NTP
The NTP daemon is the Network Time Protocol daemon. It synchronizes the local system time and can also act as a time server for other clients.
NTPsec is a secure, hardened, and improved implementation derived from the original NTP project.
Debian packages
Debian package required to run the NTP daemon:
ntpsec
Debian package required to simply synchronize local time:
ntpsec-ntpdate
References
- /usr/share/doc/ntpsec-doc (available only if the ntpsec-doc package is installed)
- A list of public time servers: http://www.eecis.udel.edu/~mills/ntp/servers.html
Glossary
- Stratum 1 = Primary Server
- Stratum 2 = Secondary Server
- [...]
ntpd or ntpdate?
Quoting from http://www.tldp.org/LDP/sag/html/basic-ntp-config.html:
Many people get the idea that instead of running the NTP daemon, they should just set up a cron job to periodically run the ntpdate command. There are 2 main disadvantages of using this method.
The first is that ntpdate does a "brute force" method of changing the time. So if your computer's time is off by 5 minutes, it immediately corrects it. In some environments, this can cause problems if time drastically changes. For example, if you are using time sensitive security software, you can inadvertently kill someone's access. The NTP daemon slowly changes the time to avoid causing this kind of disruption.
The other reason is that the NTP daemon can be configured to try to learn your system's time drift and then automatically adjust for it.
So the answer clearly is: ntpd.
System time vs. hardware clock
Edit /etc/init.d/hwclock.sh:
- Comment out (= disable) the line where hwclock is run with the parameter --adjust, in order to prevent conflicts between hwclock and NTP
- Uncomment (= enable) the line where hwclock is run with the parameter --systohc, in order to write the system time to the hardware clock on reboot
Note: I have not enabled this option.
NTP daemon
Local time sync
The default configuration in /etc/ntpsec/ntp.conf works out of the box. The servers configured there are:
0.debian.pool.ntp.org
1.debian.pool.ntp.org
2.debian.pool.ntp.org
3.debian.pool.ntp.org
Notes:
- Any changes to the configuration file require the NTP server to be restarted.
- The NTP server performs time synchronization in many little steps instead of in one fell swoop, so if the system time is substantially out of sync it may take a while until full synchronization has occurred.
- It is important that the system time is not out-of-sync more than 1000 seconds, otherwise the NTP server refuses to automatically correct the system time ("time correction exceeds sanity limit").
Provide time to clients
The information in this section refers to the time when I still ran a Debian server on a MacMini at home. This is no longer the case.
The configuration file /etc/ntpsec/ntp.conf mentions that, in order to provide time to clients, a "broadcast" line needs to be enabled. For instance:
broadcast 192.168.1.255
broadcast 192.168.2.255
However, I did not enable these commands because so far my Mac OS X clients were perfectly able to synchronize, once I told them where they were supposed to connect to (System Preferences > Date & Time).
Note: I added a "time-servers" option to my DHCP configuration (e.g. "time-servers 192.168.1.11" on the 192.168.1.0 subnet), but at the time of writing Mac OS X did not honor this option (Mac OS X 10.6). I have not yet tested how Windows behaves.
Prevent the NTP daemon from opening a network port
TL;DR: You can't. The NTP daemon must open a network port, or it won't synchronize time.
And now the long version. If you care about network security, then one principle should be obvious and clear: Every open TCP and UDP port is a potential risk, so if you don't need it, shut it down! Now for the NTP daemon: As long as ntpd is only "fetching" the time and is not acting itself as time server to other clients, there should be no need for ntpd to open any network ports. Right?
Apparently not. According to one of the answers to this ServerFault question:
[ntpd] must bind to a routable ip address to work.
This seems pretty stupid, but I was indeed able to confirm the problem. After adding "interface ignore" statements to ntp.conf and restarting the service, ntpd seemed to be stuck in an eternal initialization loop:
root@pelargir:~# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ds1789963.dedic .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ntp1.as34288.ne .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ch-ntp01.10g.ch .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 lx.ujf.cas.cz   .INIT.          16 -    - 1024    0    0.000    0.000   0.000
So in the end I had to give up and remove all "interface ignore" statements from ntp.conf. Now the output of ntpq looks like this:
root@pelargir:/var/log# ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*time.sunrise.ne 10.19.10.20      2 u    2   64    1    4.364    1.524   0.105
 one.ntp1.pw     128.105.39.11    3 u    1   64    1   96.679   -6.272   0.013
 ms21.snowflakeh 162.23.41.55     2 u    1   64    1    0.888   -3.032   0.054
 ntp0.as34288.ne 85.158.25.74     2 u    2   64    1    1.098   -2.860   0.032
For posterity's sake, here is what I tried. The main thing to know is that you can add one or more "interface ignore" statements to ntp.conf to tell the NTP daemon not to listen on a given network interface.
- Without any such statements, ntpd listens on the following UDP ports (result obtained from netstat -lnptu):
  udp        0      0 82.195.228.21:123       0.0.0.0:*                           58099/ntpd
  udp        0      0 127.0.0.1:123           0.0.0.0:*                           58099/ntpd
  udp        0      0 0.0.0.0:123             0.0.0.0:*                           58099/ntpd
  udp6       0      0 ::1:123                 :::*                                58099/ntpd
  udp6       0      0 fe80::42a8:f0ff:fe7:123 :::*                                58099/ntpd
  udp6       0      0 :::123                  :::*                                58099/ntpd
- interface ignore all
  - With only this, ntpd still opens the ports 127.0.0.1:123, 0.0.0.0:123, ::1:123 and :::123.
- interface ignore wildcard
  - With only this, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
  - It is very strange that this prevents listening on 82.195.228.21:123 and the IPv6 port.
- interface ignore 127.0.0.1
  - With only this, ntpd still opens the ports 127.0.0.1:123, 0.0.0.0:123, ::1:123 and :::123.
  - It is very strange that this prevents listening on 82.195.228.21:123 and the IPv6 port.
- interface ignore wildcard
  interface ignore all
  - The "ignore all" line has no effect, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
- interface ignore wildcard
  interface ignore 127.0.0.1
  - The "ignore 127.0.0.1" line has no effect, ntpd still opens the ports 127.0.0.1:123 and ::1:123.
- interface ignore wildcard
  interface ignore ::1
  - ntpd still opens the port 127.0.0.1:123.
- This is the most I was able to achieve. It seems to be absolutely impossible to prevent ntpd from listening on 127.0.0.1. It is also weird (to say the least) how ntpd interprets "interface ignore" statements. But since I am forced to let ntpd listen on a public interface anyway, I am not going to pursue this any further.
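Since ntpd has to keep listening on a public interface, the practical mitigation is to limit what remote hosts may do with that open port. The following ntp.conf fragment is an added example, not the configuration from this page; it uses the standard restrict directive, and the LAN subnet 192.168.1.0/24 is an assumption taken from the DHCP note in the "Provide time to clients" section.

```conf
# Added example (not the ntp.conf from this page): restrict what the open
# UDP/123 port will do for remote hosts while still serving time.
#
# Everyone else may ask for the time, but:
#   nomodify - no runtime reconfiguration via ntpq
#   noquery  - no status queries (limits what an unauthenticated remote
#              host can learn from, or amplify through, this server)
#   nopeer   - unauthenticated remote hosts cannot mobilize a new association
#   kod      - send "kiss of death" packets to clients that exceed the limits
#   limited  - apply per-client rate limits
restrict default kod nomodify nopeer noquery limited

# The host itself keeps full access, so "ntpq -p" on the server still works.
restrict 127.0.0.1
restrict ::1

# LAN clients (assumed 192.168.1.0/24) may run ntpq status queries but
# still cannot modify or peer.
restrict 192.168.1.0 mask 255.255.255.0 kod nomodify nopeer limited
```

After restarting the service, running ntpq -p from a host outside the LAN should get no answer, while clients still receive time.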
ntpdate
The Debian package ntpsec-ntpdate provides the utility ntpdate, which can be used to immediately adjust the system date at the time when the utility is run - no matter how far off the system time currently is. For instance:
ntpdate time.euro.apple.com
For continuous time sync, you can add an hourly cron script like the following:
pelargir:~# ls -l /etc/cron.hourly/pelargir-ntpdate
-rwxr-xr-x 1 root root 56 2011-02-09 19:15 /etc/cron.hourly/pelargir-ntpdate
pelargir:~# cat /etc/cron.hourly/pelargir-ntpdate
#!/bin/sh
/usr/sbin/ntpdate -u -s time.euro.apple.com
There is also the utility ntpdate-debian, which uses the configuration in the file /etc/default/ntpdate.
ntpq
ntpq is the standard NTP query program. For instance, it can be used to check the current time source (the source is the line marked with an asterisk):
ntpq -pn
For example:
root@pelargir:~# ntpq -pn
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+217.147.208.1   194.242.34.149   2 u   61   64    3    9.450  -10.368  10.087
+192.33.214.57   129.194.216.1    3 u   55   64    7   13.198  -10.532   8.899
+94.23.99.155    94.23.99.153     3 u   31   64    7   27.351   -5.038   7.588
*192.33.96.102   .PPS.            1 u   24   64   17    9.889  -12.321  11.285
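The asterisk line is exactly what a monitoring check should look for: no asterisk means ntpd has not selected a system peer (the .INIT. state from the "interface ignore" experiment above), and a large offset means the clock is still slewing. The following script is an added example, not part of the original page; it parses ntpq -pn output with awk, and the sample inputs are copied from the outputs shown on this page so that it runs without a live ntpd.

```sh
#!/bin/sh
# Added example, not part of the original page: a small sync check that
# parses "ntpq -pn" output. Real use: ntpq -pn | ntp_check 100

# ntp_check MAX_OFFSET_MS   (reads "ntpq -pn" output on stdin)
#   returns 0: a system peer ("*" tally) is selected and |offset| <= MAX_OFFSET_MS
#   returns 1: a system peer is selected but its offset exceeds MAX_OFFSET_MS
#   returns 2: no system peer selected (e.g. every peer stuck in .INIT.)
ntp_check() {
    awk -v max="${1:-100}" '
        # column 9 of a peer line is the offset in milliseconds
        /^\*/ { peer = substr($1, 2); offset = $9 + 0; found = 1 }
        END {
            if (!found) { print "CRITICAL: no system peer selected"; exit 2 }
            abs = (offset < 0) ? -offset : offset
            if (abs > max) { printf "WARNING: %s offset %.3f ms\n", peer, offset; exit 1 }
            printf "OK: synced to %s, offset %.3f ms\n", peer, offset
            exit 0
        }'
}

# Sample inputs copied from the ntpq outputs shown on this page (embedded
# test data so the check runs offline).
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+217.147.208.1   194.242.34.149   2 u   61   64    3    9.450  -10.368  10.087
+192.33.214.57   129.194.216.1    3 u   55   64    7   13.198  -10.532   8.899
+94.23.99.155    94.23.99.153     3 u   31   64    7   27.351   -5.038   7.588
*192.33.96.102   .PPS.            1 u   24   64   17    9.889  -12.321  11.285'

SAMPLE_INIT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ds1789963.dedic .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 ntp1.as34288.ne .INIT.          16 -    - 1024    0    0.000    0.000   0.000'

# Demonstration on the healthy sample (exit status 0).
printf '%s\n' "$SAMPLE_SYNCED" | ntp_check 100
```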