NTP: Setting up an NTP server

chrony is the default NTP service on newer OS releases (Red Hat 7.2 and later, any recent Ubuntu release).

chrony has several advantages over ntpd:

  • Quicker synchronisation.
  • Better response to changes in clock frequency (very useful for VMs).
  • Periodic polling of time servers isn’t required.

It lacks some features such as broadcast, multicast and Autokey packet authentication. When these are required, or for systems that will be switched on continuously, ntpd is a better choice.

A more comprehensive comparison list is available here:

https://chrony.tuxfamily.org/comparison.html

Locate a pool, or a set of public NTP servers, as close to you as possible.

https://www.pool.ntp.org/en/

Setting a chrony NTP server

chrony is installed by default on many distros. If you don’t already have it, install it.

Edit the configuration file.

# vi /etc/chrony.conf

Make the following changes.

# Edit the time sources of your choice
# iburst makes the initial sync faster

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Helps stabilise the initial sync after restarts

driftfile /var/lib/chrony/drift

# Allows serving time even if the sources above aren't available

local stratum 8

# Opens the NTP port to respond to clients' requests
# Replace with your clients' subnet

allow 192.168.1.0/24

# Enables support for the settime command in chronyc

manual

Start and enable the service.

# systemctl start chronyd

# systemctl enable chronyd

Check the firewall configuration in the last section.

Chrony client configuration

server [IP/HOSTNAME OF ABOVE SERVER] iburst
driftfile /var/lib/chrony/drift
logdir /var/log/chrony
log measurements statistics tracking

Checking chrony

[Check if the service is running (the unit is called chronyd on Red Hat and chrony on Ubuntu)]
$ systemctl status chrony

[Display the system's clock performance]
$ chronyc tracking

[Display time sources]
$ chronyc sources
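The three commands above are what you run by hand. For an automated check, the POSIX shell function below (an added example, not code from the original page) reads `chronyc tracking` output and decides whether the host is actually synchronised: leap status must be Normal, the stratum must be sane and the offset from NTP time must be under a limit. It is exercised here against two constructed samples embedded in the script; on a live host you would pass it `$(chronyc tracking)`. The thresholds are assumptions to tune to your own policy. A clock that has quietly stopped synchronising breaks log correlation, Kerberos and certificate validity checks, so a check like this is worth wiring into monitoring.

```shell
#!/bin/sh
# Added example (not from the original page): decide from `chronyc tracking`
# output whether this host is safely synchronised.

MAX_OFFSET_SECONDS="0.5"   # assumption: alert when more than half a second off
MAX_STRATUM=10             # assumption: anything above this is not a trustworthy source

# Constructed sample of `chronyc tracking` output from a healthy client.
SAMPLE_OK='Reference ID    : C0A80101 (ntp.example.internal)
Stratum         : 3
Ref time (UTC)  : Mon Jan 01 00:00:00 2024
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000098765 seconds
RMS offset      : 0.000150000 seconds
Leap status     : Normal'

# Constructed sample from a host that has never synchronised.
SAMPLE_BAD='Reference ID    : 7F7F0101 ()
Stratum         : 10
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds slow of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Leap status     : Not synchronised'

# chrony_healthy TRACKING_OUTPUT -> returns 0 when every check passes, 1 otherwise
chrony_healthy() {
    out="$1"
    # Each field is "Name : value"; split on the colon-space separator
    leap=$(printf '%s\n' "$out" | awk -F': ' '/^Leap status/ {print $2}')
    stratum=$(printf '%s\n' "$out" | awk -F': ' '/^Stratum/ {print $2}')
    offset=$(printf '%s\n' "$out" | awk -F': ' '/^System time/ {print $2}' | awk '{print $1}')

    [ "$leap" = "Normal" ] || { echo "leap status: $leap"; return 1; }
    [ "$stratum" -le "$MAX_STRATUM" ] || { echo "stratum too high: $stratum"; return 1; }
    # awk does the floating-point comparison that POSIX sh cannot
    awk -v o="$offset" -v max="$MAX_OFFSET_SECONDS" \
        'BEGIN { if (o+0 > max+0) exit 1; exit 0 }' \
        || { echo "offset too large: $offset s"; return 1; }
    return 0
}

# Demonstration on the constructed samples; a real check would use "$(chronyc tracking)"
chrony_healthy "$SAMPLE_OK"  && echo "sample 1: healthy"
chrony_healthy "$SAMPLE_BAD" || echo "sample 2: unhealthy (expected)"
```

Run it from cron or a monitoring agent and alert on a non-zero exit; the message it prints says which of the three checks failed.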

More information on chrony:

https://chrony.tuxfamily.org/faq.html

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_the_chrony_suite

Setting an ntpd NTP server

Install ntpd for your distro if not already present.

# yum install ntp
# dnf install ntp
# apt install ntp

Syncing to the server’s own system clock

If the system is going to be isolated, with no internet connection or any other time source available, you can use its internal clock.

Edit /etc/ntp.conf.

# To point ntpd to sync with its own system clock
server 127.127.1.0 prefer
fudge 127.127.1.0
driftfile /etc/ntp.drift
tracefile /etc/ntp.trace

This will work in a network “island”, but the time it serves won’t be accurate. It is best to sync from other time sources (next section).

Syncing to other NTP servers

# Edit the time sources of your choice
# iburst makes the initial sync faster
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

# Insert your own subnet address
# nomodify - Disallows clients from changing the server's state via ntpq/ntpdc
# notrap - Declines mode 6 control-message trap service to these clients
restrict 192.168.1.0 netmask 255.255.255.0 nomodify notrap

# Indicates where to keep logs
logfile /var/log/ntp.log

Start, enable and check ntpd status:

# systemctl start ntpd
# systemctl enable ntpd
# systemctl status ntpd

Remember that you will need to open your firewall to allow NTP queries. There are some instructions further down.

ntpd client configuration

server [IP/HOSTNAME OF ABOVE SERVER] iburst
driftfile /var/lib/ntp/drift

Checking ntpd

$ ntpq -p
$ date -R
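`ntpq -p` prints a peer table, and the thing to look for is the tally code in the first column: `*` marks the peer ntpd is actually following, `+` a candidate, a blank an unusable one. The POSIX shell function below (an added example, not code from the original page) parses that table and passes only when a `*` peer exists, has answered all of the last eight polls (reach 377) and sits within an offset limit. It runs against two constructed samples embedded in the script; on a live host you would pass it `$(ntpq -p)`. The offset limit is an assumption.

```shell
#!/bin/sh
# Added example (not from the original page): check `ntpq -p` output for a
# selected, fully reachable system peer within an offset limit.

MAX_OFFSET_MS="100"   # assumption: alert when the chosen peer is more than 100 ms off

# Constructed sample of `ntpq -p` output from a healthy client.
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.in 192.0.2.10       2 u   34   64  377    0.412   -0.215   0.089
+ntp2.example.in 192.0.2.11       2 u   12   64  377    0.550    0.131   0.102
 ntp3.example.in .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# Constructed sample where no peer has been selected yet (all .INIT., reach 0).
SAMPLE_BAD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp1.example.in .INIT.          16 u    -   64    0    0.000    0.000   0.000
 ntp2.example.in .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# ntpd_healthy NTPQ_OUTPUT -> 0 when a system peer is selected, fully reachable
# and within MAX_OFFSET_MS; 1 otherwise (with a reason printed)
ntpd_healthy() {
    printf '%s\n' "$1" | awk -v max="$MAX_OFFSET_MS" '
        # Columns: remote refid st t when poll reach delay offset jitter
        /^\*/ {
            found = 1
            reach = $7
            offset = $9 + 0
            if (offset < 0) offset = -offset
            if (reach != "377") {
                print "system peer " $1 " not fully reachable (reach " reach ")"; bad = 1
            }
            if (offset > max + 0) {
                print "system peer " $1 " offset " $9 " ms exceeds " max " ms"; bad = 1
            }
        }
        END {
            if (!found) { print "no system peer selected (no * line)"; exit 1 }
            if (bad) exit 1
            exit 0
        }'
}

# Demonstration on the constructed samples; a real check would use "$(ntpq -p)"
ntpd_healthy "$SAMPLE_OK"  && echo "sample 1: healthy"
ntpd_healthy "$SAMPLE_BAD" || echo "sample 2: unhealthy (expected)"
```

Right after a restart every peer shows `.INIT.` and reach 0, so give ntpd a few minutes (iburst shortens this) before treating a failure as a real problem.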

More information on ntpd:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system_administrators_guide/ch-configuring_ntp_using_ntpd

Firewall

Remember that you might need to open your firewall for clients to connect to your server.

[Red Hat / CentOS]

# firewall-cmd --add-service=ntp --permanent
# firewall-cmd --reload

[Ubuntu]

# ufw allow ntp

or

# ufw allow 123/udp

You might also want to restrict the rule so that only certain subnets or clients can reach the server.
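The rules above open UDP/123 to every source address. Both firewalld and ufw can scope a rule to a source subnet, which keeps the NTP service reachable by your clients only. The POSIX shell script below (an added example, not code from the original page) validates an IPv4 CIDR and then prints the subnet-scoped equivalents: a firewalld rich rule for Red Hat / CentOS and a `from … to any port 123 proto udp` rule for ufw. Passing `apply` as the second argument runs whichever tool is installed. The subnet 192.168.1.0/24 is just the example value used elsewhere on this page.

```shell
#!/bin/sh
# Added example (not from the original page): open UDP/123 only to a named
# client subnet. Prints the commands by default; "apply" runs them.

# valid_ipv4_cidr a.b.c.d/n -> 0 when every octet is 0-255 and n is 0-32
valid_ipv4_cidr() {
    cidr="$1"
    case "$cidr" in
        */*) ;;
        *) return 1 ;;
    esac
    ip=${cidr%/*}
    prefix=${cidr#*/}
    case "$prefix" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$prefix" -le 32 ] || return 1
    n=0
    old_ifs=$IFS
    IFS=.
    for octet in $ip; do
        case "$octet" in
            ''|*[!0-9]*) IFS=$old_ifs; return 1 ;;
        esac
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
        n=$((n + 1))
    done
    IFS=$old_ifs
    [ "$n" -eq 4 ]
}

# ntp_allow_rules CIDR [apply] -> prints (or applies) subnet-scoped NTP rules
ntp_allow_rules() {
    cidr="$1"
    mode="${2:-print}"
    valid_ipv4_cidr "$cidr" || { echo "invalid IPv4 CIDR: $cidr" >&2; return 1; }

    # firewalld (Red Hat / CentOS): accept the ntp service only from the subnet
    fw1="firewall-cmd --permanent --add-rich-rule='rule family=\"ipv4\" source address=\"$cidr\" service name=\"ntp\" accept'"
    fw2="firewall-cmd --reload"
    # ufw (Ubuntu): the same restriction as a from/to rule
    ufw1="ufw allow from $cidr to any port 123 proto udp"

    if [ "$mode" = "apply" ]; then
        if command -v firewall-cmd >/dev/null 2>&1; then
            eval "$fw1" && eval "$fw2"
        elif command -v ufw >/dev/null 2>&1; then
            eval "$ufw1"
        else
            echo "neither firewall-cmd nor ufw found" >&2
            return 1
        fi
    else
        printf '%s\n' "$fw1" "$fw2" "$ufw1"
    fi
}

# Print the rules for the example subnet used on this page
ntp_allow_rules 192.168.1.0/24
```

If you apply a scoped rule, remove the unscoped `--add-service=ntp` / `ufw allow ntp` rule as well, otherwise the broader rule still admits everyone.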

You can add lines to the chrony and ntpd configurations to allow IPv6 traffic. You would also need to add additional firewall rules. IPv4 is shown here for simplicity (and also because I don’t have the requirement). 🙂