
NTP configuration

Hi,

Just want to confirm the following for ntp setup:

1) Can we confirm that when we configure ntp to do our time syncing (I am configuring an ntp client here), the ntp client is initiating through the fixed ntp port (123)? Or will it initiate via a random high port, say > 1023?

From my tcpdump... it shows my ntp client is always trying to initiate an ntp connection via port 123 with the ntp server at port 123. Is this the correct behaviour for Red Hat Linux?

2) Is it possible to do the ntp client connection via other ports? Is it advisable to do so?

3) I have a production server already in production mode (but with no ntpd configured)... and it is 10 min slower than the ntp server.
I wish to configure it with ntp to sync the time... With the great time difference, how can I do this?
Or is there a way to slowly increase the time such that it is very close to the time on the ntp server without affecting time-dependent applications on this server? And once it is close enough, I can just configure ntp.

O/S Version : Red Hat Enterprise Linux ES release 4

thanks in advance

Subra
The sole advantage of power is that you can do more good
3 REPLIES
Matti_Kurkela
Honored Contributor
Solution

Re: NTP configuration

1) Ntpd can simultaneously be a client of some NTP servers, a peer to some other NTP servers and a server to a group of NTP clients. To make this possible, ntpd always uses port 123. This is the behaviour defined by RFC 1305 (standard definition of NTP).

2) Apparently there is no way to change the port number without editing the source code of the NTP software.

The NTP software needs root access for its primary purpose: adjusting the system clock. Just changing the port number would not allow you to run the NTP client as a non-root user.

If you control the NTP server you're intending to use for synchronization, you technically could deploy a custom ntpd to the server and run your entire NTP structure in a non-standard port... but why? What's the point in that?

Furthermore, some managed switches, routers and other network components may have an NTP client built into their firmware, and they don't generally have a facility to change the port number. You'd lose the possibility to use NTP with these devices if you used a non-standard port.

3) Being slow is not as much a problem as being fast, but it's advisable to make any adjustments to active production systems slowly.

To correct the initial 10 min error, you could use the "ntpdate" command with "-B" option: in this case, it will contact the NTP server, calculate the time difference, instruct the OS kernel to make the system clock faster until the clock has gained the necessary number of seconds, then resume normal speed.

After this, the time should be well within ntpd's +/- 30 seconds limit, so ntpd can be started.
MK
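As an added illustration of the offset arithmetic Matti describes (the client compares its own send and receive times with the server's receive and transmit timestamps, per RFC 1305) and of how long an adjtime()-style slew of a 10 minute error actually takes; this is example code written for this page, not from the thread, and the 500 ppm slew cap and the sample timestamps are assumptions/constructed values:

```python
import struct

NTP_EPOCH_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
SLEW_RATE_PPM = 500           # assumption: Linux adjtime() slews at most 500 ppm

def to_ntp(unix_seconds):
    """Unix float seconds -> (seconds, fraction) 32.32 fixed-point NTP timestamp."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * 2**32))
    return whole + NTP_EPOCH_DELTA, frac

def from_ntp(whole, frac):
    """32.32 NTP timestamp -> Unix float seconds."""
    return whole - NTP_EPOCH_DELTA + frac / 2**32

def build_server_reply(t1, t2, t3, stratum=2):
    """Pack a constructed 48-byte NTPv3 mode-4 (server) reply for the client to analyse."""
    li_vn_mode = (0 << 6) | (3 << 3) | 4      # leap=0, version=3, mode=4 (server)
    return struct.pack("!BBbbIII8I", li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       *to_ntp(t3),             # reference ts (constructed, reuses t3)
                       *to_ntp(t1),             # originate ts: echo of the client's request
                       *to_ntp(t2),             # receive ts: server clock when request arrived
                       *to_ntp(t3))             # transmit ts: server clock when reply left

def analyse_reply(packet, t1, t4):
    """Return (offset, delay, stratum) from one reply using the RFC 1305 four-timestamp formulas.
    t1/t4 are the client's own send/receive times; a positive offset means the client is slow."""
    if len(packet) < 48:
        raise ValueError("short NTP packet")
    f = struct.unpack("!BBbbIII8I", packet[:48])
    if (f[0] & 0x07) != 4:
        raise ValueError("not a server (mode 4) reply")
    if abs(from_ntp(f[9], f[10]) - t1) > 1e-6:      # reply must echo our originate timestamp
        raise ValueError("originate timestamp does not match our request")
    t2, t3 = from_ntp(f[11], f[12]), from_ntp(f[13], f[14])
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay, f[1]

def slew_seconds(offset, rate_ppm=SLEW_RATE_PPM):
    """Wall-clock seconds adjtime()-style slewing needs to remove `offset` at `rate_ppm`."""
    return abs(offset) / (rate_ppm / 1e6)

if __name__ == "__main__":
    T1 = 1700000000.0                     # constructed: client sends request (client clock)
    T2, T3 = T1 + 600.050, T1 + 600.051   # server clock 600 s ahead; 50 ms one way, 1 ms processing
    T4 = T1 + 0.101                       # constructed: client receives reply (client clock)
    off, dly, strat = analyse_reply(build_server_reply(T1, T2, T3), T1, T4)
    print(f"stratum={strat} offset={off:+.3f}s delay={dly:.3f}s "
          f"slew at {SLEW_RATE_PPM} ppm: {slew_seconds(off) / 86400:.1f} days")
```

With the 10 minute error the poster describes, the computed slew at 500 ppm runs to roughly 14 days, which is the cost behind the advice to adjust production clocks slowly rather than step them.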
Steven E. Protter
Exalted Contributor

Re: NTP configuration

Shalom,

NTP is reliable but relatively primitive; it can't work on any port other than 123. You can program a firewall to play with the traffic.

ntp will and should be used to sync that server to real time before it goes prod.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Bruno Facca
Advisor

Re: NTP configuration

1 - Already answered.

2 - In my opinion, you shouldn't mess with the ntp client source code to change the port it uses, but you can use iptables to redirect your server's ntp requests with a source port of 123 to a high port, then redirect the reply you receive from the ntp server on that high port back to port 125. The question is, why would you want to do that? If you're concerned about security, create a rule in your firewall that allows traffic on port 125 only from/to your trusted ntp server.

3 - As far as I know, the only way to do that would be manually, then when it's close enough (so it won't affect your application) to the time on the ntp server, use "ntpdate" to sync.

Bruno Facca