Last updated on: 2020-09-01
Authored by: Jered Heeschen
You can easily keep your system’s date and time accurate by using network time protocol (NTP).
Having an accurate clock on your server ensures that timestamps in emails sent from your machine are correct. An accurate clock is especially helpful when you need to look at the logs from a particular time of day.
If you don’t occasionally set the system clock yourself, the time will slowly drift away from a perfectly accurate setting. That’s when NTP is useful.
NTP lets you automatically sync your system time with a remote server. The NTP can be used to update the clock on a machine with a remote server. This keeps your machine’s time accurate by syncing with servers that are known to have accurate times. NTP also keeps the clocks on several machines in sync, thus making it easier to match log entries for an event across multiple servers.
It’s easy to set up an NTP server to adjust your machine’s clock regularly. It’s also possible to make it a bit more complicated if you need your clock accurate down to the millisecond instead of just to the second.
The first thing to do is to install the NTP server. Grab the package by running:
sudo aptitude update
sudo aptitude install ntp
sudo yum install ntp
Ater you install NTP, you can ensure the service runs at boot time by running the following command:
sudo /sbin/chkconfig ntpd on
sudo yum install ntp
Ater you install NTP, you can ensure the service runs at boot time by running the following command:
sudo chkconfig ntpd on
To make sure the NTP service starts after installing it, run the following command:
Ubuntu operating systems / Debian / CentOS / RHEL:
sudo /etc/init.d/ntp start
Fedora:
sudo /etc/init.d/ntpd start
As is usual for Linux® services, you can stop or restart the NTP service
by running the preceding command with stop
or restart
as the argument
instead of start
.
Most people just want to get NTP running and don’t need to sync their clock to pinpoint, millisecond-level accuracy. In this case, you don’t need to do anything else. When you installed NTP, it set you up with default servers with which to sync, so NTP syncs your clock automatically. Congratulations on a job well done!
If you want to use NTP to sync several of your own machines, or if you want to choose NTP servers other than the defaults, you can find the NTP configuration file at /etc/ntp.conf.
A few settings can be changed, but the only settings of interest to most users include server entries. Use the default settings for your specific Linux distribution.
With more than one server entry, your NTP server queries all servers and select a time on which most of the polled servers agree. Because NTP uses three or more servers, your clock is more accurate than if it uses only one.
Adding the iBurst option after the server address speeds up the NTP time sync slightly. While this is helpful, it isn’t essential.
The dynamic option tells NTP that it can try a configured server again later if it’s unavailable at some point. The dynamic option is useful when NTP runs on a machine that doesn’t always have access to the Internet. It is not necessary on a machine with a dedicated connection.
Protect yourself against NTP server attacks by adding disable monitor
to
your /etc/ntp.conf file. Disabling monitoring prevents unwanted remote
queries that use commands from older versions of NTP, such as monlist.
If you have more than one machine to sync, it is best to designate one as the master NTP server. Set up the master server to connect to an outside NTP server, then have the other machines sync to the master. This setup reduces the number of outgoing connections and guarantees that all of your machines have their time set to the same value. This configuration requires changes to the server settings in the ntp.conf files on each machine.
Set up any external servers you want to use on the master machine. For example, if you want to use the NTP pool servers, you can set the server values in the master ntp.conf file to:
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
Point the ntp.conf to your master server on every other machine that needs to sync the time. For example, if your master server is main.example.com, you would alter the ntp.conf files on the secondary machines so that the server entries are as follows:
server main.example.com iburst
After setting the server parameters and ensuring that the iptables entries don’t block connections to your main NTP server, restart the NTP services on each machine to get them syncing.
NTP uses UDP port 123 to conduct its business, either connecting to
another NTP server or accepting incoming connections. If you have
iptables filtering incoming traffic on the main NTP server in your
cluster, you need to open port 123
to UDP traffic to allow the
other servers to connect to it. You can open port 123
for UDP traffic
with the following iptables arguments:
-I INPUT -p udp --dport 123 -j ACCEPT
-I OUTPUT -p udp --sport 123 -j ACCEPT
When syncing one or more machines via NTP, you want at least one of them to set their time from a reliable external server. Many public servers out there are either synced directly from an atomic clock (guaranteeing an absolutely accurate time) or synced from another server that syncs to an atomic clock.
The best source for lists of public NTP servers is the NTP Servers WebHome at the main NTP site. The site has a description of the servers available, and the sidebar has links to three levels of NTP servers: Primary, secondary, and pool.
Deciding what type of server to sync from depends on how accurate you need your servers to be.
For most users, the pool servers are the best choice. Pool servers are machines that have volunteered to make their NTP server available to the public. They typically sync from a secondary NTP server, so their time is accurate, but not necessarily accurate to the nearest millisecond.
Most users don’t need their machine time accurate to the nearest millisecond; they just want to know what time it is. Use the pool servers unless you need pinpoint accuracy.
Using the NTP pool servers is as easy as setting the server entries in your ntp.conf file to:
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
To ensure that you only connect to pool servers in your own country or region, visit the pool servers page for more specific addresses. For most people, the above entries are more than sufficient. Those addresses rotate among a huge list of volunteer NTP servers worldwide, so the load on any one machine never gets too great.
If you want to contribute to the NTP pool after you’ve set up your NTP server, get details on how to do so from the pool website.
The other two tiers of NTP servers are primary and secondary servers. A primary server gets its time directly from an atomic clock (or from GPS satellites, which use atomic clocks). Atomic clocks are expensive, so there aren’t many primary servers. You don’t have to use a primary server unless you’re looking for extreme scientific accuracy.
A secondary server usually gets its time from a primary server. If you want accuracy down to the millisecond level, having three secondary servers in your ntp.conf works well.
You can see what public servers are available in either tier by selecting either list from the NTP Servers WebHome. Before selecting and using a server, check the details for that server as follows:
Before using an external NTP server to sync your time, you should make
sure you can actually connect to the server from your machine.
Fortunately, there’s a tool for that included with the NTP server called
ntpdate
.
The ntpdate
command syncs your clock with an NTP server. It’s
similar to what the NTP server does on a regular basis. The ntpd
program
is a separate package on Ubuntu® operating systems and Debian®. The other
distributions install ntpdate
at the time of ntpd installation. To
use ntpdate
, Ubuntu operating system and Debian users must first install it.
sudo aptitude install ntpdate
Set your clock to sync at times you specify by using cron
to run
ntpdate
. Otherwise, run the NTP server because it uses less bandwidth and
keeps time more accurately by tracking your clock’s drift over time and
adjusting accordingly. Use ntpdate
for testing purposes only.
The ntpdate
command does not run when the NTP server is running. If you
run ntpdate
and get a response like “the NTP socket is in use,” this
means your NTP server is running. Stop it with the appropriate command
for your distribution:
Ubuntu operating systems / Debian
sudo /etc/init.d/ntp stop
CentOS / Fedora / RHEL
sudo /etc/init.d/ntpd stop
You can now run ntpdate
with the server you want to sync against as an
argument. For example, to tell ntpdate
to try and sync with
“pool.ntp.org”, run the following command:
sudo ntpdate pool.ntp.org
When you’re finished testing, remember to restart NTP:
Ubuntu operating systems / Debian
sudo /etc/init.d/ntp start
CentOS / Fedora / RHEL
sudo /etc/init.d/ntpd start
Fortunately, NTP time syncing is pretty easy to do. After you set the time servers and start the NTP service, it does its work quietly in the background.
If NTP has any problems, it logs them to the system log, which you should be checking regularly anyway.
For more details on setting up an NTP server and what options are available, visit the NTP documentation site. If you want to know more about how NTP works, go to the main NTP web site, and all will be revealed.
©2020 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License