Use NTP to Sync Time

You can easily keep your system's date and time accurate by using network
time protocol (NTP).

Having an accurate clock on your server ensures that timestamps in
emails sent from your machine are correct. An accurate clock is
especially helpful when you need to look at the logs from a particular
time of day.

If you don't occasionally set the system clock yourself, the time will
slowly drift away from a perfectly accurate setting. That's when
NTP is useful.

What is NTP?

NTP lets you automatically sync your system time with a remote server.
The NTP can be used to update the clock on a machine with a remote
server. This keeps your machine's time accurate by syncing with servers
that are known to have accurate times. NTP also keeps the clocks on
several machines in sync, thus making it easier to match log entries for
an event across multiple servers.

It's easy to set up an NTP server to adjust your machine's clock
regularly. It's also possible to make it a bit more complicated if you need
your clock accurate down to the millisecond instead of just to the
second.

Install

The first thing to do is to install the NTP server. Grab the package by
running:

Ubuntu operating systems / Debian:

sudo aptitude update
sudo aptitude install ntp

CentOS:

sudo yum install ntp

Ater you install NTP, you can ensure the service runs at boot time by
running the following command:

sudo /sbin/chkconfig ntpd on

Fedora / RHEL:

sudo yum install ntp

Ater you install NTP, you can ensure the service runs at boot time by
running the following command:

sudo chkconfig ntpd on

Start the service

To make sure the NTP service starts after installing it, run the following command:

Ubuntu operating systems / Debian / CentOS / RHEL:

sudo /etc/init.d/ntp start

Fedora:

sudo /etc/init.d/ntpd start

As is usual for Linux® services, you can stop or restart the NTP service
by running the preceding command with stop or restart as the argument
instead of start.

Quickstart

Most people just want to get NTP running and don't need to sync their
clock to pinpoint, millisecond-level accuracy. In this case, you don't
need to do anything else. When you installed NTP, it set you up with
default servers with which to sync, so NTP syncs your clock
automatically. Congratulations on a job well done!

The .ntpconf file

If you want to use NTP to sync several of your own machines, or if you
want to choose NTP servers other than the defaults, you can find the NTP
configuration file at /etc/ntp.conf.

A few settings can be changed, but the only settings of
interest to most users include server entries. Use the default
settings for your specific Linux distribution.

With more than one server entry, your NTP server queries all servers
and select a time on which most of the polled servers agree. Because NTP
uses three or more servers, your clock is more accurate than if it
uses only one.

Adding the iBurst option after the server address speeds up the NTP
time sync slightly. While this is helpful, it isn't essential.

The dynamic option tells NTP that it can try a configured server again
later if it's unavailable at some point. The dynamic option is useful
when NTP runs on a machine that doesn't always have access to the
Internet. It is not necessary on a machine with a dedicated connection.

NTP security

Protect yourself against NTP server attacks by adding disable monitor to
your /etc/ntp.conf file. Disabling monitoring prevents unwanted remote
queries that use commands from older versions of NTP, such as monlist.

Syncing multiple servers

If you have more than one machine to sync, it is best to designate one
as the master NTP server. Set up the master server to connect to an
outside NTP server, then have the other machines sync to the master.
This setup reduces the number of outgoing connections and guarantees
that all of your machines have their time set to the same value. This
configuration requires changes to the server settings in the ntp.conf
files on each machine.

Set up any external servers you want to use on the master machine. For
example, if you want to use the NTP pool servers, you can set the server values
in the master ntp.conf file to:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

Point the ntp.conf to your master server on every other machine that needs
to sync the time. For example, if your master server is
main.example.com, you would alter the ntp.conf files on the secondary
machines so that the server entries are as follows:

server main.example.com iburst

After setting the server parameters and ensuring that the iptables entries don't
block connections to your main NTP server, restart the NTP services on
each machine to get them syncing.

Adjusting iptables

NTP uses UDP port 123 to conduct its business, either connecting to
another NTP server or accepting incoming connections. If you have
iptables filtering incoming traffic on the main NTP server in your
cluster, you need to open port 123 to UDP traffic to allow the
other servers to connect to it. You can open port 123 for UDP traffic
with the following iptables arguments:

-I INPUT -p udp --dport 123 -j ACCEPT
-I OUTPUT -p udp --sport 123 -j ACCEPT

Choosing an NTP server

When syncing one or more machines via NTP, you want at least one of
them to set their time from a reliable external server. Many
public servers out there are either synced directly from an atomic
clock (guaranteeing an absolutely accurate time) or synced from
another server that syncs to an atomic clock.

Public NTP server lists

The best source for lists of public NTP servers is the NTP Servers
WebHome
at the main
NTP site. The site has a description of the servers available, and
the sidebar has links to three levels of NTP servers: Primary,
secondary, and pool.

Deciding what type of server to sync from depends on how accurate
you need your servers to be.

NTP pool servers

For most users, the pool servers are the best choice. Pool servers are
machines that have volunteered to make their NTP server available to the
public. They typically sync from a secondary NTP server, so their time is
accurate, but not necessarily accurate to the nearest millisecond.

Most users don't need their machine time accurate to the nearest
millisecond; they just want to know what time it is. Use the pool
servers unless you need pinpoint accuracy.

Using the NTP pool servers is as easy as setting the server entries in
your ntp.conf file to:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

To ensure that you only connect to pool servers in your own country or
region, visit the pool servers
page
for more
specific addresses. For most people, the above entries are more than
sufficient. Those addresses rotate among a huge list of volunteer NTP
servers worldwide, so the load on any one machine never gets too great.

If you want to contribute to the NTP pool after you've set up your NTP
server, get details on how to do so from the pool
website
.

Primary and secondary servers

The other two tiers of NTP servers are primary and secondary servers. A
primary server gets its time directly from an atomic clock
(or from GPS satellites, which use atomic clocks). Atomic clocks are
expensive, so there aren't many primary servers. You don't have to use a
primary server unless you're looking for extreme scientific accuracy.

A secondary server usually gets its time from a primary server. If you
want accuracy down to the millisecond level, having three secondary
servers in your ntp.conf works well.

You can see what public servers are available in either tier by
selecting either list from the NTP Servers
WebHome
. Before
selecting and using a server, check the details for that server as
follows:

  • ISO: The ISO column lists the country of origin of that
    particular server.
  • AccessPolicy: The AccessPolicy field tells you what the access
    policy is for that server. Open Access means the server can be
    used by the public, subject to any notification requirements the
    server has.
  • Notify: The Notify field for secondary servers lists the
    that server administrator's preferences regarding whether they
    should be notified before you sync with their NTP server. Admins who
    want to be notified are usually trying to manage the traffic to
    their server, so be sure and respect their wishes
    regarding notification. Note that primary servers are always
    considered as requesting notification before use.
  • Service Area: If you've selected a primary or secondary server
    you want to use, click its hostname in the list to view further
    details for that server. Among the details listed is the
    ServiceArea field that describes the geographic or demographic
    group they intend to serve. If that field is Public, you do
    not have to be in a particular region to use the server. If they
    list a more specific service area, be sure to respect the server
    administrator's wishes in that regard.

Testing with ntpdate

Before using an external NTP server to sync your time, you should make
sure you can actually connect to the server from your machine.
Fortunately, there's a tool for that included with the NTP server called
ntpdate.

The ntpdate command syncs your clock with an NTP server. It's
similar to what the NTP server does on a regular basis. The ntpd program
is a separate package on Ubuntu® operating systems and Debian®. The other
distributions install ntpdate at the time of ntpd installation. To
use ntpdate, Ubuntu operating system and Debian users must first install it.

sudo aptitude install ntpdate

Set your clock to sync at times you specify by using cron to run
ntpdate. Otherwise, run the NTP server because it uses less bandwidth and
keeps time more accurately by tracking your clock's drift over time and
adjusting accordingly. Use ntpdate for testing purposes only.

The ntpdate command does not run when the NTP server is running. If you
run ntpdate and get a response like "the NTP socket is in use," this
means your NTP server is running. Stop it with the appropriate command
for your distribution:

Ubuntu operating systems / Debian

sudo /etc/init.d/ntp stop

CentOS / Fedora / RHEL

sudo /etc/init.d/ntpd stop

You can now run ntpdate with the server you want to sync against as an
argument. For example, to tell ntpdate to try and sync with
"pool.ntp.org", run the following command:

sudo ntpdate pool.ntp.org

When you're finished testing, remember to restart NTP:

Ubuntu operating systems / Debian

sudo /etc/init.d/ntp start

CentOS / Fedora / RHEL

sudo /etc/init.d/ntpd start

Summary

Fortunately, NTP time syncing is pretty easy to do. After you set the
time servers and start the NTP service, it does its work quietly in
the background.

If NTP has any problems, it logs them to the system log, which you
should be checking regularly anyway.

For more details on setting up an NTP server and what options are
available, visit the NTP documentation
site
. If you want to
know more about how NTP works, go to the main NTP web
site
, and all will be revealed.