How to Configure NTP for Use in the NTP Pool


Introduction 

Accurate timekeeping is essential for a wide range of services and software. Applications like email systems, loggers, event schedulers, user authentication mechanisms, and distributed platforms all rely on precise timestamps to ensure events are recorded in proper chronological order. These systems typically use the Network Time Protocol (NTP) to synchronize their system clocks with a trusted external time source, such as an atomic clock, a GPS receiver, or another NTP-enabled time server. 

This is where the NTP Pool Project plays a crucial role. The project is a vast, global network of time servers that provide reliable time synchronization to tens of millions of clients worldwide. It serves as the default time server for Ubuntu and many other major Linux distributions, as well as numerous networked appliances and software applications. 

In this guide, you will learn how to configure NTP on your server and integrate it into the NTP Pool Project. By doing so, your server will contribute to providing accurate time to other NTP Pool users. Sharing your server's unused bandwidth and spare CPU cycles is a simple yet impactful way to support the community. 

The bandwidth requirements for participating in the NTP Pool Project are relatively modest and can be adjusted based on your server’s capacity and location. On average, each client sends a few UDP packets every 20 minutes, resulting in most servers receiving about a dozen NTP packets per second. Traffic may occasionally spike to around 100 packets per second, but typical bandwidth usage ranges from 10-15 Kb/sec, with spikes of 50-120 Kb/sec. 

Requirements for Joining the NTP Pool Project 

To join the NTP Pool Project, your server must meet three fundamental criteria: 

  1. Static IP Address: Your server must have a static IP address to ensure consistent availability. 
  2. Stable Internet Connection: A permanent and reliable internet connection is required to maintain uninterrupted service. 
  3. Minimal IP Address Changes: Your server’s IP address must remain stable, with changes occurring infrequently (ideally no more than once a year). 

For most cloud-based servers, the first two requirements are typically met by default. However, the third requirement underscores that joining the NTP Pool Project is a long-term commitment. While you can remove your server from the pool if circumstances change, traffic to your server may persist for an extended period—often weeks, and sometimes months or years—before tapering off completely. 


Step 1 — Installing NTP

To install the NTP package and configure it on your server, follow these steps:

Update Your Package List: Run the following command to ensure your package list is up to date:

sudo apt-get update

Install NTP: Install the NTP package using the package manager:

sudo apt-get install ntp

Start and Enable the NTP Service: After installation, start the NTP service and configure it to start automatically at boot:

sudo systemctl start ntp
sudo systemctl enable ntp

Adjust Firewall Settings: To allow your server to serve NTP traffic, configure your firewall to permit incoming and outgoing UDP traffic on port 123:

sudo ufw allow 123/udp

Your NTP service is now installed and ready for further configuration.


Step 2 — Choosing a Suitable Upstream Server 

To maintain the reliability, speed, and health of the NTP Pool Project, operators joining the pool are encouraged to select high-quality network-local time servers rather than relying on the default pool.ntp.org servers. Selecting a suitable upstream server involves ensuring a stable network connection with minimal packet loss and the fewest possible hops between servers. 

The hierarchical structure of the NTP protocol organizes participants into primary servers, secondary servers, and clients. 

  • Stratum 1 servers are directly connected to a time source, known as Stratum 0. This source might be an atomic clock, GPS receiver, or radio navigation system. 
  • Stratum 2, Stratum 3, and subsequent servers act as secondary layers. Each tier is a client of the upstream server and provides time to downstream servers or clients. 

For proper functionality, NTP Pool Project members must configure the NTP daemon with at least three time servers. Ideally, you should configure between four and seven servers for optimal performance. 

Types of Time Servers 

The NTP Pool Project provides a list of public Stratum 1 and Stratum 2 servers, which are categorized based on access policies: 

  1. OpenAccess: Fully open to any client adhering to the NTP Pool usage recommendations. 
  2. RestrictedAccess: Subject to additional restrictions beyond the NTP Pool usage guidelines. 
  3. ClosedAccess: Requires prior approval or arrangement for use. 

Warning: Do not use servers categorized as "ClosedAccess" or "RestrictedAccess" without obtaining the required permissions. 

Selecting Stratum 1 Servers 

To choose appropriate Stratum 1 servers: 

  1. Visit the Stratum 1 Time Servers list. https://support.ntp.org/bin/view/Servers/StratumOneTimeServers 
  2. Sort the list by the ISO Code column to find servers geographically close to your server’s data center. 
  3. Look for servers with an Access Policy of "OpenAccess." These can be used without issue. 
  4. For servers labeled "RestrictedAccess," click the entry to review the details in the AccessDetails field. If the NotificationMessage is set to "Yes," you’ll need to email the server operator (using the contact information in the ServerContact field) to request permission. 
  5. Once approved, copy the hostnames or IP addresses of your selected servers. 

Selecting Stratum 2 Servers 

Repeat the process for selecting three or four Stratum 2 servers. These servers act as secondary time sources and should also be chosen based on proximity and access policy. 

With your chosen time servers identified, proceed to configure your NTP client to utilize them as described in Step 3. 


Step 3 — Configuring NTP to Join the Pool

To integrate your server into the NTP Pool Project and configure your selected time servers, you need to modify the NTP daemon’s configuration file. Follow these steps:

1. Edit the NTP Configuration File

Open the /etc/ntp.conf file in your preferred text editor:

sudo nano /etc/ntp.conf

2. Verify Driftfile Configuration

Ensure that a driftfile is specified in the configuration. The driftfile stores the frequency offset between the system clock and the correct time source, helping maintain stable and accurate synchronization. This is usually found at the top of the configuration file:

/etc/ntp.conf

# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

3. Remove Default Time Sources

Locate and remove the default time source entries. These are server or pool lines that point at a distribution's pool.ntp.org hostnames, for example:

server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst

4. Add Your Selected Time Servers

Replace the default entries with the servers you selected in Step 2. Use the iburst option for each server as recommended by the NTP Pool Project:

/etc/ntp.conf

server ntp_server_hostname_1 iburst
server ntp_server_hostname_2 iburst
server ntp_server_hostname_3 iburst
server ntp_server_hostname_4 iburst
server ntp_server_hostname_5 iburst

The iburst option speeds up initial synchronization: if the server is unreachable, ntpd sends a burst of packets instead of a single one, and does so only until contact is first established. Avoid the burst option, which sends a burst at every poll interval and can overload time servers.

5. Restrict Management Queries

To prevent misuse of your server in NTP reflection attacks or unauthorized queries, ensure the following restrictions are configured:

/etc/ntp.conf

# Restrict default access
restrict default nomodify notrap nopeer noquery kod limited

# Allow unrestricted access on the loopback interface
restrict 127.0.0.1
restrict ::1

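The nomodify, notrap, nopeer, and noquery options protect the server from unwanted modifications and queries: nomodify blocks remote configuration changes, notrap disables the trap service, nopeer refuses unsolicited peer associations, and noquery rejects ntpq and ntpdc requests, the management queries that reflection attacks rely on. Time service itself is not affected by these flags. The limited option enforces rate limiting, and kod sends a kiss-o'-death packet to clients that exceed the limit.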
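The settings from steps 2 to 5 can be checked mechanically before the service is restarted. The following Python script is an added example, not part of the original guide or of the NTP distribution; the function name and the sample files are constructed for illustration, and the rules it applies are the ones this guide states (a driftfile, at least three upstream servers, iburst rather than burst, no leftover pool.ntp.org defaults, and the full set of restrict flags).

```python
REQUIRED_FLAGS = {"nomodify", "notrap", "nopeer", "noquery", "kod", "limited"}

def audit_ntp_conf(text):
    """Return findings for the settings this guide asks for (empty list = pass)."""
    findings, sources, default_flags, has_driftfile = [], [], [], False
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        if keyword == "driftfile" and args:
            has_driftfile = True
        elif keyword in ("server", "pool") and args:
            sources.append((args[0], set(args[1:])))
        elif keyword == "restrict":
            # Ignore address-family selectors, as in "restrict -6 default ...".
            rest = [a for a in args if a not in ("-4", "-6")]
            if rest and rest[0] == "default":
                default_flags.append(set(rest[1:]))
    if not has_driftfile:
        findings.append("no driftfile directive")
    if len(sources) < 3:
        findings.append(f"only {len(sources)} time source(s); at least 3 required")
    for host, opts in sources:
        if "burst" in opts:
            findings.append(f"{host}: uses burst; use iburst only")
        if host.endswith("pool.ntp.org"):
            findings.append(f"{host}: default pool entry still present")
    if not default_flags:
        findings.append("no 'restrict default' line")
    for flags in default_flags:
        missing = sorted(REQUIRED_FLAGS - flags)
        if missing:
            findings.append("restrict default is missing: " + " ".join(missing))
    return findings

# Constructed sample files; hostnames are the guide's placeholders.
WEAK_CONF = """driftfile /var/lib/ntp/drift
server 0.centos.pool.ntp.org iburst
server ntp_server_hostname_1 burst iburst   # burst must go
restrict default nomodify notrap
"""
GOOD_CONF = "driftfile /var/lib/ntp/drift\n" + "".join(
    f"server ntp_server_hostname_{i} iburst\n" for i in range(1, 6)
) + "restrict default nomodify notrap nopeer noquery kod limited\nrestrict ::1\n"

if __name__ == "__main__":
    print(audit_ntp_conf(WEAK_CONF), audit_ntp_conf(GOOD_CONF))
```

To audit the live file, pass the contents of /etc/ntp.conf to audit_ntp_conf; an empty list means every check passed.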

6. Save and Restart the NTP Service

Save the file and exit the editor. Restart the NTP service to apply the changes:

sudo systemctl restart ntp

7. Verify Server Health

After a few minutes, check the status of your NTP server using the ntpq command:

ntpq -p

The output will display the servers your NTP daemon is using, along with metrics like delay, offset, and jitter. Lower values indicate better synchronization quality.
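Beyond delay, offset, and jitter, the first character of each ntpq -p line (the tally code) and the reach column show whether a source is actually being used. The following Python script is an added example, not part of the original guide; the sample output is constructed, the remote names are placeholders, and the 100 ms offset threshold is an arbitrary value chosen for illustration.

```python
def parse_ntpq_peers(output):
    """Parse the text printed by `ntpq -p` into one dict per time source."""
    peers = []
    for line in output.splitlines():
        fields = line[1:].split()          # column 0 holds the tally code
        if len(fields) != 10 or fields[1] == "refid":
            continue                       # header, separator or blank line
        peers.append({
            "tally": line[0],              # '*' system peer, '+' candidate, 'x' falseticker
            "remote": fields[0],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),    # octal register of the last 8 polls
            "delay": float(fields[7]),     # milliseconds
            "offset": float(fields[8]),    # milliseconds
            "jitter": float(fields[9]),    # milliseconds
        })
    return peers

def health_findings(peers, max_offset_ms=100.0):
    """max_offset_ms is an illustrative threshold chosen for this example."""
    findings = []
    if not any(p["tally"] == "*" for p in peers):
        findings.append("no system peer selected (no line starts with '*')")
    for p in peers:
        if p["reach"] == 0:
            findings.append(f"{p['remote']}: no replies (reach 0)")
        elif p["reach"] != 0o377:
            findings.append(f"{p['remote']}: reach {p['reach']:o}, not all of the last 8 polls answered")
        if p["tally"] == "x":
            findings.append(f"{p['remote']}: discarded as a falseticker")
        if abs(p["offset"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset']} ms exceeds {max_offset_ms} ms")
    return findings

# Constructed sample output; remote names and refids are placeholders.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp_server_1    .GPS.            1 u   33   64  377   12.345    0.512   0.210
+ntp_server_2    .PPS.            1 u   12   64  377   20.100   -0.833   0.455
 ntp_server_3    .INIT.          16 u    -   64    0    0.000    0.000   0.000
xntp_server_4    192.0.2.10       2 u   40   64  177   35.800  250.112   3.900
"""

if __name__ == "__main__":
    print("\n".join(health_findings(parse_ntpq_peers(SAMPLE))))
```

Shortly after a restart the reach register is still filling (1, 3, 7, ... 377), so a value below 377 is expected for the first few polls.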

8. Test Public Accessibility

To verify that your server is serving time publicly, use the ntpdate command from another host:

ntpdate -q your_server_ip

The output will confirm that the server is reachable and provide details about the offset:

server your_server_ip, stratum 2, offset 0.001172, delay 0.16428
2 Mar 23:06:44 ntpdate[18427]: adjust time server your_server_ip offset 0.001172 sec

9. Register Your Server with the NTP Pool Project

Sign up for an account at manage.ntppool.org to register your server. Verify your account via the email sent by NTP Pool Project, then log in and add your server:

  1. Enter your server’s IP address.
  2. Confirm its region.
  3. Finalize by clicking "Yes, this is my server, add it!"
  4. Verify your server by following the instructions on the unverified page of your server.

10. Monitor Your Server

Visit http://www.pool.ntp.org/scores/your_server_ip to view monitoring data collected by the NTP Pool Project. It evaluates your server’s offset and reliability. A score above 10 is required for inclusion in the pool, with the score increasing as your server maintains good time and consistent availability.

Your server is now contributing to the NTP Pool Project and helping provide accurate time to users worldwide.


Troubleshooting

If your server is not syncing as expected, follow these steps to identify and resolve potential issues:

Check for Outgoing Traffic Blockage:

A packet firewall might be blocking outgoing packets on port 123, which is required for NTP synchronization. Ensure that port 123 is open for outgoing traffic.

Verify Incoming Traffic Accessibility:

If the NTP Pool Project’s monitoring station cannot reach your server, or if your server’s score is decreasing, incoming traffic on port 123 might be blocked. Similarly, if your server cannot sync another clock, check that your firewall allows incoming traffic on port 123.

Inspect Your Firewall Configuration:

Confirm that your firewall is configured to permit both incoming and outgoing traffic on port 123. Use firewall management tools or commands to verify and adjust settings as needed.

Investigate Provider or Transit Blockages:

If you’ve confirmed that your firewall is not the issue and port 123 is open for both directions, your server provider or a transit provider might be dropping packets. Contact your provider to confirm whether they have any restrictions or policies affecting NTP traffic.

Seek Community Support:

If you cannot resolve the issue on your own, reach out to the NTP Pool Project’s community forums for assistance. Be sure to document and share all troubleshooting steps you’ve already taken. This will help the community provide targeted advice and solutions.

The NTP Pool Project’s forums are a great starting point for collaboration and support. Engaging with the community ensures that you receive expert advice while contributing to shared knowledge.