Setup NTP server Using NTPd on Debian 10 Buster

Follow through this guide to learn how to setup NTP server using NTPd on Debian 10 Buster.

Configure NTP server Using NTPd on Debian 10 Buster

Run System Update

Before you can proceed, run the command below to update your system packages.

apt update -y

Install NTP on Debian 10 Buster

The ntp package provides the NTPd deamon that is responsible for setting and maintaining the system time of day in synchronism with Internet standard time servers. The ntp package is available on the default Debian 10 Buster repositories. Hence, you can install be executing the command below;

apt install ntp -y

Running NTP Service

NTP is started and enabled to run on system boot after the installation. To check the status;

systemctl status ntp

● ntp.service - Network Time Service
   Loaded: loaded (/lib/systemd/system/ntp.service; enabled; vendor preset: enabled)
   Active: active (running) since Wed 2019-07-31 15:36:19 EDT; 4min 17s ago
     Docs: man:ntpd(8)
 Main PID: 6163 (ntpd)
    Tasks: 2 (limit: 4701)
   Memory: 1.4M
   CGroup: /system.slice/ntp.service
           └─6163 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 107:115

To check if it is enabled to run on system reboot;

systemctl is-enabled ntp

enabled

Configure NTP Pool

NTP is configured to use time servers from the Debian pool by default for time synchronization. You can configure your NTP server to use time servers close to your timezone.

The obtain a list of the servers on your timezone (or your Continent) from NTP Public Pool Time Servers. Next, open NTP configuration file and comment the Debian pool servers and add your timezone NTP pool time servers. For example, to use NTP time pool servers from Europe, you would add the lines below to NTP configuration.

server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org

vim /etc/ntp.conf

...
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst
server 0.europe.pool.ntp.org
server 1.europe.pool.ntp.org
server 2.europe.pool.ntp.org
server 3.europe.pool.ntp.org
...

Configure NTP Server Access Control

To allow only specific NTP clients to query time services from your NTP server for time synchronization, you need to set the access control to define which clients to allow. This can be done using the NTP restrict parameter which takes the syntax;

restrict address [mask mask] [other options]

For example, to allow hosts on 192.168.1.0/24 network to query the just time and statistics from your NTP server;

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer

...
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1

# Allow hosts from 192.168.1.0/24 network to query time and statistics
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap nopeer
...

Where:

• nomodify options prevents any changes to the configuration
• notrap option prevents ntpdc control message protocol traps.
• nopeer option prevents a peer association being formed

For a basic NTP server setup, that is just about the configuration. Save the configuration and restart the NTP service.

systemctl restart ntp

Check NTP server connection to NTP peers and the summary of their state by running the command;

ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+dbn-ntp.mweb.co 194.58.204.148   2 u    8   64  377   91.919   14.732  36.071
*ntp4.inx.net.za 0.60.139.194     2 u    5   64  377  108.066   -0.762  30.303
+ns2.botsnet.bw  209.51.161.238   2 u   11   64  377   79.363   14.837  44.564
+ns1.botsnet.bw  209.51.161.238   2 u    4   64  377  123.420  -12.651  10.062

As you can see, our NTP server is now peered to ntp4.inx.net.za. The asterisk (*) shows preferred time source.

Open NTP on Firewall

If UFW is running, you can simply allow NTP incoming queries from the specific network.

ufw allow from 192.168.1.0/24 to any port 123 proto udp

Configure NTP Client

To verify that the configured server is actually working, you need to setup an NTP client to query time from our NTP server. This guide similarly uses Debian 10 Buster as an NTP client.

Well, if you need to just run time synchronization once, you can simply use the ntpdate command. To install ntpdate;

apt install ntpdate

Once the installation is done, you can query time services from the server using ntpdate by running the command;

ntpdate 192.168.1.107

 3 Aug 09:02:15 ntpdate[1261]: adjust time server 192.168.1.107 offset 0.006268 sec

If you need to automatically set your client to query time from the NTP server all the time, you can use NTP daemon itself. Hence, install NTP package and configure it to query time services from your NTP server.

apt install ntp

Once the installation is done, configure your NTP client to query the NTP server. This can be done by using the server command which takes the form;

server address

For example;

server 192.168.1.107 iburst

vim /etc/ntp.conf

...
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
server 192.168.1.107 iburst

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
#pool 0.debian.pool.ntp.org iburst
#pool 1.debian.pool.ntp.org iburst
#pool 2.debian.pool.ntp.org iburst
#pool 3.debian.pool.ntp.org iburst

timedatectl set-ntp off

systemctl restart ntp

ntpq -p

     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.168.1.107   196.10.52.58     3 u    2   64    1    0.080  1102276   0.000