In our previous article, we learnt how to setup NTP server using Chronyd on Fedora28/Fedora29. Well, this is yet another guide on how to install and configure NTP server using NTPd on Fedora 29/Fedora 28. Step through this guide in order to setup your NTP server for automatic time adjustments.
The ntpd deamon is provided by the ntp package. Therefore, run the command below to install ntpd.
dnf install ntp -y
In order to use ntpd the default user space daemon, chronyd, must be stopped and disabled, if at all it is installed on the same system. Run the commands below to stop and disable chronyd from restarting at system start.
systemctl stop chronyd systemctl disable chronyd
To start and enable ntpd at system start, run the following command;
systemctl start ntpd systemctl enable ntpd
The main configuration file for NTP is
/etc/ntp.conf. This file is installed together with ntpd and is configured to use time servers from the Fedora pool by default.
Configure Acces control to NTP service
Access to the NTP service can be controlled or restricted by making the use of the
restrictcommand in the ntp.conf file. The command syntax is;
restrict option where option can be;
ignore— All packets will be ignored, including ntpq and ntpdc queries.
kod— a “Kiss-o’-death” packet is to be sent to reduce unwanted queries.
limited— do not respond to time service requests if the packet violates the rate limit default values or those specified by the discard command. ntpq and ntpdc queries are not affected.
lowpriotrap— traps set by matching hosts to be low priority.
nomodify— prevents any changes to the configuration.
noquery— prevents ntpq and ntpdc queries, but not time queries, from being answered. This can help prevent NTP amplification attacks.
nopeer— prevents a peer association being formed.
noserver— deny all packets except ntpq and ntpdc queries.
notrap— prevents ntpdc control message protocol traps.
notrust— deny packets that are not cryptographically authenticated.
notpport— modify the match algorithm to only apply the restriction if the source port is the standard NTP UDP port 123.
version— deny packets that do not match the current NTP version.
To restrict local access to the server, edit the
/etc/ntp.conf and add the network range the server is allowed to receive requests from.
... # Hosts on local network are less restricted. #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap restrict 192.168.43.0 mask 255.255.255.0 nomodify notrap ...
Configure time servers
NTP is configured to use time servers from the Fedora pool by default. Therefore, change this by replacing the time servers with the servers close to your timezone area.
... # Use public servers from the pool.ntp.org project. # Please consider joining the pool (http://www.pool.ntp.org/join.html). #pool 2.fedora.pool.ntp.org iburst server 0.africa.pool.ntp.org iburst server 1.africa.pool.ntp.org iburst server 2.africa.pool.ntp.org iburst server 3.africa.pool.ntp.org iburst ...
Configure Firewall to Allow Incoming NTP connections
NTP listens on UDP port 123 and therefore, traffic to this port has to be e permitted through network and host-based firewalls in order for NTP to function. Run the command below to allow packets to port 123/UDP.
firewall-cmd --add-port=123/udp --permanent firewall-cmd --reload
Restart NTPd daemon
systemctl restart ntpd
To verify if NTP server is working normally, run the command below.
# ntpq -p remote refid st t when poll reach delay offset jitter ============================================================================== *lon1.kakte.com 22.214.171.124 3 u 56 64 377 232.746 115.195 181.208 +ntp3.inx.net.za 0.60.139.194 2 u 13 64 377 289.535 15.691 202.211 +ntp.blueline.mg 126.96.36.199 2 u 55 64 377 501.236 131.465 54.479
Now that all is well, proceed to configure NTP client.
Configure NTP client
In order to receive time synchronization from our NTP server, proceed to configure the client. In this case, you can either use the NTP service daemon (
ntpdate command as follows;