r26 - 2007-12-21 - 16:07:02 - SteveKostecke
NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to use in a distributed denial-of-service (DDoS) attack. Please also take this opportunity to defeat denial-of-service attacks by implementing ingress and egress filtering as described in BCP38.

A new set of mode 6 vulnerabilities has been discovered. Exposure to them can be reduced by making sure you have restrict default noquery in your ntp.conf file, but the best and most complete way to avoid them is to install and deploy ntp-4.2.8, which was released on 18 December 2014.

Please see the NTP Security Notice for vulnerability and mitigation details.

Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
REFACTOR See GettingStartedDev for discussion of this topic.

3.1. Getting Started With NTP

Note: If you are really impatient, the NTP Quick Start Page (or http://www.eecis.udel.edu/~mills/ntp/html/quick.html) is an even shorter quick start.

3.1.1. What NTP is and what it does

The internal clocks of most computers are rather inaccurate. You can correct the clock by hand on occasion, or you can use NTP to regulate your clock to be much more accurate.

NTP stands for "Network Time Protocol". It is a way for computers to exchange information about the exact time, so that they can regulate their clocks.

NTP also stands for a particular daemon (continuously running program) that uses the Network Time Protocol to determine the correct time and regulate your computer's clock to show the correct time. The NTP daemon software can be obtained from http://www.ntp.org. It runs on Unix and Windows/NT systems. (There are other programs that use the Network Time Protocol for setting your computer's clock as well -- see 3.1.10. Further resources for information.)

NTP can regulate your clock using a "reference clock", a device that obtains accurate time information from an outside source and delivers it to your computer. More commonly, NTP can regulate your clock by obtaining time information from another NTP daemon. NTP can also provide time information to other NTP daemons.

Once you install the NTP software and start it running, you must provide it with a source of time information, either a reference clock, or with the addresses of other NTP daemons. This document describes the critical steps of installing the software and configuring NTP to obtain time from other NTP daemons. Information about using a reference clock with NTP is at http://www.eecis.udel.edu/~mills/ntp/html/refclock.html.

3.1.2. The names of the programs: Is it ntpd or xntpd?

Some operating systems supply the NTP programs (ntpd, ntpdate, ntpdc, ntpq, etc.) with filenames starting with "x" (xntpd, xntpdate, etc.). Others use filenames without the "x". This document uses the names without the "x". Try to run the program using the name without the "x" first. If you receive a "command not found" error, try the name with an "x".

The "x" versions of the programs are from version 3 of NTP. They are old, but some OS vendors still distribute these versions of NTP. The versions without the "x" are from version 4. The commands and options used in this document should work for either version.

3.1.3. Pick your servers

Find some public servers that you can sync with. Use either just one, or at least four: with two servers ntpd cannot tell which one is wrong when they disagree, and with three a single outage leaves you in exactly that position. The logic is complex, but if you want to read more about it, see https://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5.3.3. Here is a list of public NTP servers.

These sites are kind enough to perform this service for you, so follow any guidelines they request (asking permission first, donations, thank-you notes, whatever).

Let's suppose you've picked clock.example.org, timekeeper.sample.com, ntp1.example.co.uk, and tick.anotherexample.net. Those aren't real sites, but I'll use them as examples in the rest of this document.

3.1.4. "Manually" set the clock correctly just once

HMS: This section is best for xntp (V3). ntpdate is deprecated in ntp4, see StartingNTP for more information.

Let's "manually" set the clock to the correct time just to start things off. When ntpd is running and finds your clock is wrong, it makes tiny changes until the clock is right, so applications don't get confused. On reboot, however, the clock may have lost a lot of time, and since no applications are running yet we can make one big time leap to correct it without risk of confusing them. To do this we use a different utility called ntpdate. It can't run at the same time as ntpd, because both want UDP port 123. We give it the "-b" option so that it steps the clock (jumps forward or backwards) rather than slewing it.

Here's the command that does this:

   ntpdate -b clock.example.org timekeeper.sample.com ntp1.example.co.uk tick.anotherexample.net
(NOTE: Substitute the four NTP servers that you'd like to sync with. Those aren't real.)

Try this once from the command line (as "root") to make sure you've got it right.

   # ntpdate -b clock.example.org timekeeper.sample.com ntp1.example.co.uk tick.anotherexample.net
    5 Jun 08:50:18 ntpdate[23777]: step time server offset -111.106949 sec

This means that your clock was off by -111.106949 seconds (a negative offset means your clock was ahead of the server's), but now it's been brought up to date. The good news is that for an instant you were in sync. The bad news is that by the time you read this, your clock has drifted. Darn computers!

3.1.5. Set the clock correctly on every boot up

On reboot, you want to tell the system to sync up quickly. While your machine was down the CPU gets bored and plays with the clock. Haven't you ever been in a clock store waiting for your mother to make her purchase and started setting the clocks to funny times? It's like that, only your mother has nothing to do with this (I'm sure she's a very nice person, you just don't appreciate her enough).

Let's configure your system to run this command on boot up. Here's how to do this on various operating systems:

Debian
This is done automatically if the ntpdate package has been installed and configured.

FreeBSD 4.x
Simply add this line to the end of /etc/rc.conf (if not running ntpd):

(If you are running ntpd, the -g option specified below means ntpdate is not needed; do NOT add the line above.)

Red Hat
(Release 8.0) This is done automatically if the ntp package has been installed and configured.

Solaris 9
This is done automatically if a properly configured /etc/inet/ntp.conf exists.

End of OS-specific items

(people can volunteer the easiest way to do this on their favorite OS)

3.1.6. Keep the clock in sync permanently and continuously.

Having your clock set properly every time you boot is nice, if you reboot constantly. Of course, you could put that command in cron but we have a solution that is so much better you'll thank me in the morning. We'll run ntpd which will constantly keep your clock correct by making micro-adjustments all day long. Heck, ntpd is so smart that if you lose contact with all your NTP servers it will remember how bad your clock was and keep making adjustments based on past bad performance. Pretty cool, eh?

The NTP documentation has volumes about the various features and entire books can be written about the theory of operation of NTP. It's really quite amazing how the system works so precisely, so accurately, does the right thing through outages, detects and avoids misconfigured servers, conserves bandwidth, and as Jim Trocki once said, "fixes problems that you don't yet realize you have". However, you don't care about that, you just want a simple configuration that works. Here's one.

ntpd's configuration file lives in a different place on different systems:

Debian, FreeBSD 4.x, Red Hat
/etc/ntp.conf

Solaris 9
/etc/inet/ntp.conf

End of OS-specific items

Put these lines in your configuration file. (This is the minimal file; with no restrict lines at all the daemon answers queries from anyone, so also add the restrict default noquery line the security notice at the top of this page asks for.)

   driftfile /etc/ntp.drift
   server clock.example.org iburst
   server timekeeper.sample.com iburst
   server ntp1.example.co.uk iburst
   server tick.anotherexample.net iburst

Now start ntpd:

Debian
ntpd is automatically started after package installation or reconfiguration.
ntpd may be started manually with /etc/init.d/ntp start

FreeBSD 4.x
ntpd is started automatically by adding the xntpd_enable and xntpd_flags described below.

Red Hat
(Release 8.0) /sbin/service ntpd start

Solaris 9
/etc/rc2.d/S74xntpd start

End of OS-specific items

It will now sync with the 'servers' in /etc/ntp.conf. Once an hour it will record a little information in /etc/ntp.drift. (/etc/ntp.drift contains what it needs to know if it loses contact with all your servers and needs to "go it alone").

Of course, you'll want to make sure that this command is run on bootup, after ntpdate is run (they can't run at the same time). Here's how to do that on various operating systems:

Debian
This is done automatically if one of the ntp packages has been installed and configured.

FreeBSD 4.x
Simply add these lines to the end of /etc/rc.conf (xntpd_enable turns the daemon on at boot, xntpd_flags passes its options):
   xntpd_enable="YES"
   xntpd_flags="-p /var/run/ntpd.pid -g -N high"

Red Hat
(Release 8.0) This is done automatically if the ntp package has been installed and configured.

Solaris 9
This is done automatically if a properly configured /etc/inet/ntp.conf exists.

End of OS-specific items
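As an added example (not part of the original page, and not the NTP project's code), here is the boot sequence described in 3.1.4 to 3.1.6 expressed as one POSIX shell function: step the clock with ntpdate -b only if no ntpd is running, then start ntpd with -g. The function name boot_time_sync, the pidfile check and the NTPDATE/NTPD override variables are assumptions made for this example; the pidfile path matches the -p flag in the FreeBSD rc.conf line above.

```shell
#!/bin/sh
# Added example, not part of the original page: the boot-time sequence from
# 3.1.4 to 3.1.6 as one function. It steps the clock with "ntpdate -b" only
# when no ntpd is running (the two cannot share UDP port 123), then starts
# ntpd with -g so it may still make one large correction if ntpdate could not
# reach a server. Assumptions (not from the page): ntpd records its pid in
# $NTPD_PIDFILE via -p, as in the FreeBSD rc.conf line above, and the command
# names can be overridden through NTPDATE / NTPD for dry runs.
NTPD_PIDFILE=${NTPD_PIDFILE:-/var/run/ntpd.pid}
NTPDATE=${NTPDATE:-ntpdate}
NTPD=${NTPD:-ntpd}

# Return 0 if the ntpd named in the pidfile is still alive.
ntpd_running() {
    [ -r "$NTPD_PIDFILE" ] || return 1
    ntpd_pid=$(cat "$NTPD_PIDFILE")
    [ -n "$ntpd_pid" ] && kill -0 "$ntpd_pid" 2>/dev/null
}

# boot_time_sync SERVER...
# Returns 2 on bad usage, 1 if ntpd is already running (nothing is touched),
# otherwise the exit status of ntpd.
boot_time_sync() {
    [ $# -gt 0 ] || { echo "usage: boot_time_sync server..." >&2; return 2; }
    if ntpd_running; then
        echo "ntpd already running (pid $ntpd_pid); not running ntpdate" >&2
        return 1
    fi
    # -b: step (jump) the clock instead of slewing; safe at boot because no
    # application is watching the clock yet.
    "$NTPDATE" -b "$@" || echo "ntpdate could not set the clock; relying on ntpd -g" >&2
    # -g: permit one large initial correction; -p: write the pidfile that the
    # check above relies on.
    "$NTPD" -g -p "$NTPD_PIDFILE"
}

# At boot, as root, with the servers chosen in 3.1.3:
#   boot_time_sync clock.example.org timekeeper.sample.com ntp1.example.co.uk tick.anotherexample.net
```

Run it from the boot scripts as root. Setting NTPDATE=true NTPD=true lets you exercise the ordering logic on a machine whose clock you do not want to touch.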

3.1.7. What about stratum 1, 2, 3 and all that?

You don't need to specify that in the configuration file. If you list a mixture of stratum 1s, 2s, and 3s ntpd will do the right thing. Your stratum is determined dynamically based on what you've synced to. You don't need to worry about this. However, if you want to know more, there is info in the documentation.

3.1.8. Check your work.

ntpdc is a command that lets you talk to your ntpd (just like lp has lpc, ntpd has ntpdc). It speaks NTP mode 7, which ntp-4.2.8 leaves disabled by default because ntpdc is deprecated there; ntpq -p prints the same peer table over mode 6 and is what to use on current versions. Either way, it has a zillion features, but the one you really need to know is:

   ntpdc -c peers

Here's a sample run:

   > ntpdc -c peers
        remote           local      st poll reach  delay   offset    disp

   =clock.example.o         16   64    0 0.00000  0.000000 0.00000
   =timekeeper.samp         16   64    0 0.00000  0.000000 0.00000
   =ntp1.example.co         16   64    0 0.00000  0.000000 0.00000
   =tick.anotherexa         16   64    0 0.00000  0.000000 0.00000

Output like that (all zeros) means that we haven't synced with those servers yet: a stratum of 16 means the server has not given us valid time, and a reach of 0 means no reply has arrived on any of the last eight polls.

When things get synced, the numbers will fill out like this:

   > ntpdc -c peers
        remote           local     st poll reach  delay   offset    disp
   *clock.example.o    3   64  377 0.00018  0.000329 0.00255
   =timekeeper.samp    3   64  377 0.00017  0.002122 0.00342
   =ntp1.example.co     2 1024  377 0.03294 -0.023926 0.12181
   =tick.anotherexa     2 1024  377 0.04395  0.001855 0.12372

* in the left margin -- the server ntpd is currently synchronized to; = means the server is polled in client mode, + marks a symmetric-active peer
st -- the stratum of that server (calculated automatically; 16 means it has no valid time)
poll -- how often you poll that site, in seconds (backs off dynamically)
reach -- an octal 8-bit shift register of the last eight polls; 377 means all eight were answered
offset -- the difference between that server's clock and yours, in seconds

ntpdc can show the status of other machines if you have the proper access set up. Just list the hostname on the command line. A daemon configured with restrict default noquery (as the security notice at the top of this page recommends) refuses such remote queries, so this only works against servers whose administrators have explicitly allowed them:

Let's see how the server at ntp-2.cso.uiuc.edu is doing:

   > ntpdc -c peers ntp-2.cso.uiuc.edu
        remote           local      st poll reach  delay   offset    disp
   +ntp-1.gw.uiuc.e          2 1024  172 0.00627 -0.000044 0.00761
   +tick.usno.navy.          1 1024  373 0.09023 -0.023207 0.15714
   *truechimer.cso.          1 1024  377 0.00401 -0.000054 0.00006
   +ntp-0.gw.uiuc.e          2  512  332 0.01059  0.001216 0.00497
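The check above can be scripted. The following is an added example written for this page (not code from the NTP project or the original authors): a POSIX shell function, hypothetically named ntp_peer_status, that reads the peer table from ntpdc -c peers (or ntpq -p, which has the same columns) and returns 0 only when a system peer has been selected and answered all of the last eight polls. The two tables it runs over are the samples shown above, embedded as constructed input so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original page: decide from a peer table
# whether ntpd is really synchronised. Reads "ntpdc -c peers" output (the
# "ntpq -p" table has the same columns) on stdin.
#
# Exit status: 0 synced (a '*' system peer with reach 377),
#              1 servers answer but no system peer is selected yet,
#              2 nothing has answered yet (reach 0 everywhere).
ntp_peer_status() {
    awk '
    # Skip the header line, the "=====" rule that ntpq prints, and blank lines.
    /^ *remote/ || /^=+$/ || NF == 0 { next }
    {
        # Count columns from the right: ntpdc often leaves the "local"
        # column blank, so left-hand field numbers are not stable.
        offset = $(NF-1); reach = $(NF-3); st = $(NF-5)
        # Tally code in the left margin (*, +, =, ...). A blank tally is
        # swallowed by field splitting, so only strip a known code.
        tally = substr($1, 1, 1)
        if (tally ~ /^[*+=#x.o^~-]$/) name = substr($1, 2)
        else { tally = " "; name = $1 }
        lines++
        if (reach != "0") answered++   # reach: octal register of the last 8 polls
        if (tally == "*") { sys = name; sys_reach = reach; sys_st = st; sys_off = offset }
    }
    END {
        if (lines == 0)    { print "no peers listed";                              exit 2 }
        if (answered == 0) { print "no server has answered yet (reach 0, st 16)";  exit 2 }
        if (sys == "")     { print answered " peer(s) answering, none selected yet"; exit 1 }
        printf "synced to %s (stratum %s, reach %s, offset %s s)\n", sys, sys_st, sys_reach, sys_off
        if (sys_reach != "377") { print "warning: system peer missed some recent polls"; exit 1 }
        exit 0
    }'
}

# Constructed samples: the two tables shown above, before and after sync.
cold_start='     remote           local      st poll reach  delay   offset    disp
=clock.example.o         16   64    0 0.00000  0.000000 0.00000
=timekeeper.samp         16   64    0 0.00000  0.000000 0.00000
=ntp1.example.co         16   64    0 0.00000  0.000000 0.00000
=tick.anotherexa         16   64    0 0.00000  0.000000 0.00000'
synced='     remote           local     st poll reach  delay   offset    disp
*clock.example.o    3   64  377 0.00018  0.000329 0.00255
=timekeeper.samp    3   64  377 0.00017  0.002122 0.00342
=ntp1.example.co     2 1024  377 0.03294 -0.023926 0.12181
=tick.anotherexa     2 1024  377 0.04395  0.001855 0.12372'

for table in "$cold_start" "$synced"; do
    printf '%s\n' "$table" | ntp_peer_status && echo "  -> OK to rely on this clock" \
                                             || echo "  -> not synced yet (status $?)"
done
# On a live system:  ntpdc -c peers | ntp_peer_status    (or: ntpq -p | ntp_peer_status)
```

A monitoring job can call this after boot and alert on a non-zero status; a host that stays at status 2 for more than a few poll intervals usually has a firewall or a restrict line in the way.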

3.1.9. Running NTP on many machines in a network.

If you have a lot of machines that need to be kept in sync, it is rude to point them all at public NTP servers. It's also a waste of your internet bandwidth. A much better solution is to set up either one or at least four NTP servers on your network that point to public NTP servers, then point all your other machines at these NTP servers. This greatly reduces the amount of load you put on the public NTP servers.

At my company, we have four NTP servers: ntp1.mycompany.com, ntp2.mycompany.com, ntp3.mycompany.com, and ntp4.mycompany.com. Those are actually aliases ("CNAME" in DNS) that point to the four machines that I want everyone to use for NTP service. We do another trick that makes the aliases point to different hosts outside our firewall. That way the same configuration file works if a machine is connected inside or outside our firewall.

These four NTP servers need a custom configuration that includes each other:

   driftfile /etc/ntp.drift
   # public NTP servers we sync to (use these server lines ONLY on ntp1 and ntp2!)
   server clock.example.org iburst
   server timekeeper.sample.com iburst
   server ntp1.example.co.uk iburst
   server tick.anotherexample.net iburst
   # peer with the other internal servers (use these lines on ntp1, ntp2, ntp3 and ntp4):
   peer ntp1.mycompany.com
   peer ntp2.mycompany.com
   peer ntp3.mycompany.com
   peer ntp4.mycompany.com

I find that it is easier to have the exact same file on both of these servers. That means that each of them will try to peer with itself. Luckily, this is OK: NTP realizes it is talking to itself and does the right thing (ignores that entry).

All the other hosts have this ntp.conf:

   driftfile /etc/ntp.drift
   # Use these lines on all machines in mycompany.com:
   server ntp1.mycompany.com iburst
   server ntp2.mycompany.com iburst
   server ntp3.mycompany.com iburst
   server ntp4.mycompany.com iburst
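The two files in 3.1.6 and 3.1.9 differ only in whether a host talks to public servers and peers with the other internal servers. As an added example (not part of the original page, and not the NTP project's code), here is a POSIX shell generator with hypothetical names ntp_conf_gen and ntp_conf_lint. It writes both roles with the restrict default noquery hardening the security notice at the top of this page asks for, and lints a file against this page's advice (driftfile present, noquery set, one or at least four servers). It assumes ntp 4.2.x restrict syntax; the hostnames are the examples used in this document.

```shell
#!/bin/sh
# Added example, not part of the original page: write ntp.conf for the two
# roles in 3.1.6 and 3.1.9 and lint the result against this page's advice.
# The restrict lines follow the "restrict default noquery" recommendation in
# the security notice at the top of the page. Assumption: ntp 4.2.x restrict
# syntax (kod, nomodify, notrap, nopeer, noquery).

# Default-deny access policy shared by both roles.
ntp_restrict_block() {
    cat <<'EOF'
# Answer time requests only: no mode 6/7 queries (noquery), no runtime
# reconfiguration (nomodify), no unsolicited associations (nopeer),
# no trap registration (notrap); kod = send Kiss-o'-Death to abusers.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# The local host may still query its own daemon (ntpq -p, ntpdc -c peers).
restrict 127.0.0.1
restrict -6 ::1
EOF
}

# ntp_conf_gen ROLE DRIFTFILE "UPSTREAM..." "INTERNAL..."
#   server: sync to the public UPSTREAM servers and peer with the INTERNAL ones
#           (the list may include the host itself; ntpd ignores that entry)
#   client: sync to the INTERNAL servers only
ntp_conf_gen() {
    role=$1 drift=$2 upstream=$3 internal=$4
    echo "driftfile $drift"
    ntp_restrict_block
    case $role in
    server)
        echo "# public NTP servers we sync to (only on the hosts that talk upstream)"
        for s in $upstream; do echo "server $s iburst"; done
        echo "# the internal NTP servers peer with each other"
        for p in $internal; do echo "peer $p"; done
        ;;
    client)
        echo "# internal NTP servers every other machine uses"
        for s in $internal; do echo "server $s iburst"; done
        ;;
    *)
        echo "ntp_conf_gen: unknown role '$role'" >&2
        return 2
        ;;
    esac
}

# ntp_conf_lint FILE: 0 if FILE follows this page's advice, 1 otherwise.
ntp_conf_lint() {
    f=$1 rc=0
    grep -q '^driftfile ' "$f" || { echo "$f: no driftfile line" >&2; rc=1; }
    grep -E '^restrict (-[46] )?default ' "$f" | grep -q noquery \
        || { echo "$f: no 'restrict default ... noquery'" >&2; rc=1; }
    nserv=$(grep -c '^server ' "$f" || true)
    npeer=$(grep -c '^peer ' "$f" || true)
    case $nserv in
    0)   [ "$npeer" -gt 0 ] || { echo "$f: no server or peer lines" >&2; rc=1; } ;;
    2|3) echo "$f: $nserv servers; use one, or at least four (3.1.3)" >&2; rc=1 ;;
    esac
    return $rc
}

# Demo: generate both roles with the hostnames used in this document and
# lint them next to the bare file from 3.1.6 (driftfile + four servers only).
demo=$(mktemp -d)
public="clock.example.org timekeeper.sample.com ntp1.example.co.uk tick.anotherexample.net"
internal="ntp1.mycompany.com ntp2.mycompany.com ntp3.mycompany.com ntp4.mycompany.com"
ntp_conf_gen server /etc/ntp.drift "$public" "$internal" > "$demo/ntp1.conf"
ntp_conf_gen client /etc/ntp.drift "" "$internal"        > "$demo/client.conf"
{ echo "driftfile /etc/ntp.drift"; for s in $public; do echo "server $s iburst"; done; } > "$demo/bare.conf"
for c in ntp1 client bare; do
    if ntp_conf_lint "$demo/$c.conf"; then echo "$c.conf: ok"; else echo "$c.conf: needs fixing"; fi
done
cat "$demo/ntp1.conf"
```

The nopeer flag in the default restriction does not interfere with the explicit peer lines: it only refuses symmetric-active packets for which no configured association exists. The peer associations here are unauthenticated, as in the original file; nothing on this page covers keys, so treat the internal servers as hosts that must only be reachable from your own network.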

3.1.10. Further resources

-- TomLimoncelli - 05 Jun 2003
-- BradKnowles - 28 Aug 2003
-- HarlanStenn - 04 Sep 2003
-- DaleWorley - 09 Oct 2003
-- BradKnowles - 30 Sep 2005

Copyright © 1999-2015 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.