Monday, April 14, 2008

Network Time Protocol (NTP) - Server Configuration

(NOTE: This documentation is based on my experience in SuSE Linux. Settings may vary in other flavours of Linux)

NTP is the standard for time synchronization. NTP is responsible for ensuring that all the servers on the Internet are time synchronized; that is, they all refer to the same time. To reach this goal, all the servers communicate the same time, no matter what time zone they are in. This time is known as Universal Time Coordinated (UTC); a server receives its time in UTC and then calculates its local time from that by using the time zone setting and any daylight saving time settings. More about NTP …

[ Tip: The time zone can be changed in the /etc/sysconfig/clock file. Once changed, the service /etc/init.d/boot.clock should be restarted. ]

A server can determine its time in two ways.

(1) By synchronizing with another NTP time server (or

If a server synchronizes with an NTP time server, the stratum used on that server will be determined by the server it is synchronizing with; if a server synchronizes with a stratum 3 time server, it will automatically become a stratum 4 time server by itself. (What is stratum?)

(2) By using a reference clock

If a server uses a reference clock, the server does not get its time from a server on the Internet but will determine its own time. The default stratum used is determined by the type and brand of reference clock that is used. If it is a reliable clock such as a clock related to GPS, the default stratum setting will be high; if it is a less reliable clock (such as the local clock in a computer), the default stratum will be lower.

Configuring a Stand-Alone NTP Time Server

You need just 2 elements to configure your own NTP time server.

(1) The configuration file (/etc/ntp.conf)

(2) And the daemon process (/etc/init.d/xntpd)

The configuration file (/etc/ntp.conf)

(a) Configuring ntp.conf

Add the following lines to the /etc/ntp.conf file.

server 127.127.1.0

fudge 127.127.1.0 stratum 10

server ntp.yourprovider.somewhere minpoll 4 maxpoll 15

The first line specifies what the NTP process should use if the connection with the NTP time server is lost for a longer period; this line makes sure the local clock in your server will not drift too much. This line references the local clock.

The second line defines what should happen when the server falls back to the local reference clock mentioned on the first line. It starts with the keyword fudge to indicate a situation that is not normal. In this situation, the server uses the local clock and sets its stratum to 10. By using this stratum, the server indicates that it is not very trustworthy, but it ensures that it can still be used as a time source.

The last line shows what should happen under normal circumstances. It refers to an IP address or server name on the network of your Internet provider. The values for the minpoll and maxpoll parameters are kind of weird: they refer to the power of 2 that should be used. Therefore, minpoll 4 is in fact 2^4, which equals 16 seconds. The default value is 1024, i.e. 2^10. You can use any value from 4 to 17. The minpoll value determines how often a client should try to synchronize its time when the time is currently not synchronized properly. The maxpoll value indicates how often synchronization should occur when the time is synchronized properly.

[ Tip: If you are looking for an NTP time server, visit http://www.ntp.org/. You can also set pool.ntp.org as your time server, which is a publicly available time server on the Internet. ]

(b) Tuning Your NTP Server

Using the NTP Drift File: No matter how accurate the local clock in your computer is, it always has a small defect: either the clock is running too fast or it is running too slow. This difference is referred to as the drift factor of the clock. To adjust for it, the NTP process maintains a file called the drift file, which is automatically created when NTP is started for the first time. The default location of the drift file is /var/lib/ntp/drift/ntp.drift. You can tune where the file is created by using the driftfile parameter in ntp.conf:

driftfile /var/lib/ntp/drift/ntp.drift

(c) Securing Your NTP Server

If you want to prevent the rest of the world from accessing your NTP server while still allowing your local network, add the following lines to the ntp.conf file.

restrict default noquery notrust nomodify

restrict 127.0.0.1

restrict 192.168.0.0 mask 255.255.255.0

You can also enforce this restriction in your firewall.
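ntpd applies only the single most specific restrict line that matches a client, so the flags on the default line do not carry over to a more specific line without flags. As an added illustration (not code from the original post), this Python checker parses a constructed ntp.conf built from the lines above and reports which flags a given client address actually receives:

```python
import ipaddress

# Constructed sample ntp.conf assembled from the lines shown in this post.
# The non-restrict directives are included so the parser must skip them.
SAMPLE_NTP_CONF = """\
server 127.127.1.0
fudge 127.127.1.0 stratum 10
server ntp.yourprovider.somewhere minpoll 4 maxpoll 15
driftfile /var/lib/ntp/drift/ntp.drift
restrict default noquery notrust nomodify
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0
"""

def parse_restrict_lines(conf_text):
    """Return [(network, set_of_flags), ...] from the restrict lines."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line.startswith("restrict "):
            continue
        tokens = line.split()[1:]
        if tokens[0] == "default":                # 'default' is 0.0.0.0 mask 0.0.0.0
            net, flags = ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
        elif tokens[1:2] == ["mask"]:             # address followed by a netmask
            net = ipaddress.ip_network(f"{tokens[0]}/{tokens[2]}", strict=False)
            flags = tokens[3:]
        else:                                     # bare address means one host
            net, flags = ipaddress.ip_network(f"{tokens[0]}/32"), tokens[1:]
        rules.append((net, set(flags)))
    return rules

def flags_for_client(rules, client_ip):
    """Pick the most specific matching restrict line (longest prefix); only its
    flags apply, so a LAN line with no flags lifts every 'default' restriction."""
    ip = ipaddress.ip_address(client_ip)
    matches = [(net, flags) for net, flags in rules if ip in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def client_may(rules, client_ip, action):
    """action is 'query', 'modify' or 'serve'; an 'ignore' flag blocks all."""
    flags = flags_for_client(rules, client_ip)
    if flags is None or "ignore" in flags:
        return False
    return f"no{action}" not in flags
```

Running it against the three lines from this post shows that Internet hosts are still served time (no noserve on the default line) and that the 192.168.0.0/24 line, having no flags, also permits query and modify from the LAN; add nomodify to that line if LAN hosts should only synchronize and query.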

The Daemon xntpd

Once the configuration settings are done successfully, start the NTP daemon with the following command:

rcxntpd restart

Adding this service to default run-levels:

insserv xntpd
