Notes on NTP Daemon Setup¶
There are several NTP daemons available, including:
- The reference NTP daemon (
ntpd) from ntp.org; see their support website
- Maybe NTPsec, once it’s production-ready
- Maybe Ntimed, once it’s production-ready
We suggest you run your NTP daemon in a mode which will tell your OS kernel to handle leap seconds in a particular way: the default NTP way, so that system clock adjustments are localized and not spread out across the minutes, hours, or days surrounding leap seconds (e.g. “slewing” or “smearing”). There’s a nice Red Hat Developer Blog post about the various options.
Use the default mode with
chronyd. For another NTP daemon, consult its documentation.
It’s tricky to make an NTP daemon setup secure. Always install the latest version and read the documentation about how to configure and run it securely. See the notes on firewall setup.
Amazon Linux Instances¶
If your BigchainDB node is running on an Amazon Linux instance (i.e. a Linux instance packaged by Amazon, not Canonical, Red Hat, or someone else), then an NTP daemon should already be installed and configured. See the EC2 documentation on Setting the Time for Your Linux Instance.
That said, you should check which NTP daemon is installed. Is it recent? Is it configured securely?
The Ubuntu ntp Packages¶
ntp packages are based on the reference implementation of NTP.
The following commands will uninstall the
ntpdate packages, install the latest
ntp package (which might not be based on the latest ntpd code), and start the NTP daemon (a local NTP server). (
ntpdate is not reinstalled because it’s deprecated and you shouldn’t use it.)
sudo apt-get --purge remove ntp ntpdate sudo apt-get autoremove sudo apt-get update sudo apt-get install ntp # That should start the NTP daemon too, but just to be sure: sudo service ntp restart
You can check if
ntpd is running using
sudo ntpq -p.
You may want to use different NTP time servers. You can change them by editing the NTP config file
Note: A server running an NTP daemon can be used by others for DRDoS amplification attacks. The above installation procedure should install a default NTP configuration file
/etc/ntp.conf with the lines:
restrict -4 default kod notrap nomodify nopeer noquery restrict -6 default kod notrap nomodify nopeer noquery
Those lines should prevent the NTP daemon from being used in an attack. (The first line is for IPv4, the second for IPv6.)
There are additional things you can do to make NTP more secure. See the NTP Support Website for more details.