Ntp server and clients sync assurance

chindi
Respected Contributor

Hi ,

 

I have configured a Linux CentOS NTP server, syncing with 4 internet timeservers, situated at Head Office and directly connected to the internet.

I have many HP and AIX NTP clients in the DATACENTER, wherein I would be making the above NTP server entry in the /etc/ntp.conf file.

Now the question is, how do I ensure that if all the above 4 timeservers fail, all my clients are still in sync with the LINUX CENTOS NTP SERVER?

What entry is to be made in the /etc/ntp.conf file of an NTP server & client?

Matti_Kurkela
Honored Contributor

Re: Ntp server and clients sync assurance

On the NTP clients, you don't have to do anything: the clients will be getting their time from the Linux NTP server in all situations, so the status of the connection between the internet timeservers and the Linux NTP server is not relevant to them.

 

If your NTP server configuration is the same as in your other post here, then you don't have to do anything at the Linux NTP server, either:

http://h30499.www3.hp.com/t5/Networking/Ntp-client-not-getting-updated-with-server/m-p/6184609

 

The NTP server will always offer the "best quality" time information it has available. The "quality" is identified with the stratum value. By definition, a device that is a source of accurate time information (e.g. an atomic clock, a GPS receiver or similar) has NTP stratum 0. An NTP timeserver with a direct connection to such a device will have NTP stratum 1. A system running ntpd and connected to such a timeserver will have stratum 2. For each "hop", the stratum value will increase by one. The stratum value is indicated in the "st" column in "ntpq -pn" output.

These two lines in your NTP configuration allow ntpd to use the time of the local system clock as time source with a stratum value of 10:

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

 

If any of your 4 internet timeservers have stratum values better (lower) than 10, your Linux NTP server will automatically use their time information (after some basic sanity checks). If the "best" reachable internet timeserver has stratum N, your Linux NTP server will have stratum N+1 when using time information from that time server. If all 4 NTP timeservers are unreachable or have stratum 10 or worse, your Linux NTP server will automatically serve its local system clock time to your NTP clients instead.

 

You should make sure that the stratum values of your 4 internet timeservers are normally better (lower) than 10.

If the "ntpq -pn" output in your other post still matches your current situation, the stratum values of the 4 timeservers are between 1..3, so they're good:

http://h30499.www3.hp.com/t5/Networking/Ntp-client-not-getting-updated-with-server/m-p/6184609

 

So... it looks like you don't have to do anything at all! Your NTP server is already configured to do exactly what you want.

MK
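An added example, not code from the thread, to check on the server side what the answer above describes: a POSIX shell function that parses `ntpq -pn` output, reports the peer ntpd has actually selected (the line tagged `*`) and its stratum, and tells a real upstream apart from the stratum 10 local-clock fallback. The two `ntpq -pn` listings and the 192.0.2.x server addresses are constructed for the example; the stratum threshold is assumed to match the `fudge 127.127.1.0 stratum 10` line.

```shell
#!/bin/sh
# Added example: classify an ntpd server's sync state from `ntpq -pn` output.
# Tally character in column 1 of each peer line:
#   '*' selected system peer, 'o' selected PPS peer, '+' candidate,
#   ' ' not selected (unreachable, discarded, or just not chosen).
# The sample listings below are constructed, not captured from the poster's box.

LOCAL_STRATUM=10   # assumed to equal the "fudge 127.127.1.0 stratum N" value

# Print "SYNCED peer=<addr> stratum=<st>" or "UNSYNCED" for ntpq -pn text on stdin.
ntp_selected_peer() {
    awk '
        NR <= 2 { next }                          # header and separator lines
        substr($0, 1, 1) ~ /[*o]/ {               # the peer ntpd is following
            peer = substr($1, 2); st = $3; found = 1
        }
        END {
            if (found) print "SYNCED peer=" peer " stratum=" st
            else       print "UNSYNCED"
        }'
}

# Exit status: 0 = following a real upstream (stratum below the local-clock
# fudge value), 1 = serving the undisciplined local clock (clients still sync,
# but to this machine's free-running clock), 2 = not synchronised at all.
ntp_check() {
    state=$(ntp_selected_peer)
    case "$state" in
        UNSYNCED) echo "$state"; return 2 ;;
    esac
    st=${state##*stratum=}
    if [ "$st" -ge "$LOCAL_STRATUM" ]; then
        echo "$state (local clock fallback)"; return 1
    fi
    echo "$state"; return 0
}

# Constructed sample 1: internet servers reachable, a GPS-fed stratum 1 chosen.
SAMPLE_UP='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      .GPS.            1 u   35   64  377    0.412   -0.123   0.045
+192.0.2.11      192.0.2.10       2 u   40   64  377    0.510    0.210   0.060
 127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001'

# Constructed sample 2: upstream never answered (reach 0), local clock selected.
SAMPLE_DOWN='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    -   64    0    0.000    0.000   0.000
*127.127.1.0     .LOCL.          10 l   12   64  377    0.000    0.000   0.001'

# Real use on the CentOS server:   ntpq -pn | ntp_check
```

Run the same pipeline on an HP-UX or AIX client and the selected peer should be the CentOS server, one stratum higher than whatever the server reports; if the server is on the local-clock fallback the clients will show stratum 11, which is the signal that all four internet servers are gone.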
chindi
Respected Contributor

Re: Ntp server and clients sync assurance

Hi Matti ,

 

Thanks for the wonderful explanation.

Yes as you rightly pointed out in the links , its our NTP configuration :)

 

One more concern is security: is it prone to attacks?

How can we secure it?

Matti_Kurkela
Honored Contributor
Solution

Re: Ntp server and clients sync assurance

In general, the ntpd daemon is a stable and quite well-tested piece of software, but if you want another layer of security, you should edit your iptables rules to allow incoming NTP traffic from your local IP network segment(s) only - not from the entire Internet.

 

Your ntp.conf file seems to include this line: "restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap".

I guess your local network uses the 10.1.1.* addresses then?

 

For example:

-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp -s 10.1.1.0/24 --dport 123 -j ACCEPT

 This is a version of the iptables rule to allow incoming NTP traffic, modified to allow incoming traffic from 10.1.1.* addresses only.

 

You might also want to read this NTP support webpage for more ways to further secure your NTP configuration:

http://support.ntp.org/bin/view/Support/AccessRestrictions

MK
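An added example, not from the thread, that complements the iptables rule above with ntpd's own access controls: a shell function that reads an ntp.conf and reports which hardening flags are missing from each `restrict` line, so the protection does not depend on the firewall alone. Both configuration fragments are constructed for the example; the 10.1.1.0/24 network is the one from the post, and the flag sets checked for are the ones this example chooses, not a requirement stated by the thread.

```shell
#!/bin/sh
# Added example: audit the "restrict" lines of an ntp.conf for the access
# controls ntpd enforces itself (independent of any iptables rule).
#   nomodify  deny runtime reconfiguration through ntpq/ntpdc
#   noquery   deny ntpq/ntpdc status queries (time service keeps working)
#   notrap    deny the control-message trap service
#   nopeer    deny packets that would mobilise a new peer association
# Lines for 127.0.0.1 / ::1 are skipped: the admin needs ntpq on localhost.
# Flag sets below are this example's choice for "default" and for client nets.

# Usage: ntp_restrict_audit < /etc/ntp.conf     (exit 0 = nothing missing)
ntp_restrict_audit() {
    awk '
        function missing(have, want,    n, i, w, out) {
            n = split(want, w, " "); out = ""
            for (i = 1; i <= n; i++)
                if (index(" " have " ", " " w[i] " ") == 0) out = out " " w[i]
            return out
        }
        BEGIN { bad = 0; seen_default = 0 }
        /^[ \t]*restrict[ \t]/ {
            i = 2
            if ($i == "-4" || $i == "-6") i++               # address family prefix
            scope = $i; i++
            if ($i == "mask") { scope = scope "/" $(i+1); i += 2 }
            have = ""
            for (; i <= NF && substr($i, 1, 1) != "#"; i++) have = have " " $i
            if (scope == "127.0.0.1" || scope == "::1") next
            if (scope == "default") seen_default = 1
            if (index(" " have " ", " ignore ") > 0) {       # ignore denies everything
                print scope ": OK (ignore)"; next
            }
            if (scope == "default")
                want = "nomodify notrap nopeer noquery"      # everyone not listed elsewhere
            else
                want = "nomodify notrap"                     # client networks, as in the post
            m = missing(have, want)
            if (m == "") print scope ": OK"
            else { print scope ": missing" m; bad = 1 }
        }
        END {
            if (!seen_default) {
                print "default: no \"restrict default\" line, all access allowed"
                bad = 1
            }
            exit bad
        }'
}

# Constructed configuration fragments (not the poster's file) for the audit.
CONF_HARDENED='driftfile /var/lib/ntp/drift
server 192.0.2.10 iburst
server 127.127.1.0
fudge 127.127.1.0 stratum 10
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap'

CONF_WEAK='server 192.0.2.10 iburst
restrict 10.1.1.0 mask 255.255.255.0 nomodify notrap   # clients
restrict 10.2.0.0 mask 255.255.0.0'

# Real use on the CentOS server:   ntp_restrict_audit < /etc/ntp.conf
```

Two caveats worth keeping in mind when pairing this with the iptables rule above: the rule matches only `--state NEW`, so the replies to the server's own queries to the four internet timeservers come back as ESTABLISHED (conntrack tracks UDP by address/port pair) and are not blocked by it; and the `restrict default` line still matters because a `restrict` line for 10.1.1.0/24 alone says nothing about packets arriving from anywhere else if the firewall is ever loosened.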
chindi
Respected Contributor

Re: Ntp server and clients sync assurance

Thanks Matti