Network Time Protocol (NTP) Quick and Dirty for AfNOG 2017 (Ayitey Bulley)
About NTP
Network Time Protocol project: http://ntp.org
NTP is a protocol designed to synchronize the clocks of computers over a network.
About NTP
NTP version 4, a significant revision of the previous NTP standard, is the current development version. It is formalized by RFCs released by the IETF:
  RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification
  RFC 5906: Network Time Protocol Version 4: Autokey Specification
  RFC 5907: Definitions of Managed Objects for Network Time Protocol Version 4 (NTPv4)
  RFC 5908: Network Time Protocol (NTP) Server Option for DHCPv6
NTP and Time Synchronization
Network Time Protocol (NTP) is used by organizations to synchronize the clocks of all their systems. Time synchronization is important for many reasons:
  Application time stamps
  Time stamps for log entries and audit trails
NTP provides an easy way to ensure that all systems maintain the same time. This can significantly reduce the burden on system administrators and tech support. When an organization's systems all keep different clock times, it becomes very difficult, from a troubleshooting standpoint, to determine when and under what conditions a particular event occurred.
How NTP Works
NTP works on the premise of synchronization with reference clocks, also known as stratum 0. All other NTP servers then become lower-level stratum servers based upon how far they are from a reference clock. The start of the NTP chain is a stratum 1 server, which is always directly connected to a stratum 0 reference clock. From there, lower-level stratum servers are connected via a network connection to a server one stratum above them (one step closer to the reference clock).
How NTP Works
[Figure: stratum hierarchy. Stratum 0 (GPS/CDMA reference clock) -> Stratum 1 -> Stratum 2 -> Stratum 3]
Internal NTP Architecture
[Figure: Stratum 0/1 servers on the Internet -> the organization's own Stratum 2 servers (NTP 1, NTP 2, NTP 3) -> hosts and devices on the internal network]
Step 1: Installation of NTP Server
The first step to setting up an internal NTP structure is to install the NTP server software.
  $ sudo apt-get install ntp ntpdate
Check that the software is installed:
  $ sudo dpkg --get-selections ntp
  $ sudo dpkg -s ntp
Update your system clock:
  $ sudo ntpdate 0.pool.ntp.org
Step 2: NTP Server Configuration
Once NTP is installed, we can now configure our NTP server to synchronize with higher stratum servers. The configuration file for NTP is stored at /etc/ntp.conf and can be modified with any text editor. To start the configuration process, the higher level servers need to be configured. You can use:
  the Debian default NTP pool servers in the configuration file
  ntp.org pool servers
  the list of NTP servers from NIST, to specify certain servers
  NIST's servers in a round robin fashion (method suggested by NIST)
Step 2: NTP Server Configuration
Debian default NTP pool servers in the configuration file:
  server 0.debian.pool.ntp.org iburst
  server 1.debian.pool.ntp.org iburst
  server 2.debian.pool.ntp.org iburst
  server 3.debian.pool.ntp.org iburst
ntp.org pool servers:
  server 0.pool.ntp.org iburst
  server 1.pool.ntp.org iburst
  server 2.pool.ntp.org iburst
  server 3.pool.ntp.org iburst
List of NTP servers from NIST, to pick specific servers:
  http://tf.nist.gov/tf-cgi/servers.cgi
Step 3: Configure NTP Restrictions
NTP restrictions are used to allow or disallow hosts to interact with the NTP server. The default for NTP is to serve time to anyone but not to allow configuration, on both IPv4 and IPv6 connections.
  # By default, exchange time with everybody, but don't
  # allow configuration.
  restrict -4 default kod notrap nomodify nopeer noquery
  restrict -6 default kod notrap nomodify nopeer noquery
Step 3: Configure NTP Restrictions
Now restrict who is allowed to query the server for time and what else they are allowed to do with the NTP server.
  restrict 196.200.219.0 mask 255.255.255.0 limited kod notrap nomodify nopeer noquery
  restrict 2001:43f8:0220:219:: mask ffff:ffff:ffff:ffff:: limited kod notrap nomodify nopeer noquery
We can also stop the server from answering ntp queries at all:
  # By default don't answer anything
  restrict default ignore
  restrict -6 default ignore
Step 3: Configure NTP Restrictions
limited: Indicates that if a client exceeds the packet rate control limits, its packets will be discarded by the server. If the Kiss of Death packet is enabled, it will be sent back to the abusive host. The rates are configurable by an admin, but the defaults are assumed here.
kod: Kiss of Death. If a host violates the packet rate limit of the server, the server responds with a KoD packet to the violating host.
notrap: Decline to provide the mode 6 control message trap service. These control messages are used by remote logging programs.
nomodify: Prevents ntpq and ntpdc queries that would modify the server's configuration; informational queries are still permitted.
noquery: This option prevents hosts from querying the server for information. For example, without this option hosts can use ntpdc or ntpq to determine where a particular time server is getting its time from, or which other peer time servers it may be communicating with.
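The restriction flags above decide what an NTP server exposes to arbitrary hosts, and a missing noquery or nomodify on the default line is easy to overlook. The following shell script is an added example, not from the AfNOG slides or the ntp project: it audits the "restrict default" lines of an ntp.conf for the five flags Step 3 recommends (a default of "ignore" also passes, since it drops everything), and runs itself over two constructed sample configs, one with the defaults left loose and one using the Step 3 lines. The function names, the temporary file names and the sample configs are assumptions made for the demo.

```shell
#!/bin/sh
# Added example for this deck (not from the AfNOG slides or the ntp project):
# audit the "restrict default" lines of an ntp.conf for the flags that
# Step 3 recommends.  The sample configs at the bottom are constructed.

REQUIRED_FLAGS="kod notrap nomodify nopeer noquery"

# default_line FILE FAMILY: print the "restrict [FAMILY] default ..." line of
# FILE with comments stripped and whitespace normalised.  A family-specific
# line (-4 or -6) wins over a bare "restrict default" line, which ntpd applies
# to both families.
default_line() {
    sed 's/#.*//; s/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//' "$1" |
        awk -v fam="$2" '
            $1 == "restrict" && $2 == fam && $3 == "default" && spec == "" { spec = $0 }
            $1 == "restrict" && $2 == "default" && bare == "" { bare = $0 }
            END { if (spec != "") print spec; else if (bare != "") print bare }
        '
}

# check_default FILE FAMILY: return 0 if the default restriction for FAMILY
# (-4 or -6) is hardened, otherwise print the reason and return 1.
check_default() {
    line=$(default_line "$1" "$2")
    if [ -z "$line" ]; then
        echo "$2: no 'restrict default' line, all hosts may query and modify"
        return 1
    fi
    case " $line " in *" ignore "*) return 0 ;; esac   # ignore drops everything
    missing=""
    for f in $REQUIRED_FLAGS; do
        case " $line " in *" $f "*) ;; *) missing="$missing $f" ;; esac
    done
    if [ -n "$missing" ]; then
        echo "$2: default restriction lacks:$missing"
        return 1
    fi
    return 0
}

# audit_ntp_conf FILE: 0 only if both the IPv4 and the IPv6 defaults pass
audit_ntp_conf() {
    rc=0
    check_default "$1" -4 || rc=1
    check_default "$1" -6 || rc=1
    return $rc
}

# --- constructed sample configs (assumed paths, created for the demo) -------
TMPD=$(mktemp -d)
WEAK_CONF="$TMPD/weak.conf"   # "it just works" config with loose defaults
GOOD_CONF="$TMPD/good.conf"   # the Step 3 defaults from the deck

cat >"$WEAK_CONF" <<'EOF'
server 0.pool.ntp.org iburst
restrict default kod nomodify   # notrap/nopeer/noquery forgotten
restrict 127.0.0.1
EOF

cat >"$GOOD_CONF" <<'EOF'
server 0.debian.pool.ntp.org iburst
# By default, exchange time with everybody, but don't allow configuration.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF

audit_ntp_conf "$WEAK_CONF" || echo "weak.conf: needs fixing"
audit_ntp_conf "$GOOD_CONF" && echo "good.conf: defaults hardened"
```

Run it against a real file with audit_ntp_conf /etc/ntp.conf; a non-zero exit means at least one address family still lets any host on the network query or modify the daemon.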
Step 4: Starting NTP
Startup scripts are located in /etc/init.d/. Take a look at the startup script /etc/init.d/ntp.
Add ntp to startup, i.e. make ntp start on boot:
  $ sudo update-rc.d ntp enable
To run ntp:
  $ sudo service ntp start
To restart ntp:
  $ sudo service ntp restart
Step 5: Start NTP!
  $ sudo /etc/init.d/ntp start
Or:
  $ sudo service ntp start
Check that your server is synchronized with the ntp servers listed in /etc/ntp.conf:
  $ sudo ntpq -p
       remote           refid      st t when poll reach   delay   offset  jitter
  ==============================================================================
  *riditt.de       131.188.3.221    2 u   27   64    1  183.792    0.439   0.079
   lof.facube.co   .INIT.          16 u    -   64    0    0.000    0.000   0.000
   service1-eth3.d 228.143.95.23    2 u   28   64    1  200.457   -1.965   0.035
   makaki.miuku.e  218.186.3.36     2 u   28   64    1  377.207   -7.893   0.169
   oc.mtg.afog.o   45.222.43.250    3 u   27   64    1    0.284    1.810   0.040
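To make the ntpq -p check repeatable from a script or a monitoring job, here is an added example (not from the slides): shell functions that parse the billboard above, report the peer the daemon has selected as system peer (the line tagged with "*"), and list peers whose reach register is still 0. The sample output is constructed (hostnames are invented; the numbers follow the listing above) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the AfNOG slides): interpret "ntpq -p" output.
# Columns: tally+remote, refid, st, t, when, poll, reach, delay, offset, jitter.
# The tally character in column 1 is '*' for the selected system peer,
# '+' for a candidate and ' ' for a peer that is discarded or unreached.
# awk drops the leading space, so the remote is always in $1 (with the tally
# prefix when there is one) and reach is always $7.

# sample_ntpq: constructed billboard, numbers taken from the deck's listing
sample_ntpq() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time1.example.ne 131.188.3.221    2 u   27   64    1  183.792    0.439   0.079
 time2.example.ne .INIT.          16 u    -   64    0    0.000    0.000   0.000
+time3.example.ne 45.222.43.250    3 u   27   64    1    0.284    1.810   0.040
 time4.example.ne 218.186.3.36     2 u   28   64    1  377.207   -7.893   0.169
EOF
}

# sample_ntpq_fresh: constructed, what the billboard looks like seconds after
# "service ntp start": refid .INIT., stratum 16, reach 0, nothing selected yet
sample_ntpq_fresh() {
cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 time1.example.ne .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# system_peer: read ntpq -p on stdin, print "<remote> <stratum> <offset>" of
# the '*' peer (nothing if no peer has been selected).  Data rows are the
# ones whose third field (stratum) is numeric; header and ruler are skipped.
system_peer() {
    awk '$3 ~ /^[0-9]+$/ && substr($0, 1, 1) == "*" { print substr($1, 2), $3, $9 }'
}

# unreachable_peers: remotes whose reach register is 0 (no reply in the last
# eight polls); strip the tally character when one is present
unreachable_peers() {
    awk '$3 ~ /^[0-9]+$/ && $7 == 0 {
            print (substr($0, 1, 1) == " ") ? $1 : substr($1, 2) }'
}

# sync_status: read ntpq -p on stdin; 0 if a system peer is selected
sync_status() {
    info=$(system_peer)
    if [ -z "$info" ]; then
        echo "NOT SYNCHRONISED: no system peer selected (check reach, firewall, restrict lines)"
        return 1
    fi
    set -- $info
    echo "synchronised to $1, stratum $2, offset $3 ms"
    return 0
}

sample_ntpq | sync_status
printf 'unreachable: %s\n' "$(sample_ntpq | unreachable_peers)"
sample_ntpq_fresh | sync_status || true
```

On a live host, pipe the real command in: ntpq -p | sync_status. Right after the daemon starts every peer shows refid .INIT. and reach 0, as in the second sample; give it a few poll intervals (64 seconds each at the initial poll) before treating that as a fault.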
NTP Exercises