Saucepan

User Tools

Site Tools

Trace:
ntp:ntp

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
ntp:ntp [2024/01/24 10:12] – [NTP] bstaffordntp:ntp [2026/03/07 03:59] (current) bstafford
Line 1: Line 1:
 ====== NTP ====== ====== NTP ======
   * There is a dedicated page for [[ntp:ntp_pools|public NTP servers]].   * There is a dedicated page for [[ntp:ntp_pools|public NTP servers]].
-  * There is a dedicated page to [[infoblox_nios:ntp_on_infoblox|Infoblox NTP]].+  * There is a dedicated page to [[infoblox:ntp_on_infoblox|Infoblox NTP]].
   * A good overview of NTP is [[https://www.meinbergglobal.com/english/info/ntp.htm|here on the meinbergglobal page]].   * A good overview of NTP is [[https://www.meinbergglobal.com/english/info/ntp.htm|here on the meinbergglobal page]].
  
Line 8: Line 8:
 **DO NOT** configure your system to use leap-smearing NTP servers as well as non-leap-smearing NTP servers at the same time. e.g. do not combine Google NTP with Cloudflare NTP. See [[ntp_pools#leap_smearing|here]]. **DO NOT** configure your system to use leap-smearing NTP servers as well as non-leap-smearing NTP servers at the same time. e.g. do not combine Google NTP with Cloudflare NTP. See [[ntp_pools#leap_smearing|here]].
  
 +**DO NOT** configure your NTP servers in an NTP anycast scenario. This means avoid Google NTP as that is on anycast. There are some use cases (e.g. large network, time is important but not critical, endpoint device can only be configured with a single NTP IP address).
  
 Try to use sources with a low poll time. Try to use sources with a low poll time.
Line 34: Line 35:
 ===== NTPQ Commands ===== ===== NTPQ Commands =====
 [[https://www.cyberithub.com/ntpq-command-examples-in-linux-rhel-centos-7-8/|Commands here]]. [[https://www.cyberithub.com/ntpq-command-examples-in-linux-rhel-centos-7-8/|Commands here]].
 +
 +===== Linux NTP Test =====
 +
 +<code>ntpdate -q 192.168.1.1</code>
 +
 +<code>watch -n 2 "ntpdate -q 192.168.1.1"</code>
 ===== AWS NTP ===== ===== AWS NTP =====
 You can query NTP in AWS at this IP You can query NTP in AWS at this IP
 <code>169.254.169.123</code> <code>169.254.169.123</code>
 The 169.254.169.123 clock smooths out leap seconds over a period of time (commonly called leap smearing) which makes it easy for your applications to deal with leap seconds. The 169.254.169.123 clock smooths out leap seconds over a period of time (commonly called leap smearing) which makes it easy for your applications to deal with leap seconds.
 +
 +[[https://aws.amazon.com/blogs/aws/keeping-time-with-amazon-time-sync-service/|AWS provides]] a highly accurate, time synchronization service (Amazon Time Sync Service - ATSS - 169.254.169.123) inside every EC2 instance. It uses a fleet of redundant satellite-connected and atomic clocks in each region to deliver a highly accurate reference clock.
 +
 ===== Windows NTP ===== ===== Windows NTP =====
 **REMEMBER** It is important to note that W32Time will only actively synchronize with one time source at a time, even though you are able to list more than one time source. ([[https://docs.microsoft.com/en-gb/archive/blogs/w32time/configuring-the-time-service-ntpserver-and-specialpollinterval|source]]) **REMEMBER** It is important to note that W32Time will only actively synchronize with one time source at a time, even though you are able to list more than one time source. ([[https://docs.microsoft.com/en-gb/archive/blogs/w32time/configuring-the-time-service-ntpserver-and-specialpollinterval|source]])
Line 45: Line 55:
 ==== Test Windows NTP ==== ==== Test Windows NTP ====
 You can test NTP manually using Windows using the following command (where 192.168.1.1 is the IP of the NTP server). You can test NTP manually using Windows using the following command (where 192.168.1.1 is the IP of the NTP server).
-<code>w32tm /stripchart /dataonly /computer:192.168.1.1</code>+<code>w32tm /stripchart /dataonly /period:/computer:192.168.1.1</code>
  
 ==== Resync Windows NTP ==== ==== Resync Windows NTP ====
Line 160: Line 170:
  
 ===== Burst and iBurst ===== ===== Burst and iBurst =====
 +[[https://www.eecis.udel.edu/~mills/ntp/html/assoc.html#poll|Documentation]]
 +
 Using the burst option against a public server is considered abuse. Do not use this option with public NTP servers. Use it only for applications within your own organization. Using the burst option against a public server is considered abuse. Do not use this option with public NTP servers. Use it only for applications within your own organization.
  
Line 175: Line 187:
 <code>$stringAsStream = [System.IO.MemoryStream]::new() $writer = [System.IO.StreamWriter]::new($stringAsStream) $writer.write("ThisIsMyKeyString") $writer.Flush() $stringAsStream.Position = 0 Get-FileHash -InputStream $stringAsStream - Algorithm xxx| Select-Object Hash</code> <code>$stringAsStream = [System.IO.MemoryStream]::new() $writer = [System.IO.StreamWriter]::new($stringAsStream) $writer.write("ThisIsMyKeyString") $writer.Flush() $stringAsStream.Position = 0 Get-FileHash -InputStream $stringAsStream - Algorithm xxx| Select-Object Hash</code>
  
 +===== NTP Configuration =====
 +[[https://www.ntp.org/documentation/4.2.8-series/accopt/|Official NTP Docs]] on configuration.
 +
 +[[https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/6/html/deployment_guide/s2_configure_rate_limiting_access_to_an_ntp_service|Red Hat Docs on NTP Config]]
 +
 +[[https://docs.ntpsec.org/latest/ntpq.html#mrulist|Docs on mrulist]].
 +
 +Example code snipped from NTP configuration file
 +<code>< 
 +driftfile /var/lib/ntp/ntp.drift
 +logfile /var/log/ntpd.log
 +discard average 3 minimum 1 monitor 10.
 +restrict -4 default kod limited nomodify noquery nopeer
 +restrict 127.0.0.1
 +restrict ::1
 +server 127.127.1.1 burst iburst prefer.
 +fudge 127.127.1.1 stratum 1
 +~
 +</code>
 +  * **discard**
 +    * **average** - specifies the minimum average packet spacing to be permitted, it accepts an argument in log2 seconds. The default value is 3 (23 equates to 8 seconds). 
 +    * **minimum** - specifies the minimum packet spacing to be permitted, it accepts an argument in log2 seconds. The default value is 1 (21 equates to 2 seconds). 
 +    * **monitor** - specifies the discard probability for packets once the permitted rate limits have been exceeded. The default value is 3000 seconds. This option is intended for servers that receive 1000 or more requests per second.
 +  * **restrict** 
 +    * **-4** - Apply this rule to IPv4 only (there is usually a matching restrict -6 ... for IPv6).
 +    * **default** - This is the catch-all rule for all IPv4 addresses (0.0.0.0/0) that don’t match a more specific restrict line. 
 +    * **kod** - Flag: When a client exceeds the rate limits set by the discard command (and limited is present), send a Kiss-of-Death (KoD) packet back to tell it to slow down, instead of just silently dropping packets. 
 +    * **limited** - Flag: Enforce rate limiting using the thresholds from discard .... If a client sends requests too fast (violates those limits), time service is denied for that client (and, with kod, KoDs can be sent). 
 +    * **nomodify** - Flag: Block configuration‑-changing control packets (e.g., ntpq/ntpdc commands that try to modify state). Info-only queries would be allowed by this flag alone, but see noquery next.
 +    * **noquery**  - Flag: Block all ntpq/ntpdc queries (status, variables, etc.). Time service (normal client requests for time) is still allowed. 
 +    * **nopeer** - Flag: Prevent others from forming NTP peer associations with this server unless specially allowed/authenticated. This blocks unsolicited symmetric/broadcast/manycast/pool-based peering that would otherwise turn your server into a peer for them.
 +  * **restrict 127.0.0.1** - Don't restrict anything from this IP because we haven't added any flags.
 +  * **restrict :11** - Don't restrict anything from this IP because we haven't added any flags.
 +  * **server**
 +    * **127.127.1.1** - the “local clock” / undisciplined local clock driver (unit 1). (i.e. hypervisor source or bare metal). In practice, this tells ntpd: “treat the machine’s own hardware clock as an NTP time source.” It’s usually used only as a last‑resort fallback when no real upstream servers are available, together with a ''fudge 127.127.1.1 stratum N'' line.
 +    * **burst ** - When the server is already reachable, send a burst of packets (typically 8) each poll interval instead of just one, for better accuracy at the cost of more traffic. It has effect during normal operation, not only on startup
 +    * **iburst ** - On initial sync or after a timeout, send a quick burst of packets to get into sync faster. Once synchronized, it behaves like a normal ''server'' line again.
 +    * **prefer.** - Tell NTP to use hypervisor/bare metal clock as time source
 +  * **fudge 127.127.1.1 stratum 1** - you’re advertising your local clock as stratum‑1, i.e., as if it were as good as a GPS or atomic clock. That’s generally unsafe unless you truly mean to act as a primary reference; most deployments set this to a high stratum (e.g., 10) so it’s only used when all real sources are gone.
ntp/ntp.1706091151.txt.gz · Last modified: by bstafford