Chapter 8. Class #8 - NTP, Remote Access, & System Reporting

Table of Contents

Intro to NTP
Installing NTP
NTP Configuration
NTP as a Service
Commands to Manipulate NTP
Securing NTP
Additional Notes & Considerations for NTP
Intro to Remote Access with VNC
Installing VNC
VNC Configuration
VNC as a Service
Commands to Manipulate VNC
Securing VNC
Additional Notes & Considerations for VNC
Intro to System Reporting
Installing System Reporting
System Reporting Commands & Services
Additional Notes & Considerations for System Reporting
Reference Material for this Chapter

This chapter covers NTP (Network Time Protocol), GUI access to the system from a remote location with VNC, and System Reporting.

Intro to NTP

NTP (Network Time Protocol) provides a standardized way for systems to obtain correct time over the network and to provide it to other systems. The service is critical in today's networking environments: synchronized time is required for accurate handling of email, for clustering, for cloud computing, for virtualization, for Kerberos authentication (which rejects tickets when clocks differ by more than a few minutes), and for correlating log entries across systems during an investigation (just to name a few).

Installing NTP

ntp is typically installed by default. If it is not, run `yum -y install ntp` to install it. The following packages together provide a comprehensive set of utilities for working with ntp.

  • ntp - Provides the daemon and utilities.
  • system-config-date - Provides a graphical interface for changing the time and configuring an ntp client.
  • ntpdate - Provides a command line utility for setting the date and time with ntp.

NTP Configuration

The main ntp configuration file is /etc/ntp.conf. The table below defines several major terms regarding ntp and ntp.conf.

Table 8.1. NTP Configuration Terms Defined

Term                   Description
Stratum 0              A reference clock device such as an atomic, radio, or GPS clock. Not usually attached to the network itself but connected directly to a server.
Stratum 1              A server attached to a stratum 0 reference clock that also answers time queries from other hosts.
Stratum 2 through 15   Servers that acquire time from servers above them in the hierarchy (a lower stratum number) and share it with peers or clients. Stratum 16 means "unsynchronized" and is never a usable source.
Server (in ntp.conf)   A time source that is more authoritative (lower stratum number) than the system being configured, and from which this system obtains time information.
Peer (in ntp.conf)     A time source considered equally authoritative (same stratum) as the system being configured, and with which this system exchanges time information in both directions.

The following table lists several directives within ntp.conf and what they mean.

Table 8.2. ntp.conf Configuration Directives

Term                              Description
'restrict' lines                  Define the access allowed to hosts that send packets to this service. Any host not matched by a more specific line falls under the 'restrict default' line, so a configured server or peer needs its own restrict line only when the default line would deny something it needs (for example, when the default line carries 'ignore').
'server' lines                    Define a host to be queried as a more authoritative time source.
'peer' lines                      Define a host to be queried as an equally authoritative time source.
'broadcast' or 'multicast' lines  Define ways to obtain or provide time information apart from unicast queries.
'restrict' syntax                 restrict <address> [mask <subnet mask>] [flag] [flag] ...
'address' and optional 'mask'     The address, in dotted-quad notation, of the host or network to be restricted. Alternatively, the address can be a valid DNS name, or the word 'default' to match every address not matched by a more specific line.
'ignore' (flag)                   Drop all packets from the matched hosts, including ordinary time requests.
'kod' (flag)                      Send a "kiss-of-death" packet, instead of silently dropping the request, to a client that violates the rate limits enforced by the 'limited' flag, so that a well-behaved client backs off. Without 'limited' on the same line the flag has nothing to act on.
'nomodify' (flag)                 Allow time service and informational queries, but deny ntpq and ntpdc requests that would change the daemon's configuration or runtime state.
'noquery' (flag)                  Deny ntpq and ntpdc queries, which reveal the daemon's version, peers, and configuration to anyone who can reach the port. The time service is unaffected.
'nopeer' (flag)                   Deny unauthenticated packets that would create a new association, such as symmetric-active packets from a host that is not a configured peer.
'notrap' (flag)                   Deny the mode 6 "trap" service that ntpdc uses for remote event logging.

Configure an ntp Client

The steps listed below will configure a machine as an ntp client.

  1. Configure at least one server (three or more are preferred, so that a single wrong source can be identified and rejected) in '/etc/ntp.conf'.
  2. With the ntp service stopped, set the clock once with `ntpdate <server>`; ntpd will not correct an initial offset larger than 1000 seconds on its own.
  3. Start the ntp service.
  4. Verify that the service sees the configured servers (this may take a few minutes) with the command `ntpq -p`; a '*' in the first column marks the source ntpd has selected.

Configure an ntp Server

The steps below will configure a machine to be a time source for other machines.

  1. Follow the steps for Client Configuration.
  2. Add one or more restrict lines to allow appropriate access from those systems that will be clients (or peers).
  3. Restart the service after making changes.
  4. Open the firewall appropriately.

Configure an ntp Peer

The steps below will configure the machine to be a peer member among a group of machines.

  1. Follow the steps for Client Configuration.
  2. Add one or more restrict lines to allow appropriate access from those systems that will be clients (or peers).
  3. Add one or more peer lines: peer <peer IP or hostname> [options].
  4. Restart the service after making changes.
  5. Verify that the service sees the configured servers (this may take a few minutes) with the command `ntpq -p`.
  6. Open the firewall appropriately.
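The three procedures above differ only in the lines they add to /etc/ntp.conf and in what `ntpq -p` should show afterwards. The script below is an added example, not part of the course material: it renders the role-specific lines for a client, a server, or a peer, and checks `ntpq -p` output for a selected source and for sources ntpd cannot use. The addresses (192.168.1.x, 10.0.0.x) and the sample `ntpq -p` output are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the course page: render the role-specific lines
# for /etc/ntp.conf and check `ntpq -p` output for a usable time source.
# All addresses and the ntpq sample below are constructed for this demo.

# ntp_role_lines ROLE "UPSTREAM..." "PEER..." NET MASK
#   client: one 'server' line per upstream host (three or more preferred).
#   server: the client lines plus a restrict line that lets NET/MASK
#           synchronize but not query or reconfigure the daemon.
#   peer:   the server lines plus one 'peer' line per peer host.
ntp_role_lines() {
    role=$1 upstreams=$2 peers=$3 net=$4 mask=$5
    for h in $upstreams; do
        echo "server $h iburst"
    done
    case $role in
    client) ;;
    server) echo "restrict $net mask $mask nomodify notrap noquery" ;;
    peer)
        echo "restrict $net mask $mask nomodify notrap noquery"
        for p in $peers; do
            echo "peer $p"
        done ;;
    *)  echo "unknown role: $role" >&2; return 1 ;;
    esac
}

# Constructed `ntpq -p` output as seen on a client a few minutes after start.
# Column 1 is the tally code: '*' selected source, '+' candidate, ' ' unused.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.168.1.8     .GPS.            1 u   34   64  377    0.412   -0.118   0.042
+10.0.0.5        192.168.1.8      2 u   12   64  177    0.801    0.233   0.110
 10.0.0.6        .INIT.          16 u    -   64    0    0.000    0.000   0.000
 10.0.0.7        .STEP.          16 u   20   64  377    0.650    0.000   0.000'

# ntp_system_peer NTPQ_OUTPUT
# Print the address ntpd has selected as its system peer (tally '*') and
# return 0; return 1 when no source has been selected yet, which is normal
# during the first few polls and permanent when no source is usable.
ntp_system_peer() {
    printf '%s\n' "$1" | awk '
        NR > 2 && substr($0, 1, 1) == "*" { $0 = substr($0, 2); print $1; found = 1 }
        END { exit (found ? 0 : 1) }'
}

# ntp_unusable_sources NTPQ_OUTPUT
# Print "ADDRESS REASON" for each source ntpd cannot use. reach is an octal
# shift register of the last eight polls: 0 means no reply at all (wrong
# address, firewall, or a restrict line on the server); stratum 16 means the
# source answers but is itself unsynchronized.
ntp_unusable_sources() {
    printf '%s\n' "$1" | awk '
        NR > 2 {
            $0 = substr($0, 2)          # drop the one-character tally column
            if ($7 == "0")       print $1 " unreachable"
            else if ($3 == "16") print $1 " unsynchronized"
        }'
}

# Stand-alone demo.
echo "--- ntp.conf lines for a server on 10.0.0.0/24 ---"
ntp_role_lines server "192.168.1.8 192.168.1.9 192.168.1.10" "" 10.0.0.0 255.255.255.0
echo "--- sync state ---"
if peer=$(ntp_system_peer "$SAMPLE_NTPQ"); then
    echo "synchronized to $peer"
else
    echo "no system peer selected yet"
fi
ntp_unusable_sources "$SAMPLE_NTPQ"
```

On a real host, feed the functions live output with `ntp_system_peer "$(ntpq -p)"`. A source listed as unreachable after several minutes usually means the server side is missing the restrict line from step 2 or the firewall rule from the last step.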

NTP as a Service

The (typical) commands below are used to manipulate the ntp service.

  • `service ntpd {start|stop|restart|etc}`
  • `chkconfig ntpd on`

Commands to Manipulate NTP

The most common commands to manipulate NTP are `ntpdate` and `ntpq`. There is also a graphical interface called `system-config-date` to configure ntp.

Securing NTP

The following SELinux commands show which file contexts, ports, and booleans apply to ntp:

  • `semanage fcontext -l | grep "ntp"`
  • `semanage port -l | grep "ntp"`
  • `semanage boolean -l | grep ntp`

ntpd listens on UDP port 123; NTP does not use TCP, so a TCP rule for port 123 accomplishes nothing. A client needs no inbound rule of its own, because the replies to its queries are matched by the stateful ESTABLISHED,RELATED rule in the default RHEL rule set. Only a server that allows ntp synchronization from other machines needs iptables to accept inbound UDP/123, and that rule should be limited to the client networks rather than opened to the world.
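As an added example (not from the course page), the script below audits the 'restrict default' lines of an ntp.conf for the flags discussed above and prints the one iptables rule a time server needs. The two configuration samples are constructed for the demo: the weak one is missing noquery and nopeer, the hardened one matches the stock RHEL default line plus a limited LAN line.

```shell
#!/bin/sh
# Added example, not part of the course page: audit the 'restrict default'
# lines of an ntp.conf and print the iptables rule a time server needs.
# The config samples below are constructed for this demo.

# ntp_audit_restrict < FILE
# Report every 'restrict default' line (IPv4 or IPv6 form) that lacks any of
# nomodify, noquery, nopeer or notrap, and report when no default line exists
# at all (ntpd then grants every host full access). Returns 1 if anything
# was reported, 0 if the configuration passes.
ntp_audit_restrict() {
    awk '
        BEGIN { n = split("nomodify noquery nopeer notrap", want, " "); bad = 0 }
        { sub(/#.*/, "") }                      # ignore comments
        /^[ \t]*restrict[ \t]+(-[46][ \t]+)?default([ \t]|$)/ {
            seen++
            for (i = 1; i <= n; i++)
                if ((" " $0 " ") !~ (" " want[i] " ")) {
                    printf "line %d: missing %s\n", NR, want[i]
                    bad = 1
                }
        }
        END {
            if (!seen) {
                print "no restrict default line: every host gets full access"
                bad = 1
            }
            exit bad
        }'
}

# ntp_firewall_rule NET
# NTP is UDP/123 only; print the iptables rule that lets NET reach ntpd.
ntp_firewall_rule() {
    echo "iptables -I INPUT -p udp --dport 123 -s $1 -j ACCEPT"
}

# Constructed samples: a weak default line beside the hardened one.
WEAK_CONF='driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap
restrict -6 default kod nomodify notrap
restrict 127.0.0.1
server 192.168.1.8 iburst'

HARDENED_CONF='driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
# clients on the LAN may synchronize but not query or reconfigure ntpd
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap noquery
server 192.168.1.8 iburst'

# Stand-alone demo.
echo "--- weak configuration ---"
printf '%s\n' "$WEAK_CONF" | ntp_audit_restrict || echo "FAIL"
echo "--- hardened configuration ---"
printf '%s\n' "$HARDENED_CONF" | ntp_audit_restrict && echo "ok"
echo "--- firewall rule for the LAN ---"
ntp_firewall_rule 192.168.1.0/24
```

Audit the live file with `ntp_audit_restrict < /etc/ntp.conf`. The check is deliberately limited to the default line: host and network lines with fewer flags are where clients are granted access on purpose, so they are reviewed by hand.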

Additional Notes & Considerations for NTP

Listed below is a typical ntp.conf file. Note that the configuration is set to get time synchronization with only one server.

    # For more information about this file, see the man pages
    # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

    driftfile /var/lib/ntp/drift

    # Permit time synchronization with our time source, but do not
    # permit the source to query or modify the service on this system.
    restrict default kod nomodify notrap nopeer noquery
    restrict -6 default kod nomodify notrap nopeer noquery

    # Permit all access over the loopback interface.  This could
    # be tightened as well, but to do so would affect some of
    # the administrative functions.
    restrict 127.0.0.1
    restrict -6 ::1

    # Hosts on local network are less restricted.
    #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    # server 0.rhel.pool.ntp.org iburst
    # server 1.rhel.pool.ntp.org iburst
    # server 2.rhel.pool.ntp.org iburst
    # server 3.rhel.pool.ntp.org iburst
    server 192.168.1.8 iburst

    #broadcast 192.168.1.255 autokey    # broadcast server
    #broadcastclient                    # broadcast client
    #broadcast 224.0.1.1 autokey                # multicast server
    #multicastclient 224.0.1.1          # multicast client
    #manycastserver 239.255.254.254             # manycast server
    #manycastclient 239.255.254.254 autokey # manycast client

    # Undisciplined Local Clock. This is a fake driver intended for backup
    # and when no outside source of synchronized time is available. 
    #server     127.127.1.0     # local clock
    #fudge      127.127.1.0 stratum 10  

    # Enable public key cryptography.
    #crypto

    includefile /etc/ntp/crypto/pw

    # Key file containing the keys and key identifiers used when operating
    # with symmetric key cryptography. 
    keys /etc/ntp/keys

    # Specify the key identifiers which are trusted.
    #trustedkey 4 8 42

    # Specify the key identifier to use with the ntpdc utility.
    #requestkey 8

    # Specify the key identifier to use with the ntpq utility.
    #controlkey 8

    # Enable writing of statistics records.
    #statistics clockstats cryptostats loopstats peerstats

For more information about ntp and its supporting entities, try the following:

  • `man ntp.conf`
  • `man ntp_acc`
  • `man ntp_misc`
  • `man ntp_auth`
  • `man ntp_clock`
  • `man ntp_mon`
  • `man ntpd`