Saturday, August 8, 2009

NTP Server Setup on Linux and Client Configuration for Cisco Switches and Routers, Windows XP / 2k3 and 2000 for Time Synchronization.

Reasonably accurate time and, more importantly, time that is synchronized across the whole network are critical for accurately tracing and correlating events and logs. While troubleshooting or investigating an incident you often need to compare logs from many devices, and that comparison is only useful if time is synchronized across the network.
Time synchronization is an important aspect of any security setup, and one that is very often overlooked.

NTP (Network Time Protocol) is the protocol used for this purpose: it synchronizes clients against a highly accurate reference time source. One point to note is that NTP provides time in UTC and has no provision for time zones or daylight saving time; these settings must be made separately on the client machines.

Stratum
Stratum is another important term in the context of an NTP implementation. The highest level of time source is stratum 0, the next level is stratum 1, and so on.
Stratum 0 devices are atomic clocks, radio clocks and other high-precision time sources. These devices are connected directly to stratum 1 sources.
Stratum 1 servers are time sources directly connected to stratum 0 devices, and they act as servers for stratum 2 clients.

Stratum 2 computers take their time from multiple stratum 1 servers and from other peer stratum 2 servers, and use an algorithm to reject time from inaccurate stratum 1 servers.
Stratum 3 computers use the same technique as stratum 1 and also act as a reference clock for many lower-stratum computers and devices.

NTP Implementation Hierarchy: You can have one of your devices or computers act as a server for all your devices. The other option is a hierarchical implementation in your network. The device at the topmost level of the hierarchy takes its time from a stratum 1 or 2 server on the Internet and then acts as a server for the devices lower in the hierarchy. The implementation depends on your particular need. But the most important factor to consider in any NTP implementation is the time source: it should be highly accurate, or else you will end up synchronizing your whole network to the wrong time.

Linux NTP Server Configuration:
Now let's see how we can configure our Linux boxes to act as a time server for our network. You can use any Linux distribution, such as Red Hat, Fedora, SUSE or any other you like. Most Linux distributions have the ntp package installed by default. If not, you can search for and download an RPM package for NTP.

Remember that most NTP RPM package names start with ntp followed by the version number, for example
ntp-4.1.2xxx.rpm.

Before we proceed, we need to zero in on a few accurate reference time sources. Evaluate time sources based on your geographical location and the accuracy of time you require. A geographically closer time source means fewer hops and thus, most probably, more accurate time. You can also check whether your ISP provides accurate time servers.
Ports required to be opened on the Firewall or Gateway Device:
UDP 123 (NTP)

NTP Server Configuration on Linux Machine:

The configuration of NTP is located in /etc/ntp.conf file.

Now log in with an account that has administrative privileges, or do a su.
1. Open the ntp.conf for editing.
root@linux# vi /etc/ntp.conf

2. Enter the time servers you want to use as your reference clock. For this example we will use the servers given below, but again the choice of time servers depends on the degree of accuracy required in your individual scenario.

server pool.ntp.org
server ntp.research.gov

3. Now restrict the type of access these servers have to your Linux box. You don't want to allow the remote time servers to modify the configuration of, or query, your Linux NTP server.
restrict pool.ntp.org mask 255.255.255.255 nomodify notrap noquery
restrict ntp.research.gov mask 255.255.255.255 nomodify notrap noquery


4. Now specify which networks are allowed to query time from your Linux time server. To allow time queries, remove "noquery" from the end of the restrict statement, as shown below.
restrict 172.16.0.0 mask 255.255.0.0 nomodify notrap

5. Now ensure that the local loopback address 127.0.0.1 has full access by removing "nomodify", "notrap" and "noquery" from the end of the restrict statement, as shown below.
restrict 127.0.0.1


6. Save ntp.conf file.

7. Now make sure that the ntpd service starts when the system is rebooted or started. For this, enter the following command.
root@linux# chkconfig ntpd on

8. Stop the NTP service if it is already running. This is required before updating the time on the time server from the reference clock; if the ntpd daemon is running, ntpdate will return an error.
root@linux# service ntpd stop
root@linux# ntpdate -u pool.ntp.org


9. Now start the ntpd daemon with the following command.
root@linux# service ntpd start
Check the status of the ntpd service with the following command; it should return a process ID as shown below.
root@linux# service ntpd status
ntpd (pid xxxxx) is running...

10. To check whether your synchronization is working, enter the command below. It shows the status of all the remote time sources you are synced with. In the example below we have only one remote time source.
root@linux# ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*120-88-47-10.in ntp1.nl.uu.net   2 u  552 1024  377    8.940   -1.223   0.178

If you are properly synchronized with the reference time source, the delay and offset of the Internet time server will not be zero and the jitter will be under 100.
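
The checks from step 10 as a script, an added example that is not part of the original article: it reads ntpq -p output, looks for the peer that ntpd marks with * (the selected system peer), and applies the article's jitter limit of 100. The function names, the two constructed sample inputs and the 128 ms offset threshold are assumptions.

```shell
#!/bin/sh
# Added example: apply the step-10 checks to `ntpq -p` output read on stdin.
# Prints one verdict line:
#   OK <peer> offset=<ms> jitter=<ms>   system peer (*) selected and healthy
#   WARN <peer> <reason>                peer selected but failing a check
#   FAIL no-system-peer                 no line carries the '*' tally code
# MAX_OFFSET_MS is an assumed threshold; the jitter limit of 100 is the article's.
MAX_OFFSET_MS=${MAX_OFFSET_MS:-128}

check_ntpq() {
    awk -v maxoff="$MAX_OFFSET_MS" '
        function abs(x) { return x < 0 ? -x : x }
        /^ *remote/ || /^=+/ { next }          # skip header and rule lines
        substr($0, 1, 1) == "*" {              # "*" marks the current system peer
            found = 1
            peer = substr($1, 2); reach = $7; offset = $9 + 0; jitter = $10 + 0
            if (reach == "0")              print "WARN " peer " reach=0"
            else if (abs(offset) > maxoff) print "WARN " peer " offset=" $9
            else if (jitter >= 100)        print "WARN " peer " jitter=" $10
            else print "OK " peer " offset=" $9 " jitter=" $10
            exit
        }
        END { if (!found) print "FAIL no-system-peer" }
    '
}

# Sample inputs. The first peer line is the one shown in the article; the
# other two are constructed (192.0.2.0/24 is a documentation range).
sample_synced() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*120-88-47-10.in ntp1.nl.uu.net   2 u  552 1024  377    8.940   -1.223   0.178
EOF
}
sample_unsynced() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.10      .INIT.          16 u    - 1024    0    0.000    0.000   0.000
EOF
}
sample_jittery() { cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.10      192.0.2.1        3 u   40   64  377   35.120   12.500 250.100
EOF
}

sample_synced | check_ntpq   # prints: OK 120-88-47-10.in offset=-1.223 jitter=0.178
```

On a live server, pipe the real output in with ntpq -p | check_ntpq and alert on anything other than OK, since logs from a host without a selected peer cannot be trusted for correlation.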

Configuring Clients to Synchronize with our NTP Server.

Linux Client (Red Hat or any other flavor):
For a Linux client, open the /etc/ntp.conf file, set server to the IP of your Linux time server and then save the file. For example:
server 172.x.x.x
restrict 172.x.x.x mask 255.255.255.255 nomodify notrap noquery
For proper synchronization the first time, stop the ntpd daemon if it is running and run
ntpdate -u 172.x.x.x
Then start the ntpd daemon and check the NTP status with ntpq -p as discussed above.

Windows XP / Server 2003:
To synchronize with the time server, double-click on the time in the lower right-hand corner.

If the time is not visible in the taskbar, open Date/Time in Control Panel as follows:

Click on the "Start" button.
Move the pointer to "Settings".
Move the pointer to "Control Panel" and click on "Control Panel".
Double-click on "Date/Time" to open Date and Time Properties.

Go to the Internet Time tab in this window.

Tick the check box "Automatically synchronize with an Internet time server".

Enter the IP address of your NTP server in the Server field, for example 172.x.x.x.
Click on Apply and then on the Update Now button.

The time should now synchronize with the NTP server 172.x.x.x, and a message that the time has been successfully synchronized should be displayed.

NTP Synchronization Setting on Windows 2000 Server:


NTP synchronization on Windows 2000 may be tricky for some, as there is no Internet Time tab in the time properties. We will have to do this from the command prompt.

a. Open Command Prompt

b. Enter the following command
net time /setsntp:172.x.x.x

c. Then stop the windows time service with the following command
net stop W32Time

d. Start the windows time service with the following command
net start W32Time

Synchronize Cisco Switches and Routers:

To synchronize Cisco switches and routers, perform the following steps:

cisco# config t
cisco(config)# clock timezone GMT 0 00
cisco(config)# ntp update-calendar
cisco(config)# ntp server 172.x.x.x
cisco(config)# exit
cisco# wr mem

To check whether the switch or router is synchronized correctly, run show ntp status. It should show that the clock is synchronized, along with the reference time source, in our case 172.x.x.x.

If you face any problem while implementing NTP Server or Client, let me know and I would be glad to help you.


Let me know if this article helped you in any way or you have any ideas to share.