Timekeeping is an important part of running software efficiently. Services built on event-based systems where time has to be traced, functionality such as authentication, and systems running on distributed platforms all require the main system to be up to date with the timestamp of every event that occurred; it works like a time logger.
The service used for this is the Network Time Protocol (NTP), which keeps the system clock in step with a clock outside the system. That clock can be an atomic clock, a GPS clock, or any other trusted clock that can work with NTP.
The practical implementation of NTP is the NTP Pool Project. The pool consists of time servers that provide access to “their time” for a huge number of clients around the globe. NTP time is the default for many Linux-based operating systems and many of their applications.
In this article you will learn how to set up NTP on your own server and how to configure it for your use, so that the users connected to your server will have the accurate time. It is needed because it can help you use the complete bandwidth by knowing about the spare CPU cycles.
Before joining the NTP Pool Project you must fulfil three basic requirements:
- Static IP: Your server must have a static IP address.
- Stable Internet Connection: Your server must have a permanent and stable internet connection.
- Consistent IP address: Your IP address must not change, or must change only infrequently (once a year or less).
Step 1 - Installing NTP
As always, first update your packages:
$ sudo yum update
Then install NTP:
$ sudo yum install ntp
Once the installation completes, start the service and configure it so it starts automatically each time the server boots:
$ sudo systemctl start ntpd
$ sudo systemctl enable ntpd
If you’ve configured the firewall as specified in the prerequisites, you must allow UDP traffic for the NTP service in order to communicate with the NTP pool:
$ sudo firewall-cmd --permanent --add-service=ntp
$ sudo firewall-cmd --reload
For more on FirewallD, refer to How To Set Up a Firewall Using FirewallD on CentOS 7.
NTP is now installed, but it’s configured to use the default NTP pool time servers. Let’s pick some specific time servers instead.
Step 2 - Choosing an Upstream Server
The NTP Pool Project has lists of Stratum 1 and Stratum 2 time servers. The listed servers are available for public access under one of the following stated restrictions:

- OpenAccess: This time server is open to any client complying with the NTP Pool usage recommendations.
- RestrictedAccess: This time server has some access restrictions in addition to the NTP Pool usage recommendations.
- ClosedAccess: This time server is closed or requires prior arrangement.
Visit the Stratum 1 Time Servers list. You’ll see a list like the following:

Sort the list above by ISO code and find one or two servers that are close to you geographically. When the server’s Access Policy column states OpenAccess, you can use it without issue. If it says "RestrictedAccess", click to open the entry and read the instructions noted in the AccessDetails field. Often, you’ll find that NotificationMessage is set to Yes, which means you have to write an informal email to the address provided in ServerContact, informing the server operator that you want to use this time server as a time source for your NTP Pool Project member.
Once you’ve identified the servers you’d like to use, click the link for each server in the ISO column and copy its host name or IP address. You’ll use these addresses in Step 3.
Next, select three or four servers from the Stratum 2 list, following the same process.
Once you have selected your time servers, it’s time to configure your NTP client to use them.
Step 3 - Configuring NTP to Join the Pool
To use your server with the NTP pool, and configure your new time servers, you’ll need to make some modifications to your NTP daemon’s configuration. To do so, edit the /etc/ntp.conf file:
$ sudo vi /etc/ntp.conf
First, make sure a driftfile is configured. A driftfile stores the frequency offset between the system clock running at its nominal frequency, and the frequency required to remain in synchronization with correct time. It helps to achieve a stable and accurate time. You should find this at the top of your configuration file on a default installation:
/etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift


Next, remove the default time source entries from the configuration. You’re looking for all lines which are of the pattern server 0.centos.pool.ntp.org iburst. If you’re using a default configuration, remove the highlighted lines as shown in the following example:
/etc/ntp.conf

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
Replace the lines you removed with the hand-picked servers you selected in the previous step.
/etc/ntp.conf

server ntp_server_hostname_1 iburst
server ntp_server_hostname_2 iburst
server ntp_server_hostname_3 iburst
server ntp_server_hostname_4 iburst
server ntp_server_hostname_5 iburst

We use the iburst option for each server, per the NTP Pool recommendations. That way, if the server is unreachable, this will send a burst of eight packets instead of the usual one packet. Using the burst option in the NTP Pool Project is considered abuse as it will send those eight packets every poll interval, whereas iburst sends the eight packets only the first time.
Next, make sure the default configuration does not allow management queries. If you don’t, your server could be used in NTP reflection attacks, or could be vulnerable to ntpq and ntpdc queries that attempt to modify the state of the server. Check that the noquery option is added to the default restrict lines. Also make sure you add the options kod and limited, as they restrict clients that ask too eagerly and enforce rate limiting.
/etc/ntp.conf

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default nomodify notrap nopeer noquery kod limited

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
You can find more information about the other options in the official documentation.
Your NTP daemon configuration file now should look like the following, although your file may have additional comments, which you can safely disregard:
/etc/ntp.conf

driftfile /var/lib/ntp/drift

restrict default nomodify notrap nopeer noquery kod limited

restrict 127.0.0.1
restrict ::1

server ntp_server_hostname_1 iburst
server ntp_server_hostname_2 iburst
server ntp_server_hostname_3 iburst
server ntp_server_hostname_4 iburst
server ntp_server_hostname_5 iburst
Save the file and exit the editor.
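A quick audit of the finished file, added here as an example and not part of the original tutorial: it checks that the default restrict line carries every option from this step, that no server line uses burst, and that a driftfile is set. The function name audit_ntp_conf and the sample file are constructed for illustration.

```shell
# audit_ntp_conf FILE: print one finding per line; exit status 1 if any.
# (Hypothetical helper name; the flags checked are the ones from this step.)
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                     # drop comments
    NF == 0 { next }                       # skip blank lines

    # The default restrict line (optionally "-4"/"-6") must carry every flag.
    $1 == "restrict" {
        i = 2
        if ($i == "-4" || $i == "-6") i++
        if ($i != "default") next
        seen_default = 1
        n = split("nomodify notrap nopeer noquery kod limited", need, " ")
        for (k = 1; k <= n; k++) {
            found = 0
            for (j = i + 1; j <= NF; j++) if ($j == need[k]) found = 1
            if (!found) {
                printf "line %d: restrict default lacks %s\n", NR, need[k]
                bad = 1
            }
        }
        next
    }

    # burst sends eight packets on every poll; only iburst is acceptable.
    $1 == "server" {
        for (j = 3; j <= NF; j++) if ($j == "burst") {
            printf "line %d: server %s uses burst\n", NR, $2
            bad = 1
        }
    }
    $1 == "driftfile" { seen_drift = 1 }
    END {
        if (!seen_default) { print "no restrict default line"; bad = 1 }
        if (!seen_drift)   { print "no driftfile configured";  bad = 1 }
        exit bad + 0
    }' "$1"
}

# Constructed sample: weak default restrict line and a burst server.
sample=$(mktemp)
printf '%s\n' 'driftfile /var/lib/ntp/drift' \
    'restrict default nomodify notrap nopeer' \
    'server ntp_server_hostname_1 burst' > "$sample"
audit_ntp_conf "$sample" || echo "fix the findings above before restarting ntpd"
rm -f "$sample"
```

Run it against /etc/ntp.conf before restarting ntpd; no output and exit status 0 mean the file carries every option from this step.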
Now restart the NTP service and let your time server synchronize its clock to the upstream servers.
โฆ sudo systemctl restart ntpd
โฆ
After a few minutes, check the health of your time server with theย ntpqย command:
โฆ ntpq -p
โฆ
The output should look similar to this:
Output
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 mizbeaver.udel. .INIT.          16 u    -   64    0    0.000    0.000   0.000
 montpelier.ilan .GPS.            1 u   25   64    7   55.190    2.121 130.492
+nist1-lnk.binar .ACTS.           1 u   28   64    7   52.728   23.860   3.247
*ntp.okstate.edu .GPS.            1 u   31   64    7   19.708   -8.344   6.853
+ntp.colby.edu   .GPS.            1 u   34   64    7   51.518   -5.914   6.669
The remote column tells you the hostname of the servers the NTP daemon is using, and the refid column tells you the source the servers are using. So for Stratum 1 servers, the refid field should show GPS, PPS, ACTS, or PTB, and Stratum 2 and higher servers will show the IP address of the upstream server. The st column shows the stratum, and delay, offset and jitter tell you about the quality of the time source. Lower values are better for these three fields.
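The same reading of the ntpq -p table, automated; this is an added example, not part of the original tutorial. It also uses the reach column, which the text above does not describe: an octal bitmap of the last eight polls, where 0 means the peer has not answered. The function names and the default 100 ms offset threshold are assumptions.

```shell
# check_ntpq_peers [MAX_OFFSET_MS]: read `ntpq -p` output on stdin.
# Hypothetical helper; the 100 ms default threshold is an assumption.
check_ntpq_peers() {
    awk -v max="${1:-100}" '
    NR <= 2 { next }                       # column header and ===== rule
    {
        tally = substr($0, 1, 1)           # selection mark: "*" is the system peer
        $0 = substr($0, 2)                 # re-split the remaining ten columns
        if (NF < 10) next
        off = ($9 < 0) ? -$9 : $9          # offset is signed, in milliseconds
        if (tally == "*") syspeer = $1
        # reach is an octal bitmap of the last eight polls; 0 means no replies.
        if ($7 == 0)
            printf "WARN %s has reach 0 (no replies)\n", $1
        else if (off > max)
            printf "WARN %s offset %s ms exceeds %s ms\n", $1, $9, max
    }
    END {
        if (syspeer == "") { print "FAIL no system peer selected"; exit 1 }
        print "OK synchronized to " syspeer
    }'
}

# The sample output shown above, with its column alignment restored.
sample_ntpq_output() {
    cat <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 mizbeaver.udel. .INIT.          16 u    -   64    0    0.000    0.000   0.000
 montpelier.ilan .GPS.            1 u   25   64    7   55.190    2.121 130.492
+nist1-lnk.binar .ACTS.           1 u   28   64    7   52.728   23.860   3.247
*ntp.okstate.edu .GPS.            1 u   31   64    7   19.708   -8.344   6.853
+ntp.colby.edu   .GPS.            1 u   34   64    7   51.518   -5.914   6.669
EOF
}

# With a 20 ms threshold this warns about mizbeaver.udel. and nist1-lnk.binar.
sample_ntpq_output | check_ntpq_peers 20
```

On a live server, pipe the real output in with ntpq -p | check_ntpq_peers; a non-zero exit status means ntpd has not yet selected a system peer.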
Your time server is now able to serve time to the public. You can verify this by calling ntpdate from another host:
$ ntpdate -q your_server_ip
The output should look similar to this; it reports the time server and the offset:
Output
server your_server_ip, stratum 2, offset 0.001172, delay 0.16428
2 Mar 23:06:44 ntpdate[18427]: adjust time server your_server_ip offset 0.001172 sec
Step 4 - Adding the Server to the NTP Pool
To add your server so others can use it, visit manage.ntppool.org and sign up for an account. You will receive an email from NTP Pool help@ntppool.org requesting that you verify your account. Confirm your account by following the instructions in the email, and then log in to manage.ntppool.org.
Once logged in, you’ll see the simple interface for adding servers:

Enter your server’s IP address and click Submit.
The next screen asks you to verify that it identified the region of your server. If it shows your server in a different region than you expect, use the Comment box to let them know.

If you are happy, confirm the entry by clicking Yes, this is my server, add it!
Your server is now part of the NTP Pool Project. Visit http://www.pool.ntp.org/scores/your_server_ip to see information the NTP Pool’s monitoring system has collected about your server. It checks your server a few times per hour and displays offset data, along with the score of your system. As long as your server is keeping good time and is reachable, the score will rise until it reaches 20 points. Only servers with a score higher than 10 are used in the pool.
