Advance

How to install and configure NTP Server and Client on Debian

How to install and configure NTP Server and Client on Debian
1
(1)

To know more about Network Time Protocol, in this article we will learn How to install and configure NTP Server and Client on Debian. As you know, time synchronization is important for many reasons ranging from application time stamps to security to proper log entries and NTP presents a unique ability for companies to synchronize the clocks of all the systems within the company.

As it is very difficult from a troubleshooting standpoint to determine when and under what conditions a particular event might be occurring when an organization’s systems all maintain different clock times. NTP  provides an easy way to ensure that all systems will maintain the correct time which in turn can greatly simplify the burden on administrators/tech support.

But how does NTP work?

NTP works on the premise of synchronization with reference clocks, also known as ‘stratum 0‘ servers. And then, all other NTP servers then become a lower-level strata server based upon how far they are from a reference server.

The start of the NTP chain is a stratum 1 server which is always directly connected to a stratum 0 reference clock. From here, lower-level strata servers are connected via a network connection to a higher strata level server.

Have a look at the below diagram to get more in touch with this guide.

Diagram of NTP

 

It would be expensive to set up a stratum 0 or stratum 1 server, we will focus on the lower strata server setup.

Recommended Article: How to Find Out Which Process Listening On A Particular Port

How to install and configure NTP Server and Client on Debian

Rather than having all of the hosts on the network querying out to public NTP servers, one server(s) will contact the public NTP system and then provide time for all hosts within the local network. Join us to finish the steps of this guide and learn How to Install and Configure NTP Server and Client on Debian.

To conserve network bandwidth as well as provide some increased security through NTP restrictions and cryptography, it is better to use an internal NTP server. To see how this differs from the first diagram, please see the second diagram below.

Internal Diagram of NTP

Installation of NTP Server

 Firstly, you need to install the NTP server software to set up an internal NTP structure. The software package in Debian called ‘NTP‘ currently contains all of the server utilities necessary to set up an NTP hierarchy
pt-get install ntp  dpkg --get-selections ntp          [Can be used to confirm NTP is installed]  dpkg -s ntp                        [Can also be used to confirm NTP is installed]
Note: Root or sudo access is assumed.

Configuration of NTP Server

In this step, after installing the NTP you will configure what higher stratum servers to query for time. The configuration file for NTP is stored at ‘/etc/ntp.conf‘ and can be modified with any text editor. this file will contain special parameters for hosts querying this NTP server and the fully qualified domain names of the higher-level servers, restrictions set for this NTP server.

Now you are ready to start the configuration process. Which needs the higher-level servers to be configured. By default, Debian will put the Debian NTP pool in the configuration file. These are fine for most purposes but an administrator can visit NIST to specify certain servers or to use all of NIST’s servers in a round-robin fashion.

we would configure specific servers. The configuration file is broken into some major sections and is configured by default for IPv4 and IPv6, but to start the configuration process, the configuration file must be opened with a text editor.

nano /etc/ntp.conf
Please consider that the first few sections (driftfilestatsdir, and statistics) are fine set to the defaults. But the next section contains the higher-level servers through which this server should request time.
The syntax for each server entry is very simple:
server <fully qualified domain name> <options>  server time.nist.gov iburst â     [sample entry]
It is a good idea to have several higher strata servers to choose from on this list. This server will query all of the servers in the list to determine which one is the most reliable. For this tutorial, we use the https://tf.nist.gov/tf-cgi/servers.cgi to obtain the servers.
servers of NTP

Configuration of NTP Restrictions

The NTP restrictions are used to allow or dis-allow hosts to interact with the NTP server. The default for NTP is served time to anyone but does not allow configuration on both IPv4 and IPv6 connections.

This server is currently only used on an IPv4 network so IPv6 was disabled by two means. The first thing done to disable IPv6 on the NTP server was to change the defaults that the daemon starts. This was accomplished by changing the line in ‘/etc/default/ntp‘.

nano /etc/default/ntp  
NTPD_OPTS='-4 -g' [Add the ' -4 ' to this line to tell NTPD to only listen to IPv4]  

Back in the main configuration file (/etc/ntp.conf), the NTP daemon will be automatically configured to share time with all IPv4/6 hosts but not allow configuration. This can be seen by the following two lines:

# By default, exchange time with everybody, but don't allow configuaration.  restrict -4 default kod notrap nomodify nopeer noquery  restrict -6 default kod notrap nomodify nopeer noquery

NTPD works on an allowed unless denied basis. Since IPv6 was disabled, the ‘restrict -6‘ line can be removed or commented out with a ‘ #

# By default don't answer anything - HRT 04/09/2018  restrict default ignore

This changes the default behavior for NTP to ignore all messages because restricting clauses will be used to fine-tune access to this NTP server for the hosts that need access.

To let the server know who is allowed to query the server for time and what else they are allowed to do with the NTP server, we mention that a private network of 172.27.0.0/16 will be used to build the restrict stanza.

restrict 172.27.0.0 mask 255.255.0.0 limited kod nomodify notrap nopeer noquery

what does this line do? it informs the server to allow any host from the 172.27.0.0/16 network to access the server for time. The parameters after the mask help to control what any of the hosts on this network can do when querying the server.

To verify more these restrict options, review the below.

  • Limited: Indicates that if a client should abuse the number of packets rate control, the packets will be discarded by the server. If the Kiss of Death packet is enabled, it will be sent back to the abusive host. The rates are configurable by an admin but the defaults are assumed here.
  • KOD: Kiss of Death. If a host violates the limit of packets to the server, the server will respond with s KoD packet to the violating host.
  • Notrap: Decline mode 6 control messages. These control messages are used for remote logging programs.
  • Nomodify: Prevents ntpq and ntpdc queries that would modify the server’s configuration but informational queries are still permitted.
  • Noquery: This option prevents hosts from querying the server for information. For example, without this option hosts can use ntpdc or ntpq to determine where a particular time server is getting it’s time from or other peer time servers that it may be communicating with.

 

 

Querying NTP Server Network

As it is a moderately restrictive configuration for a network, there will be some issues with the time servers that this server wishes to query.

Therefore, a restricted statement needs to be added for each of the time servers that are being queried to correct this issue. These restrict stanzas ensure that this server can access higher-level servers to get the appropriate time off-set. Below are the proper stanzas for allowing the servers previously configured in the ntp.conf file.

Server Restricts of NTP

 

If you remember, back just before step three, a list of servers was determined to be the primary NTP servers for this server to query. As configured currently though, the ‘restrict default ignore‘ stanza will prevent this server from communicating with the servers configured.

This can be changed by creating a specific server/restrict stanza for each server. This is an easy process and must be done for each server.

  • Server 129.6.15.28: This line must have the IP address rather than the hostname. This is for safety and will help avoid issues should DNS be compromised.
  • restrict 129.6.15.28 mask 255.255.255.255 nomodify notrap nopeer noquery: This line does quite a bit. The first part allows server 129.6.15.28. The nomodify, nopeer, notrap and noquery restrict what the server (129.6.15.28) is allowed to do to this NTP server.
nslookup time-a.nist.gov    [The system will reply back with the IP address]  

Now, the system will be ready to start keeping track of time. The configuration changes now need to be saved and the NTP service needs to be restarted.

service ntp restart

Synchronize with the configured NTP servers, make be done after a while, but the process can easily be monitored with ‘ntpdc‘ or ‘ntpq‘ utilities.

ntpdc -pn   [This utility will provide basic information about the higher level NTP servers]  ntpq -pn    [This utility will provide slightly more information than 'ntpdc']

please be aware that the arguments in the two commands do the same thing. The ‘-p‘ will print a list of peers as well as the current state and the ‘-n‘ will tell the utilities to show the remote server’s IP address rather than the hostname.

Checking Server Information of NTP

Importantly, the piece of this ‘ntpdc’ output is the far left of the IP addresses is noticeable. The asterisk ( * ) character indicates that the server has chosen that server’s clock to synchronize time.

Provides Server Information of NTP

Let’s speak more about this output, the asterisk ( * ) character is important again, as it indicates a synchronization. The other symbols have meanings as well, for instance, the plus ( + ) symbol denotes possible candidates for synchronization and then the minus ( – ) indicates an outlier that is discarded for the time being. The minus indicates that the particular server isn’t the best option and should not be meant that other servers won’t be used.

In conclusion, you assume that the server’s time zone has been set properly, the server will be reflecting the right time and have synced with an upper strata server! At this point, more internal servers can be added, and ‘peered’ or hosts within the network can be directed to the new internal NTP server rather than having to query out to the public NTP servers.

 

NTP Client Configuration

As the purpose behind this server setup was to create a Strata 2 server that an internal network could query for time, in this step the server is running

Assuming that a Linux machine is attempting to gather time from the newly created Strata 2 server. The first step on the Linux host is to install the NTP package:

apt-get install ntp

By running this, you can install the same NTP package that was just installed on the server but this time, NTP will be configured to look at the local server rather than public NTP servers. On the host, open the configuration file ‘/etc/ntp.conf‘.

nano /etc/ntp.conf

Much of the configuration will be the same on this Linux host except the server stanzas will now point to the internal server as seen below.

 

Client-Configuration

 

Next, save the configuration and exit nano (or any text editor you used). At this point, the client is configured to listen to time from the newly created server! Next restart the NTP service and confirm that the host is synchronizing with the newly created Debian NTP server.

Note: Be sure to substitute the appropriate server name and IP addresses in the green boxes.

service ntp restart  ntpdc -pn  ntpq -pn

When you see the shot below, you could ensure that this host is synchronizing clocks with the newly created NTP server. This is confirmed both with ‘ntpdc‘ and ‘ntpq‘ by verifying the asterisk ( * ) by the IP address of the local NTP server.

Time-Synchronization

 

Time-Synchronization

 

By reaching this point, the Debian server is pulling the correct time from the Strata 1 servers and then handing out the proper time to the internal network hosts. other devices can be configured to query this NTP server as well for the time now.

Recommended Article: How To Install Composer on Debian 10 with 5 Step [complete]

Good job! You’re all and this particular configuration has been tested and works with multiple Cisco devices, other Debian Linux servers, and several Debian/Ubuntu-based distributions.

 

Dear user, we hope you would enjoy this tutorial How to Install and Configure NTP Server and Client on Debian, you can ask questions about this training in the comments section, or to solve other problems in the field of Eldernode training, refer to the Ask page section and raise your problems in it.

How useful was this post?

Click on a star to rate it!

Average rating 1 / 5. Vote count: 1

No votes so far! Be the first to rate this post.

View More Posts
Tom Veitch
Eldernode Writer
We Are Waiting for your valuable comments and you can be sure that it will be answered in the shortest possible time.

Leave a Reply

Your email address will not be published. Required fields are marked *

We are by your side every step of the way

Think about developing your online business; We will protect it compassionately

We are by your side every step of the way

+8595670151

7 days a week, 24 hours a day