pavement

NTP, configuring

From FreeBSDwiki
(Difference between revisions)
Jump to: navigation, search
m (NTP Servers)
m (Added small section on forcing synchronisation on extended drift)
 
(7 intermediate revisions by 3 users not shown)
Line 27: Line 27:
 
The ''restrict'' keyword is basically an allow statement that restricts how your NTP service on your server may be used (and by who); modifier options after restrict help with this:
 
The ''restrict'' keyword is basically an allow statement that restricts how your NTP service on your server may be used (and by who); modifier options after restrict help with this:
  
restrict Address [ mask Number | default ] [ Parameter ... ]  
+
restrict Address [ mask Number | default ] [ Parameter ... ]  
  
 
Allowed parameters are:
 
Allowed parameters are:
 
  ignore  
 
  ignore  
   Specifies to ignore all packets from hosts which match this entry. Does not respond to queries nor time server polls.  
+
   Specifies to ignore all packets from hosts which match this entry.  
 
+
  Does not respond to queries nor time server polls.  
 +
 
  limited  
 
  limited  
   Specifies that these hosts are subject to limitation of number of clients from the same net. Net in this context refers to the IP notion of net (class A, class B, class C, and so on). Only accepts the first client_limit hosts that have shown up at the server and that have been active during the last client_limit_period seconds. Rejects requests from other clients from the same net. Only takes into account time request packets. Private, control, and broadcast packets are not subject to client limitation and therefore do not contribute to client count. The monitoring capability of the xntpd daemon keeps a history of clients. When you use this option, monitoring remains active. The default value for client_limit is 3. The default value for client_limit_period is 3600 seconds.  
+
   Specifies that these hosts are subject to limitation of number of  
 
+
  clients from the same net. Net in this context refers to the IP notion  
 +
  of net (class A, class B, class C, and so on). Only accepts the first  
 +
  client_limit hosts that have shown up at the server and that have been
 +
  active during the last client_limit_period seconds. Rejects requests  
 +
  from other clients from the same net. Only takes into account time  
 +
  request packets. Private, control, and broadcast packets are not subject
 +
  to client limitation and therefore do not contribute to client count.  
 +
  The monitoring capability of the xntpd daemon keeps a history of clients.
 +
  When you use this option, monitoring remains active. The default value for
 +
  client_limit is 3. The default value for client_limit_period is 3600 seconds.  
 +
 
  nomodify  
 
  nomodify  
   Specifies to ignore all NTP mode 6 and 7 packets which attempt to modify the state of the server (run time reconfiguration). Permits queries which return information.  
+
   Specifies to ignore all NTP mode 6 and 7 packets which attempt to modify the
 
+
  state of the server (run time reconfiguration). Permits queries which return
 +
  information.  
 +
 
  nopeer  
 
  nopeer  
   Specifies to provide stateless time service to polling hosts, but not to allocate peer memory resources to these hosts.  
+
   Specifies to provide stateless time service to polling hosts, but not to  
 
+
  allocate peer memory resources to these hosts.  
 +
 
  noquery  
 
  noquery  
   Specifies to ignore all NTP mode 6 and 7 packets (information queries and configuration requests) from the source. Does not affect time service.  
+
   Specifies to ignore all NTP mode 6 and 7 packets (information queries and
 
+
  configuration requests) from the source. Does not affect time service.  
 +
 
  noserve  
 
  noserve  
   Specifies to ignore NTP packets whose mode is not 6 or 7. This denies time service, but permits queries.  
+
   Specifies to ignore NTP packets whose mode is not 6 or 7. This denies time
 
+
  service, but permits queries.  
 +
 
  notrap  
 
  notrap  
   Specifies to decline to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the mode 6 control message protocol intended for use by remote event-logging programs.
+
   Specifies to decline to provide mode 6 control message trap service to
 
+
  matching hosts. The trap service is a subsystem of the mode 6 control message
notrust
+
  protocol intended for use by remote event-logging programs.  
  Specifies to treat these hosts normally in other respects, but never use them as synchronization sources.  
+
 
   
 
   
 +
notrust
 +
  Specifies to treat these hosts normally in other respects, but never use
 +
  them as synchronization sources.
 +
 
 
  ntpport  
 
  ntpport  
   Specifies to match the restriction entry only if the source port in the packet is the standard NTP UDP port (123).  
+
   Specifies to match the restriction entry only if the source port in the
 +
  packet is the standard NTP UDP port (123).  
  
 
Note that using no parameters means "open access" for your server.
 
Note that using no parameters means "open access" for your server.
Line 63: Line 83:
  
 
===NTP pool servers===
 
===NTP pool servers===
Please consider using the [http://ntp.isc.org/bin/view/Servers/NTPPoolServers NTP Pool servers].  These are public time servers selected by round-robin.  The DNS reference changes each hour. These time servers have ''volunteered'' to offer their services through the pool.  To [http://www.pool.ntp.org/use.html use the pool], for example, users in the U.S. would add these lines to their /etc/ntpd.conf  
+
Please consider using the [http://ntp.isc.org/bin/view/Servers/NTPPoolServers NTP Pool servers].  These are public time servers selected by round-robin.  The DNS reference changes each hour. These time servers have ''volunteered'' to offer their services through the pool.  As the server pool grows, the service regions will become increasingly more specific, and the results will be even more reliable.  To [http://www.pool.ntp.org/use.html use the pool], for example, users in the U.S. would add these lines to their /etc/ntp.conf  
  server 0.us.pool.ntp.org
+
  server 0.us.pool.ntp.org
  server 1.us.pool.ntp.org
+
  server 1.us.pool.ntp.org
  server 2.us.pool.ntp.org
+
  server 2.us.pool.ntp.org
  
As the server pool grows, the regions will become increasingly more specific, and the results will be even more reliable.  You do not need, and should not use, more than three server lines in your /etc/ntpd.conf.   
+
Some say that you do not need, and should not use, more than three server lines in your /etc/ntp.conf.  [http://ntp.isc.org/bin/view/Support/ConfiguringNTP Others disagree].
  
 
Similarly, if you need to quickly set your system clock, to use the pool (if your ISP does not offer a time service) you would say (e.g. in the U.S.):
 
Similarly, if you need to quickly set your system clock, to use the pool (if your ISP does not offer a time service) you would say (e.g. in the U.S.):
   /usr/sbin/ntpdate 0.us.pool.ntp.org
+
   # /usr/sbin/ntpdate 0.us.pool.ntp.org
  
It is usually considered poor manners to hit even a server pool more than a few times in a 24 hour period.  If you're one of those many who are in the habit of synching every clock on your LAN against a single public server, every few seconds, your IP may end up on the clock-master's list of Folks We Don't Like, and your network's time of reckoning will eventually arrive - or worse, you will contribute to stopping these vital services.
+
It is usually considered poor manners to regularly hit even a server pool more than a few times in a 24 hour period.  If you're one of those many who are in the habit of synching every clock on your LAN against a single public server, every few seconds, your IP may end up on the clock-master's list of Folks We Don't Like, and your network's time of reckoning will eventually arrive - or worse, you will contribute to stopping these vital services.
  
 
==Auto-starting ntpd==
 
==Auto-starting ntpd==
Line 107: Line 127:
  
 
http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/
 
http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/
 +
 +
== Synchronisation Tip ==
 +
 +
Sometimes the time on your FreeBSD server can drift beyond the maximum limit that the NTP daemon allows for bringing it back into line.  Perhaps the workstation isn't on very often or the server was off at the last daylight savings time shift (such as BST in the United Kingdom).  If you have a log file enabled for NTP it will highlight this issue.
 +
 +
A tip from the [http://www.pool.ntp.org/en/use.html NTP organisation website] offers the following to force synchronisation:
 +
 +
  server# /etc/rc.d/ntpd stop
 +
  Stopping ntpd.
 +
  server# ntpdate pool.ntp.org
 +
  29 May 19:09:50 ntpdate[40071]: step time server 213.9.73.106 offset 3474.968729 sec
 +
  server# /etc/rc.d/ntpd start
 +
 +
This may affect time-critical servers such as firewalls where event logging is date and time stamped for possible investigative / audit purposes.
 +
 +
[[Category: Common Tasks]] [[Category: FreeBSD for Servers]]

Latest revision as of 14:24, 29 May 2009

After installing Ntp, you'll want to configure it properly. Remember to allow TCP and UDP ports 123 if you're firewalling the client/server.

Contents

[edit] NTP Clients

If you're a client, you'll need to listen locally if you've got an NTP server locally to get the time. To start, edit /etc/ntp.conf and make sure it has something like this in it:

# Because the computer clocks drift, keep the drift info somewhere:
driftfile /etc/ntp.drift 

# if we are a client that listens to NTP broadcasts on the LAN, uncomment this line:
#broadcastclient

# Let's setup a log file for NTP:
logfile /var/log/ntp.log

[edit] NTP Servers

First, synchronize to a known good time server -- there are many listed at ntp.isc.org, and due to common sense and politeness, I won't list one particular server here, but the US Navy has some servers available -- be sure to read their policies for allowed use. Once you've got a server that you can use, run

ntpdate time.someserver.somewhere.com 

and your system will update to that time. You may want to verify that the time is correct, if you've got a Java-capable browser handy, time.gov will give you the correct time for the timezone you're in.

Once you've got that done, find a server that you can update from regularly -- be sure you've read through the documentation and obtained permission to use the server (seriously, this is important, folks have no sense of humor about this, see links below for why) -- it's time to set up your /etc/ntpd.conf which will at a minimum need to have three lines:

server time.someserver.somewhere.com prefer
driftfile /var/db/ntpd.drift
restrict default notrust nomodify nopeer

The server line may be repeated (you'll want more than one and less than 5 -- although it's recommended you don't go over 3), and if you leave out the "prefer" keyword and have multiple server lines, then you'll round-robin through the list. If you have multiple server lines and leave the "prefer" keyword in, you'll only go to the other servers (without the "prefer") if your "preferred" server can't be reached.

The restrict keyword is basically an allow statement that restricts how your NTP service on your server may be used (and by who); modifier options after restrict help with this:

restrict Address [ mask Number | default ] [ Parameter ... ] 

Allowed parameters are:

ignore 
  Specifies to ignore all packets from hosts which match this entry. 
  Does not respond to queries nor time server polls. 

limited 
  Specifies that these hosts are subject to limitation of number of 
  clients from the same net. Net in this context refers to the IP notion 
  of net (class A, class B, class C, and so on). Only accepts the first 
  client_limit hosts that have shown up at the server and that have been
  active during the last client_limit_period seconds. Rejects requests 
  from other clients from the same net. Only takes into account time 
  request packets. Private, control, and broadcast packets are not subject
  to client limitation and therefore do not contribute to client count. 
  The monitoring capability of the xntpd daemon keeps a history of clients.
  When you use this option, monitoring remains active. The default value for
  client_limit is 3. The default value for client_limit_period is 3600 seconds. 

nomodify 
  Specifies to ignore all NTP mode 6 and 7 packets which attempt to modify the
  state of the server (run time reconfiguration). Permits queries which return
  information. 

nopeer 
  Specifies to provide stateless time service to polling hosts, but not to 
  allocate peer memory resources to these hosts. 

noquery 
  Specifies to ignore all NTP mode 6 and 7 packets (information queries and
  configuration requests) from the source. Does not affect time service. 

noserve 
  Specifies to ignore NTP packets whose mode is not 6 or 7. This denies time
  service, but permits queries. 

notrap 
  Specifies to decline to provide mode 6 control message trap service to
  matching hosts. The trap service is a subsystem of the mode 6 control message
  protocol intended for use by remote event-logging programs. 

notrust 
  Specifies to treat these hosts normally in other respects, but never use
  them as synchronization sources. 
 
ntpport 
  Specifies to match the restriction entry only if the source port in the
  packet is the standard NTP UDP port (123). 

Note that using no parameters means "open access" for your server.

Now that you've configured your ntp.conf file and want to use your server, start up the program manually:

# ntpd -p /var/run/ntpd.pid

[edit] NTP pool servers

Please consider using the NTP Pool servers. These are public time servers selected by round-robin. The DNS reference changes each hour. These time servers have volunteered to offer their services through the pool. As the server pool grows, the service regions will become increasingly more specific, and the results will be even more reliable. To use the pool, for example, users in the U.S. would add these lines to their /etc/ntp.conf

 server 0.us.pool.ntp.org
 server 1.us.pool.ntp.org
 server 2.us.pool.ntp.org

Some say that you do not need, and should not use, more than three server lines in your /etc/ntp.conf. Others disagree.

Similarly, if you need to quickly set your system clock, to use the pool (if your ISP does not offer a time service) you would say (e.g. in the U.S.):

 # /usr/sbin/ntpdate 0.us.pool.ntp.org

It is usually considered poor manners to regularly hit even a server pool more than a few times in a 24 hour period. If you're one of those many who are in the habit of synching every clock on your LAN against a single public server, every few seconds, your IP may end up on the clock-master's list of Folks We Don't Like, and your network's time of reckoning will eventually arrive - or worse, you will contribute to stopping these vital services.

[edit] Auto-starting ntpd

Edit your /etc/rc.conf and add this to the end;

# ntpd sets the time in small increments, ntpdate sets the time
# no matter how large the discrepancy is. If you're running ntpd
# you'll want to weigh the risks of getting a wildly different time
# given to your system from whatever system _you_ are getting the
# time from. If you're polling time data from absolutely known-good
# servers, it might not be a bad idea to get the time from them on boot-up.
# If you want to do that, uncomment this line;
# ntpdate_enable="NO"
# turn on the ntp daemon:
ntpd_enable="YES"
# The NTP program is located here:
ntpd_program="/usr/local/bin/ntpd"
# and we want to use it with these options; see man page for details
ntpd_flags="-A -g -N -c /etc/ntp.conf -p /var/run/ntpd.pid -l /var/log/ntpd.log"


Note: ntpd_enable was xntpd_enable in older FreeBSD releases (before FreeBSD-5). If you're running FreeBSD-4, replace every instance of ntpd with xntpd (xntpd_enable="YES", for example).

[edit] NTP etiquette

The N stands for Network, but if you've got your own network, it behooves you -- and you're expected to -- either keep an ntp server for it or use one that you're allowed to; your ISP's or one you setup yourself. NTP stratum 1 servers are neither ubiquitous nor fair use for everyone. If you have a GPS or atomic-clock enabled server, then you can run your own stratum 1 server. More than likely you'll want to run a stratum 3 (or higher) server for your network, and you'll want to pull time from stratum 2 or 1 servers that are more accurate for you.

Horror stories on why you want to only use servers you're allowed to:

http://www.cs.wisc.edu/~plonka/netgear-sntp/

http://people.freebsd.org/~phk/dlink/

http://www.lightbluetouchpaper.org/2006/04/07/when-firmware-attacks-ddos-by-d-link/

[edit] Synchronisation Tip

Sometimes the time on your FreeBSD server can drift beyond the maximum limit that the NTP daemon allows for bringing it back into line. Perhaps the workstation isn't on very often or the server was off at the last daylight savings time shift (such as BST in the United Kingdom). If you have a log file enabled for NTP it will highlight this issue.

A tip from the NTP organisation website offers the following to force synchronisation:

 server# /etc/rc.d/ntpd stop
 Stopping ntpd.
 server# ntpdate pool.ntp.org
 29 May 19:09:50 ntpdate[40071]: step time server 213.9.73.106 offset 3474.968729 sec
 server# /etc/rc.d/ntpd start

This may affect time-critical servers such as firewalls where event logging is date and time stamped for possible investigative / audit purposes.

Personal tools