home rss search January 01, 2017

OpenNTPD Tutorial


Open Network Time Protocol ( ntpd.conf )

When you have many machines to take care of it is imperative all machines have the correct time. This is important for your users and for security. People today expect if they see the time displayed on the computer that it is correct. We have heard excuses from people who are late to meetings because "the clock on my computer must be off." Time is also important when comparing logs between machines and servers. You need to know that logs on a user system correspond to the time on the firewall and to the mail server. It just makes sense and if you need to do a forensic report it will make your life a lot easier.

The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 as its transport layer. It is designed particularly to resist the effects of variable latency (jitter).

NTP is one of the oldest Internet protocols still in use (since before 1985). NTP was originally designed by Dave Mills of the University of Delaware, who still maintains it, along with a team of volunteers. Wikipedia, Ntp

But there were problems with ntpd...

The development of OpenNTPD was motivated by a combination of issues with current NTP daemons: difficult configuration, complicated and difficult to audit code, and unsuitable licensing. OpenNTPD was designed to solve these problems and make time synchronization accessible to a wider userbase. After a period of development, OpenNTPD first appeared in OpenBSD 3.6. Its first release was announced on November 2, 2004.

OpenNTPD is born

The OpenBSD group have made a more secure version called OpenNTPD. OpenNTPD is an attempt by the OpenBSD team to produce an NTP daemon implementation which is secure, simple to security audit, trivial to set up and administer, and has small memory requirement that synchronizes local clock on the computer with remote NTP server with reasonable accuracy.

OpenNTPD is a Unix system daemon implementing the Network Time Protocol to synchronize the local clock of a computer system with remote NTP servers. It is also able to act as an NTP server to NTP-compatible clients.

OpenNTPD is primarily developed by the OpenBSD project. Its design goals include being secure (non-exploitable), easy to configure, accurate enough for most purposes and with source code that can be distributed under a BSD license. Its portable version, like that of OpenSSH, is developed as a child project which adds the portability code to the OpenBSD version and releases it separately. The portable version is developed by Darren Tucker. Wikipedia, OpenNTPD

Getting Started

We are going to setup a time daemon to get its time from at least four(4) external time servers for accuracy, but no more then seven(7) ntp servers. Once our server has synced with the time server it will then allow clients on the internal lan to sync their time with our OpenNTPD server. You can expect an accuracy of +- 0.05 seconds, but probibly closer to +- 0.01 seconds.

When choosing a list of NTP servers, we suggest using NTP.org Public NTP Pool Time Servers and selecting five(5) to seven(7) geographically close servers. Since we are on the US east coast the most accurate servers we found are in the ntpd.conf configuration file. For accuracy, please choose individual ntp servers instead of using a multi server hostname pointing to a pool of ntp servers.

The setup of OpenNTPD on OpenBSD and FreeBSD is as easy as putting the ntpd.conf file in place and starting the daemon. In the following text window you will find the ntpd.conf file. When you place it in /etc/ntpd.conf it will do the following:

#
## Calomel.org  -- ntpd.conf
## https://calomel.org/ntpd.html
#
# Addresses to listen on (ntpd does not listen by default)
listen on 127.0.0.1

## To browse Public NTP servers
## http://support.ntp.org/bin/view/Servers/WebHome#Finding_A_Time_Server

## preferred and accurate from US East Coast
server clock.sjc.he.net
server gps.layer42.net
server hydrogen.constant.com
server t1.timegps.net 
server time-b.nist.gov

## mostly accurate fallback servers
server ntp1.conectiv.com
server rackety.udel.edu
server time.keneli.org

## public 
#servers time-a.timefreq.bldrdoc.gov

What is single and multi server time sync ?

Single Server time sync means the hostname queried runs one time server. Every hostname listed is one more time server OpenNTPD will have access to.

Multi server time sync means the single hostname listed actually points to multiple ip address and each of those ip address run a ntpd time server. If you do a hostname look up on time-a.timefreq.bldrdoc.gov it will resolve to at lease three(3) time servers.

user@machine: host time-a.timefreq.bldrdoc.gov
time-a.timefreq.bldrdoc.gov has address 132.163.4.101
time-a.timefreq.bldrdoc.gov has address 132.163.4.102
time-a.timefreq.bldrdoc.gov has address 132.163.4.103

Running the daemon

You can execute the daemon manually by typing "ntpd -s". This will start the OpenNTPD daemon and the "-s" argument tells the daemon to "set the time immediately at start up if the local clock is off by more than 180 seconds. This allows for large time corrections, eliminating the need to run rdate(8) before starting ntpd."

FreeBSD: To start OpenNTPD at boot On FreeBSD use the following lines in your /etc/rc.conf.

openntpd_enable="YES"
openntpd_flags="-sv"

OpenBSD: To start OpenNTPD at boot on OpenBSD use the following line in your /etc/rc.conf.local if you made one or just put it in /etc/rc.conf.

ntpd_flags="-s"
You can reduce the power consumption of your firewall and keep track of system temperatures by using Power Management with apmd and Sensorsd hardware monitor (sensorsd.conf).

Questions?

How many time servers should I sync to ?

You want to use no less then four(4) time servers, but no more then nine(9) to sync to. The reason is similar to a voting system. If you only have two(2) time servers and one is wrong, how do you know which one it is? With at least three ntp time servers if one server is sending the wrong time then the other two will be able to show that server is wrong. GPS time servers are supposed to be accurate all the time, but this is not always the case like when the US Naval Observatory set their GPS time back to the year 2000.

To be safe we highly recommend using a few extra time servers. We like to use at least five(5) or even up to eight(8) unrelated ntp servers. Choose servers that do not set time to each other. For example, we know Microsoft uses the US Navy time sever because when the US Navy time server set itself to the year 2000, so too did Microsoft. Not good. So, choose different time servers from governments, universities and companies. That way when one, two, or even three send out the wrong time you have plenty of other time servers which can set the record straight and keep your time in sync.

How can I check if OpenNTPd is in sync ?

Use the "ntpctl" tool. ntpctl will print out each ntp peer including their next polling time as well as the offset, delay and jitter in milliseconds. The following is the output of the ntpctl tool while using the ntp servers listed in the example configuration file above. When the system clock is synced to a peer, an asterisk is displayed to the left of the weight column for that peer. The host, "108.61.73.243 hydrogen.constant.com" is the ntp server our system is currently in sync with.

# ntpctl -sa
8/8 peers valid, clock synced, stratum 3

peer
   wt tl st  next  poll          offset       delay      jitter
216.218.254.202 clock.sjc.he.net 
    1 10  1 1017s 1580s       -15.355ms    99.528ms    33.901ms
69.36.224.15 gps.layer42.net 
    1 10  1 1227s 1558s         3.128ms    84.416ms     7.101ms
108.61.73.243 hydrogen.constant.com 
 *  1 10  2  990s 1646s       -13.804ms    41.652ms    35.821ms
108.71.253.18 t1.timegps.net 
    1 10  1 1142s 1644s        -7.397ms   115.897ms    27.964ms
129.6.15.29 time-b.nist.gov 
    1 10  1 1008s 1526s       -10.416ms    37.927ms    34.679ms
138.39.23.13 ntp1.conectiv.com 
    1 10  1  746s 1526s       -13.763ms    44.702ms    34.343ms
128.4.1.1 rackety.udel.edu 
    1 10  1 1430s 1584s        -1.996ms    11.344ms     0.907ms
173.162.192.156 time.keneli.org 
    1 10  1  939s 1545s       -16.197ms    58.774ms    34.135ms


Contact Us RSS Feed Google Site Search