Solved

Setting up an NTP server on Debian Woody

Posted on 2004-08-03
Last Modified: 2009-07-29
Hi

I currently have a handful of hosts on my network synchronising time using my ISP's ntp server and the ntpdate command via cron.

I would like to run my own ntp server on a Debian Woody server.

What configuration would I need to make in ntp.conf to achieve this? This server needs to continue to get time from my ISP, but also act as an ntp server for clients on my LAN.


Gareth
Question by localgareth

28 Comments

Expert Comment by Gns (LVL 20)

Basically you just need to set
server <name_of_ISP_ntp_server_or_its_IP-Address>
and perhaps (if you have any local firewall) allow connections to the ntp port (123).
Then you do the same setup on all the other hosts, but (of course) using your main ntp server's name_or_IP... Using ntpdate from cron _might_ be OK, but ntp is really designed to run like this... So why not do so;-)

-- Glenn

Author Comment by localgareth

Hi Glenn

So any host taking its time from an ntp server also acts as an ntp server itself?


Gareth

Expert Comment by Gns (LVL 20)

Oh, and there might be other things you _could_ set, but really none that you _need_ set.
If you want to have the main server poll more timesources, just add another server line... It'll be smart enough to extract the best possible time.
If you want two servers to act as timesource fallbacks for each other, you can also set them to poll different servers on the net (or perhaps a GPS clock or somesuch) and then have them be "peer other_server"... And the clients would then have these two as servers... But you really don't need anything more complex than the first for "fairly certain within the second" accuracy.
You can check the message file that it starts syncing (after changing the config and restarting ntpd) and perhaps poll ISP ntpd and your ntpd with ntpdate during a day to see that it works OK.

-- Glenn

Expert Comment by Gns (LVL 20)

Ah crossing posts.
Basically "yes".
Unless you tell it otherwise.
Things to be aware of is the "stratum"... This is a factor that determines how good the time really is... A stratum 1 has its own atomic clock, while a stratum 2 asks one or more stratum 1 etc. Your server will likely have a rather low stratum, so ... if the "client servers" think they have a higher stratum, they will not take the time from your server.
But usually this is not a problem (and the logs will show if it is a problem for you).

-- Glenn

Expert Comment by Gns (LVL 20)

"rather low stratum" meaning a rather high value ... 10-16 depending on what the ISPs ntp stratum would be and ... well some other stuff.

-- Glenn

Expert Comment by Gns (LVL 20)

IIRC, the default config would lead to a client thinking itself to be the lowliest beast possible... stratum 16. So it shouldn't be a problem.

-- Glenn

Author Comment by localgareth

Glenn, thanks for the tips.

I think I've broken something now :-(

My ntp server has the following config...

# /etc/ntp.conf, configuration for ntpd
logfile /var/log/ntp/ntpd
driftfile /etc/ntp.drift
statsdir /var/log/ntp/
server ntp.demon.co.uk

I start the daemon, using /etc/init.d/ntp-server start

But when I run 'ntpdate 10.253.253.48' from a host on my network... I get '3 Aug 12:39:16 ntpdate[15036]: no server suitable for synchronization found'.

Any ideas?


Gareth

Expert Comment by Gns (LVL 20)

It might take a couple of minutes for it to "rev up its engine", so try again and see what you get.
Also, check the message log for any messages from ntpd, or the /var/log/ntp/ntpd file.

As an example, here's a working ntp.conf from my central server:
# Scam for local machines clock
fudge   127.127.1.0 stratum 10
# Servers on the internet
server ifi.uio.no
server ntp.lth.se version 3
# driftfile
driftfile /etc/ntp/drift
# Don't use authentication... It's a protected LAN
authenticate no
# Don't ask why I have a keyfile:-)
keys            /etc/ntp/keys
# End of ntp.conf

As you can see, I'm using two nice and close (to me) stratum 2 servers, where the second (ntp.lth.se) uses version 3 of the protocol. You might need that for your ISP's ntp too.

-- Glenn

Expert Comment by Gns (LVL 20)

Oh, and it goes without saying (I guess) that the directory /var/log/ntp needs to exist in your case.

-- Glenn

Author Comment by localgareth

Hi Glenn

If I look in my syslog file, it seems to synchronize okay.

root@telesto:/var/log# tail syslog | grep ntpd
Aug  3 13:14:18 telesto ntpd[28372]: synchronized to 194.168.4.76, stratum 3

I've tried to telnet localhost 123, but I get connection refused - is this normal?

Gareth
PS: I have got /var/log/ntp :-)

Expert Comment by Gns (LVL 20)

Yes, it's normal. NTP usually uses UDP, not TCP, port 123 so... no telnet.

Good that it syncs OK... Do try the ntpdate again, it might just have been a timing (!:-) issue.

If that doesn't help, try adding the
authenticate no
line to /etc/ntp.conf and restart ntpd.

-- Glenn

Author Comment by localgareth

Tried that... still nothing.

I've just tried (from a host) ntpdate'ing to my ISP server...

earth:/etc/init.d # ntpdate ntp.demon.co.uk
 3 Aug 14:43:51 ntpdate[13596]: adjust time server 158.152.1.76 offset 0.000032 sec

This works - so at least it proves a firewall isn't the problem!

earth:/etc/init.d # ntpdate time.galaxy.tbs
 3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found


Gareth

Expert Comment by Gns (LVL 20)

> This works - so atleast it proves a firewall isn't the problem!
Eh, I was thinking more like an iptables (netfilter) or ipchains FW local to your ntp-server.
iptables -L
might show something.

Do you get anything in the logs when you do the (failed) ntpdate? Including auth and/or syslog?

> earth:/etc/init.d # ntpdate time.galaxy.tbs
>  3 Aug 14:43:56 ntpdate[13597]: no server suitable for synchronization found
Might indicate a stratum problem... "suitable" being the key word. Try adding the "fudge" line, exactly as above.

Ok, I'm going to test a bit on my dusty ol' woody, and see what shakes.

-- Glenn

Author Comment by localgareth

iptables -L shows accept for all chains, and no other rules - this is the same on both my (broken) time server and my hosts.

Don't get anything in the logs when a client tries to connect... I did get a message in syslog...

Aug  3 14:39:21 telesto ntpd[28881]: configure: keyword "authenticate" unknown

... so took that back out.

I'll try adding the fudge line :-)


Gareth

Expert Comment by Gns (LVL 20)

Ok, I've some preliminary findings as of yet... As most things with woody, it's a somewhat "dusty" version of ntp. You might have a lot of "synchronization lost" entries in /var/log/daemon.log or /var/log/syslog ... which would explain why it can't act as a server.

... Looking further....

-- Glenn

Expert Comment by Gns (LVL 20)

Ok, setting the fudge line like
fudge 127.127.1.0 stratum 10
restarting ntp, then letting it be for the interval between my last message and this one fixed it for my old woody...
It _might_ have worked with earlier configs too, if I'd been patient enough:-).

-- Glenn

Expert Comment by de2Zotjes (LVL 6)

I had this same problem (no server suitable for syn..), turned out that in ntp.conf I used the setting multicastclient.
Comment that one out; that worked for me.

Author Comment by localgareth

Glenn...

I've not made any config changes for a couple of hours, and just decided to check back and test the ntpdate command from a client on my network... and it worked!!! But when I restarted ntp-server, the client can no longer synchronise... and gets the same error message.

I guess I need to see how long before it magically starts working.


Gareth

Author Comment by localgareth

Glenn

Again, this morning it's all working fine... restart the service and it doesn't work.

Could this just be usual behaviour?


Gareth

Expert Comment by de2Zotjes (LVL 6)

Since Glenn seems to be out for the moment:

Yes, this is usual behaviour. It might take a couple of minutes to get accurate readings from the upstream timeserver. During that time you will not be able to synchronize to the current server.
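The warm-up de2Zotjes describes can be watched on the server itself with `ntpq -p`, which the thread does not mention but which ships in the same ntp package as ntpd. What follows is an added example (my code, not anything posted by either expert) that parses two constructed `ntpq -p` billboards, one a few seconds after a restart and one in steady state, and derives what a client's ntpdate is reacting to: until ntpd has chosen a system peer (the `*` in the first column) it advertises stratum 16, and ntpdate rejects such a server with exactly the "no server suitable for synchronization found" message quoted above. The `reach` column is an eight-bit shift register of the last eight polls, so at the default 64-second poll interval it takes about 8 x 64 = 512 seconds to fill, which is the order of the delay being discussed. Host names, addresses and figures in the samples are made up; the column layout is the real ntpq one.

```python
import re
from dataclasses import dataclass
from typing import List

# Two "ntpq -p" billboards, constructed for this example. Steady state: the
# upstream answered the last eight polls (reach 377, octal) and ntpd picked it
# as system peer (leading "*").
BILLBOARD_SYNCED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp.demon.co.uk 158.152.1.76     2 u   41   64  377   12.345    0.032   0.501
 LOCAL(0)        .LOCL.          10 l   30   64  377    0.000    0.000   0.001
"""

# Same server a few seconds after "/etc/init.d/ntp-server restart": one poll
# answered so far (reach 1), nothing selected yet.
BILLBOARD_JUST_RESTARTED = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp.demon.co.uk 158.152.1.76     2 u    3   64    1   12.345    0.032   0.001
 LOCAL(0)        .LOCL.          10 l    -   64    0    0.000    0.000   0.001
"""

# Tally codes ntpq prints in the first column.
TALLY = {
    " ": "rejected", "x": "falseticker", ".": "excess", "-": "outlier",
    "+": "candidate", "#": "selected", "*": "sys.peer", "o": "pps.peer",
}
UNSYNCHRONIZED_STRATUM = 16   # what ntpd advertises while it has no source

LINE_RE = re.compile(
    r"^(?P<tally>[ x.\-+#*o])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>[\d.]+)\s*$"
)


@dataclass
class Peer:
    tally: str
    remote: str
    stratum: int
    poll: int       # poll interval in seconds
    reach: int      # 8-bit shift register, one bit per poll, newest in bit 0
    offset_ms: float


def parse_billboard(text: str) -> List[Peer]:
    """Parse the text printed by "ntpq -p" into Peer records."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.lstrip().startswith("remote"):
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError("unrecognised ntpq line: %r" % line)
        peers.append(Peer(
            tally=m["tally"], remote=m["remote"], stratum=int(m["st"]),
            poll=int(m["poll"]), reach=int(m["reach"], 8),   # reach is printed in octal
            offset_ms=float(m["offset"]),
        ))
    return peers


def polls_answered(reach: int) -> int:
    """How many of the last eight polls this peer answered."""
    return bin(reach & 0xFF).count("1")


def advertised_stratum(peers: List[Peer]) -> int:
    """Stratum this ntpd hands to its own clients: one more than its system
    peer, or 16 if it has not selected a peer yet."""
    for p in peers:
        if p.tally in ("*", "o"):
            return p.stratum + 1
    return UNSYNCHRONIZED_STRATUM


def serves_clients(peers: List[Peer]) -> bool:
    """ntpdate on a client answers "no server suitable for synchronization
    found" while the server still advertises stratum 16."""
    return advertised_stratum(peers) < UNSYNCHRONIZED_STRATUM


def seconds_until_full_reach(peer: Peer) -> int:
    """Worst-case wait until reach reads 377: one poll interval for every
    poll still missing from the shift register."""
    return (8 - polls_answered(peer.reach)) * peer.poll


if __name__ == "__main__":
    for name, text in (("synced", BILLBOARD_SYNCED), ("just restarted", BILLBOARD_JUST_RESTARTED)):
        peers = parse_billboard(text)
        print("%s: stratum %d, serving clients: %s"
              % (name, advertised_stratum(peers), serves_clients(peers)))
        for p in peers:
            print("  %-16s %-11s %d/8 polls answered, up to %ds until reach 377"
                  % (p.remote, TALLY[p.tally], polls_answered(p.reach), seconds_until_full_reach(p)))
```

Run it on the server with the real output (`ntpq -p | python3 thisfile.py` would need a one-line change to read stdin) and the two things to watch are the `*` appearing and `reach` climbing 1, 3, 7, 17, 37, 77, 177, 377; a restart zeroes the register, which is why the clients drop out again each time the service is bounced.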

Author Comment by localgareth

de2... How long is usual, is this documented anywhere?


Gareth

Accepted Solution by Gns (LVL 20, earned 350 total points)

(Well, 'scuse me for being home sleeping:-):-)
Yes, one should be able to determine this (from the very voluminous and explicit docs, if nowhere else:-), but... One really doesn't need to!
You'll probably have "good enough" time to survive being without a true timesource for at least a couple of hours, especially once all clocks have been brought ... "close". If time is supercritical (perhaps due to some scientific calcs/equipment, or some distributed RT requirements ... or similar) you could probably not live with it, but for good synchronized "office" time... you'll be fine.
And the good part is that they will start syncing ASAP as the readings are good.

To me, ntp is one of those "setup-and-almost-forget" type of services, since the protocols and tools have been intelligently designed;). It's been rock solid for years for me, and a host of others around the globe... A good reason to keep a couple of linux servers on the LAN, that are so lightly loaded ('cause NTP really doesn't stress any normal semi-modern machine at all) that you can use them for any _other_ task you like... File/print servers perhaps?

Let us know if you have any more problems, setting up the rest of the servers.

-- Glenn

Author Comment by localgareth

Hi Glenn

I didn't know techies needed sleep!?! hehe.

Well... I think I can live with the delay :-) It seems to be between 6 and 8 minutes, so it's nothing major.

I've now setup my other clients to get their time from my main time server... however, I don't want these clients to also act as servers - it just seems unnecessary.

How would I set a client only mode in ntp.conf?


Gareth
... points for this question increased to 500 :-)

Expert Comment by Gns (LVL 20)

Um, again... Does it really matter? ntp is rather safe as it is...
But if you'd like to be supersure, just set your local firewall ('cause if you deem NTP to be a security risk, you _really_ should have a local FW on every machine) to block "incoming" ntp requests.
If you have a moderately safe LAN (protected from everything but the users;-), I wouldn't bother:-)

-- Glenn

Author Comment by localgareth

Guess it doesn't *really* matter... just thought it was better not to have services accessible to other hosts that aren't needed.

I don't want to start installing and configuring iptables for this, I had hoped there would be a configuration entry that could be used in ntp.conf.


Gareth

Assisted Solution by de2Zotjes (LVL 6, earned 150 total points)

To block incoming requests you can also state (in the ntp.conf that is):

restrict default ignore
restrict <server> mask 255.255.255.255 nomodify notrap noquery

additional restrict lines can be used to open the service to more remote machines.

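Putting the thread together, here is the LAN server from Glenn's first answer and the client-only lockdown from the restrict lines just above, written out as a complete pair of configs. This is an added example, not a file posted by either expert. The upstream name ntp.demon.co.uk, its address 158.152.1.76 (from the ntpdate output earlier in the thread), the server address 10.253.253.48 and the 10.253.253.x LAN are taken from the thread; treating the LAN as a /24, the `server 127.127.1.0` line paired with the fudge line, and the 127.0.0.1 restrict line are my additions.

```conf
# /etc/ntp.conf on the LAN time server ("telesto" in the thread)
driftfile /etc/ntp.drift

# Upstream source: the ISP server from the question
server ntp.demon.co.uk
# Local clock as a last-resort fallback at a deliberately poor stratum, so the
# daemon keeps answering the LAN if the upstream goes away. A fudge line only
# acts on a clock that also has a server line (assumption: added here).
server 127.127.1.0
fudge  127.127.1.0 stratum 10

# Default deny: packets from anyone not listed below are dropped.
restrict default ignore
# The upstream's replies must get in; nomodify/notrap/noquery still stop that
# host from reconfiguring, trapping or querying this daemon.
restrict 158.152.1.76 mask 255.255.255.255 nomodify notrap noquery
# Local tools (ntpq, ntpdate run on this host)
restrict 127.0.0.1
# LAN clients (assumed 10.253.253.0/24) may ask for time, but may not
# reconfigure the daemon, set traps, or pull peer/status lists.
restrict 10.253.253.0 mask 255.255.255.0 nomodify notrap noquery

# ---------------------------------------------------------------------------
# /etc/ntp.conf on a client-only LAN host ("earth" in the thread)
driftfile /etc/ntp.drift
server 10.253.253.48
# Only the LAN server and local tools get through; every other host is ignored.
restrict default ignore
restrict 10.253.253.48 mask 255.255.255.255 nomodify notrap noquery
restrict 127.0.0.1
```

`restrict` flags apply to packets arriving from the listed address, so `ignore` on the upstream would silently discard its replies; that is why the upstream gets its own line carrying only nomodify/notrap/noquery. A host that is blocked by `restrict default ignore` gets the same "no server suitable for synchronization found" from ntpdate as a client of a server still at stratum 16, so once the warm-up period has passed, check the restrict lines before suspecting the stratum. With `noquery` on the LAN line, `ntpq -p` against the server only works from the server itself, which is usually what you want.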

Expert Comment by Gns (LVL 20)

Yes de2Zotjes, thanks for jogging my memory(:-), still... if one deems this necessary, a firewall is never wrong.

-- Glenn

Author Comment by localgareth

Guys... thanks for all your help.


Gareth
 