home search January 01, 2017
When you have many machines to take care of it is imperative all machines have the correct time. This is important for your users and for security. People today expect if they see the time displayed on the computer that it is correct. We have heard excuses from people who are late to meetings because "the clock on my computer must be off." Time is also important when comparing logs between machines and servers. You need to know that logs on a user system correspond to the time on the firewall and to the mail server. It just makes sense and if you need to do a forensic report it will make your life a lot easier.
The Network Time Protocol (NTP) is a protocol for synchronizing the clocks of computer systems over packet-switched, variable-latency data networks. NTP uses UDP port 123 as its transport layer. It is designed particularly to resist the effects of variable latency (jitter).
NTP is one of the oldest Internet protocols still in use (since before 1985). NTP was originally designed by Dave Mills of the University of Delaware, who still maintains it, along with a team of volunteers. Wikipedia, Ntp
But there were problems with ntpd...
The development of OpenNTPD was motivated by a combination of issues with current NTP daemons: difficult configuration, complicated and difficult to audit code, and unsuitable licensing. OpenNTPD was designed to solve these problems and make time synchronization accessible to a wider userbase. After a period of development, OpenNTPD first appeared in OpenBSD 3.6. Its first release was announced on November 2, 2004.
The OpenBSD group have made a more secure version called OpenNTPD. OpenNTPD is an attempt by the OpenBSD team to produce an NTP daemon implementation which is secure, simple to security audit, trivial to set up and administer, and has small memory requirement that synchronizes local clock on the computer with remote NTP server with reasonable accuracy.
OpenNTPD is a Unix system daemon implementing the Network Time Protocol to synchronize the local clock of a computer system with remote NTP servers. It is also able to act as an NTP server to NTP-compatible clients.
OpenNTPD is primarily developed by the OpenBSD project. Its design goals include being secure (non-exploitable), easy to configure, accurate enough for most purposes and with source code that can be distributed under a BSD license. Its portable version, like that of OpenSSH, is developed as a child project which adds the portability code to the OpenBSD version and releases it separately. The portable version is developed by Darren Tucker. Wikipedia, OpenNTPD
We are going to setup a time daemon to get its time from at least four(4) external time servers for accuracy, but no more then seven(7) ntp servers. Once our server has synced with the time server it will then allow clients on the internal lan to sync their time with our OpenNTPD server. You can expect an accuracy of +- 0.05 seconds, but probibly closer to +- 0.01 seconds.
When choosing a list of NTP servers, we suggest using NTP.org Public NTP Pool Time Servers and selecting five(5) to seven(7) geographically close servers. Since we are on the US east coast the most accurate servers we found are in the ntpd.conf configuration file. For accuracy, please choose individual ntp servers instead of using a multi server hostname pointing to a pool of ntp servers.
The setup of OpenNTPD on OpenBSD and FreeBSD is as easy as putting the ntpd.conf file in place and starting the daemon. In the following text window you will find the ntpd.conf file. When you place it in /etc/ntpd.conf it will do the following:
# ## Calomel.org -- ntpd.conf ## https://calomel.org/ntpd.html # # Addresses to listen on (ntpd does not listen by default) listen on 127.0.0.1 ## To browse Public NTP servers ## http://support.ntp.org/bin/view/Servers/WebHome#Finding_A_Time_Server ## preferred and accurate from US East Coast server clock.sjc.he.net server gps.layer42.net server hydrogen.constant.com server t1.timegps.net server time-b.nist.gov ## mostly accurate fallback servers server ntp1.conectiv.com server rackety.udel.edu server time.keneli.org ## public #servers time-a.timefreq.bldrdoc.gov
Single Server time sync means the hostname queried runs one time server. Every hostname listed is one more time server OpenNTPD will have access to.
Multi server time sync means the single hostname listed actually points to multiple ip address and each of those ip address run a ntpd time server. If you do a hostname look up on time-a.timefreq.bldrdoc.gov it will resolve to at lease three(3) time servers.
user@machine: host time-a.timefreq.bldrdoc.gov time-a.timefreq.bldrdoc.gov has address 220.127.116.11 time-a.timefreq.bldrdoc.gov has address 18.104.22.168 time-a.timefreq.bldrdoc.gov has address 22.214.171.124
You can execute the daemon manually by typing "ntpd -s". This will start the OpenNTPD daemon and the "-s" argument tells the daemon to "set the time immediately at start up if the local clock is off by more than 180 seconds. This allows for large time corrections, eliminating the need to run rdate(8) before starting ntpd."
FreeBSD: To start OpenNTPD at boot On FreeBSD use the following lines in your /etc/rc.conf.
OpenBSD: To start OpenNTPD at boot on OpenBSD use the following line in your /etc/rc.conf.local if you made one or just put it in /etc/rc.conf.
You want to use no less then four(4) time servers, but no more then nine(9) to sync to. The reason is similar to a voting system. If you only have two(2) time servers and one is wrong, how do you know which one it is? With at least three ntp time servers if one server is sending the wrong time then the other two will be able to show that server is wrong. GPS time servers are supposed to be accurate all the time, but this is not always the case like when the US Naval Observatory set their GPS time back to the year 2000.
To be safe we highly recommend using a few extra time servers. We like to use at least five(5) or even up to eight(8) unrelated ntp servers. Choose servers that do not set time to each other. For example, we know Microsoft uses the US Navy time sever because when the US Navy time server set itself to the year 2000, so too did Microsoft. Not good. So, choose different time servers from governments, universities and companies. That way when one, two, or even three send out the wrong time you have plenty of other time servers which can set the record straight and keep your time in sync.
Use the "ntpctl" tool. ntpctl will print out each ntp peer including their next polling time as well as the offset, delay and jitter in milliseconds. The following is the output of the ntpctl tool while using the ntp servers listed in the example configuration file above. When the system clock is synced to a peer, an asterisk is displayed to the left of the weight column for that peer. The host, "126.96.36.199 hydrogen.constant.com" is the ntp server our system is currently in sync with.
# ntpctl -sa 8/8 peers valid, clock synced, stratum 3 peer wt tl st next poll offset delay jitter 188.8.131.52 clock.sjc.he.net 1 10 1 1017s 1580s -15.355ms 99.528ms 33.901ms 184.108.40.206 gps.layer42.net 1 10 1 1227s 1558s 3.128ms 84.416ms 7.101ms 220.127.116.11 hydrogen.constant.com * 1 10 2 990s 1646s -13.804ms 41.652ms 35.821ms 18.104.22.168 t1.timegps.net 1 10 1 1142s 1644s -7.397ms 115.897ms 27.964ms 22.214.171.124 time-b.nist.gov 1 10 1 1008s 1526s -10.416ms 37.927ms 34.679ms 126.96.36.199 ntp1.conectiv.com 1 10 1 746s 1526s -13.763ms 44.702ms 34.343ms 188.8.131.52 rackety.udel.edu 1 10 1 1430s 1584s -1.996ms 11.344ms 0.907ms 184.108.40.206 time.keneli.org 1 10 1 939s 1545s -16.197ms 58.774ms 34.135ms