
How to Set Up and Secure NTP Server & Client on Linux

Learn step‑by‑step how to install, configure, and secure an NTP server on Linux, restrict client access, add a local clock fallback, set logging and drift parameters, then configure Linux clients to synchronize time, start services, and verify synchronization status.

Liangxu Linux

Configure NTP Server

1. Install NTP package

Use the distribution’s package manager, e.g. on Red Hat/CentOS:

yum install ntp

2. Set restriction lines in /etc/ntp.conf

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

The options mean:

noquery: prevents dumping of status data.
notrap: blocks control‑message traps.
nomodify: blocks ntpq queries that try to modify the server.
nopeer: blocks packets that try to establish peer associations.
kod: sends a “kiss‑of‑death” packet to reduce unwanted queries.

The -6 flag forces DNS resolution to IPv6 addresses; on the default line it applies the same restrictions to IPv6 sources.

3. Allow only specific clients

Add a restriction for the internal network, for example:

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Give the localhost full access if needed:

restrict 127.0.0.1

4. Add a local clock as fallback

server 127.127.1.0   # local clock
fudge  127.127.1.0 stratum 10

Stratum indicates distance from the primary time source; stratum‑0 is the reference clock, stratum‑1 is the primary server, and higher numbers are further downstream.

5. Configure drift and log files

driftfile /var/lib/ntp/ntp.drift
logfile   /var/log/ntp.log

The drift file records the clock’s frequency error so ntpd can correct it over time.

6. Start the NTP daemon

service ntpd start
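
A check for the restrict lines from steps 2 and 3, as an added example that is not part of the original article: it parses an ntp.conf and reports where the default and client entries fall short of the flags used above. The function names, the loopback exemption, the treatment of ignore, and the rule that IPv4 and IPv6 each need their own default line (as the article writes them) are assumptions of this example.

```python
# Added example: audit ntp.conf restrict lines against the article's baseline flags.
DEFAULT_FLAGS = {"nomodify", "notrap", "nopeer", "noquery"}  # article's default lines
CLIENT_FLAGS = {"nomodify", "notrap"}  # article's internal-network line
LOOPBACK = {"127.0.0.1", "::1"}  # assumption: loopback may stay unrestricted

def parse_restrict(line):
    """Return (family, address, flags) for a restrict line, or None otherwise."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    family = "ipv6" if tokens[1] == "-6" else "ipv4"
    rest = tokens[2:] if tokens[1] in ("-4", "-6") else tokens[1:]
    if not rest:
        return None
    address, flags = rest[0], rest[1:]
    if flags[:1] == ["mask"]:  # drop "mask <netmask>"
        flags = flags[2:]
    if ":" in address:  # literal IPv6 address without -6
        family = "ipv6"
    return family, address, set(flags)

def missing(required, flags):
    """Flags still needed; 'ignore' drops all packets, so it meets any baseline."""
    return set() if "ignore" in flags else required - flags

def audit_ntp_conf(text):
    """Return findings as strings; an empty list means the baseline is met."""
    findings, defaults = [], {}
    for family, address, flags in filter(None, map(parse_restrict, text.splitlines())):
        if address == "default":
            defaults[family] = flags
        elif address not in LOOPBACK and missing(CLIENT_FLAGS, flags):
            findings.append(f"{address}: add {' '.join(sorted(missing(CLIENT_FLAGS, flags)))}")
    for family in ("ipv4", "ipv6"):
        if family not in defaults:
            findings.append(f"{family}: no 'restrict default' line")
        elif missing(DEFAULT_FLAGS, defaults[family]):
            findings.append(f"{family} default: add {' '.join(sorted(missing(DEFAULT_FLAGS, defaults[family])))}")
    return findings

# Constructed sample: queries left open on IPv4, no IPv6 default, subnet unrestricted.
WEAK_CONF = """restrict default kod nomodify notrap
restrict 192.168.1.0 mask 255.255.255.0
restrict 127.0.0.1
"""

if __name__ == "__main__":
    print("\n".join(audit_ntp_conf(WEAK_CONF)))
```

Run it against /etc/ntp.conf by passing the file's contents to audit_ntp_conf; an empty result means every restrict line carries at least the flags from steps 2 and 3.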

Configure NTP Client

1. Edit /etc/ntp.conf on the client

Specify multiple upstream servers for redundancy, for example:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
server 192.168.1.1 prefer

The iburst option sends eight packets on the first poll to speed up initial synchronization. The prefer flag gives higher priority to the specified server.

2. Start the client daemon

/etc/init.d/ntp start

3. Verify synchronization

Check peers with:

ntpq -p

Query detailed status with:

ntpdc -c sysinfo

4. Set the local date and time once

ntpdate -u 192.168.1.1

After this initial sync, the client will continuously adjust its clock based on the NTP server.
