NTP server configuration in Linux

Source: Internet
Author: User
Tags: net, time
The Network Time Protocol (NTP) is used to synchronize the clocks of all of a server's clients. An NTP server synchronizes the local system clock with a public NTP server and then acts as the time source for the local network, so that every client on the LAN can synchronize its clock from it.

The biggest benefit of clock synchronization shows up in the log files of the systems involved: if a central log host is used to manage logs across the network, events from different machines line up in order and the logs reflect what actually happened, which is what makes events from several hosts correlatable during an incident investigation. In a network with synchronized clocks, centralized performance and service monitoring reflect system state in real time, so the administrator can detect and resolve problems quickly.

Install and configure the NTP service

The following describes a simple NTP server configuration:

Step 1: install the NTP service

Most Linux distributions ship the ntp package; if it is not installed on your system, install it with rpm. The following uses CentOS as the example of configuring a time server:

Check whether ntp is installed on the current system:

[root@localhost ~]# rpm -qa | grep ntp
chkfontpath-1.10.1-1.1
ntp-4.2.2p1-8.el5.centos.1

The second line is the installed ntp RPM package (chkfontpath shows up only because its name happens to contain the string "ntp").

If it is not installed, run:

[root@localhost ~]# rpm -ivh ntp-4.2.2p1-8.el5.centos.1.rpm

Step 2: configure the NTP server

The NTP server configuration is as follows:

Edit the configuration file /etc/ntp.conf:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 192.168.146.225
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

The configuration file is described as follows:

The first restrict default line sets the access rule for every host not matched by a more specific restrict entry. nomodify denies ntpq/ntpdc requests that would change the server's configuration or state; notrap declines to provide mode 6 control-message trap service; noquery denies ntpq/ntpdc status queries (this also closes the monitoring queries that have been abused for reflection and amplification attacks; time service itself is not affected); nopeer refuses unsolicited peer associations; kod answers an access violation with a kiss-o'-death packet instead of silently dropping it.

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

This line is added by hand. It means that hosts 192.168.1.1 to 192.168.1.254 may use our NTP server to synchronize time. Note that the most specific matching entry decides the flags and its flags replace the default ones rather than adding to them, so this entry also lets LAN hosts query the server (noquery is not listed), while still forbidding modification and traps.

server 192.168.146.225

This line is also added by hand: it names an upstream NTP server on the LAN from which this host takes time, in addition to the public pool servers.

The last two lines configure the undisciplined local clock (driver address 127.127.1.0) at stratum 10 as a fallback, so that the server keeps serving its local time to clients when it loses contact with the public time servers; the high stratum number ensures it is used only when no real source is available.

Port

NTP uses UDP; remember to open port 123 (in both directions, since the server is itself a client of its upstream servers).

Start NTPD

To enable the NTP service to start automatically at boot, run:

# chkconfig ntpd on

Start ntpd:

# service ntpd start

NTP client configuration:

On the client, run ntpdate <server IP address> by hand to synchronize the time once;

You can also let crond run the synchronization on a schedule:

Edit root's crontab:

[root@supersun root]# crontab -e

Add the following line to update the time every 15 minutes:

*/15 * * * * /usr/sbin/ntpdate <server IP address>

The ntpdate command is included in the ntp package; check that it is installed. Note that ntpdate refuses to set the clock on a host where ntpd is already running, so use either this cron job or a client-side ntpd, not both.

Step 3: Check whether the time server is correctly synchronized

Run the following command to check the synchronization status of the time server:

# ntpq -p

A sure sign that synchronization is failing is that every remote server shows jitter 4000 with delay 0 and reach 0: no reply has been received from any of them.

Possible causes include:

A firewall blocks communication with the server; check that UDP port 123 is open in both directions.

In addition, after the NTP server is (re)started it takes about 3 to 5 minutes before it has synchronized and will serve clients. Until then, a client running ntpdate <server IP address> gets:

27 Jun 10:20:17 ntpdate[21920]: no server suitable for synchronization found

I. configure the Linux NTP time server

1. download and install the software

Usually the ntp package is included with the Linux distribution; install it from there. If it is not, the source can be downloaded. Verify the tarball's checksum or signature against the upstream release before building: ntpd runs with root privileges and sets the system clock, so an unverified build from a third-party mirror is a supply-chain risk.

# cd /tmp; wget ntp.buptnet.edu.cn/ntp_chinese/down/server/ntp-4.2.0.tar.gz

# tar -zxvf ntp-4.2.0.tar.gz -C /usr/local/src; cd /usr/local/src/ntp-4.2.0

2. configure, compile and install:

# ./configure --prefix=/usr/local/ntp --enable-all-clocks --enable-parse-clocks

# make clean; make

# make check

# make install

Installation is complete.

II. understand the NTP service configuration file

1. NTP package structure and related commands

The NTP service configuration consists of four files, listed in Table 1.

Table 1 NTP service configuration files

The executables related to NTP and the system time are listed in Table 2.

Table 2 executables related to NTP and the system time

Note: Linux classifies and sets clocks quite differently from Windows. Linux distinguishes two clocks: the system clock and the hardware (RTC) clock. The system clock is the clock kept by the running Linux kernel; the hardware clock is the battery-backed clock on the motherboard, which can also be set in the BIOS setup. When Linux boots, the system clock is initialized from the hardware clock; from then on the system clock runs independently of the hardware clock, which is only written back with hwclock.

2. understand the NTP server configuration file /etc/ntp.conf

About access control

Access control is configured with the restrict parameter, in the following format:

restrict <IP address> mask <subnet mask> <parameters>

The address can be a host or network address, or the keyword default, which matches every source not covered by a more specific entry.

The following parameters are available:

ignore: deny all packets from the source, including time requests.

nomodify: the client may not change the server's configuration or state (ntpq/ntpdc modification requests are denied), but it can still synchronize its clock from the server.

notrust: treat the source as untrusted unless its packets are cryptographically authenticated.

noquery: deny ntpq/ntpdc status queries from the source; time service is not affected.

Note: an entry with no parameters places no restriction on that address or subnet. Because the most specific matching entry decides and its flags are not combined with those of the default entry, such an entry fully overrides the default flags for that source.

The upstream time server is set with the server parameter, in the following format:

server <IP address or domain name> [prefer]

The address or domain name identifies an upstream time server. Adding prefer marks it as the preferred source: when it survives the selection algorithm, the local clock is disciplined to it in preference to the other servers.

The driftfile format is as follows:

driftfile <file name>

ntpd records in this file its estimate of the local clock's frequency error, in parts per million, so that after a restart it can correct the clock immediately instead of having to re-learn the drift.

Note: driftfile must be given as a full path, not a symbolic link, and the file must be writable by the user the ntpd daemon runs as.

3. ntp.conf configuration examples

1) use a time server on the Internet as the clock source

Requirement: use time.nist.gov as the upstream time server. Add the following to ntp.conf:

restrict default ignore                                    # drop all packets by default
restrict 192.168.1.0 mask 255.255.255.0 notrap nomodify    # LAN clients may synchronize, not modify
server time.nist.gov                                       # upstream time server
server 127.127.1.1                                         # undisciplined local clock (LCL driver), not the lo interface
fudge 127.127.1.1 stratum 10 refid NIST                    # LCL is unsynchronized: keep it at a low-priority stratum
driftfile /etc/ntp.drift
logfile /var/log/ntp.log
broadcastdelay 0.008                                       # broadcast delay in seconds

Caveat: restrict default ignore drops every packet from an unlisted source, including the replies from time.nist.gov itself, so this fragment only works once the upstream server's address is allowed with its own restrict line, as the second example below does for its upstream server.

2) internal NTP server synchronized to an upstream server

Requirements: the system offers no service to the Internet, only to the internal subnet 192.168.0.0/24, and clients on that subnet may not modify the NTP server's time parameters.

Add the following to ntp.conf:

restrict default ignore                              # drop all packets by default
restrict 127.0.0.1                                   # allow the loopback interface (lo) without restriction
restrict 192.168.0.0 mask 255.255.255.0 nomodify     # internal clients may synchronize but not modify the server
server 198.123.30.132                                # 198.123.30.132 is the upstream time server
restrict 198.123.30.132                              # let the upstream server's packets through the default ignore
driftfile /var/lib/ntp/drift
broadcastdelay 0.008                                 # broadcast delay in seconds

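How ntpd combines restrict entries is easy to misjudge: the most specific matching entry decides, and its flags replace rather than add to the default flags. That is why restrict default ignore with no entry for the upstream server silently drops that server's replies (the pitfall in example 1 above), and why a LAN entry that lists only nomodify notrap re-opens the queries the default line closed. The following Python is an added example, not ntpd's own code and not part of the original article: a small model of that matching, run against the restrict lines of the three configurations on this page (the CentOS file from the first part and examples 1 and 2 above). The upstream address 198.123.30.132 for all three, the LAN client addresses and 203.0.113.9 as an Internet host are assumptions chosen to exercise the rules.

```python
"""Model of how ntpd matches 'restrict' lines (added example, not ntpd code).

The most specific matching entry (longest mask) decides a packet's flags;
the flags of broader entries do not carry over.  IPv4 only; 'restrict -6'
lines are skipped.  Addresses used below to exercise the rules are assumed.
"""
import ipaddress

KNOWN_FLAGS = {"ignore", "nomodify", "notrap", "noquery", "nopeer", "notrust", "kod"}


def parse_restrict_lines(conf_text):
    """Return [(network, flags)] for every IPv4 'restrict' line in conf_text."""
    rules = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()         # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict" or tokens[1] == "-6":
            continue
        tokens = tokens[1:]
        if tokens[0] == "default":                    # same as 0.0.0.0 mask 0.0.0.0
            net, flags = ipaddress.ip_network("0.0.0.0/0"), set(tokens[1:])
        elif len(tokens) >= 3 and tokens[1] == "mask":
            net = ipaddress.ip_network(f"{tokens[0]}/{tokens[2]}", strict=False)
            flags = set(tokens[3:])
        else:                                         # single host, /32
            net, flags = ipaddress.ip_network(f"{tokens[0]}/32"), set(tokens[1:])
        unknown = flags - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown restrict flag(s) {sorted(unknown)} in {raw!r}")
        rules.append((net, flags))
    return rules


def effective_flags(rules, src_ip):
    """Flags of the most specific entry matching src_ip; no entry = unrestricted."""
    ip = ipaddress.ip_address(src_ip)
    best = None
    for net, flags in rules:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, flags)
    return set() if best is None else set(best[1])


def allowed(rules, src_ip, action):
    """action: 'time' (sync packets), 'query', 'modify' or 'trap'.
    kod, nopeer and notrust are parsed but not modelled here."""
    flags = effective_flags(rules, src_ip)
    if "ignore" in flags:                             # every packet is dropped
        return False
    if action == "time":
        return True                                   # noquery etc. never block time
    if action == "query":
        return "noquery" not in flags
    if action == "modify":                            # a modify is also a query
        return not flags & {"noquery", "nomodify"}
    if action == "trap":
        return "notrap" not in flags
    raise ValueError(action)


# The restrict lines of the page's three configurations (other directives omitted).
CONF_A = """restrict default kod nomodify notrap nopeer noquery   # CentOS example
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
"""
CONF_B = """restrict default ignore                               # example 1) above
restrict 192.168.1.0 mask 255.255.255.0 notrap nomodify
"""
CONF_C = """restrict default ignore                               # example 2) above
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify
restrict 198.123.30.132
"""

UPSTREAM = "198.123.30.132"     # assumed address of the upstream server in all three
INTERNET = "203.0.113.9"        # assumed address of an unrelated Internet host


def report(conf_text, lan_client):
    """What the upstream, a LAN client and an Internet host may each do."""
    rules = parse_restrict_lines(conf_text)
    return {
        "upstream_replies_accepted": allowed(rules, UPSTREAM, "time"),
        "lan_time": allowed(rules, lan_client, "time"),
        "lan_query": allowed(rules, lan_client, "query"),
        "lan_modify": allowed(rules, lan_client, "modify"),
        "internet_time": allowed(rules, INTERNET, "time"),
        "internet_query": allowed(rules, INTERNET, "query"),
    }


if __name__ == "__main__":
    for name, conf, client in (("A", CONF_A, "192.168.1.10"),
                               ("B", CONF_B, "192.168.1.10"),
                               ("C", CONF_C, "192.168.0.5")):
        print(name, report(conf, client))
```

Running it shows the two points in one table: configuration B never accepts the upstream's replies (so it never synchronizes), while in configuration A the LAN entry, by listing only nomodify notrap, lets LAN hosts run ntpq queries that the default line denies to the Internet. Add noquery to the LAN entry if that is not intended.
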
4. other settings:

Save and exit.

# service ntpd start

To start the NTP service automatically every time the system boots, enter:

# chkconfig --level 35 ntpd on

Open UDP port 123 in the iptables firewall

NTP uses UDP port 123, so the firewall on the NTP server must accept UDP 123 from the clients it serves. For the internal subnet above:

# /sbin/iptables -A INPUT -p udp -i eth0 -s 192.168.0.0/24 \
>   --dport 123 -j ACCEPT

Note: ntpd usually needs some time after start-up to synchronize, so it cannot serve clients immediately; this should take at most about 5 minutes. If it takes longer, check your configuration file.

5. check the ntp server's working conditions

Normally we check that UDP port 123 is listening and that the ntpd process is running:

The commands are as follows:

# netstat -unl | grep ':123 '    # view UDP port 123

# ps -ef | grep '[n]tpd'          # check whether the ntpd process is running (the [n] keeps grep from matching itself)

6. monitor ntp servers

ntpq monitors ntpd; it communicates with the NTP server using standard NTP mode 6 control messages.

ntpq -p lists the servers (peers) this host is configured to use and shows the state of each association.

For example, running ntpq -p gives:

# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time-a.timefreq .ACTS.           1 u  152 1024  377   43.527  -11.093   3.982
+clock.isc.org   204.123.2.5      2 u  230 1024  377  -67.958    7.729
 time-a.nist.gov .ACTS.           1 u  323 1024  377   58.705  994.866

The first character of each line is the tally code: "*" marks the system peer, the server the local clock is currently synchronized to; "+" marks a candidate that survived the selection algorithm and contributes to the combined estimate; a blank marks a server that was rejected by the selection algorithm or has not answered. remote: the name of the server; refid: the identifier of the source that server itself synchronizes to; st: that server's stratum; t: association type (u = unicast); when: seconds since the last packet was received from the server; poll: the current polling interval in seconds; reach: an 8-bit shift register, printed in octal, of the last eight polls (377 means all eight were answered); delay: round-trip delay to the server in milliseconds; offset: the difference between the local clock and the server in milliseconds (ms); jitter: the dispersion of recent offset samples in milliseconds.
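The failure signature described earlier (jitter 4000 with delay 0 and reach 0 means no reply has been received) and the column legend above are easy to turn into a check. The following Python is an added example, not code from the original article: it parses ntpq -p output and reports associations that are unreachable, missing polls, unsynchronized, or too far off. SAMPLE is constructed to resemble the output above; ntp.example.net and the numbers on that line are placeholders, and in practice the text would come from running ntpq -pn.

```python
"""Parse 'ntpq -p' output and flag associations that are not healthy.

Added example, not part of the original article.  SAMPLE is constructed
to resemble the output shown above; in practice feed in the stdout of
subprocess.run(["ntpq", "-pn"], capture_output=True, text=True).
"""
from dataclasses import dataclass

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time-a.timefreq .ACTS.           1 u  152 1024  377   43.527  -11.093   3.982
+clock.isc.org   204.123.2.5      2 u  230 1024  377   55.120   -7.729   4.105
 ntp.example.net .INIT.          16 u    -   64    0    0.000    0.000 4000.00
"""

# Tally codes printed in the first column of each peer line.
TALLY = {
    "*": "system peer",          # the source the clock is synchronized to
    "+": "candidate",            # survived selection, used in the combine
    "#": "backup",
    "-": "outlier",              # discarded by the clustering algorithm
    "x": "falseticker",
    ".": "excess",
    " ": "rejected/unreachable",
    "o": "pps peer",
}

STEP_THRESHOLD_MS = 128.0        # ntpd steps rather than slews beyond this offset


@dataclass
class Peer:
    tally: str
    remote: str
    refid: str
    stratum: int
    when: str       # seconds since last reply, or '-' if never
    poll: int
    reach: int      # octal shift register of the last 8 polls; 0o377 = all answered
    delay: float    # round-trip delay, ms
    offset: float   # local clock minus server, ms
    jitter: float   # ms; 4000 is what ntpq prints when no sample has arrived


def parse_ntpq(text):
    """Turn ntpq -p output into Peer records; header and rule lines are skipped."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or ("remote" in line and "refid" in line):
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue                      # not a peer line (e.g. a wrapped long address)
        remote, refid, st, _t, when, poll, reach, delay, offset, jitter = fields
        peers.append(Peer(tally, remote, refid, int(st), when, int(poll),
                          int(reach, 8), float(delay), float(offset), float(jitter)))
    return peers


def diagnose(peers):
    """Return (remote, problem) for every association that needs attention."""
    problems = []
    for p in peers:
        if p.reach == 0 and p.delay == 0.0 and p.jitter >= 4000:
            problems.append((p.remote, "no reply at all: check UDP/123 both ways, or server still settling"))
        elif p.reach != 0o377:
            problems.append((p.remote, f"missed polls, reach={p.reach:o}"))
        elif p.stratum >= 16:
            problems.append((p.remote, "server is itself unsynchronized (stratum 16)"))
        elif abs(p.offset) > STEP_THRESHOLD_MS:
            problems.append((p.remote, f"offset {p.offset} ms exceeds the step threshold"))
    return problems


def is_synchronized(peers):
    """True when ntpd has chosen a system peer (a line tallied '*')."""
    return any(p.tally == "*" for p in peers)


if __name__ == "__main__":
    peers = parse_ntpq(SAMPLE)
    print("synchronized:", is_synchronized(peers))
    for remote, problem in diagnose(peers):
        print(f"{remote}: {problem}")
```

Run from cron, a non-empty result from diagnose() or a False from is_synchronized() is what should alert someone; the 128 ms threshold is ntpd's own step threshold, beyond which it steps rather than slews the clock.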

III. use of the Linux NTP client

1. use command line configuration in Linux:

Network time calibration on Linux is easy: just run ntpdate:

# ntpdate 192.168.0.1    # 192.168.0.1 is the IP address of the NTP server

Do not forget to write the time into the hardware clock (BIOS) with hwclock:

# hwclock -w

You can use the crond service for scheduled calibration.

Edit the /etc/crontab file

Add the following line:

30 8 * * * root /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w    # 192.168.0.1 is the IP address of the NTP server

Restart the crond service.

# service crond restart

In this way the Linux system calibrates its time from the network automatically every day at 08:30. As noted in the ntpdate appendix, ntpdate will not set the clock while ntpd is running on the same host, so use one mechanism or the other.

2. configuration methods in the desktop environment

On a desktop you can use a graphical clock tool, such as the Date and Time tool in RHEL 4.0, started with the redhat-config-time command in a terminal or from the K menu under System Settings / Date and Time. With this tool you need not distinguish system time from hardware time: setting the date and time in the dialog sets both the system clock and the hardware clock.

IV. time calibration using NTP in Windows XP, 2003, and 2000 systems

Use the time service built into the operating system (Windows XP and Windows 2003):

1. double-click the clock in the lower-right corner of the taskbar to open the Date and Time Properties dialog.

2. select the Internet Time tab, tick Automatically synchronize with an Internet time server, enter the IP address or domain name of the time server in the Server field, click Apply, then click Update Now to synchronize immediately.

Use the time service built into the operating system (Windows 2000):

1. open Administrative Tools in the Control Panel, then Services, and find Windows Time in the list.

2. double-click the service name, set Startup type to Automatic in the Windows Time properties, and press Start.

3. at the command prompt, point the Windows time service at the time server:

net time /setsntp:xxx.xxx (time server domain name or IP address)

To synchronize with the time server immediately, restart the time service:

net stop w32time

net start w32time

From then on the machine keeps accurate time. Note: w32tm.exe is the related command for synchronizing a local computer with a remote computer or with the domain, and is the preferred tool for time synchronization. On Windows 2000 the w32time service is disabled by default. W32Time is the time service that the Kerberos authentication protocol depends on (Kerberos rejects tickets whose timestamps fall outside the permitted clock skew); its purpose is to keep every computer running Windows 2000 or later in the organization on the same time.

V. use the tool software Automachron to synchronize time on windows 98/me/NT client

Windows 98/NT can use the Automachron tool:

1. download achron5;

2. install the software;

3. run Programs --> Automachron;

4. right-click the Automachron icon in the taskbar and select Properties --> Host --> Network Host;

Enter ntp.sjtu.edu.cn, tick Sync at startup and tick Run at startup.

The system then synchronizes time automatically at every start; to synchronize by hand, click Sync.

VI. Summary

As networks and online applications grow, so does the number of network devices and servers. When reviewing logs from many devices, administrators often find that their times disagree: even after setting the time by hand, errors creep in from time-zone mistakes or clock drift, and some layer-2 switches reset their clock to the initial value after a restart and must be set again. Core network devices and important application servers sometimes have to work together, so reliable, accurate time matters especially there.

Configuring and using the NTP service is simple and uses very little network bandwidth. NTP time servers are widely used in network security, online teaching, database backup and other fields. Synchronizing the time of the network and its devices is important for an enterprise, not least so that the logs produced by security devices carry accurate timestamps that can be correlated across systems. This article has described how to build an NTP time server on Linux and how to configure it, with examples.

Appendix 1:

Ntpdate command

Purpose: set the date and time using the Network Time Protocol (NTP). (This reference text is taken from the AIX 4.2 manual page; the ntpdate shipped in the Linux ntp package accepts the same flags.)

Syntax:

ntpdate [-b] [-d] [-s] [-u] [-a keyid] [-e authdelay] [-k keyfile] [-o version] [-p samples] [-t timeout] server ...

Description: sets the local date and time by polling the specified NTP servers to determine the correct time. It takes a number of samples from each server and applies the standard NTP clock filter and selection algorithms to choose the best one.

ntpdate adjusts the time in one of two ways:

If it determines that the clock offset exceeds 0.5 seconds, it steps the clock by calling settimeofday. This is the preferred method at boot time.

If it determines that the clock offset is less than 0.5 seconds, it slews the clock by calling adjtime with the offset. This keeps a drifting clock more accurate at some expense to stability. When ntpdate is run from cron rather than a daemon being used, running it every hour or two keeps the clock accurate enough to avoid stepping.

Note:

Using several servers greatly improves the reliability and accuracy of ntpdate. A single server can be used, but three or four servers give better results.

If an NTP server daemon such as xntpd is running on the same host, ntpdate declines to set the clock.

You must have root authority to run this command on the host.

Flags

-a keyid: authenticate all packets using the key keyid.

-b: force the time to be stepped with settimeofday rather than slewed with adjtime, regardless of the size of the offset.

-d: debug mode. ntpdate goes through all the steps and prints what it would do, but does not set the clock. This flag uses an unprivileged port.

-e authdelay: specify the authentication processing delay, in seconds.

-k keyfile: read keys from keyfile instead of the default /etc/ntp.keys. See the description of the key file below.

-o version: the NTP version to use in outgoing packets (1, 2 or 3; the default is 3).

-p samples: the number of samples to take from each server, from 1 to 8 inclusive; the default is 4.

-s: log through the syslog facility instead of standard output; useful when ntpdate is run from cron.

-t timeout: how long to wait for a server response, rounded to a multiple of 0.2 seconds; the default is 1 second.

-u: send packets from an unprivileged port. Useful behind a firewall that blocks inbound traffic to privileged ports when you want to synchronize with a host outside it.

Parameters

server: the host name or address of an NTP server to poll; one or more may be given.

Exit status

The command returns 0 on success and a value greater than 0 on error.

Security

Access control: you must have root authority to run this command.

Audit events: N/A

Example

To set the local date and time by polling the NTP server at 9.3.149.107, enter: /usr/sbin/ntpdate 9.3.149.107

The output is similar to the following: 28 Feb 12:09:13 ntpdate[18450]: step time server 9.3.149.107 offset 38.417792 sec

(An offset of 38 seconds exceeds the 0.5-second threshold, so the clock is stepped rather than slewed.)

Files

/usr/sbin/ntpdate contains the ntpdate command.

/etc/ntp.keys contains the default key file.
