NTP on Linux

A couple of months ago I have some task to create an environment of all network devices in order to be synchronize with differentiation of maximum 2 seconds. Which is impossible to set manually beside of using a Network Time Protocol (NTP) synchronization. This protocol works on Stratum number hierarchy where the lowest number should be the most reliable. NTP need TCP port 123 in order to communicate, do a further check on an exclusion inside the iptables script.

For those who wants a straight-forward setup, NTP can also run on Windows environment which is out-of-scope discussion within this blog. It was easy task anyway by using a left click of a mouse within a Windows interface.

Packages that we need to get from the repository are ntp and ntpdate.
Within Debian derivative run the command #apt-get install ntp ntpdatentp_install

In Slackware there is no automation for each installation, so that we exactly need to know those packages dependencies.

Next step is the most interesting computing experience for anyone who loves Linux environment, which is script editing in order to configure the synchronizing server. The script was located on /etc/ntp.conf then find a line that starts with:

# pool.ntp.org maps to about 1000 low-stratum NTP servers.
# Your server will pick a different set every time
# it starts up.  Please consider joining the
# pool http://www.pool.ntp.org/join.html
server 0.id.pool.ntp.org iburst
server 1.id.pool.ntp.org iburst
server 2.id.pool.ntp.org iburst
server 3.id.pool.ntp.org iburst

The security part was to restrict synchronization locally for a loopback adapter and for the primary host do a broadcasting.

# Local users may interrogate the ntp
# server more closely.
restrict ::1

# If you want to provide time to your
# local subnet, change the next line.
# (Again, the address is an example only.)

Restart the service where currently this is pre-configured as an Init script, including for the setup of IP config (static IP, gateway, DNS) by run command #service ntp restartntp_services

The last one is to monitor the synchronization between the public Stratum which is only possible to be done after all the configuration script and command was good. Run the command #ntpq -pntp_query

The local Clients synchronization can be determine by run command #ntpdc -c monlist

Update!!! This command was vulnerable of DoS attack as it was mention by this CVE-2013-5211

Below is the propose script modification to be applied and very recommended to create the egress filtering on each data packet flow on your firewall in order to prevent any further DoS attack inside of the network.

# By default, exchange time with everybody, but don't allow configuration.
restrict default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
restrict mask notrust

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: