
How to Configure a Local NTP Server on Fedora: A Step-by-Step Guide
In any modern IT infrastructure, accurate timekeeping isn’t a luxury—it’s a necessity. From accurate log correlation for troubleshooting to the proper functioning of authentication mechanisms like Kerberos, synchronized time across all your devices is critical. While public time servers are widely available, setting up your own local Network Time Protocol (NTP) server offers greater control, reduced external network traffic, and improved accuracy for your internal network.
This guide will walk you through the process of setting up a robust NTP server using the traditional ntpd service on a Fedora system. By the end, you’ll have a reliable time source for all the clients on your network.
Step 1: Installing the NTP Package
The first step is to install the necessary software. Fedora systems use ntpd, the classic NTP daemon, which is available in the standard repositories.
Open your terminal and install the package using the dnf package manager with root privileges:
sudo dnf install ntp
This command will download and install the ntpd service and its related utilities, including the ntpq tool for querying the service’s status.
Step 2: Configuring the NTP Server
With the software installed, the next step is to configure it. The main configuration file for ntpd is located at /etc/ntp.conf. This file dictates which upstream servers your NTP server will sync with and which clients are allowed to connect to it.
Open the file in your preferred text editor, such as nano or vim:
sudo nano /etc/ntp.conf
Selecting Upstream Time Sources
Inside the file, you’ll find lines beginning with server or pool. These define the public NTP servers your server will use as its time source. The default Fedora configuration uses a pool of servers from the NTP Pool Project, a massive global cluster of time servers.
A typical default configuration looks like this:
pool 2.fedora.pool.ntp.org iburst
For improved reliability and accuracy, it’s a best practice to use a regional pool of servers. For example, if your server is in North America, you could use north-america.pool.ntp.org. This reduces network latency to the time source. You can add multiple pool entries for redundancy.
# Example for a server in Europe
pool 0.europe.pool.ntp.org iburst
pool 1.europe.pool.ntp.org iburst
pool 2.europe.pool.ntp.org iburst
Securing Your NTP Server and Allowing Clients
By default, an NTP server can be open to queries from anywhere on the internet, which can be exploited for DDoS reflection attacks. It is crucial to restrict access to your server.
The restrict directive controls who can access your NTP service and what they can do.
First, set a secure default policy to deny all access unless explicitly permitted. Add this line to your ntp.conf file:
# Restrictive default: no reconfiguration, traps, peering, or ntpq/ntpdc queries
restrict default nomodify notrap nopeer noquery
- nomodify: Prevents clients from reconfiguring the server.
- notrap: Prevents the trapping of control messages.
- nopeer: Prevents a host from forming a peer association.
- noquery: Prevents ntpq and ntpdc queries from being answered.
Next, you must explicitly allow your local network to query the server for time. Add a restrict line for your local subnet. For example, if your local network is 192.168.1.0/24, you would add:
# Allow clients from the local network to sync time
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
This rule grants machines on your internal network the ability to get the time from your server but denies them permission to modify its configuration.
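A check for the restrict rules above, as an added example that is not part of the original guide: it reads an ntp.conf on stdin and reports a default line missing any of the four flags, any other rule without nomodify, and a missing localhost rule (without one, ntpq run on the server itself falls under the default noquery). The function name audit_restrict and the sample rules are assumptions made for illustration.

```bash
#!/bin/sh
# Added example: audit the restrict lines of an ntp.conf read from stdin.
# Prints one finding per line and nothing when every check passes.
audit_restrict() {
  awk '
    $1 != "restrict" { next }            # also skips comment lines
    {
      k = 2
      if ($k == "-4" || $k == "-6") k++  # optional address-family flag
      target = $k
      flags = " "
      for (i = k + 1; i <= NF; i++) {
        if ($i ~ /^#/) break             # trailing comment
        if ($i == "mask") { i++; continue }  # skip the netmask value
        flags = flags $i " "
      }
      if (target == "default") {
        seen_default = 1
        n = split("nomodify notrap nopeer noquery", need, " ")
        for (j = 1; j <= n; j++)
          if (index(flags, " " need[j] " ") == 0)
            print "default: missing " need[j]
      } else if (target == "127.0.0.1" || target == "::1") {
        seen_local = 1
      } else if (index(flags, " nomodify ") == 0 && index(flags, " ignore ") == 0) {
        print target ": missing nomodify"
      }
    }
    END {
      if (!seen_default) print "no restrict default line"
      if (!seen_local) print "no localhost restrict line: local ntpq queries inherit the default"
    }'
}

# Constructed sample: the two rules from this guide plus one loose extra rule.
sample_conf='restrict default nomodify notrap nopeer noquery
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 10.0.0.0 mask 255.0.0.0 notrap'

printf '%s\n' "$sample_conf" | audit_restrict
```

None of the four flags stops ordinary time requests (ntpd uses ignore or noserve for that), so the default line still answers time queries from any address the firewall lets through.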
Step 3: Configuring the Firewall
The NTP service communicates over UDP port 123. You must configure your system’s firewall to allow incoming traffic on this port from your local network.
Use the firewall-cmd utility to add a permanent rule for the NTP service and then reload the firewall to apply the changes:
sudo firewall-cmd --add-service=ntp --permanent
sudo firewall-cmd --reload
This ensures the firewall rule will persist even after a system reboot.
Step 4: Starting and Enabling the NTP Service
Now that ntpd is configured and the firewall is open, you can start the service. It’s also important to enable it so that it starts automatically every time the server boots.
Use the following systemctl commands:
# Start the ntpd service now
sudo systemctl start ntpd
# Enable the ntpd service to start on boot
sudo systemctl enable ntpd
Step 5: Verifying the NTP Server Status
After starting the service, it will take a few minutes to synchronize with its upstream time sources. You can check the status of the synchronization using the ntpq utility with the -p (peers) flag.
ntpq -p
The output will look something like this:
remote refid st t when poll reach delay offset jitter
==============================================================================
+time.cloudflare .LOCL. 1 u 60 64 377 8.498 -0.230 0.149
*ntp1.ams1.nl.le 10.8.0.1 2 u 55 64 377 15.334 0.589 0.298
+lithium.constan 192.168.1.1 2 u 58 64 377 22.765 -1.103 0.456
Here’s what the key symbols mean:
- * (Asterisk): Indicates the primary peer your server is currently synchronized with.
- + (Plus sign): Indicates other good-quality candidate peers that can be used for backup.
- reach: A value of 377 indicates that the server has successfully reached the upstream source in each of the last eight attempts, signifying a stable connection.
If you see an asterisk and a non-zero reach value, your NTP server is successfully synchronized and ready to serve time to your clients.
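The same check as a script, added here as an example and not part of the original guide: it looks for a selected (*) peer with non-zero reach and decodes the octal reach value into the number of successful polls out of the last eight. The function name ntpq_sync_status is an assumption; the sample input is the output shown above.

```bash
#!/bin/sh
# Added example: summarise `ntpq -p` output read from stdin.
# Prints "synced <peer> reach=<octal> ok=<n>/8" and returns 0 when a
# selected (*) peer with non-zero reach exists; otherwise prints
# "unsynced" and returns 1.
ntpq_sync_status() {
  awk '
    # reach is an octal shift register covering the last eight polls;
    # counting its set bits gives the number of successful polls.
    function polls_ok(s,   v, i, n) {
      v = 0
      for (i = 1; i <= length(s); i++) v = v * 8 + substr(s, i, 1)
      n = 0
      while (v > 0) { n += v % 2; v = int(v / 2) }
      return n
    }
    $1 == "remote" || /^=+$/ { next }    # header and ruler lines
    NF >= 10 && substr($1, 1, 1) == "*" && $7 + 0 != 0 {
      printf "synced %s reach=%s ok=%d/8\n", substr($1, 2), $7, polls_ok($7)
      found = 1
    }
    END { if (!found) { print "unsynced"; exit 1 } }'
}

# Sample input: the ntpq -p output shown in this guide.
sample_ntpq='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+time.cloudflare .LOCL.           1 u   60   64  377    8.498   -0.230   0.149
*ntp1.ams1.nl.le 10.8.0.1         2 u   55   64  377   15.334    0.589   0.298
+lithium.constan 192.168.1.1      2 u   58   64  377   22.765   -1.103   0.456'

printf '%s\n' "$sample_ntpq" | ntpq_sync_status

# On the server itself: ntpq -p | ntpq_sync_status
```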
Final Step: Configuring Your Network Clients
To use your new NTP server, you simply need to configure the other machines on your network to point to its IP address. On other Linux clients, you would edit their /etc/ntp.conf or /etc/chrony.conf file to replace the public pool addresses with your server’s local IP.
For example:
server 192.168.1.10 prefer iburst
Replace 192.168.1.10 with the actual IP address of your new Fedora NTP server. By following these steps, you have successfully deployed a secure, reliable, and centralized time source for your entire network.
Source: https://kifarunix.com/configure-ntp-server-using-ntpd-on-fedora-30/


