Current revision updated by kpark322 on
Originally created by kpark322 on

Submitted by David Gaspard on Apr 5, 2013

*migrated from https://research.cc.gatech.edu/tso/content/configure-ntp-client-only


From the NSA guide:

3.10.2.1 Configure an NTP Client

There are a number of options for configuring clients to work with the reference NTP server. It is possible to run
ntpd as a service (i.e., continuously) on each host, configuring clients so that the ntp protocol ignores all network
access. This still introduces an additional network listener on client machines, and is therefore not recommended.
This guide instead recommends running ntpd periodically via cron. It is also possible to run ntpdate via cron
with the -u option, but ntpdate is being obsoleted in favor of ntpd -q, which performs the same one-shot synchronization.
Alternately, even if the server is running the reference NTP implementation, it is possible for clients to access it
using SNTP. See Section 3.10.3.2 for information about configuring SNTP clients.

3.10.2.1.1 Set Up Client NTP Configuration File

A valid configuration file for the client system's ntpd must exist at /etc/ntp.conf. Ensure that /etc/ntp.conf
contains the following line, where ntp-server is the hostname or IP address of the site NTP server:
server ntp-server
Note: The ntpd software also includes authentication support (shared symmetric keys and the Autokey public-key
scheme) which allows clients to verify the identity of the server, and thus protects the integrity of time data
against spoofed or tampered responses. See the ntpd documentation at http://www.ntp.org for more details on
implementing this recommended feature.

3.10.2.1.2 Run ntpd using Cron

Create a file /etc/cron.d/ntpd containing the following crontab:
15 * * * * root /usr/sbin/ntpd -q -u ntp:ntp
The -q option instructs ntpd to exit just after setting the clock, and the -u option instructs it to drop root
privileges and run as the specified user and group once the privileged setup is done.
Note: When setting the clock for the first time, execute the above command with the -g option: without it, ntpd
will refuse to step the clock if the offset from the source exceeds its panic threshold (1000 seconds by default),
and -g permits that one large initial correction.
This crontab will execute ntpd to synchronize the time to the NTP server at 15 minutes past every hour. (It is
possible to choose a different minute, or to vary the minute between machines in order to avoid heavy traffic to
the NTP server.) Hourly synchronization should be sufficiently frequent that clock drift will not be noticeable.
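The paragraph above suggests varying the minute between machines so that a fleet of clients does not all query the site server at the same instant. The following script is an added example, not part of the NSA guide: it derives a stable per-host minute from the hostname, prints the matching /etc/cron.d/ntpd entry, and installs it atomically. It assumes /usr/sbin/ntpd and the ntp user and group exist as the guide describes; the hostname is used only as a deterministic seed.

```shell
#!/bin/sh
# Added example (not from the NSA guide): stagger the hourly ntpd -q run
# per host so clients do not all hit the site NTP server at :15.
# Assumes /usr/sbin/ntpd and the ntp:ntp account from the guide exist.

# Deterministic minute in 0..59 derived from a hostname via cksum.
stagger_minute() {
    host="$1"
    sum=$(printf '%s' "$host" | cksum | cut -d' ' -f1)
    echo $(( sum % 60 ))
}

# Print the /etc/cron.d/ntpd entry for a host (defaults to this host).
ntpd_cron_entry() {
    host="${1:-$(hostname)}"
    minute=$(stagger_minute "$host")
    printf '%s * * * * root /usr/sbin/ntpd -q -u ntp:ntp\n' "$minute"
}

# Install the entry (run as root). Written to a temp file first and moved
# into place with mode 0644 so cron never reads a half-written crontab.
install_ntpd_cron() {
    target="${1:-/etc/cron.d/ntpd}"
    tmp=$(mktemp) || return 1
    ntpd_cron_entry > "$tmp" || { rm -f "$tmp"; return 1; }
    install -m 0644 "$tmp" "$target" && rm -f "$tmp"
}

# First-run step from the guide: -g allows one correction beyond the panic
# threshold; afterwards the cron job keeps the clock within it.
first_sync() {
    /usr/sbin/ntpd -q -g -u ntp:ntp
}
```

Run install_ntpd_cron once as root after first_sync; the cron entry then carries this host's fixed minute, and two hosts with different names almost always land on different minutes.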


3.10.2.2 Configure an NTP Server
The site’s NTP server contacts a central NTP server, probably either one provided by your ISP or a public time
server, to obtain accurate time data. The server then allows other machines on your network to request the time
data.
The NTP server configuration file is located at /etc/ntp.conf.
3.10.2.2.1 Enable the NTP Daemon
If this machine is an NTP server, ensure that ntpd is enabled at boot time:
# chkconfig ntpd on
3.10.2.2.2 Deny All Access to ntpd by Default
Edit the file /etc/ntp.conf. Prepend or correct the following line:
restrict default ignore
Since ntpd is a complex software package which listens for network connections and runs as root, it must be
protected from network access by unauthorized machines. This setting uses ntpd's internal access control to drop
all packets from any machine, server or client, which is not specifically permitted by a later restrict line.
Note that the default-deny also applies to the local host, so ntpq and ntpstat will not be able to query the
daemon for monitoring unless a line such as restrict 127.0.0.1 is added as well.

3.10.2.2.3 Specify a Remote NTP Server for Time Data
Find the IP address, server-ip, of an appropriate remote NTP server. Edit the file /etc/ntp.conf, and
add or correct the following lines:
restrict server-ip mask 255.255.255.255 nomodify notrap noquery
server server-ip
If your site does not require time data to be accurate, but merely to be synchronized among local machines, this
step can be omitted, and the NTP server will default to providing time data from the local clock. However, it is
a good idea to periodically synchronize the clock to some source of accurate time, even if it is not appropriate to
do so automatically.
The previous step disabled all remote access to this NTP server’s state data. This NTP server must contact a
remote server to obtain accurate data, so NTP’s configuration must allow that remote data to be used to modify
the system clock. The restrict line changes the default access permissions for that remote server. The server
line specifies the remote server as the preferred NTP server for time data. If you intend to synchronize to more
than one server, specify restrict and server lines for each server.
Note: It would be possible to specify a hostname, rather than an IP address, for the server field. However, the
restrict setting applies only to network blocks of IP addresses, so it is considered more maintainable to use the
IP address in both fields.

3.10.2.2.4 Allow Legitimate NTP Clients to Access the Server
Determine an appropriate network block, netwk, and network mask, mask, representing the machines on
your network which will synchronize to this server. Edit /etc/ntp.conf and add the line:
restrict netwk mask mask nomodify notrap
Edit /etc/sysconfig/iptables. Add the following line, ensuring that it appears before the final LOG and
DROP lines for the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 123 -j ACCEPT
If the clients are spread across more than one netblock, separate restrict and ACCEPT lines should be added for
each netblock.
The iptables configuration is needed because the default iptables configuration does not allow inbound access to
any services. See Section 2.5.5 for more information about iptables.
Note: The reference NTP implementation will refuse to serve time data to clients until enough time has elapsed
that the server host’s time can be assumed to have settled to an accurate value. While testing, wait ten minutes
after starting ntpd before attempting to synchronize clients.
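Sections 3.10.2.2.2 through 3.10.2.2.4 build up the server's /etc/ntp.conf one line at a time and rely on two invariants: the default restrict line denies everything, and every upstream server has its own restrict line. The script below is an added example, not the NSA guide's own text or code: it emits the complete server configuration (plus the loopback restrict line for local monitoring, which the guide does not include), prints the matching iptables rule, and audits an existing ntp.conf for those two invariants. The addresses and netblocks are placeholders.

```shell
#!/bin/sh
# Added example (not from the NSA guide): generate the server-side ntp.conf
# described in 3.10.2.2.2-3.10.2.2.4 and audit an existing one.
# Addresses passed in are placeholders chosen by the administrator.

# Emit a server ntp.conf.
# $1 upstream server IP, $2 client netblock, $3 netmask
ntp_server_conf() {
    upstream="$1"; net="$2"; mask="$3"
    cat <<EOF
# Deny everything not explicitly permitted below (3.10.2.2.2)
restrict default ignore
# Local monitoring with ntpq; not in the guide, added in this example
restrict 127.0.0.1
# Upstream source (3.10.2.2.3): may set our clock, may not query or modify us
restrict $upstream mask 255.255.255.255 nomodify notrap noquery
server $upstream
# Clients that may ask for time (3.10.2.2.4)
restrict $net mask $mask nomodify notrap
EOF
}

# Matching ACCEPT rule for /etc/sysconfig/iptables. $1 netblock, $2 mask
ntp_iptables_rule() {
    printf -- '-A RH-Firewall-1-INPUT -s %s/%s -m state --state NEW -p udp --dport 123 -j ACCEPT\n' "$1" "$2"
}

# Audit an ntp.conf. Returns 0 when it is default-deny and every 'server'
# address has a 'restrict' line; prints each problem and returns 1 otherwise.
audit_ntp_conf() {
    awk '
        $1 == "restrict" && $2 == "default" && $3 == "ignore" { deny = 1 }
        $1 == "restrict" && $2 != "default"                   { restricted[$2] = 1 }
        $1 == "server"                                         { servers[$2] = 1 }
        END {
            bad = 0
            if (!deny) { print "missing: restrict default ignore"; bad = 1 }
            for (s in servers)
                if (!(s in restricted)) { print "server " s " has no restrict line"; bad = 1 }
            exit bad
        }' "$1"
}
```

Use ntp_server_conf 192.0.2.10 10.1.0.0 255.255.0.0 > /etc/ntp.conf to write the file, and run audit_ntp_conf /etc/ntp.conf from a change-control hook so that a later edit which adds a server line without its restrict line, or weakens the default restrict, is caught before ntpd is restarted.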

3.10.3 Configure OpenNTPD if Appropriate
OpenNTPD is an implementation of the SNTP protocol which is provided as a simple alternative to the reference
NTP server. Advantages of OpenNTPD include simplicity of configuration and a smaller codebase, though it also
lacks many of the management and other protocol features used by the reference NTP server. This simplicity
comes at the cost of degraded time accuracy, but SNTP is probably accurate enough for most sites with typical
monitoring requirements.

3.10.3.1 Obtain NTP Software
If your site intends to use the OpenNTPD implementation, it is necessary to compile and install the software.
(If your site intends to use the reference NTP implementation, no installation is necessary.)
1. Obtain the software by downloading an appropriate source version, openntpd-version.tar.gz, from
http://www.openntpd.org/portable.html.
2. Unpack the source code:
$ tar xzf openntpd-version.tar.gz
3. Configure and compile the source. (By default, the code will be compiled for installation into /usr/local):
$ cd openntpd-version
$ ./configure --with-privsep-user=ntp
$ make
4. As root, install the resulting program into /usr/local:
# make install
The configuration option --with-privsep-user=ntp tells OpenNTPD to use the existing system account ntp
for the non-root portion of its operation.
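The four steps above download third-party source over the network and then install the result as root. The script below is an added example, not from the NSA guide or the OpenNTPD project: it wraps the same unpack, configure and make steps but refuses to touch the archive unless its SHA-256 matches a digest obtained out of band. The expected digest is a placeholder the administrator must supply; the configure flag is the guide's.

```shell
#!/bin/sh
# Added example (not from the NSA guide or OpenNTPD): verify the tarball's
# SHA-256 before unpacking and building it. The expected digest passed in
# is a placeholder to be replaced with one obtained out of band.

# Print the SHA-256 of a file; works with GNU sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only when the file's digest equals the expected one (hex, any case).
verify_tarball() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file") || return 1
    [ "$(printf '%s' "$actual" | tr 'A-Z' 'a-z')" = "$(printf '%s' "$expected" | tr 'A-Z' 'a-z')" ]
}

# Unpack, configure and build in a subshell so the caller's cwd is unchanged.
# Refuses to unpack on a digest mismatch. 'make install' as root is left as a
# separate, deliberate step after this returns 0.
# $1 = openntpd-<version>.tar.gz, $2 = expected SHA-256
build_openntpd() {
    tarball="$1"; expected="$2"
    if ! verify_tarball "$tarball" "$expected"; then
        echo "digest mismatch for $tarball; not unpacking" >&2
        return 1
    fi
    srcdir=$(basename "$tarball" .tar.gz)
    (
        tar xzf "$tarball" &&
        cd "$srcdir" &&
        ./configure --with-privsep-user=ntp &&
        make
    )
}
```

Only after build_openntpd returns 0 should make install be run as root; a digest mismatch leaves the archive unpacked and the build directory untouched.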

3.10.3.2 Configure an SNTP Client
OpenNTPD runs only in daemon mode — there is no command line suitable to be run from cron. However, this
is considered reasonably safe for client use because the daemon does not listen on any network ports by default,
and because OpenNTPD is a small codebase with no remote management interface or other complex features.
However, it is possible to run a time-stepping program, such as rdate(1), from cron instead of configuring the
daemon as outlined in this section.

3.10.3.2.1 Enable the NTP Daemon
Edit the file /etc/rc.local. Add or correct the following line:
/usr/local/sbin/ntpd -s

3.10.3.2.2 Configure the Client NTP Daemon to Use the Local Server
Edit the file /usr/local/etc/ntpd.conf. Add or correct the following line:
server local-server.example.com
where local-server.example.com is the hostname of the site’s local NTP or SNTP server.

3.10.3.3 Configure an SNTP Server
The SNTP server obtains time data from a remote server, and then listens on a network interface for time queries
from local machines.
3.10.3.3.1 Enable the NTP Daemon
Edit the file /etc/rc.local. Add or correct the following line:
/usr/local/sbin/ntpd -s
Since OpenNTPD is third-party software, it does not have a standard startup script, so the daemon is started
at boot using the local facility.
3.10.3.3.2 Listen for Client Connections
Edit the file /usr/local/etc/ntpd.conf. Add or correct the following line:
listen on ipaddr
where ipaddr is the primary IP address of this server.
By default, ntpd does not listen for any connections over a network. Listening must be actively enabled on NTP
servers so that clients may obtain time data.
3.10.3.3.3 Allow Legitimate NTP Clients to Access the Server
Determine an appropriate network block, netwk, and network mask, mask, representing the machines on
your network which will synchronize to this server.
Edit /etc/sysconfig/iptables. Add the following line, ensuring that it appears before the final LOG and
DROP lines for the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -s netwk/mask -m state --state NEW -p udp --dport 123 -j ACCEPT
The iptables configuration is needed because the default iptables configuration does not allow inbound access to
any services. See Section 2.5.5 for more information about iptables.
3.10.3.3.4 Specify a Remote NTP Server for Time Data
Find the hostname, server-host, of an appropriate remote NTP server. Edit the file /usr/local/etc/ntpd.conf,
and add or correct the following line:
server server-host
This setting configures ntpd to obtain time data from the remote host. To use multiple time servers, add one
line for each server.
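Sections 3.10.3.2 and 3.10.3.3 differ in exactly one line: a client ntpd.conf has only server lines, while a server adds listen on with its primary address. The script below is an added example, not from the NSA guide or OpenNTPD: it writes both variants and checks an existing /usr/local/etc/ntpd.conf so that a client never acquires a listener and a server listens only on the one address intended rather than on every interface via the wildcard. Hostnames and addresses are placeholders.

```shell
#!/bin/sh
# Added example (not from the NSA guide or OpenNTPD): generate and check
# the two ntpd.conf shapes from 3.10.3.2 and 3.10.3.3. The names and
# addresses passed in are placeholders.

# Client config: one 'server' line per time source, never 'listen on'.
openntpd_client_conf() {
    for s in "$@"; do printf 'server %s\n' "$s"; done
}

# Server config: listen on exactly $1, then sync from the remaining args.
openntpd_server_conf() {
    addr="$1"; shift
    printf 'listen on %s\n' "$addr"
    for s in "$@"; do printf 'server %s\n' "$s"; done
}

# Return 0 if the config opens no listener at all (what a client should be).
openntpd_conf_is_client() {
    ! grep -Eq '^[[:space:]]*listen[[:space:]]+on[[:space:]]' "$1"
}

# Return 0 if no 'listen on' line uses the '*' wildcard, i.e. every listener
# is bound to a specific address as 3.10.3.3.2 intends.
openntpd_listen_is_bound() {
    ! grep -Eq '^[[:space:]]*listen[[:space:]]+on[[:space:]]+\*' "$1"
}
```

On a client, openntpd_conf_is_client /usr/local/etc/ntpd.conf should succeed before the rc.local line starts the daemon; on the server, openntpd_listen_is_bound catches a config that was changed to listen on * and would otherwise answer on every interface, making the iptables rule the only thing limiting exposure.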
