
How to Set Up and Secure an NTP Server & Client on Linux

This guide walks you through installing NTP, configuring server restrictions, adding a local clock backup, setting log parameters, and synchronizing Linux clients, complete with command examples and troubleshooting steps to ensure accurate network time across your infrastructure.

Liangxu Linux

Configure the NTP Server

1. Install the NTP package

Use the package manager of your Linux distribution. On Red Hat or CentOS, run:

yum install ntp

2. Set restriction lines in /etc/ntp.conf

Add the following two lines to limit how other hosts can interact with the server:

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

The options mean:

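noquery : denies ntpq and ntpdc status queries, which prevents dumping of status data; the time service itself is not affected.

notrap : blocks control-message trap services.

nomodify : denies any ntpq or ntpdc query that tries to modify the server's state; queries that only read information are still allowed.

nopeer : blocks packets that attempt to establish peer associations.

kod : sends a "kiss-of-death" packet when a request is denied, telling the sender to back off and reducing unwanted queries.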

3. Allow only specific clients

To restrict synchronization to machines in your own network, add:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

For full access from the localhost, add:

restrict 127.0.0.1

4. Add a local clock as backup

When the server loses Internet connectivity, the local clock can provide time:

server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10

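Stratum levels indicate distance from the primary time source; lower numbers are more accurate. Fudging the local clock to stratum 10 ranks it below any real upstream server, so it is used only when those servers are unreachable.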

5. Configure drift and log files

driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log

The drift file records the clock’s deviation over time, allowing ntpd to correct it gradually.

6. Start the NTP service

service ntpd start
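
To confirm that the restrict lines from steps 2 and 3 are actually in place, the script below audits an ntp.conf. It is an added example, not part of the original article; the function names and the sample config are constructed, and it assumes an unqualified restrict default is the IPv4 entry, as in the article's two lines.

```shell
#!/bin/sh
# Added example: audit ntp.conf restrict lines. Assumption: an unqualified
# "restrict default" is the IPv4 entry, "restrict -6 default" the IPv6 one.
REQUIRED="kod nomodify notrap nopeer noquery"
# Print the required flags missing from the default entry of family $2
# (4 or 6), or NO-DEFAULT-LINE when the file has no such entry.
missing_default_flags() {
    awk -v fam="$2" -v required="$REQUIRED" '
        { sub(/#.*/, "") }                      # drop comments
        $1 != "restrict" { next }
        {
            i = 2; f = 4
            if ($i == "-6") { f = 6; i++ } else if ($i == "-4") i++
            if ($i != "default" || f != fam) next
            found = 1; for (j = i + 1; j <= NF; j++) have[$j] = 1
        }
        END {
            if (!found) { print "NO-DEFAULT-LINE"; exit }
            n = split(required, req, " "); out = ""
            for (k = 1; k <= n; k++)
                if (!(req[k] in have)) out = (out == "" ? "" : out " ") req[k]
            print out
        }' "$1"
}

# Print non-default, non-loopback entries that carry no flags (full access).
unrestricted_entries() {
    awk '
        { sub(/#.*/, "") }
        $1 != "restrict" { next }
        {
            i = 2; if ($i == "-4" || $i == "-6") i++
            addr = $i; i++
            if ($i == "mask") i += 2            # skip "mask <netmask>"
            if (addr == "default" || addr == "127.0.0.1" || addr == "::1") next
            if (i > NF) print addr
        }' "$1"
}

conf=$(mktemp); trap 'rm -f "$conf"' EXIT   # constructed sample, not a real host
cat > "$conf" <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap     # weak: two flags absent
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
restrict 127.0.0.1
restrict 10.0.0.5                           # remote host with no flags
EOF
printf 'IPv4 default missing: [%s]\nIPv6 default missing: [%s]\nfull access: [%s]\n' \
    "$(missing_default_flags "$conf" 4)" "$(missing_default_flags "$conf" 6)" "$(unrestricted_entries "$conf")"
```

Call both functions with /etc/ntp.conf after editing the file and before restarting ntpd.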

Configure the NTP Client

7. Edit the client’s /etc/ntp.conf

Specify multiple upstream servers so the client can fall back if one fails:

server 0.ntp.org iburst
server 1.ntp.org iburst
server 2.ntp.org iburst
server 3.ntp.org iburst

The iburst option sends eight packets on the first poll to speed up initial synchronization.

You can also add your internal server as preferred:

server 192.168.1.1 prefer

8. Start the NTP daemon on the client

/etc/init.d/ntp start

9. Verify NTP status

Use ntpq -p to view peers and synchronization statistics:

# ntpq -p
remote            refid      st t when poll reach   delay   offset  jitter
*elserver1  192.168.1.1       3 u  300 1024  377    1.225   -0.071   4.606

10. Perform an initial manual sync (optional)

Run ntpdate -u 192.168.1.1 once to set the clock immediately; thereafter the daemon will keep the time accurate.

ntpdate -u 192.168.1.1

After the initial sync, the client continuously communicates with the NTP server to maintain precise system time.
