Last updated on September 8, 2020 by Sarmed Rahman
Network Time Protocol (NTP) is used to synchronize the system clocks of different hosts over a network. All managed hosts can synchronize their time with a designated time server called an NTP server. An NTP server, on the other hand, synchronizes its own time with a public NTP server or any server of your choice. The system clocks of all NTP-managed devices are synchronized to millisecond precision.
In a corporate environment where the firewall is not opened up for NTP traffic, it is necessary to set up an in-house NTP server and let employees use the internal server instead of public NTP servers. In this tutorial, we will describe how to configure a CentOS system as an NTP server. Before going into detail, let's go over the concept of NTP first.
Due to manufacturing variances, not all (non-atomic) clocks run at exactly the same speed. Some clocks tend to run faster, while some run slower. So over a long period, the time of one clock gradually drifts from another, causing what is known as clock drift or time drift. To minimize the effect of clock drift, hosts using NTP should periodically communicate with a designated NTP server to keep their clocks in sync.
Time synchrony across different hosts is important for things like scheduled backup, intrusion detection logging, distributed job scheduling or transaction bookkeeping. It may even be required as part of regulatory compliance.
NTP clocks are organized in a layered hierarchy. Each level of the hierarchy is called a stratum. The notion of stratum describes how many NTP hops away a machine is from an authoritative time source.
Stratum 0 is populated with clocks that have virtually no time drifts, such as atomic clocks. These clocks cannot be directly used over the network. Stratum N (N > 1) servers synchronize their time against Stratum N-1 servers. Stratum N clocks may be connected with each other over network.
NTP supports up to 15 stratums in the hierarchy. Stratum 16 is considered unsynchronized and unusable.
Now let's proceed to set up an NTP server on CentOS.
First of all, we need to make sure that the time zone of the server is set up correctly. In CentOS 7, we can use the timedatectl command to view and change the server time zone (e.g., Australia/Adelaide).
# timedatectl list-timezones | grep Australia
# timedatectl set-timezone Australia/Adelaide
# timedatectl
Go ahead and set up necessary software using yum.
# yum install ntp
Then we will add the global NTP servers to synchronize time with.
# vim /etc/ntp.conf
server 0.oceania.pool.ntp.org
server 1.oceania.pool.ntp.org
server 2.oceania.pool.ntp.org
server 3.oceania.pool.ntp.org
By default, NTP server logs are saved in /var/log/messages. If you want to use a custom log file, that can be specified as well.
logfile /var/log/ntpd.log
If you opt for a custom log file, make sure to change its ownership and SELinux context.
# chown ntp:ntp /var/log/ntpd.log
# chcon -t ntpd_log_t /var/log/ntpd.log
Now start the NTP service and make sure it's added to startup. On CentOS 7, the service installed by the ntp package is named ntpd.
# systemctl restart ntpd
# systemctl enable ntpd
We can use the ntpq command to check how the local server's clock is synchronized via NTP.
The following table explains the output columns.
remote | The sources defined in ntp.conf. * indicates the current and best source; + indicates sources that are available as NTP sources. Sources marked with - are considered unusable.
refid | The IP address of the clock with which the remote server's clock is synchronized.
st | Stratum.
t | Type. u is for unicast. Other values may include local, multicast, broadcast.
when | The time elapsed (in seconds) since the last contact with the server.
poll | Polling frequency with the server in seconds.
reach | An octal value that indicates whether there are any errors in communication with the server. The value 377 indicates 100% success.
delay | The round trip time between our server and the remote server.
offset | The time difference between our server and the remote server in milliseconds.
jitter | The average time difference in milliseconds between two samples.
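The columns described above can be checked by a monitoring job. The following Python code is an added example, not part of the original article: it parses the peer table printed by `ntpq -p`, decodes the octal reach register into a count of answered polls, and lists the sources an operator should look at. The sample output, host names, function names and the 100 ms offset threshold are constructed for illustration.

```python
# Constructed sample of `ntpq -p` output (hosts and addresses are placeholders).
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.org 203.0.113.10    2 u   45   64  377   12.345    0.512   0.233
+ntp2.example.org 198.51.100.7    2 u   12   64  377   15.102   -1.204   0.410
-ntp3.example.org 192.0.2.44      3 u   60   64  357   48.900   25.771   3.018
 ntp4.example.org .INIT.         16 u    -   64    0    0.000    0.000   0.000
"""

# Tally character in the first column, as explained in the "remote" row.
TALLY = {"*": "selected", "+": "candidate", "-": "discarded", " ": "rejected"}

def parse_peers(text):
    """Turn the peer table into a list of dicts, one per source."""
    peers = []
    for line in text.splitlines()[2:]:           # skip header and ruler line
        tally, fields = line[:1], line[1:].split()
        if len(fields) != 10:
            continue                             # blank line or not a peer row
        remote, refid, st, _t, _when, _poll, reach, _delay, offset, _jitter = fields
        reach_bits = int(reach, 8)               # reach is printed in octal
        peers.append({
            "remote": remote, "refid": refid,
            "state": TALLY.get(tally, "other"),
            "stratum": int(st),
            "polls_ok": bin(reach_bits).count("1"),  # answered polls out of last 8
            "offset_ms": float(offset),
        })
    return peers

def health(peers, max_offset_ms=100.0):
    """Return warnings for the operator (the threshold is an assumption)."""
    warnings = []
    if not any(p["state"] == "selected" for p in peers):
        warnings.append("no source selected: clock is not synchronized")
    for p in peers:
        if p["stratum"] >= 16:
            warnings.append(f"{p['remote']}: stratum 16 (unsynchronized)")
        elif p["polls_ok"] < 8:
            warnings.append(f"{p['remote']}: {p['polls_ok']}/8 recent polls answered")
        if abs(p["offset_ms"]) > max_offset_ms:
            warnings.append(f"{p['remote']}: offset {p['offset_ms']} ms")
    return warnings

if __name__ == "__main__":
    for w in health(parse_peers(SAMPLE)):
        print(w)
```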
By default, the NTP server allows incoming queries from all hosts. If you want to filter incoming NTP synchronization connections, you could add rules in your firewall to filter the traffic.
# iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 123 -j ACCEPT
# iptables -A INPUT -p udp --dport 123 -j DROP
These rules allow NTP traffic (on port UDP/123) from 192.168.1.0/24 and drop NTP traffic from all other networks. You can update the rules to match your requirements.
End-hosts need NTP client software (e.g., ntp or Chrony) to synchronize time against the server. The ntp or Chrony package can be easily installed using yum or apt-get. After installing the client package, run the command with the IP address of the server.
# ntpdate -u <server-IP-address>
Or:
# chronyd -q 'server <server-IP-address> iburst'
If you are using Windows, look for Internet Time under Date and Time settings.
If you want to synchronize the time of a Cisco device, you can use the following command from the global configuration mode.
# ntp server <server-IP-address>
NTP enabled devices from other vendors have their own parameters for Internet time. Please check the documentation of the device if you want to synchronize its time with the NTP server.
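To confirm from a client that the new server answers on UDP/123 and reports a usable stratum, the exchange can be done by hand. The following Python code is an added example, not part of the original article: it builds the 48-byte client request, decodes the reply header (leap indicator, version, mode, stratum, transmit timestamp as laid out in RFC 5905), and decides whether the server is synchronized. The function names and the two sample replies are constructed for illustration.

```python
import socket
import struct

NTP_UNIX_DELTA = 2208988800      # seconds between 1900-01-01 and 1970-01-01

def build_request():
    """48-byte client packet: leap 0, version 4, mode 3 (client)."""
    return bytes([(0 << 6) | (4 << 3) | 3]) + bytes(47)

def parse_response(packet):
    """Decode the header fields a client needs to judge the server."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    first, stratum = packet[0], packet[1]
    tx_sec, tx_frac = struct.unpack("!II", packet[40:48])   # transmit timestamp
    leap, mode = first >> 6, first & 0x7
    return {
        "leap": leap, "version": (first >> 3) & 0x7, "mode": mode,
        "stratum": stratum,
        "unix_time": tx_sec - NTP_UNIX_DELTA + tx_frac / 2**32,
        # usable: a server reply (mode 4), no leap alarm (3), stratum 1..15
        "synchronized": mode == 4 and leap != 3 and 1 <= stratum <= 15,
    }

def query(server, timeout=2.0):
    """Send one request over UDP/123 and return the parsed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_request(), (server, 123))
        data, _ = s.recvfrom(512)
    return parse_response(data)

# Constructed replies: a synchronized stratum-3 server, and a server that has
# not synchronized yet (leap indicator 3, stratum 0 on the wire).
GOOD = bytes([0x24, 3, 6, 0xEC]) + bytes(36) + struct.pack("!II", 3808512000, 1 << 31)
UNSYNC = bytes([0xE4, 0, 6, 0xEC]) + bytes(44)

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("unsync", UNSYNC)):
        print(name, parse_response(pkt))
```

Calling `query("<server-IP-address>")` from a host inside the allowed network tests the live server; a timeout from an allowed host points at the firewall rules or the service itself.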
To sum up, NTP is a protocol that keeps the clocks across all your hosts in sync. We have demonstrated how we can set up an NTP server, and let NTP enabled devices synchronize their time against the server.
Hope this helps.
Please note that this article is published by Xmodulo.com under a Creative Commons Attribution-ShareAlike 3.0 Unported License. If you would like to use the whole or any part of this article, you need to cite this web page at Xmodulo.com as the original source.