- Re: Ntp server and clients sync assurance
08-27-2013 10:57 PM
Hi,
I have configured a Linux CentOS NTP server, syncing with 4 internet timeservers, situated at head office and directly connected to the internet.
I have many HP and AIX NTP clients in the datacenter, where I will be making the above NTP server's entry in the /etc/ntp.conf file.
Now the question is: how do I ensure that, if all 4 of the above timeservers fail, all my clients are still in sync with the Linux CentOS NTP server?
What entry is to be made in the /etc/ntp.conf file of an NTP server and client?
08-29-2013 04:45 AM
Re: Ntp server and clients sync assurance
On the NTP clients, you don't have to do anything: the clients will be getting their time from the Linux NTP server in all situations, so the status of the connection between the internet timeservers and the Linux NTP server is not relevant to them.
If your NTP server configuration is the same as in your other post here, then you don't have to do anything at the Linux NTP server, either:
http://h30499.www3.hp.com/t5/Networking/Ntp-client-not-getting-updated-with-server/m-p/6184609
The NTP server will always offer the "best quality" time information it has available. The "quality" is identified with the stratum value. By definition, a device that is a source of accurate time information (e.g. an atomic clock, a GPS receiver or similar) has NTP stratum 0. An NTP timeserver with a direct connection to such a device will have NTP stratum 1. A system running ntpd and connected to such a timeserver will have stratum 2. For each "hop", the stratum value will increase by one. The stratum value is indicated in the "st" column in "ntpq -pn" output.
These two lines in your NTP configuration allow ntpd to use the time of the local system clock as time source with a stratum value of 10:
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
If any of your 4 internet timeservers have stratum values better (lower) than 10, your Linux NTP server will automatically use their time information (after some basic sanity checks). If the "best" reachable internet timeserver has stratum N, your Linux NTP server will have stratum N+1 when using time information from that time server. If all 4 NTP timeservers are unreachable or have stratum 10 or worse, your Linux NTP server will automatically serve its local system clock time to your NTP clients instead.
You should make sure that the stratum values of your 4 internet timeservers are normally better (lower) than 10.
If the "ntpq -pn" output in your other post still matches your current situation, the stratum values of the 4 timeservers are between 1..3, so they're good:
http://h30499.www3.hp.com/t5/Networking/Ntp-client-not-getting-updated-with-server/m-p/6184609
So... it looks like you don't have to do anything at all! Your NTP server is already configured to do exactly what you want.
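An added example, not part of the reply above: a shell check that reads "ntpq -pn" output and reports whether the server is synced to an upstream peer or has fallen back to the local clock driver at 127.127.1.0, plus a list of upstream peers that cannot beat the stratum 10 fudge value. The sample outputs are constructed, the 192.0.2.x addresses are placeholders, the function names are hypothetical, and IPv4 peers are assumed.

```shell
# Added example: classify the current time source of ntpd from "ntpq -pn" output.
# Column 1 is the tally character; "*" marks the selected system peer.
ntp_sync_source() {
    awk '
        substr($0, 1, 1) == "*" {
            addr = substr($1, 2)            # drop the tally character
            if (addr ~ /^127\.127\.1\./)    # 127.127.1.x = local clock driver
                print "LOCAL_FALLBACK " addr " stratum=" $3
            else
                print "UPSTREAM " addr " stratum=" $3
            found = 1; exit
        }
        END { if (!found) print "UNSYNCED" }
    '
}

# Lists upstream peers that cannot beat the local clock: stratum >= limit
# (default 10, the fudge value quoted above) or a reach register of 0.
ntp_weak_peers() {
    awk -v limit="${1:-10}" '
        NR > 2 {                                  # skip the two header lines
            addr = $1; sub(/^[^0-9]/, "", addr)   # strip any tally character
            if (addr ~ /^127\.127\./) next        # skip reference clock drivers
            if ($3 + 0 >= limit || $7 == "0") print addr
        }
    '
}

# Constructed samples (not captured from a real server).
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   33   64  377   12.345    0.512   0.210
+192.0.2.11      192.0.2.1        2 u   40   64  377   15.100   -0.301   0.150
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001'
SAMPLE_FALLBACK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
 192.0.2.11      .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001'
printf '%s\n' "$SAMPLE_OK" | ntp_sync_source
printf '%s\n' "$SAMPLE_FALLBACK" | ntp_sync_source
printf '%s\n' "$SAMPLE_FALLBACK" | ntp_weak_peers 10
# On the server itself: ntpq -pn | ntp_sync_source
```

Run periodically, a LOCAL_FALLBACK result signals that the clients are still being served time but that it is no longer disciplined by any internet timeserver.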
08-29-2013 06:01 AM
Re: Ntp server and clients sync assurance
Hi Matti,
Thanks for the wonderful explanation.
Yes, as you rightly pointed out in the links, it's our NTP configuration :)
One more concern was security: is it prone to attacks?
How can we secure it?
08-29-2013 04:07 PM
Solution
In general, the ntpd daemon is a stable and quite well-tested piece of software, but if you want another layer of security, you should edit your iptables rules to allow incoming NTP traffic from your local IP network segment(s) only - not from the entire Internet.
Your ntp.conf file seems to include this line: "restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap".
I guess your local network uses the 10.1.1.* addresses then?
For example:
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.1.1.0/24 --dport 123 -j ACCEPT
This is a version of the iptables rule to allow incoming NTP traffic, modified to allow incoming traffic from 10.1.1.* addresses only.
You might also want to read this NTP support webpage for more ways to further secure your NTP configuration:
http://support.ntp.org/bin/view/Support/AccessRestrictions
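An added example, not part of the post above: a shell check that flags a UDP/123 ACCEPT rule with no source restriction and compares restricted sources against the "restrict ... mask ..." networks in ntp.conf. It assumes iptables-save style rules with a numeric --dport and no negated matches; the "before" rule is the post's rule with -s removed, and the function names are hypothetical.

```shell
# Added example: cross-check NTP firewall rules against ntp.conf restrictions.
# Prints the source of every UDP/123 ACCEPT rule on stdin ("ANY" if none).
ntp_rule_sources() {
    awk '
        /^-A / {
            proto = ""; dport = ""; target = ""; src = "ANY"
            for (i = 1; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-s") src = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (src == "0.0.0.0/0") src = "ANY"
            if (proto == "udp" && dport == "123" && target == "ACCEPT") print src
        }
    '
}

# Prints each "restrict <net> mask <mask>" line of ntp.conf as <net>/<prefix>.
ntp_restrict_cidrs() {
    awk '
        $1 == "restrict" && $3 == "mask" {
            n = split($4, o, "."); bits = 0
            for (i = 1; i <= n; i++)          # count the set bits per octet
                for (v = o[i] + 0; v > 0; v = int(v / 2)) bits += v % 2
            print $2 "/" bits
        }
    '
}

# $1 = firewall rules text, $2 = ntp.conf text. Prints one verdict.
ntp_fw_check() {
    srcs=$(printf '%s\n' "$1" | ntp_rule_sources)
    nets=$(printf '%s\n' "$2" | ntp_restrict_cidrs)
    [ -n "$srcs" ] || { echo "NO_RULE"; return 0; }
    for s in $srcs; do
        if [ "$s" = "ANY" ]; then echo "EXPOSED"; return 0; fi
        printf '%s\n' "$nets" | grep -qxF -e "$s" || { echo "MISMATCH $s"; return 0; }
    done
    echo "OK"
}

# Constructed inputs: the restrict line and rule quoted above, and the rule without -s.
CONF='restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap'
BEFORE='-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT'
AFTER='-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.1.1.0/24 --dport 123 -j ACCEPT'
ntp_fw_check "$BEFORE" "$CONF"   # unrestricted rule
ntp_fw_check "$AFTER" "$CONF"    # source-restricted rule
```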
08-31-2013 08:30 AM