How to Set Up and Secure an NTP Server on Linux – Step‑by‑Step Guide
This guide explains how to install, configure, and secure an NTP server on Linux, set restriction rules, add a local clock backup, configure logging, start the service, and then configure client machines to synchronize time reliably using ntpq and ntpdate commands.
1. Configure NTP Server
1. Install NTP package
Use the package manager of your Linux distribution to install the NTP daemon.
yum install ntp
2. Set restriction lines in ntp.conf
Edit /etc/ntp.conf and add two restrict statements to control which hosts can query or modify the server.
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
The options mean:
noquery – denies ntpq and ntpdc queries, so ntpd will not dump status data to the host; time service is not affected.
notrap – blocks control-message traps.
nomodify – blocks any ntpq or ntpdc queries that try to change the server's configuration.
nopeer – blocks packets that attempt to form peer associations.
kod – sends a "kiss-of-death" packet to reduce unwanted queries.
3. Allow only specific clients
Add a restriction line for the internal network you want to permit.
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
Give the localhost full access if needed.
restrict 127.0.0.1
4. Add a local clock as backup
Configure a local reference clock so the server can still provide time when it loses Internet connectivity.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
Stratum defines the distance from the primary time source: stratum-1 is the reference, stratum-2 syncs to stratum-1, and so on; stratum-0 devices are hardware clocks.
5. Set NTP log parameters
driftfile /var/lib/ntp/ntp.drift
logfile /var/log/ntp.log
The drift file records the clock's offset over time so the daemon can gradually correct it.
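A check to run over the finished ntp.conf before starting the daemon, as an added example that is not part of the original guide: it parses the restrict lines from steps 2 and 3 and reports default entries missing any of nomodify, notrap, nopeer or noquery, and non-loopback entries missing nomodify or notrap. The function names and the sample configuration are constructed for illustration.

```python
import ipaddress

DEFAULT_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}  # step 2 of the guide
CLIENT_FLAGS = {"nomodify", "notrap"}                         # step 3 of the guide

def parse_restrict(line):
    """Return (address, flags) for a restrict line, or None for any other line."""
    tokens = [t for t in line.split("#", 1)[0].split() if t not in ("-4", "-6")]
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    address, rest = tokens[1], tokens[2:]
    rest = rest[2:] if rest[:1] == ["mask"] else rest  # drop "mask <netmask>"
    return address, set(rest)

def is_loopback(address):
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:  # "default" or a hostname
        return False

def audit(conf_text):
    """Return a list of (line_number, message) findings; empty means no issues."""
    findings, has_default = [], False
    for number, line in enumerate(conf_text.splitlines(), 1):
        parsed = parse_restrict(line)
        if parsed is None:
            continue
        address, flags = parsed
        has_default = has_default or address == "default"
        if "ignore" in flags or is_loopback(address):
            continue  # "ignore" drops all packets; localhost may have full access
        required = DEFAULT_FLAGS if address == "default" else CLIENT_FLAGS
        missing = sorted(required - flags)
        if missing:
            findings.append((number, f"restrict {address}: missing {' '.join(missing)}"))
    if not has_default:
        findings.append((0, "no 'restrict default' line: unlisted hosts are unrestricted"))
    return findings

# Constructed sample: line 2 omits noquery, line 3 gives a subnet full access.
SAMPLE = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer
restrict 192.168.1.0 mask 255.255.255.0
restrict 127.0.0.1
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

To check a real server, pass the contents of /etc/ntp.conf to audit() instead of SAMPLE.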
6. Start the NTP server
service ntpd start
2. Configure NTP Client
7. Edit client ntp.conf
On each client machine, edit /etc/ntp.conf to list one or more upstream servers. Using multiple servers provides redundancy.
server 0.ntp.org iburst
server 1.ntp.org iburst
server 2.ntp.org iburst
server 3.ntp.org iburst
The iburst option sends eight packets on the first poll to speed up initial synchronization.
server 192.168.1.1 prefer
The prefer flag gives this server higher priority; if its response differs significantly from others, it will be ignored.
8. Start the NTP daemon on the client
/etc/init.d/ntp start
9. Check NTP status
Use ntpq -p to view peers and synchronization statistics.
# ntpq -p
remote refid st t when poll reach delay offset jitter
==============================================================================
*elserver1 192.168.1.1 3 u 300 1024 377 1.225 -0.071 4.606
10. Set local date and time (one-time sync)
ntpdate -u 192.168.1.1
After this initial sync, the client continuously adjusts its clock via the NTP daemon.
You can also query detailed daemon information with ntpdc -c sysinfo:
# ntpdc -c sysinfo
system peer: hgst.com.cn
system peer mode: client
leap indicator: 00
stratum: 4
precision: -23
root distance: 0.00279 s
root dispersion: 0.06271 s
reference ID: [192.168.1.1]
reference time: d70bd07b.f4b5cf2b Wed, Apr 30 2014 15:41:47.955
system flags: auth monitor ntp kernel stats
jitter: 0.000000 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s
Liangxu Linux
