This article covers the first of the scenarios below (#1):
1. NTP Server available from the internet
Synchronize an internal NTP server from publicly available servers on the Internet, making it a stratum 2 or 3 server. However, as with any externally provided service, it is also an entry point for attackers. In addition, time obtained from the Internet is less accurate. For secure environments where synchronized time is critical, the use of a public time server would not be appropriate.
2. NTP Server unavailable from internet
Designate a machine as the time authority, using its internal clock as the arbitrary time source. However, as this time source wanders, all of the NTP clients connected to it will wander with it. While the primary clock could occasionally be adjusted manually to the true time, this would cause all of the clients to jump when the server adjusts. If a clock is ever adjusted to shift by more than 17 minutes, all of the NTP client software will abort due to the sudden time shift. This option can still provide a synchronized network and may be acceptable in a few rare cases, but in any sort of large installation it is critical to keep the clocks synchronized with some maintained time standard.
There are additional options too:
3. Obtain an NTP server appliance to use as a stratum 1 server.
This is the easiest choice for providing an accurate, reliable, secure and autonomous UTC-synchronized network.
4. Obtain an external time source such as a GPS or CDMA reference to create a stratum 1 server.
This external time reference is connected to an existing server to create a stratum 1 time server. Although this method is more difficult to set up and configure, it will provide an accurate, reliable, secure and autonomous UTC-synchronized network.
Scenarios 3 and 4 are illustrated in the picture below.
1. NTP Server available from the internet
In this scenario the NTP server is reachable from the Internet: each client synchronizes its time to the local NTP server centos11.yakobe.pl on the LAN, which in turn has a connection to publicly available NTP servers.
             ________________
            /                \
           |     INTERNET     |
            \________________/
               |          |
               |          |
 centos11.yakobe.pl     centos22.yakobe.pl
 (local NTP Server)     (local NTP Server)
               |          |
               +----+-----+
                    |
                    |-- redhat6.yakobe.pl (NTP Client)
                    |
                    |-- redhat5.yakobe.pl (NTP Client)
IP Addressing Scheme

| HOSTNAME        | centos11.yakobe.pl | centos22.yakobe.pl | redhat5.yakobe.pl | redhat6.yakobe.pl |
|-----------------|--------------------|--------------------|-------------------|-------------------|
| IP Address ETH0 | 10.0.2.15          | 10.0.2.14          | 192.168.56.124    | 192.168.56.125    |
| IP Address ETH1 | 192.168.56.127     | 192.168.56.126     | -                 | -                 |
| Mask            | 255.255.255.0      | 255.255.255.0      | 255.255.255.0     | 255.255.255.0     |
| Default Gateway | 10.0.2.2           | 10.0.2.2           | 192.168.56.127    | 192.168.56.127    |
The NTP protocol synchronizes time based on the algorithm outlined in more detail here.
In order to set up your own NTP server you need a time source. You can set it up with pool servers, with dedicated NTP servers, or with a mix of both.
I suggest using the mixed mode, e.g. one server pool and two dedicated public servers.
The list can be gathered from http://ntp.org.
Pool of NTP Servers
The pools can be found at http://www.pool.ntp.org/zone/europe
We choose a country, and in square brackets we see the number of servers in each pool.
Poland — pl.pool.ntp.org (38)
When we send a DNS query for the FQDN pl.pool.ntp.org, we see that DNS load balancing (round-robin) is configured on the DNS server that is authoritative for that zone. With each query we get the IP addresses of the same FQDN pl.pool.ntp.org in a different order. So when one server is not working, the NTP server issues another DNS query and receives a different IP address for the same FQDN pl.pool.ntp.org.
jakubn@ibmr61e:~$ dig pl.pool.ntp.org

; <<>> DiG 9.7.0-P1 <<>> pl.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11336
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pl.pool.ntp.org.               IN      A

;; ANSWER SECTION:
pl.pool.ntp.org.        390     IN      A       149.156.70.5
pl.pool.ntp.org.        390     IN      A       194.110.116.145
pl.pool.ntp.org.        390     IN      A       62.129.245.35

;; Query time: 1681 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Oct 4 13:10:28 2011
;; MSG SIZE  rcvd: 81

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

jakubn@ibmr61e:~$ dig pl.pool.ntp.org

; <<>> DiG 9.7.0-P1 <<>> pl.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48205
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pl.pool.ntp.org.               IN      A

;; ANSWER SECTION:
pl.pool.ntp.org.        371     IN      A       62.129.245.35
pl.pool.ntp.org.        371     IN      A       194.110.116.145
pl.pool.ntp.org.        371     IN      A       149.156.70.5

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Oct 4 13:10:46 2011
;; MSG SIZE  rcvd: 81

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

jakubn@ibmr61e:~$ dig pl.pool.ntp.org

; <<>> DiG 9.7.0-P1 <<>> pl.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47958
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pl.pool.ntp.org.               IN      A

;; ANSWER SECTION:
pl.pool.ntp.org.        300     IN      A       149.156.70.5
pl.pool.ntp.org.        300     IN      A       62.129.245.35
pl.pool.ntp.org.        300     IN      A       194.110.116.145

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Oct 4 13:11:58 2011
;; MSG SIZE  rcvd: 81

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

jakubn@ibmr61e:~$ dig pl.pool.ntp.org

; <<>> DiG 9.7.0-P1 <<>> pl.pool.ntp.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30528
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;pl.pool.ntp.org.               IN      A

;; ANSWER SECTION:
pl.pool.ntp.org.        249     IN      A       194.110.116.145
pl.pool.ntp.org.        249     IN      A       149.156.70.5
pl.pool.ntp.org.        249     IN      A       62.129.245.35

;; Query time: 2 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Oct 4 13:12:49 2011
;; MSG SIZE  rcvd: 81

Dedicated public NTP Servers
The list can be obtained from http://support.ntp.org/bin/view/Servers/StratumOneTimeServers
A stratum 1 server is directly connected to stratum 0, the actual time source (the reference clock). A stratum 2 server is synchronized to a stratum 1 server, so it is always best to choose either stratum 1 or stratum 2 servers as your time source. For the purpose of this exercise I chose the following servers:
- PL ntp1.tp.pl OpenAccess Jacek Igalson (jacek.igalson@telekomunikacja.pl)
- PL time.coi.pw.edu.pl OpenAccess Marek Majchrowski, Emil Grochocki, ntp@coi.pw.edu.pl

1.1 Install NTP Server
yum install ntp-4.2.2p1-15.el5.centos
This is version 4 of the NTP protocol. Please remember that protocol version 1 is deprecated and that the configuration of NTP version 4 differs from NTP version 3.

1.2 Configure NTP Server
Before starting the ntpd daemon, it is best to synchronize your local time to the NTP servers you chose with this command:
ntpdate -b 0.pl.pool.ntp.org 1.pl.pool.ntp.org ntp1.tp.pl time.coi.pw.edu.pl b.ntp.setilabs.net ntp2.net.icm.edu.pl
Then start the ntpd daemon:
service ntpd start
Now configure your local instance of the NTP server:
# vi /etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# remote servers
server 0.pl.pool.ntp.org iburst
server 1.pl.pool.ntp.org iburst
server ntp1.tp.pl iburst          #stratum 1
server time.coi.pw.edu.pl iburst  #stratum 1
server b.ntp.setilabs.net iburst  #stratum 2
server ntp2.net.icm.edu.pl iburst #stratum 2

# local peer
peer 10.0.2.15
peer 10.0.2.14

# full access for myself
restrict 127.0.0.1

# local net can query
restrict 192.168.56.0 mask 255.255.255.0 nomodify notrap nopeer

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# To increase the ability to detect and eliminate falsetickers (especially during start-up)
tos minclock 4 minsane 4
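The configuration above has a handful of settings that are easy to get wrong on a copied file: the count of real upstream sources (the article asks for at least four so the selection algorithm can outvote a falseticker), the `restrict default` flags that keep outside hosts from querying or modifying the daemon, and the `tos minsane` floor. The following shell script is an added example, not code from the article: it audits an ntp.conf for exactly those points. The sample configuration it writes is constructed for the demo and deliberately weaker than the one above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example (not part of the original article): audit an ntp.conf for
# the points made in this section. Assumes the ntpd 4.x syntax shown above.

# write_sample_conf PATH: constructed config, deliberately weaker than the
# server configuration above (two upstream sources, no noquery, no tos line)
# so the audit has findings to report.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample, not a real host's configuration
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
server 0.pl.pool.ntp.org iburst
server ntp1.tp.pl iburst          #stratum 1
server 127.127.1.0                # local clock
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift
EOF
}

# count_upstream FILE: number of real upstream sources (server/pool lines),
# ignoring the 127.127.t.u pseudo addresses used by reference-clock drivers.
count_upstream() {
    sed 's/#.*//' "$1" | awk '
        ($1 == "server" || $1 == "pool") && $2 !~ /^127\.127\./ { n++ }
        END { print n + 0 }'
}

# default_restrict_has FILE FLAG: succeed only if every "restrict default"
# line (IPv4 and "-6") carries FLAG, e.g. noquery or nomodify.
default_restrict_has() {
    sed 's/#.*//' "$1" | awk -v flag="$2" '
        $1 == "restrict" && ($2 == "default" || ($2 == "-6" && $3 == "default")) {
            lines++
            for (i = 3; i <= NF; i++) if ($i == flag) hits++
        }
        END { exit (lines > 0 && hits == lines) ? 0 : 1 }'
}

# audit_ntp_conf FILE: print one finding per line (prints nothing if clean).
audit_ntp_conf() {
    conf=$1
    n=$(count_upstream "$conf")
    if [ "$n" -lt 4 ]; then
        echo "only $n upstream sources; this section calls for at least 4 so falsetickers can be outvoted"
    fi
    for flag in noquery nomodify notrap nopeer; do
        if ! default_restrict_has "$conf" "$flag"; then
            echo "restrict default lacks '$flag'; remote hosts may query or modify the daemon"
        fi
    done
    if ! sed 's/#.*//' "$conf" | grep -Eq '^[[:space:]]*tos[[:space:]].*minsane'; then
        echo "no 'tos minsane' setting; ntpd's default minsane is 1, so it will follow a single surviving source"
    fi
}

# count_findings FILE: number of findings, usable as a pass/fail gate.
count_findings() { audit_ntp_conf "$1" | awk 'END { print NR }'; }

# Stand-alone demo against the constructed sample; on a real host run
# audit_ntp_conf /etc/ntp.conf instead.
tmp=$(mktemp) && write_sample_conf "$tmp"
audit_ntp_conf "$tmp"
rm -f "$tmp"
```

Run against the sample it reports three findings (two sources, missing noquery, no tos line); against the server configuration above it reports none, because the six server lines, the full restrict flags and `tos minclock 4 minsane 4` are all present.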
There must be a minimum of 4 upstream time servers to synchronize with, so that the NTP selection algorithm can remove false time sources (falsetickers). If you put more than 4 upstream NTP servers in /etc/ntp.conf, your machine will take longer to boot, but you get more precise time. For systems that are very sensitive to accurate timestamps, you should have at least six or seven servers listed in your /etc/ntp.conf, and perhaps as many as nine. It will take your system a little longer to settle down to good time sync on boot, but the additional robustness and accuracy will be worth it. The configuration options are described in more detail HERE.
Now configure your NTP client:
vi /etc/ntp.conf
This is actually the same file as on the NTP server, and the same ports are used for communication, tcp123/udp123, for both incoming and outgoing traffic. You can distribute the NTP server addresses by DHCP or enter them manually into the /etc/ntp.conf file.
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

server 192.168.56.127
server 192.168.56.126
server 127.127.1.0
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift

Now we can inspect what our NTP client is doing:
ntpdc -c peers
     remote           local      st poll reach  delay   offset    disp
=======================================================================
=LOCAL(0)        127.0.0.1       10   64  377 0.00000  0.000000 0.03154
=192.168.56.126  192.168.56.126  16   64    0 0.00000  0.000000 3.99217
*192.168.56.127  192.168.56.195   2   64  377 0.00087  2.632507 0.06465
A + denotes symmetric active, a - indicates symmetric passive, a = means the remote server is being polled in client mode, a ^ indicates that the server is broadcasting to this address, a ~ denotes that the remote peer is sending broadcasts, and a * marks the peer the server is currently synchronizing to. LOCAL means that if there is no NTP server to synchronize with, the local time source will be used, i.e. this client falls back to its own local clock driver at address 127.127.1.0.
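The listing above is what an operator reads by eye; a monitor has to make the same judgements automatically: is there a `*` system peer at all, is it a real upstream rather than LOCAL(0), is its stratum below 16 (16 means unsynchronized, as for 192.168.56.126 above), and is the offset within an acceptable bound. The script below is an added example, not part of the article: it parses a saved `ntpdc -c peers` listing fed on stdin. The sample listing is constructed in the shape of the one above, the offset threshold is my own choice, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original article): check an "ntpdc -c peers"
# listing read from stdin. Assumes the column layout shown above:
# remote local st poll reach delay offset disp.

# Constructed sample, shaped like the listing above.
SAMPLE_PEERS='     remote           local      st poll reach  delay   offset    disp
=======================================================================
=LOCAL(0)        127.0.0.1       10   64  377 0.00000  0.000000 0.03154
=192.168.56.126  192.168.56.126  16   64    0 0.00000  0.000000 3.99217
*192.168.56.127  192.168.56.195   2   64  377 0.00087  2.632507 0.06465'

# peer_rows: drop the two header lines, leaving one peer per line.
peer_rows() { awk 'NR > 2'; }

# sync_peer: remote address of the "*" peer (the one ntpd follows), tally code removed.
sync_peer() { peer_rows | awk 'substr($1, 1, 1) == "*" { print substr($1, 2) }'; }

# unreachable_peers: remotes whose reach register is 0 (no reply to the last 8 polls).
unreachable_peers() { peer_rows | awk '$5 == 0 { print substr($1, 2) }'; }

# check_sync [THRESHOLD_SECONDS]: exit 0 when synchronized to a non-local peer
# with stratum < 16 and |offset| <= threshold (default 1.0 s, our own choice);
# otherwise print the reasons and exit 1.
check_sync() {
    peer_rows | awk -v thr="${1:-1.0}" '
        substr($1, 1, 1) == "*" {
            found = 1
            remote = substr($1, 2); st = $3 + 0; off = $7 + 0
            if (off < 0) off = -off
            if (remote ~ /^LOCAL/) { print "system peer is the local clock driver, not an upstream server"; bad = 1 }
            if (st >= 16) { print "system peer reports stratum " st " (unsynchronized)"; bad = 1 }
            if (off > thr) { print "offset " $7 " s exceeds threshold " thr " s"; bad = 1 }
        }
        END {
            if (!found) { print "no system peer selected yet"; bad = 1 }
            exit bad ? 1 : 0
        }'
}

# Stand-alone demo on the constructed sample; on a real host pipe the live
# output instead:  ntpdc -c peers | check_sync 0.5
printf '%s\n' "$SAMPLE_PEERS" | check_sync 1.0 || echo "check failed (expected for the sample: offset 2.63 s)"
```

On the sample the system peer is 192.168.56.127 at stratum 2, 192.168.56.126 is reported as unreachable, and the check fails only because the 2.63 s offset is above the 1 s threshold; once ntpd has disciplined the clock the offset should drop to milliseconds and the check passes.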
