NTP installation on Debian Wheezy

Fob Watch

This is a very quick guide, intention is to help entry-level Linux users to build an NTP server. Note: This article assumes you are working in a VMware environment.

You also need to have NTP available to an internal network and secured from the Monlist attack.

Before you begin

Check VMware version compatibility. Note that NTP reflection attacks need to be mitigated on NTP servers prior to version 4.2.7.

To disable "monlist" functionality on a public-facing NTP server that cannot be updated to version 4.2.7, add the noquery directive to the restrict default line in the system’s /etc/ntp.conf as shown below:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

Server build

I've installed the base OS from a netinstall CD ISO. The ISO is small and the Base/Core OS can be installed without needing Internet access.

During the installation, I created the system with a local user ntpmgr, you can call it what you want just substitute the name where required below.

Building behind a proxy, no worries, edit the apt.conf file with the proxy connection string:

vi /etc/apt/apt.conf

Acquire::http::Proxy "";

You can add proxy credentials in this file too!

I'm going to amend /etc/apt/sources.list to use the redirector:

vi /etc/apt/sources.list

deb wheezy main
deb-src wheezy main

deb wheezy/updates main
deb-src wheezy/updates main

# wheezy-updates, previously known as 'volatile'
deb wheezy-updates main
deb-src wheezy-updates main


Now let's configure the server so we can manage it from the comfort of your desk using a ssh client:

vi /etc/ssh/sshd_config

AllowUsers ntpmgr


hostname -f


Install the VMware tools and the ntp, vim, apticron and logwatch packages:

aptitude update

aptitude install less open-vm-tools ntp vim apticron logwatch

Edit the NTP configuration (I'm using the pool zone for Australia):

vi /etc/ntp.conf

server iburst
server iburst
server iburst
server iburst

Restrict access to your local subnet:

restrict mask nomodify notrap

Restart NTP:

service ntp restart

See if it is working (assuming you have got any enterprise firewall rules configured):

ntpq -p


Now for some email alerting:

aptitude install postfix

You will be met with:

The following actions will resolve these dependencies:

Remove the following packages:
1) exim4
2) exim4-base
3) exim4-config
4) exim4-daemon-light

Accept this solution? [Y/n/q/?] Y

Now to configure SMTP relay in Postfix:

vi /etc/postfix/

Look for the section masquerade_domains:

masquerade_domains =

Now to add the email address to receive email alerts from this server:

vi /etc/aliases



We need to compile the "aliases" file to "aliases.db" with this command:


Now it is time to let the mail flow:

service postfix restart


Change passwords, log in and sudo -i:

passwd ntpmgr

passwd root

About the author

Paul Angus's picture

Paul Angus

Paul is a security and infrastructure professional with over 13 years of experience in the Information Technology sector.

Before transitioning to the IT sector, the knowledge gained working along side senior management, civil engineers, surveyors, town planners and graphic designers helped to shape his unique perspective.
Last updated: 
2015-07-05 20:31

Add new comment