Sep 192007
 

Sponsored Link

The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 as its transport layer. It is designed particularly to resist the effects of variable latency (Jitter).

Using NTP is a great way to keep your system clock set correctly. It works by contacting a number of servers around the world, asking them for the time and then calculating what the correct local time is from their responses.

Install NTP server in Debian

#apt-get install ntp ntpdate ntp-server

This will install all the required packages for NTP

Configuring NTP Server

By Default main configuration file located at /etc/ntp.conf

Default configuration file looks like below

#/etc/ntp.conf, configuration for ntpd

driftfile /var/lib/ntp/ntp.drift
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to more than 300 low-stratum NTP servers.
# Your server will pick a different set every time it starts up.
# *** Please consider joining the pool! ***
# *** ***
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst

# By default, exchange time with everybody, but don't allow configuration.
# See /usr/share/doc/ntp-doc/html/accopt.html for details.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access,
# but only if cryptographically authenticated
#restrict 192.168.123.0 mask 255.255.255.0 notrust

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet,
# de-comment the next lines. Please do this only if you trust everybody
# on the network!
#disable auth
#broadcastclient

Example Configuration

You need to add a number of servers to the server list. The Debian default is pool.ntp.org which works but isn't always amazingly accurate because it makes no attempt to use time servers near you. If you want more accuracy use the time servers either on your continent (for instance europe.pool.ntp.org) or your country (for instance uk.pool.ntp.org) one of your local country servers.The optimal number of servers to listen to is three but two will also give a good accuracy. If your ISP runs a time server for you it is worth including it in your server list as it will often be more accurate than the pooled servers and will help keep the load down on the pool.

I am using the following two servers for my configuration

server ntp0.pipex.net
server ntp1.pipex.net

Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.

restrict otherntp.server.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery

The mask 255.255.255.255 statement is really a subnet mask limiting access to the single IP address of the remote NTP servers.

If this server is also going to provide time for other computers, such as PCs, other Linux servers and networking devices, then you'll have to define the networks from which this server will accept NTP synchronization requests. You do so with a modified restrict statement removing the noquery keyword to allow the network to query your NTP server. The syntax is:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords

restrict 127.0.0.1

Save the file and exit

Now you need to run the ntpdate command against your server

#ntpdate ntp0.pipex.net

restart NTP for these settings to take effect using the following command

#/etc/init.d/ntp restart

You can now configure other Linux hosts on your network to synchronize with this new master NTP server in a similar fashion.

Determining If NTP Is Synchronized Properly

Use the ntpq command to see the servers with which you are synchronized. It provided you with a list of configured time servers and the delay, offset and jitter that your server is experiencing with them. For correct synchronization, the delay and offset values should be non-zero and the jitter value should be under 100.

#ntpq -p

Output looks like below

A star by any one of the names means that the system clock is synchronising with the NTP clock. If you don't have a star (as in the example above) it means that the clocks are unreachable, already synchronized to this server or has an outrageous synchronization distance. Try running ntpdate (you will need to stop the ntp server) with your first ntp server as an argument. This will set your system clock fairly accuratly and mean that the server will be able to choose a clock to synchronize with.

Firewall Configuration for NTP

NTP servers communicate with one another using UDP with a destination port of 123. Unlike most UDP protocols, the source port isn't a high port (above 1023), but 123 also. You'll have to allow UDP traffic on source/destination port 123 between your server and the Stratum 1/2 server with which you are synchronizing.

NTP Client Configuration

If you want to configure ntp client you need to install the following packages

#apt-get install ntp ntp-simple ntpdate

Configuring NTP client

You need to edit the /etc/ntp.conf file you need to point the following settings to NTP server ip address

Server configuration settings

server 192.168.1.1

Restrict the type of access you allow these servers. In this example the servers are not allowed to modify the run-time configuration or query your Linux NTP server.

restrict default notrust nomodify nopeer

Localhost configuration

restrict 192.168.1.1

In this case the mask statement has been expanded to include all 255 possible IP addresses on the local network.

We also want to make sure that localhost (the universal IP address used to refer to a Linux server itself) has full access without any restricting keywords

restrict 127.0.0.1

Now you need to save and exit the file

run ntpdate command against your server

ntpdate 192.168.1.1

Restart ntp service using the following command

/etc/init.d/ntp restart

If you use the date command to change time, it is worth setting also the hardware clock to the correct time. Otherwise, the time is wrong after the next reboot, since the hardware clock keeps the time when power is turned off. When the clock in the operating system shows the correct time, set the hardware clock like this

#hwclock --systohc

se the ntpq command to see the servers with which you are synchronized

#ntpq
#ntpdc -p

Sponsored Link

 Posted by at 11:24 am

  10 Responses to “NTP Server and Client Configuration in debian”

  1. When are you plan to upgrade article?
    ntp-simple ntpdate is no longer in debian lenny

  2. sorry, both are available

  3. How to open firewall with iptables on debian 4…

  4. apt-cache search ntp-server

    and output empty
    where package ntp-server….?

    do i am scan all cd…?
    i was scan 9 cd debian etch on my system….n i have 21 cd…

  5. help me….
    i want make ntp server on my network…

    pc server(debian)—–pc router(debian—–pc client(windows)…

    i want make ntp server lokal..just lokal n my pc server not connect internet

  6. Currently setting up a stratum 1 server – what is the typical setup for the ntp.conf file. For instance, I understand I need to include

    server 127.127.20.0 minpoll 4 maxpoll 4

    to read my gps receiver and set the polling parameters. But, is the gps receiver the only device the stratum 1 server gets its time from, or should other stratum 1 servers be listed as peers to help further refine and improve my stratum 1′s time?

    Any input would be appreciated thank you!

  7. What can I do, to get ntpdate running well on a virtual server?

  8. Great thanks for your article. It’s really usefull.

  9. Hello,

    I am a newbie on linux. I am trying to fix this for 4 days but still unable to sync with the Internet time server.
    I am trying to do synchronize to the internet time server using my internal server (running on redhat) but it does not work at all.
    After configuring the ntp.conf, i stop the ntpd and start again and still did not work. i able to update the Internet time server using ntpdate commad.

    Please comment on my configuration and show me show direction. :(

    [root@app3 ~]# ntpq -p
    remote refid st t when poll reach delay offset jitter
    ==============================================================================
    LOCAL(0) .LOCL. 10 l 8 64 1 0.000 0.000 0.001

    [root@app3 ~]# /etc/init.d/ntpd stop
    Shutting down ntpd: [ OK ]

    Configuration file:

    Running on:
    [root@app3 /]# /bin/bash –version
    GNU bash, version 3.2.25(1)-release (i686-redhat-linux-gnu)
    Copyright (C) 2005 Free Software Foundation, Inc.

    I am able to update using ntpdate:
    [root@app3 /]# ntpdate sg.pool.ntp.org
    1 Apr 16:42:22 ntpdate[4812]: adjust time server 202.150.213.154 offset 0.036360 sec

    Configuration file on /etc/ntp.conf

    restrict default ignore
    restrict 127.0.0.1

    #allow synchronization sources from the internet servers
    restrict server 3.sg.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
    restrict server 0.asia.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
    restrict server 2.asia.pool.ntp.org mask 255.255.255.255 nomodify notrap noquery

    #allow our internal server to synch to this server
    restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap noquery notrust

    server 127.127.1.0 #local system clock
    fudge 127.127.1.0 stratum 10
    driftfile /etc/ntp/drift
    logfile /var/log/ntp.log

  10. Peter,

    add following lice to your ntp.conf to point ntpd to server you choose:

    server sg.pool.ntp.org

    JS

 Leave a Reply

(required)

(required)

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>