the chkconfig ntpd on and /etc/init.d/ntpd start commands above and instead set up a root cron job that synchronizes the time, let's say every 30 minutes, like so (ntpd -q sets the clock once and exits):
[root@centos ~]# echo '*/30 * * * * root /sbin/ntpd -q -u ntp:ntp' > /etc/cron.d/ntpd
The time synchronization via crontab can also be done using the ntpdate command. For example, to synchronize the server system clock with a network time server every 5 minutes:
[root@centos ~]# crontab -u root -e
And paste inside (stdout and stderr are both discarded; the original 2>1 would have written stderr to a file named "1"):
*/5 * * * * /sbin/ntpdate time.nist.gov > /dev/null 2>&1
The ntp package also ships with ntpq, the Standard NTP Query Program. To get very basic stats for the running ntpd daemon use:
[root@centos ~]# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 B1-66ER.matrix.  192.43.244.18    2 u   47   64   17  149.280   41.455  11.297
*ponderosa.piney  209.51.161.238   2 u   27   64   37  126.933   32.149   8.382
 www2.bitvector.  132.163.4.103    2 u    1   64   37  202.433   12.994  13.999
 LOCAL(0)         .LOCL.          10 l   24   64   37    0.000    0.000   0.001
The remote field shows the servers to which the ntpd service is currently connected; these are the servers ntp uses to synchronize the local system clock, and the * in front of ponderosa.piney marks the peer ntpd is currently synchronized to. The when field shows how many seconds ago the last response from that remote time server was received, and the rest is statistical information about connection quality (the reach bitmask, delay, offset and jitter in milliseconds) etc.
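The ntpq -p listing above is also what you would check from a cron or monitoring job to catch a server whose clock has silently drifted. The following script is an added example, not part of the original post: it parses ntpq -p output, reports which peer is selected and whether its offset is within a threshold, and treats a selected LOCAL(0) clock as "not really synchronized". MAX_OFFSET_MS is an assumed alerting threshold of my own, and the sample output is constructed from the listing in the post.

```shell
#!/bin/sh
# Added example: decide from "ntpq -p" output whether ntpd is really in sync.
# A line whose first column is "*" is the peer ntpd currently syncs to; if
# that peer is LOCAL(0) the box is only free-running on its own clock.
# MAX_OFFSET_MS is an assumed alerting threshold (not from the original post).
MAX_OFFSET_MS=500

# Sample "ntpq -p" output, constructed from the listing shown in the post.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 B1-66ER.matrix.  192.43.244.18    2 u   47   64   17  149.280   41.455  11.297
*ponderosa.piney  209.51.161.238   2 u   27   64   37  126.933   32.149   8.382
 www2.bitvector.  132.163.4.103    2 u    1   64   37  202.433   12.994  13.999
 LOCAL(0)         .LOCL.          10 l   24   64   37    0.000    0.000   0.001'

# ntp_sync_state "<ntpq -p output>" prints one of:
#   SYNCED <peer> <offset_ms>  a network peer is selected and within threshold
#   DRIFT  <peer> <offset_ms>  a peer is selected but |offset| > MAX_OFFSET_MS
#   LOCAL                      only the local clock is selected (no real sync)
#   NOSYNC                     no peer selected yet (e.g. right after startup)
ntp_sync_state() {
    printf '%s\n' "$1" | awk -v max="$MAX_OFFSET_MS" '
        NR <= 2 { next }                          # skip header and ==== line
        substr($0, 1, 1) == "*" {
            peer = substr($1, 2)                  # strip the "*" tally code
            off = $9; if (off < 0) off = -off     # offset column, milliseconds
            if (peer ~ /^LOCAL\(/) { print "LOCAL"; found = 1; exit }
            if (off > max) print "DRIFT", peer, $9
            else           print "SYNCED", peer, $9
            found = 1; exit
        }
        END { if (!found) print "NOSYNC" }'
}

# With --live, query the running ntpd; exit 0 only when healthy, so the
# script can be used directly as a cron or monitoring check.
if [ "${1:-}" = "--live" ]; then
    state=$(ntp_sync_state "$(ntpq -p 2>/dev/null)")
    echo "$state"
    case $state in SYNCED*) exit 0 ;; *) exit 1 ;; esac
fi
```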
If the NTP server is to run in daemon mode (ntpd running in the background), it is a good idea to allow NTP connections only from the local network and filter all other incoming connections to UDP port 123 in /etc/sysconfig/iptables (the last rule uses 0.0.0.0/0 so it matches any source; a bare 0.0.0.0 would match only that single address):
-A INPUT -s 192.168.1.0/24 -m state --state NEW -p udp --dport 123 -j ACCEPT
-A INPUT -s 127.0.0.1 -m state --state NEW -p udp --dport 123 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -m state --state NEW -p udp --dport 123 -j DROP
Restrictions on which IPs can connect to the NTP server can also be applied at the ntpd level through /etc/ntp.conf. For example, to allow the local network IP range 192.168.0.1/24 to access ntpd, add the following policy to /etc/ntp.conf:
# Hosts on local network are less restricted.
restrict 192.168.0.1 mask 255.255.255.0 nomodify notrap
To deny access to the ntpd server from any machine by default, add to /etc/ntp.conf:
restrict default ignore
After making any changes to ntp.conf, a restart of the server is required to load the new config settings, e.g.:
[root@centos ~]# /sbin/service ntpd restart
In most cases I think it is better to apply restrictions at the iptables (firewall) level instead of bothering to change the default ntp.conf.
Once ntpd is running as a daemon, the server listens for connections on UDP port 123; to see this use:
[root@centos ~]# netstat -tulpn|grep -i ntp
udp 0 0 10.10.10.123:123 0.0.0.0:* 29861/ntpd
udp 0 0 80.95.28.179:123 0.0.0.0:* 29861/ntpd
udp 0 0 127.0.0.1:123 0.0.0.0:* 29861/ntpd
udp 0 0 0.0.0.0:123 0.0.0.0:* 29861/ntpd