How to Run Your Own Public Time Server on Linux
One of the most important public services is timekeeping, but it doesn’t get a lot of attention. Most public time servers are run by volunteers to help meet always-increasing demands. Learn how to run your own public time server and contribute to an essential public good. (See Keep Accurate Time on Linux with NTP to learn how to set up a LAN time server.)
Famous Time Server Abusers
Like everything in life, even something as beneficial as a time server is subject to abuse fueled by either incompetence or malice.
Vendors of consumer network appliances are notorious for creating big messes. The first one I recall happened in 2003, when Netgear hard-coded the address of the University of Wisconsin-Madison’s NTP server into their routers. All of a sudden the server was getting hammered with requests, and the more routers Netgear sold, the worse it got. Adding to the fun, the routers were programmed to send requests every second, which is way too many. Netgear issued a firmware upgrade, but few users ever upgrade their devices, and a number of them are pummeling the University of Wisconsin-Madison’s NTP server to this day. Netgear gave them a pile of money, which hopefully will cover their costs until the last defective router dies. Similar ineptitudes were perpetrated by D-Link, Snapchat, TP-Link, and others.
The NTP protocol has become a choice vector for distributed denial-of-service attacks, using both reflection and amplification. It is called reflection when an attacker uses a forged source address to target a victim; the attacker sends requests to multiple servers, which then reply and bombard the forged address. Amplification is a large reply to a small request. For example, on Linux the ntpq command is a useful tool to query your NTP servers to verify that they are operating correctly. Some replies, such as lists of peers, are large. Combine reflection with amplification, and an attacker can get a return of 10x or more on the bandwidth they spend on the attack.
How do you protect your nice beneficial public NTP server? Start by using NTP 4.2.7p26 or newer, which hopefully is not an issue with your Linux distribution because that version was released in 2010. That release shipped with the most significant abuse vectors disabled as the default. The current release is 4.2.8p10, released in 2017.
Another step you can take, which you should be doing anyway, is to use ingress and egress filtering on your network. Block packets from entering your network that claim to be from your network, and block outgoing packets with forged return addresses. Ingress filtering helps you, and egress filtering helps you and everyone else. Read BCP38.info for much more information.
Stratum 0, 1, 2 Time Servers
NTP is more than 30 years old, one of the oldest Internet protocols that is still widely used. Its purpose is to keep computers synchronized to Coordinated Universal Time (UTC). The NTP network is both hierarchical, organized into strata, and peer-based. Stratum 0 contains master timekeeping devices such as atomic clocks. Stratum 1 time servers synchronize with Stratum 0 devices. Stratum 2 time servers synchronize with Stratum 1 time servers, and Stratum 3 with Stratum 2. The NTP protocol supports 16 strata, though in real life there are not that many. Servers in each stratum also peer with each other.
In the olden days, we selected individual NTP servers for our client configurations. Those days are long gone, and now the better way is to use the NTP pool addresses, which use round-robin DNS to share the load. Pool addresses are only for clients, such as individual PCs and your local LAN NTP server. When you run your own public server you won’t use the pool addresses.
Public NTP Server Configuration
There are two steps to running a public NTP server: set up your server, and then apply to join the NTP server pool. Running a public NTP server is a noble deed, but make sure you know what you’re getting into. Joining the NTP pool is a long-term commitment, because even if you run it for a short time and then quit, you’ll be receiving requests for years.
You need a static public IP address, a permanent reliable Internet connection with at least 512Kb/s bandwidth, and the knowledge to configure your firewall correctly. NTP uses UDP port 123. The machine itself doesn’t have to be any great thing, and a lot of admins piggyback NTP on other public-facing servers such as Web servers.
Configuring a public NTP server is just like configuring a LAN NTP server, with a few more configurations. Start by reading the Rules of Engagement. Follow the rules and mind your manners; almost everyone maintaining a time server is a volunteer just like you. Then select 4-7 Stratum 2 upstream time servers from StratumTwoTimeServers. Select some that are geographically close to your upstream Internet service provider (mine is 300 miles away), read their access policies, and then use ping and mtr to find the servers with the lowest latency and the fewest hops.
This example /etc/ntp.conf includes both IPv4 and IPv6 and basic safeguards:
# stratum 2 server list
server servername_1 iburst
server servername_2 iburst
server servername_3 iburst
server servername_4 iburst
server servername_5 iburst

# access restrictions
restrict -4 default kod noquery nomodify notrap nopeer limited
restrict -6 default kod noquery nomodify notrap nopeer limited

# Allow ntpq and ntpdc queries only from localhost
restrict 127.0.0.1
restrict ::1
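The restrict lines are where the abuse protection lives, and a default rule that is missing, or that lacks noquery, is exactly what turns a server into an amplifier. The following audit script is an added example (not code from the article); it parses the restrict lines of an ntp.conf and reports which of the article's safeguards are absent from the IPv4 and IPv6 default rules, using two constructed configs built from the article's placeholder syntax.

```python
# Audit the 'restrict default' lines of an ntp.conf for the safeguards the
# article applies.  Added example; WEAK_CONF and HARDENED_CONF are constructed.

# The flags the article's example sets on both the IPv4 and IPv6 default rule.
REQUIRED_FLAGS = {"kod", "noquery", "nomodify", "notrap", "nopeer", "limited"}

def parse_restrictions(conf_text):
    """Map each restricted address to its set of flags, ignoring comments.
    A bare 'restrict default' applies to both families: recorded under both keys."""
    rules = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else None
        if not tokens:
            continue
        addr = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":  # 'restrict NET mask MASK flags'
            del tokens[:2]
        if addr == "default":
            keys = {"-4": ["default4"], "-6": ["default6"]}.get(family, ["default4", "default6"])
        else:
            keys = [addr]
        for key in keys:
            rules.setdefault(key, set()).update(tokens)
    return rules

def audit_default_restrictions(conf_text):
    """Return {family: sorted missing flags}.  A family with no default rule is
    missing every flag: ntpd then answers ntpq peer-list queries from anyone."""
    rules = parse_restrictions(conf_text)
    return {fam: sorted(REQUIRED_FLAGS - rules.get(fam, set()))
            for fam in ("default4", "default6")}

# Constructed weak config: blocks modification but still answers queries.
WEAK_CONF = """
restrict default nomodify notrap
restrict 127.0.0.1
"""

# The article's hardened restrictions, constructed into a minimal config.
HARDENED_CONF = """
restrict -4 default kod noquery nomodify notrap nopeer limited
restrict -6 default kod noquery nomodify notrap nopeer limited
restrict 127.0.0.1
restrict ::1
"""
```

Running audit_default_restrictions on a real /etc/ntp.conf before applying to the pool gives an empty list for both families when the file matches the article's example.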
Start your NTP server, let it run for a few minutes, and then test that it is querying the remote servers:
$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+tock.no-such-ag 200.98.196.212   2 u   36   64    7   98.654   88.439  65.123
+PBX.cytranet.ne 45.33.84.208     3 u   37   64    7   72.419  113.535 129.313
*eterna.binary.n 199.102.46.70    2 u   39   64    7   92.933   98.475  56.778
+time.mclarkdev. 132.236.56.250   3 u   37   64    5  111.059   88.029  74.919
Good so far. Now test from another PC, using your NTP server name. The following example shows correct output. If something is not correct you’ll see an error message.
$ ntpdate -q yourservername
server 66.96.99.10, stratum 2, offset 0.017690, delay 0.12794
server 98.191.213.2, stratum 1, offset 0.014798, delay 0.22887
server 173.49.198.27, stratum 2, offset 0.020665, delay 0.15012
server 129.6.15.28, stratum 1, offset -0.018846, delay 0.20966
26 Jan 11:13:54 ntpdate[17293]: adjust time server 98.191.213.2 offset 0.014798 sec
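The ntpq -p listing above is the health check you will keep running once the server is in the pool, and two columns carry the meaning: the tally character in column one says which peer ntpd selected, and reach is an octal shift register of the last eight polls (7 means three answered, 377 means all eight). The script below is an added example, not part of the article; it parses the article's own listing, re-typed as constructed input, and reports whether the server is synchronised and which stratum it will advertise.

```python
# Parse 'ntpq -p' output and summarise whether ntpd has selected a system peer.
# Added example; SAMPLE is the article's listing, re-typed as constructed input.

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+tock.no-such-ag 200.98.196.212   2 u   36   64    7   98.654   88.439  65.123
+PBX.cytranet.ne 45.33.84.208     3 u   37   64    7   72.419  113.535 129.313
*eterna.binary.n 199.102.46.70    2 u   39   64    7   92.933   98.475  56.778
+time.mclarkdev. 132.236.56.250   3 u   37   64    5  111.059   88.029  74.919
"""

# Tally code in column one: how ntpd's selection algorithms classified the peer.
TALLY = {"*": "system peer", "o": "pps peer", "+": "candidate",
         "-": "outlier", "x": "falseticker", " ": "rejected"}

def parse_ntpq_peers(text):
    """One dict per peer line.  'reach' is an octal register of the last eight
    polls, so its popcount is the number of polls the peer answered."""
    peers, in_body = [], False
    for line in text.splitlines():
        if line.startswith("="):          # separator under the header row
            in_body = True
            continue
        if not in_body or not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        remote, refid, st, t, when, poll, reach, delay, offset, jitter = fields
        reach_bits = int(reach, 8)
        peers.append({
            "tally": tally, "state": TALLY.get(tally, "unknown"),
            "remote": remote, "refid": refid, "stratum": int(st), "type": t,
            "when": int(when) if when.isdigit() else when, "poll": int(poll),
            "reach": reach_bits, "polls_ok": bin(reach_bits).count("1"),
            "delay_ms": float(delay), "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers

def sync_status(peers):
    """Report the selected peer, the stratum this server will advertise (one more
    than its system peer; 16 means unsynchronised) and peers with reach < 377."""
    sys_peer = next((p for p in peers if p["tally"] == "*"), None)
    return {
        "synchronised": sys_peer is not None,
        "system_peer": sys_peer["remote"] if sys_peer else None,
        "our_stratum": sys_peer["stratum"] + 1 if sys_peer else 16,
        "incomplete_reach": [p["remote"] for p in peers if p["reach"] != 0o377],
    }
```

On the article's listing every peer still has incomplete reach because the daemon has only polled three times; after a few more minutes the reach column should read 377 and incomplete_reach should be empty.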
Once your server is running satisfactorily, apply at manage.ntppool.org to join the pool.
See the official handbook, The Network Time Protocol (NTP) Distribution, to learn about all the command and configuration options, and advanced features such as management, querying, and authentication. Visit the following sites to learn pretty much everything you need about running a time server.
About time synchronisation
Network Time Protocol (NTP) is a networking protocol for synchronising time over a network. Basically, a client requests the current time from a server, and uses it to set its own clock.
Behind this simple description, there is a lot of complexity. There are three tiers of NTP servers; tier one NTP servers are connected to atomic clocks, while tier two and tier three servers spread the load of actually handling requests across the Internet.
The client software is also a lot more complex than you might expect. It must factor in communication delays and adjust the time in a way that does not upset all the other processes that run on the server. Luckily, all that complexity is hidden from you!
Ubuntu uses timedatectl / timesyncd to synchronise time by default, and both are available out of the box. See our guide if you would like to know how to configure timedatectl and timesyncd.
Users can also optionally use chrony to serve NTP.
How time synchronisation works
Since Ubuntu 16.04, timedatectl / timesyncd (which are part of systemd) replace most of ntpdate / ntp.
About timesyncd
timesyncd replaces not only ntpdate, but also the client portion of chrony (formerly ntpd). So, on top of the one-shot action that ntpdate provided on boot and network activation, timesyncd now regularly checks and keeps your local time in sync. It also stores time updates locally, so that after reboots the time monotonically advances (if applicable).
About timedatectl
If chrony is installed, timedatectl steps back to let chrony handle timekeeping. This ensures that no two time-syncing services can conflict with each other.
ntpdate is now considered deprecated in favor of timedatectl (or chrony) and is no longer installed by default. timesyncd will generally keep your time in sync, and chrony will help with more complex cases. But if you had one of a few known special ntpdate use cases, consider the following:
- If you require a one-shot sync, use: chronyd -q
- If you require a one-shot time check (without setting the time), use: chronyd -Q
While use of ntpd is no longer recommended, the same consideration applies to an ntpd installation that was kept through an upgrade to retain your previous behaviour and configuration. It also implies that after an upgrade from a former release, ntp / ntpdate might still be installed, which leaves the new systemd-based services disabled.
Further reading
- ntp.org: home of the Network Time Protocol project
- pool.ntp.org: project of virtual cluster of timeservers
- Freedesktop.org info on timedatectl
- Freedesktop.org info on systemd-timesyncd service
- Chrony FAQ
- Feeding chrony from GPSD
- Also see the Ubuntu Time wiki page for more information.