/ debian

Run a NTP server for the pool.ntp.org project with Debian

Update 2:

I've changed the 5 source servers to 3 other's that are on the same continent as our NTP Server so the offset and jitter are much better. This helped this server to be more "stable". The server now uses clock.isc.org, clock.uregina.ca and subitaneous.cpsc.ucalgary.ca. All are Stratum 1 servers.

Update:

It took the server nearly 3 days to get a score above 10 and it's now part of the global NTP Pool and is actively used. You can see it's statistics here

Last year i bought a VPS from CloudAtCost - specifically the "Developer 1" VPS - for a one-time fee of just $35. Since then i ran a SSH honeypot for some days but that didn't made me any happier. Because i have other powerful root servers in my hands i don't necessarily need that small VPS for daily work.

I thought about how i could "sponsor" the machines power for the good. One option was running a TOR relay but the 500GB monthly limited traffic doesn't help that much and the bandwith to one of my Hetzner's Root is just 3.5Mbit/s so i decided to run my own NTP server and give them to the NTP pool project which only requires some 512kbit/s of continuous traffic at most.

Basic server setup

I always was (and being) a fan of Debian and since i want to run this NTP server for years i decided to go with Debian for this one as well - it's just a no-brainer for long-running servers.

I started off with a Debian 7.1 machine and first upgraded it to the latest release - to date this is Debian Jessie - by first updating it to the latest Wheezy release and then doing the all-known upgrade by modifying the apt sources.

If you're interested in upgrading Debian releases, just google for it. This topic is well covered in the web. For your convenience here is one

After the upgrade i've installed UFW and configured it so only SSH on a custom port and NTP are accessible at all times.

apt-get install ufw
ufw default deny
ufw allow 22/tcp #Allow SSH (not my custom port!)
ufw allow 123/udp #Allow NTP

I've also added another SSH user that is the only allowed one which can login with an SSH Key and some strict SSH configuration (There will be a post about securing SSH sometime soon too).

Now our Server is basically made safe to start configuring NTP for the pool work. If you want you can also configure cron-apt to automatically install security updates.

Installing and configuring NTP

At first we need the ntp and ntpdate packages (the latter is for setting the time manually). Install them with apt-get before proceeding.

In the next step we need to give the server some static (non-pool) ntp sources. This can be servers picked out of the NTP pool, since the NTP pool is basically made for load-sharing but we can also use third-parties like the PTB Timeservers which are being used for 80% of the UTC Time - so they're pretty accurate - or the timeservers from the University of Regensburg.

Let us configure static servers for our NTP Daemon. So open up /etc/ntp.conf and look for the 4 default server lines which should have 4 times the ntp pool in them and change them to our 5 static servers from PTB and the Regensburg University:

...
server ptbtime1.ptb.de
server ptbtime2.ptb.de
server ptbtime3.ptb.de
server ntp.uni-regensburg.de
server ntp.ur.de
# server 0.debian.pool.ntp.org iburst
# server 1.debian.pool.ntp.org iburst
# server 2.debian.pool.ntp.org iburst
# server 3.debian.pool.ntp.org iburst
...

It's recommended to use no less than 4 but no more than 7 servers so we use 5 which is a good number from different time sources. There is a configuration recommendation page for joining the NTP Pool which you can read through yourself for more configuration options.

I'll only guide you through the necessary configuration for a Debian-based NTP timeservers. Since some of the recommended config is also Debian's default it can be skipped safely.

Restarting the NTP Daemon and checking the time

After we have configured our NTP Daemon we can restart it with service ntp restart and check it's timeservers afterwards using ntpq -p. It shows the used timeservers and their stratum (st) like below:

remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ptbtime1.ptb.de .PTB.            1 u    8   64  377  102.644   -4.904   0.541
+ptbtime2.ptb.de .PTB.            1 u    2   64  377  107.333   -1.450   0.869
+ptbtime3.ptb.de .PTB.            1 u    5   64  377  107.413   -2.478   0.516
-rrzlx26.uni-reg 132.199.7.201    2 u    7   64  377  102.662   -3.840   0.556

You can see here that *ptbtime1.ptb.de has a star in front which means it's the first timeserver used for time synchronization. In the st column you can see the 1 for all three ptb timeservers which means that they're stratum 1 servers.

A stratum 1 server has it's own external time source like a GPS-Receiver or in PTB's case a Caesium-Atom-clock. Since our NTP Server now uses a stratum 1 server as a reference our server itself has become a good stratum 2 server, a server without an own external time source but a stratum 1 source. A stratum 3 has only a stratum 2 source at best and so on.

Our time server is now ready to serve for external NTP requests and so we will check it from another server and put it into the NTP Pool Project so the world can benefit from it.

Checking our NTP Server

We just have to login to another server and stop the ntp daemon there if there is one running and run the ntpdate command using our new server:

ntpdate ntp1.sysorchestra.com

which will output something like this:

7 Dec 13:49:20 ntpdate[24179]: adjust time server 168.235.155.228 offset 0.005612 sec

It worked! We can now also use this new stratum 2 timeserver for our other servers. We have to add it to their ntp.conf like we did above for our ntp server and restart the ntp daemon, check it with ntpq -p that it's being used and we're done.

Now you can go to the NTP Pool Page and request the NTP Project to add your server to the pool.

After you've registered for and logged in to the Manage Server's Page you can go and add your server like this:

and when pressing Submit your server is being checked and added. It should now be listed like below.

Here you might want to set the correct speed your server is connected to the internet and you're done. The current score of -5 is a start and will increase the longer the server is available. As soon as it has reached a score of 10 or more - 20 is max. - it will be included in the cluster automatically.

NTP is a long term commitment, so don't try to add servers which you will remove in a couple of weeks or even months.

After a very short time of maybe 15 minutes my server has been checked again and acknowledged that it's a stratum-2 server and the availability score has increased like you can see below:

Conclusion

I used (and using) NTP Pool Servers all the time for private and business and really rely on the pool being there and serving "good time". It's very essential for computing and since i don't use this canadian-based virtual server for anything else i thought it would be a good idea to give it's paid power for something good.

If you found some problems in my configuration or have questions, please use the comment section below which i check regularly.