17.17. Configure NTP

To change the default configuration of the NTP service, use a text editor running as root user to edit the /etc/ntp.conf file. This file is installed together with ntpd and is configured to use time servers from the Red Hat pool by default. The man page ntp.conf(5) describes the command options that can be used in the configuration file apart from the access and rate limiting commands which are explained in the ntp_acc(5) man page.

17.17.1. Configure Access Control to an NTP Service

To restrict or control access to the NTP service running on a system, make use of the restrict command in the ntp.conf file. See the commented out example:
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
The restrict command takes the following form:
restrict option
where option is one or more of:
  • ignore — All packets will be ignored, including ntpq and ntpdc queries.
  • kod — a Kiss-o'-death packet is to be sent to reduce unwanted queries.
  • limited — do not respond to time service requests if the packet violates the rate limit default values or those specified by the discard command. ntpq and ntpdc queries are not affected. For more information on the discard command and the default values, see Section 17.17.2, “Configure Rate Limiting Access to an NTP Service”.
  • lowpriotrap — traps set by matching hosts to be low priority.
  • nomodify — prevents any changes to the configuration.
  • noquery — prevents ntpq and ntpdc queries, but not time queries, from being answered.
  • nopeer — prevents a peer association being formed.
  • noserve — deny all packets except ntpq and ntpdc queries.
  • notrap — prevents ntpdc control message protocol traps.
  • notrust — deny packets that are not cryptographically authenticated.
  • ntpport — modify the match algorithm to only apply the restriction if the source port is the standard NTP UDP port 123.
  • version — deny packets that do not match the current NTP version.
To configure rate limit access to not respond at all to a query, the respective restrict command has to have the limited option. If ntpd should reply with a KoD packet, the restrict command needs to have both limited and kod options.
The ntpq and ntpdc queries can be used in amplification attacks (see CVE-2013-5211 for more details), do not remove the noquery option from the restrict default command on publicly accessible systems.

17.17.2. Configure Rate Limiting Access to an NTP Service

To enable rate limiting access to the NTP service running on a system, add the limited option to the restrict command as explained in Section 17.17.1, “Configure Access Control to an NTP Service”. If you do not want to use the default discard parameters, then also use the discard command as explained here.
The discard command takes the following form:
discard [average value] [minimum value] [monitor value]
  • average — specifies the minimum average packet spacing to be permitted, it accepts an argument in log2 seconds. The default value is 3 (23 equates to 8 seconds).
  • minimum — specifies the minimum packet spacing to be permitted, it accepts an argument in log2 seconds. The default value is 1 (21 equates to 2 seconds).
  • monitor — specifies the discard probability for packets once the permitted rate limits have been exceeded. The default value is 3000 seconds. This option is intended for servers that receive 1000 or more requests per second.
Examples of the discard command are as follows:
discard average 4
discard average 4 minimum 2

17.17.3. Adding a Peer Address

To add the address of a peer, that is to say, the address of a server running an NTP service of the same stratum, make use of the peer command in the ntp.conf file.
The peer command takes the following form:
peer address
where address is an IP unicast address or a DNS resolvable name. The address must only be that of a system known to be a member of the same stratum. Peers should have at least one time source that is different to each other. Peers are normally systems under the same administrative control.

17.17.4. Adding a Server Address

To add the address of a server, that is to say, the address of a server running an NTP service of a higher stratum, make use of the server command in the ntp.conf file.
The server command takes the following form:
server address
where address is an IP unicast address or a DNS resolvable name. The address of a remote reference server or local reference clock from which packets are to be received.

17.17.5. Adding a Broadcast or Multicast Server Address

To add a broadcast or multicast address for sending, that is to say, the address to broadcast or multicast NTP packets to, make use of the broadcast command in the ntp.conf file.
The broadcast and multicast modes require authentication by default. See Section 17.6, “Authentication Options for NTP”.
The broadcast command takes the following form:
broadcast address
where address is an IP broadcast or multicast address to which packets are sent.
This command configures a system to act as an NTP broadcast server. The address used must be a broadcast or a multicast address. Broadcast address implies the IPv4 address 255.255.255.255. By default, routers do not pass broadcast messages. The multicast address can be an IPv4 Class D address, or an IPv6 address. The IANA has assigned IPv4 multicast address 224.0.1.1 and IPv6 address FF05::101 (site local) to NTP. Administratively scoped IPv4 multicast addresses can also be used, as described in RFC 2365 Administratively Scoped IP Multicast.

17.17.6. Adding a Manycast Client Address

To add a manycast client address, that is to say, to configure a multicast address to be used for NTP server discovery, make use of the manycastclient command in the ntp.conf file.
The manycastclient command takes the following form:
manycastclient address
where address is an IP multicast address from which packets are to be received. The client will send a request to the address and select the best servers from the responses and ignore other servers. NTP communication then uses unicast associations, as if the discovered NTP servers were listed in ntp.conf.
This command configures a system to act as an NTP client. Systems can be both client and server at the same time.

17.17.7. Adding a Broadcast Client Address

To add a broadcast client address, that is to say, to configure a broadcast address to be monitored for broadcast NTP packets, make use of the broadcastclient command in the ntp.conf file.
The broadcastclient command takes the following form:
broadcastclient
Enables the receiving of broadcast messages. Requires authentication by default. See Section 17.6, “Authentication Options for NTP”.
This command configures a system to act as an NTP client. Systems can be both client and server at the same time.

17.17.8. Adding a Manycast Server Address

To add a manycast server address, that is to say, to configure an address to allow the clients to discover the server by multicasting NTP packets, make use of the manycastserver command in the ntp.conf file.
The manycastserver command takes the following form:
manycastserver address
Enables the sending of multicast messages. Where address is the address to multicast to. This should be used together with authentication to prevent service disruption.
This command configures a system to act as an NTP server. Systems can be both client and server at the same time.

17.17.9. Adding a Multicast Client Address

To add a multicast client address, that is to say, to configure a multicast address to be monitored for multicast NTP packets, make use of the multicastclient command in the ntp.conf file.
The multicastclient command takes the following form:
multicastclient address
Enables the receiving of multicast messages. Where address is the address to subscribe to. This should be used together with authentication to prevent service disruption.
This command configures a system to act as an NTP client. Systems can be both client and server at the same time.

17.17.10. Configuring the Burst Option

Using the burst option against a public server is considered abuse. Do not use this option with public NTP servers. Use it only for applications within your own organization.
To increase the average quality of time offset statistics, add the following option to the end of a server command:
burst
At every poll interval, when the server responds, the system will send a burst of up to eight packets instead of the usual one packet. For use with the server command to improve the average quality of the time-offset calculations.

17.17.11. Configuring the iburst Option

To improve the time taken for initial synchronization, add the following option to the end of a server command:
iburst
When the server is unreachable, send a burst of eight packets instead of the usual one packet. The packet spacing is normally 2 s; however, the spacing between the first and second packets can be changed with the calldelay command to allow additional time for a modem or ISDN call to complete. For use with the server command to reduce the time taken for initial synchronization. This is now a default option in the configuration file.

17.17.12. Configuring Symmetric Authentication Using a Key

To configure symmetric authentication using a key, add the following option to the end of a server or peer command:
key number
where number is in the range 1 to 65534 inclusive. This option enables the use of a message authentication code (MAC) in packets. This option is for use with the peer, server, broadcast, and manycastclient commands.
The option can be used in the /etc/ntp.conf file as follows:
server 192.168.1.1 key 10
broadcast 192.168.1.255 key 20
manycastclient 239.255.254.254 key 30

17.17.13. Configuring the Poll Interval

To change the default poll interval, add the following options to the end of a server or peer command:
minpoll value and maxpoll value
Options to change the default poll interval, where the interval in seconds will be calculated by raising 2 to the power of value, in other words, the interval is expressed in log2 seconds. The default minpoll value is 6, 26 equates to 64 s. The default value for maxpoll is 10, which equates to 1024 s. Allowed values are in the range 3 to 17 inclusive, which equates to 8 s to 36.4 h respectively. These options are for use with the peer or server. Setting a shorter maxpoll may improve clock accuracy.

17.17.14. Configuring Server Preference

To specify that a particular server should be preferred above others of similar statistical quality, add the following option to the end of a server or peer command:
prefer
Use this server for synchronization in preference to other servers of similar statistical quality. This option is for use with the peer or server commands.

17.17.15. Configuring the Time-to-Live for NTP Packets

To specify that a particular time-to-live (TTL) value should be used in place of the default, add the following option to the end of a server or peer command:
ttl value
Specify the time-to-live value to be used in packets sent by broadcast servers and multicast NTP servers. Specify the maximum time-to-live value to use for the expanding ring search by a manycast client. The default value is 127.

17.17.16. Configuring the NTP Version to Use

To specify that a particular version of NTP should be used in place of the default, add the following option to the end of a server or peer command:
version value
Specify the version of NTP set in created NTP packets. The value can be in the range 1 to 4. The default is 4.