Hetzner - DokuWiki

Uhrzeit synchronisieren mit NTP/en

Inhaltsverzeichnis

NTP (Network Time Protocol)

NTP is a protocol for synchronising the clock/time on a server with a central time server. In the Hetzner standard images the service has already been pre-configured to work with the Hetzner NTP servers.

Install the NTP daemon

In order to configure NTP on a custom installation you will first need to install the NTP daemon. NTP is already present in each linux distribution as a package and can be easily installed.

  • Debian
debian root # apt-get install ntp
  • Gentoo
emerge ntp
  • OpenSuSE
Please install via YaSt

Configuring the NTP daemon

Since January 2010 Hetzner runs three time servers using the NTP protocol. These are housed in three different locations and have the following addresses:

  • ntp1.hetzner.de
  • ntp2.hetzner.com
  • ntp3.hetzner.net

To use these time servers under Linux, the ntpd must be configured accordingly. In Debian for example, the following three lines can be inserted (or they can replace the existing lines) in the /etc/ntp.conf file:

server  ntp1.hetzner.de  iburst
server  ntp2.hetzner.com iburst
server  ntp3.hetzner.net iburst

Note that some older versions of ntpd may require the additional parameter dynamic to be appended on each line above. This parameter, obsolete (in 4.x ntpd) allows a server to be configured even if the server is not reachable during configuration time.

Optionally a few public servers can be added as well:

server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org

Here your server selects any German NTP server from a pool. This ensures that the request load is distributed across multiple servers while also increasing the reliability.

After changing the NTP settings the NTP daemon has to be restarted, to let the changes take effect.

Security

As ntp is primarily a UDP-based protocol, it is vulnerable to being misused as part of distributed amplification / reflection denial-of-service attacks known as DRDoS.

If possible you should upgrade to 4.2.7p26 or later. As an alternative all status requests can be blocked using the noquery statement.

A possible configuration which uses only Hetzner NTP servers follows:

restrict    default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

restrict    127.0.0.1
restrict -6 ::1

server ntp1.hetzner.de iburst
server ntp2.hetzner.de iburst
server ntp3.hetzner.de iburst

In this setup status and configuration requests are limited to localhost, while time information can be and is exchanged with any server.

Another option is to ignore all request except time information from explicitly configured servers. Configuration and status requests remain localhost only.

restrict    default ignore
restrict -6 default ignore

restrict    127.0.0.1
restrict -6 ::1

server ntp1.hetzner.de iburst
restrict    213.239.239.164 nomodify notrap nopeer noquery
restrict -6 2a01:4f8:0:a0a1::2:1 nomodify notrap nopeer noquery

server ntp2.hetzner.de iburst
restrict    213.239.239.165 nomodify notrap nopeer noquery
restrict -6 2a01:4f8:0:a101::2:3 nomodify notrap nopeer noquery

server ntp3.hetzner.de iburst
restrict    213.239.239.166 nomodify notrap nopeer noquery
restrict -6 2a01:4f8:0:a112::2:2 nomodify notrap nopeer noquery

Manual time synchronization with NTP

It might be necessary to synchronize the time manually after you have installed the NTP daemon for the first time. You can do this with either ntpd or ntpdate (may need to be additionally installed):

ntpd -q -g

The option "-g" means that ntpd will also synchronize if the time difference is more than 1000 seconds. The option "-q" means that ntpd will only run once.

ntpdate NTP-Server
ntpdate ptbtime1.ptb.de

Save the new time in the hardware clock

Last but not least you should save the current time into the hardware clock of the server:

hwclock --systohc

Otherwise a completely wrong time can show up after a reboot.



© 2019. Hetzner Online GmbH. Alle Rechte vorbehalten.