Keeping Your Linux Server On Time With NTP
Time is important. A large part of our lives revolves around our use of it. A key to time management is ensuring that when we talk about times with other people, we are all using the same one.
The concept of time zones and synchronized time revolutionized how people dealt with each other when communicating and travelling over long distances. The key to this idea is that time should be exactly the same for everyone within the same time zone, and that different time zones are consistently separated by pre-defined time differences. It’s hard to imagine now, but at one point every town ran on its own local version of time. Imagine the impact these days! Nightmare!
One problem we face is that most clocks have a certain degree of inaccuracy. While you may set a clock correctly, as time passes it will slowly creep out of ‘true’ time. This is as much the case for a computer’s clock as it is for a clockwork watch. Unfortunately for computers, a number of the tools you use may be time sensitive, as they make use of the computer’s clock for various functions. Some communications protocols also rely on having accurate, matching times on either end for the communication to succeed. It also helps when debugging issues if the system clock matches the time users see when reporting problems. It’s not difficult to see that being off by only a few minutes can make it much harder to find details in log files.
The solution to these time inconsistencies is NTP, or Network Time Protocol. The basis for this tool is a number of servers whose time is set from an authoritative clock. Other servers synchronize their time with these original ones and then offer time to further servers, forming a chain of synchronization. Tools exist to allow a computer to query these time servers for the correct time and communicate this to other servers.
We’ll be looking at the ntp daemon, which runs constantly on your server, periodically checks the server’s time and keeps it accurate. When making alterations, the tool won’t change the time instantly. Instead, it will increase or decrease the speed at which the clock runs for a period of time until it synchronizes.
To install it on Debian and Ubuntu use:
sudo apt-get update
sudo apt-get install ntp
For CentOS and RedHat use:
sudo yum install ntp
You can manage the configuration for NTP in the /etc/ntp/ntpd.conf file. This is where the NTP pool servers are set so that your server can set its time.
For the majority of applications your distribution’s default servers will normally be sufficient. You can leave the lines relating to drift files and statistics at your distribution’s defaults. There are also a number of restriction lines that deal with how your server can communicate with others.
Modern distribution settings tend to follow best practice, but can limit you from sharing your server’s time with others. If you are only setting the time on your server, then you are ready to go without any hassle.
NTP Security Concerns
You can share your server’s time with others. But please note that over recent years NTP has been used and abused in order to perform DDoS attacks. To achieve this, public NTP servers are forced to provide time updates to specific servers in order to flood their network interfaces. In order to prevent your server being involved in this sort of attack, it’s recommended that you configure your server to only respond to NTP requests from specific servers that you trust.
This means that when setting your restrict statement to limit who can query your server for times, it is recommended that you either specify a few servers directly or use the smallest subnets required for your configuration. For example:
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
This line makes use of an IP address and subnet mask to specify that IPs 192.168.0.0 through 192.168.0.255 can query the NTP server. You can adjust the IP address and subnet mask to match the subnet that you want to be able to query the server. Alternatively, leaving out the word mask and the subnet mask specifies an individual IP address.
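The following is an added example, not part of the original article: a small Python checker that reads restrict lines the way ntpd matches them (most specific entry wins) and reports whether a given client would get a time reply. The sample configuration, its "restrict default ignore" line and the upstream address 203.0.113.10 are constructed assumptions; hostnames and the "source" keyword are skipped.

```python
import ipaddress

DENY_TIME = {"ignore", "noserve"}  # flags under which ntpd drops time requests

def parse_restrict(conf_text):
    """Return [(network, flags)] for the restrict lines in ntp.conf text."""
    entries = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        family = [t for t in tok[1:] if t in ("-4", "-6")]
        args = [t for t in tok[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        addr, rest = args[0], args[1:]
        if addr == "default":  # applies to both families unless -4/-6 is given
            nets = [n for f, n in (("-4", "0.0.0.0/0"), ("-6", "::/0"))
                    if not family or f in family]
        else:
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:
                continue  # hostnames and the 'source' keyword are skipped
            prefix = ip.max_prefixlen  # no mask: a single host
            if rest[:1] == ["mask"] and len(rest) > 1:
                prefix = bin(int(ipaddress.ip_address(rest[1]))).count("1")
                rest = rest[2:]
            nets = [f"{ip}/{prefix}"]
        entries += [(ipaddress.ip_network(n, strict=False), frozenset(rest))
                    for n in nets]
    return entries

def served(entries, client):
    """True if a time request from client is answered (most specific entry wins)."""
    ip = ipaddress.ip_address(client)
    hits = [(net.prefixlen, flags) for net, flags in entries
            if net.version == ip.version and ip in net]
    if not hits:
        return True  # ntpd applies no restrictions when nothing matches
    return not (max(hits, key=lambda h: h[0])[1] & DENY_TIME)

# Constructed sample: deny by default, then open only the article's subnet.
SAMPLE = """\
restrict default ignore
restrict 127.0.0.1
restrict 203.0.113.10 nomodify notrap noquery   # placeholder upstream server
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
"""
```

Run against the subnet line on its own, served() returns True for any address, because that line only limits anything when a stricter default entry sits underneath it.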
Once you have NTP configured to your needs, you can enable and start it with the following commands. For Debian and Ubuntu:
systemctl enable ntp
systemctl start ntp
For CentOS/Red Hat:
systemctl enable ntpd
systemctl start ntpd
Originally published at blog.100tb.com.