Introduction
NTP (Network Time Protocol) is a protocol for synchronising the clock/time on a server with a central time server. In the Hetzner standard images the service has already been pre-configured to work with the Hetzner NTP servers.
Step 1 - Install the NTP daemon
In order to configure NTP on a custom installation you will first need to install the NTP daemon. NTP is already present in each linux distribution as a package and can be easily installed.
Debian:
debian root # apt-get install ntp
Gentoo:
emerge ntp
OpenSuSE:
zypper install ntp
Step 2 - Configuring the NTP daemon
Since January 2010 Hetzner runs three time servers using the NTP protocol. These are housed in three different locations and have the following addresses:
- ntp1.hetzner.de
- ntp2.hetzner.com
- ntp3.hetzner.net
To use these time servers under Linux, the ntpd must be configured accordingly. In Debian for example, the following three lines can be inserted (or they can replace the existing lines) in the /etc/ntp.conf file:
server ntp1.hetzner.de iburst
server ntp2.hetzner.com iburst
server ntp3.hetzner.net iburstNote that some older versions of ntpd may require the additional parameter dynamic to be appended on each line above. This parameter, obsolete (in 4.x ntpd) allows a server to be configured even if the server is not reachable during configuration time.
Optionally a few public servers can be added as well:
server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.orgHere your server selects any German NTP server from a pool. This ensures that the request load is distributed across multiple servers while also increasing the reliability.
After changing the NTP settings the NTP daemon has to be restarted, to let the changes take effect.
Step 3 - Security
As ntp is primarily a UDP-based protocol, it is vulnerable to being misused as part of distributed amplification / reflection denial-of-service attacks known as DRDoS.
If possible you should upgrade to 4.2.7p26 or later. As an alternative all status requests can be blocked using the noquery statement.
A possible configuration which uses only Hetzner NTP servers follows:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp1.hetzner.de iburst
server ntp2.hetzner.de iburst
server ntp3.hetzner.de iburstIn this setup status and configuration requests are limited to localhost, while time information can be and is exchanged with any server.
Another option is to ignore all request except time information from explicitly configured servers. Configuration and status requests remain localhost only.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
server ntp1.hetzner.de iburst
restrict 213.239.239.164 nomodify notrap nopeer noquery
restrict -6 2a01:4f8:0:a0a1::2:1 nomodify notrap nopeer noquery
server ntp2.hetzner.de iburst
restrict 213.239.239.165 nomodify notrap nopeer noquery
restrict -6 2a01:4f8:0:a101::2:3 nomodify notrap nopeer noquery
server ntp3.hetzner.de iburst
restrict 213.239.239.166 nomodify notrap nopeer noquery
restrict -6 2a01:4f8:0:a112::2:2 nomodify notrap nopeer noqueryStep 4 - Manual time synchronization with NTP
It might be necessary to synchronize the time manually after you have installed the NTP daemon for the first time. You can do this with either ntpd or ntpdate (may need to be additionally installed):
ntpd -q -g
The option -g means that ntpd will also synchronize if the time difference is more than 1000 seconds. The option -q means that ntpd will only run once.
ntpdate NTP-Server
ntpdate ptbtime1.ptb.deStep 5 - Save the new time in the hardware clock
Last but not least you should save the current time into the hardware clock of the server:
hwclock --systohc
Otherwise a completely wrong time can show up after a reboot.
Conclusion
By now you should have configured your server with a secure connection to synchronize the time with an external server.