To know more about Network Time Protocol, in this article we will learn How to install and configure NTP Server and Client on Debian. As you know, time synchronization is important for many reasons ranging from application time stamps to security to proper log entries and NTP presents a unique ability for companies to synchronize the clocks of all the systems within the company.
As it is very difficult from a troubleshooting standpoint to determine when and under what conditions a particular event might be occurring when an organization’s systems all maintain different clock times. NTP provides an easy way to ensure that all systems will maintain the correct time which in turn can greatly simplify the burden on administrators/tech support.
Table of Contents
But how does NTP work?
NTP works on the premise of synchronization with reference clocks, also known as ‘stratum 0‘ servers. And then, all other NTP servers then become a lower-level strata server based upon how far they are from a reference server.
The start of the NTP chain is a stratum 1 server which is always directly connected to a stratum 0 reference clock. From here, lower-level strata servers are connected via a network connection to a higher strata level server.
Have a look at the below diagram to get more in touch with this guide.
It would be expensive to set up a stratum 0 or stratum 1 server, we will focus on the lower strata server setup.
Also, the below articles could be useful:
How to install and configure NTP Server and Client on Debian
To conserve network bandwidth as well as provide some increased security through NTP restrictions and cryptography, it is better to use an internal NTP server. To see how this differs from the first diagram, please see the second diagram below.
Installation of NTP Server
pt-get install ntp dpkg --get-selections ntp [Can be used to confirm NTP is installed] dpkg -s ntp [Can also be used to confirm NTP is installed]
Configuration of NTP Server
In this step, after installing the NTP you will configure what higher stratum servers to query for time. The configuration file for NTP is stored at ‘/etc/ntp.conf‘ and can be modified with any text editor. this file will contain special parameters for hosts querying this NTP server and the fully qualified domain names of the higher-level servers, restrictions set for this NTP server.
Now you are ready to start the configuration process. Which needs the higher-level servers to be configured. By default, Debian will put the Debian NTP pool in the configuration file. These are fine for most purposes but an administrator can visit NIST to specify certain servers or to use all of NIST’s servers in a round-robin fashion.
we would configure specific servers. The configuration file is broken into some major sections and is configured by default for IPv4 and IPv6, but to start the configuration process, the configuration file must be opened with a text editor.
server <fully qualified domain name> <options> server time.nist.gov iburst â [sample entry]
Configuration of NTP Restrictions
This server is currently only used on an IPv4 network so IPv6 was disabled by two means. The first thing done to disable IPv6 on the NTP server was to change the defaults that the daemon starts. This was accomplished by changing the line in ‘/etc/default/ntp‘.
NTPD_OPTS='-4 -g' [Add the ' -4 ' to this line to tell NTPD to only listen to IPv4]
Back in the main configuration file (/etc/ntp.conf), the NTP daemon will be automatically configured to share time with all IPv4/6 hosts but not allow configuration. This can be seen by the following two lines:
# By default, exchange time with everybody, but don't allow configuaration. restrict -4 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery
NTPD works on an allowed unless denied basis. Since IPv6 was disabled, the ‘restrict -6‘ line can be removed or commented out with a ‘ #
# By default don't answer anything - HRT 04/09/2018 restrict default ignore
This changes the default behavior for NTP to ignore all messages because restricting clauses will be used to fine-tune access to this NTP server for the hosts that need access.
To let the server know who is allowed to query the server for time and what else they are allowed to do with the NTP server, we mention that a private network of 172.27.0.0/16 will be used to build the restrict stanza.
restrict 172.27.0.0 mask 255.255.0.0 limited kod nomodify notrap nopeer noquery
what does this line do? it informs the server to allow any host from the 172.27.0.0/16 network to access the server for time. The parameters after the mask help to control what any of the hosts on this network can do when querying the server.
To verify more these restrict options, review the below.
- Limited: Indicates that if a client should abuse the number of packets rate control, the packets will be discarded by the server. If the Kiss of Death packet is enabled, it will be sent back to the abusive host. The rates are configurable by an admin but the defaults are assumed here.
- KOD: Kiss of Death. If a host violates the limit of packets to the server, the server will respond with s KoD packet to the violating host.
- Notrap: Decline mode 6 control messages. These control messages are used for remote logging programs.
- Nomodify: Prevents ntpq and ntpdc queries that would modify the server’s configuration but informational queries are still permitted.
- Noquery: This option prevents hosts from querying the server for information. For example, without this option hosts can use ntpdc or ntpq to determine where a particular time server is getting it’s time from or other peer time servers that it may be communicating with.
Querying NTP Server Network
As it is a moderately restrictive configuration for a network, there will be some issues with the time servers that this server wishes to query.
Therefore, a restricted statement needs to be added for each of the time servers that are being queried to correct this issue. These restrict stanzas ensure that this server can access higher-level servers to get the appropriate time off-set. Below are the proper stanzas for allowing the servers previously configured in the ntp.conf file.
If you remember, back just before step three, a list of servers was determined to be the primary NTP servers for this server to query. As configured currently though, the ‘restrict default ignore‘ stanza will prevent this server from communicating with the servers configured.
This can be changed by creating a specific server/restrict stanza for each server. This is an easy process and must be done for each server.
- Server 22.214.171.124: This line must have the IP address rather than the hostname. This is for safety and will help avoid issues should DNS be compromised.
- restrict 126.96.36.199 mask 255.255.255.255 nomodify notrap nopeer noquery: This line does quite a bit. The first part allows server 188.8.131.52. The nomodify, nopeer, notrap and noquery restrict what the server (184.108.40.206) is allowed to do to this NTP server.
nslookup time-a.nist.gov [The system will reply back with the IP address]
Now, the system will be ready to start keeping track of time. The configuration changes now need to be saved and the NTP service needs to be restarted.
service ntp restart
Synchronize with the configured NTP servers, make be done after a while, but the process can easily be monitored with ‘ntpdc‘ or ‘ntpq‘ utilities.
ntpdc -pn [This utility will provide basic information about the higher level NTP servers] ntpq -pn [This utility will provide slightly more information than 'ntpdc']
please be aware that the arguments in the two commands do the same thing. The ‘-p‘ will print a list of peers as well as the current state and the ‘-n‘ will tell the utilities to show the remote server’s IP address rather than the hostname.
Importantly, the piece of this ‘ntpdc’ output is the far left of the IP addresses is noticeable. The asterisk ( * ) character indicates that the server has chosen that server’s clock to synchronize time.
Let’s speak more about this output, the asterisk ( * ) character is important again, as it indicates a synchronization. The other symbols have meanings as well, for instance, the plus ( + ) symbol denotes possible candidates for synchronization and then the minus ( – ) indicates an outlier that is discarded for the time being. The minus indicates that the particular server isn’t the best option and should not be meant that other servers won’t be used.
In conclusion, you assume that the server’s time zone has been set properly, the server will be reflecting the right time and have synced with an upper strata server! At this point, more internal servers can be added, and ‘peered’ or hosts within the network can be directed to the new internal NTP server rather than having to query out to the public NTP servers.
NTP Client Configuration
As the purpose behind this server setup was to create a Strata 2 server that an internal network could query for time, in this step the server is running
Assuming that a Linux machine is attempting to gather time from the newly created Strata 2 server. The first step on the Linux host is to install the NTP package:
apt-get install ntp
By running this, you can install the same NTP package that was just installed on the server but this time, NTP will be configured to look at the local server rather than public NTP servers. On the host, open the configuration file ‘/etc/ntp.conf‘.
Much of the configuration will be the same on this Linux host except the server stanzas will now point to the internal server as seen below.
Next, save the configuration and exit nano (or any text editor you used). At this point, the client is configured to listen to time from the newly created server! Next restart the NTP service and confirm that the host is synchronizing with the newly created Debian NTP server.
Note: Be sure to substitute the appropriate server name and IP addresses in the green boxes.
service ntp restart ntpdc -pn ntpq -pn
When you see the shot below, you could ensure that this host is synchronizing clocks with the newly created NTP server. This is confirmed both with ‘ntpdc‘ and ‘ntpq‘ by verifying the asterisk ( * ) by the IP address of the local NTP server.
By reaching this point, the Debian server is pulling the correct time from the Strata 1 servers and then handing out the proper time to the internal network hosts. other devices can be configured to query this NTP server as well for the time now.
Good job! You’re all and this particular configuration has been tested and works with multiple Cisco devices, other Debian Linux servers, and several Debian/Ubuntu-based distributions.
Dear user, we hope you would enjoy this tutorial How to Install and Configure NTP Server and Client on Debian, you can ask questions about this training in the comments section, or to solve other problems in the field of Eldernode training, refer to the Ask page section and raise your problems in it.