
Configuring ntpd to hand out time to local servers

Published: August 11, 2008 (over 9 years ago)
Updated: over 2 years ago

Syncing your servers to public time servers is one of the most common ways of keeping server clocks in sync. The less common approach, configuring one server to sync with the public servers and then become the authoritative time keeper for the rest of your servers, is apparently less well known. Digging through the copious ntp documentation, I have to say it's some very, very dense documentation, mainly because the jargon isn't well translated into a layperson's "How do I?" inquiry. I combed the documentation for days trying to figure out exactly how to set up a server to hand out time to all my other servers. Normally my Google-fu can pierce just about any need, but "time", "server", "local" and so on are all too common terms in both client-and-server and client-only configurations, and by far and away the bulk of the documentation guides you through the latter. The documentation that guides you through the former is dense with references to peers, stratum, broadcasting, multicasting, and so on. So, here's how to set up an NTP service as both client and local time server on CentOS 4:

yum install ntp

Then edit the /etc/ntp.conf file: set up the public ntp server pools, uncomment the broadcast line, and change the IP mask to match your network's:

server 0.rhel.pool.ntp.org
server 1.rhel.pool.ntp.org
server 2.rhel.pool.ntp.org

Modify your /etc/sysconfig/iptables to allow other servers to connect:

-A RH-Firewall-1-INPUT -p udp -m udp --dport 123 -j ACCEPT

Finally, go to the "client server" and install ntp on it just as you did on the ntp server, except that this time you edit its /etc/ntp.conf file to point at your new local time server. In my case I set up two servers to give out time and added ntp.1 and ntp.2 to my local DNS servers, so the config file for the "client servers" uses:

server ntp.1.example.com
server ntp.2.example.com
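As an added check that is not part of the original post: once the clients point at the local servers, the tally column of `ntpq -pn` shows which peer the clock is actually following and whether the local servers are answering polls. The script below parses that output and flags a client that is free-running, following some other server, losing polls, or sitting at a stratum that suggests the local server has lost its upstream pool; the 10.0.0.x addresses and the sample output are constructed assumptions.

```python
"""Parse `ntpq -pn` output and check that a client server is really locked to
one of the local time servers. The sample output below is constructed."""
import re
from dataclasses import dataclass

# Constructed `ntpq -pn` output from a client whose ntp.conf points at the two
# local servers; the 10.0.0.x addresses are assumptions, not from the post.
SAMPLE_NTPQ_OUTPUT = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*10.0.0.11       203.0.113.5      3 u   42   64  377    0.312   -0.041   0.019
+10.0.0.12       203.0.113.5      3 u   40   64  377    0.298    0.022   0.015
"""

@dataclass
class Peer:
    tally: str    # '*' system peer, '+' candidate, 'x' falseticker, ' ' rejected
    remote: str
    refid: str
    stratum: int
    reach: int    # 8-bit shift register of the last eight polls (0o377 = all ok)
LINE_RE = re.compile(
    r'^(?P<tally>[ *+#o.x-])(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)'
    r'\s+\S\s+\S+\s+\d+\s+(?P<reach>[0-7]+)')

def parse_ntpq(text):
    """Parse the peer table; the first two lines are the header and the rule."""
    peers = []
    for line in text.splitlines()[2:]:
        m = LINE_RE.match(line)
        if m:
            peers.append(Peer(m['tally'], m['remote'], m['refid'],
                              int(m['st']), int(m['reach'], 8)))
    return peers

def check_sync(peers, local_servers, max_stratum=4):
    """Return (ok, reason): ok only if the system peer is one of our local
    servers, answered all eight recent polls, and sits at a sane stratum."""
    system = [p for p in peers if p.tally == '*']
    if not system:
        return False, 'no system peer selected; clock is free-running'
    p = system[0]
    if p.remote not in local_servers:
        return False, f'synced to {p.remote}, which is not a local server'
    if p.reach != 0o377:
        return False, f'{p.remote} reach is {p.reach:o}; polls are being lost'
    if p.stratum > max_stratum:
        return False, f'{p.remote} is stratum {p.stratum}; upstream pool lost?'
    return True, f'synced to {p.remote} at stratum {p.stratum}'
```

On a real client, feed it `subprocess.check_output(['ntpq', '-pn'], text=True)` instead of the constructed sample and pass the set of addresses your ntp.1 and ntp.2 names resolve to.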

It's really that simple! It's probably not the most secure way to do the job, as there's plenty of information overload in the ntp documentation on configuring securely. However, with all of my servers sitting in a trusted VLAN, the DNS entries only served to these servers, and the NTP port blocked between this VLAN and others, I reckon it would be fairly hard to hijack the local ntp services. In other words, the simple approach is good enough, for now.
