From bfa59bdb012d7d4016b054ab5ebfdf38762a32c8 Mon Sep 17 00:00:00 2001 From: moltenbit Date: Thu, 5 Mar 2026 10:56:55 +0100 Subject: [PATCH 1/2] Add systemd-timesyncd setup instructions for Debian 13 Added instructions for using systemd-timesyncd on Debian 13 and later, including enabling NTP synchronization, configuring trusted NTP servers, and checking synchronization status. --- README.md | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/README.md b/README.md index effc4b1..749e359 100644 --- a/README.md +++ b/README.md 
@@ -1015,6 +1015,76 @@ NTP stands for Network Time Protocol. In the context of this guide, an NTP clien #### Steps +##### Debian 13 (Trixie) and later: systemd-timesyncd + +`systemd-timesyncd` is a lightweight SNTP client that is already included in Debian. Unlike the full `ntpd` daemon, it does not listen on any port, which makes it a smaller attack surface. For the purposes of this guide - keeping your server's clock in sync - it is all you need. + +1. Enable NTP synchronization: + + ``` bash + sudo timedatectl set-ntp true + ``` + +1. Verify it is working: + + ``` bash + timedatectl status + ``` + + You should see `NTP service: active` and `System clock synchronized: yes` in the output. + +1. Configure trusted NTP servers. Make a backup of the configuration file and then edit it: + + ``` bash + sudo cp --archive /etc/systemd/timesyncd.conf /etc/systemd/timesyncd.conf-COPY-$(date +"%Y%m%d%H%M%S") + ``` + + Edit `/etc/systemd/timesyncd.conf` and uncomment/set the `[Time]` section: + + ``` + [Time] + NTP=pool.ntp.org + FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org + ``` + + [For the lazy](#editing-configuration-files---for-the-lazy): + + ``` bash + sudo sed -i -r -e "s/^#?NTP=.*$/NTP=pool.ntp.org # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/systemd/timesyncd.conf + sudo sed -i -r -e "s/^#?FallbackNTP=.*$/FallbackNTP=0.debian.pool.ntp.org 1.debian.pool.ntp.org 2.debian.pool.ntp.org # added by $(whoami) on $(date +"%Y-%m-%d @ %H:%M:%S")/" /etc/systemd/timesyncd.conf + ``` + +1. Restart the service to apply the changes: + + ``` bash + sudo systemctl restart systemd-timesyncd + ``` + +1. 
Check the synchronization status: + + ``` bash + timedatectl timesync-status + ``` + + > ``` + > Server: 108.61.56.35 (pool.ntp.org) + > Poll interval: 32s (min: 32s; max: 34min 8s) + > Leap: normal + > Version: 4 + > Stratum: 2 + > Reference: C342F10A + > Precision: 1us (2^0) + > Root distance: 24.054ms (max: 5s) + > Offset: +2.156ms + > Delay: 48.567ms + > Jitter: 1.452ms + > Packet count: 3 + > ``` + +##### Debian 12 (Bookworm) and earlier: ntp package + +> **Note:** These steps apply to **Debian 12 and earlier** only. On Debian 13+, the `ntp` package is no longer available -- use the [systemd-timesyncd steps](#debian-13-trixie-and-later-systemd-timesyncd) above instead. + 1. Install ntp. On Debian based systems: From 522b606c4e2fef77cb431a94ad528c0b26bb5b67 Mon Sep 17 00:00:00 2001 From: moltenbit Date: Thu, 5 Mar 2026 11:02:09 +0100 Subject: [PATCH 2/2] Add note about ntp in Debian 13+ Update instructions for NTP client configuration on Debian 13+. --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 749e359..aa9f563 100644 --- a/README.md +++ b/README.md 
@@ -1000,6 +1000,7 @@ Many security protocols leverage the time. If your system time is incorrect, it #### How It Works NTP stands for Network Time Protocol. In the context of this guide, an NTP client on the server is used to update the server time with the official time pulled from official servers. Check https://www.pool.ntp.org/en/ for all of the public NTP servers. +> **Note:** Starting with **Debian 13 (Trixie)**, the classic `ntp` package has been removed. Running `sudo apt install ntp` will fail with *"Package ntp has no installation candidate"*. Since this guide only uses NTP as a **client** (to sync the server's clock), the recommended approach on Debian 13+ is to use `systemd-timesyncd`, which is already pre-installed and requires no additional packages. See the [Debian 13+ steps](#debian-13-trixie-and-later-systemd-timesyncd) below. #### Goals @@ -1096,7 +1097,7 @@ NTP stands for Network Time Protocol. In the context of this guide, an NTP clien 1. Make a backup of the NTP client's configuration file `/etc/ntp.conf`: ``` bash - sudo cp --archive /etc/ntpsec/ntp.conf /etc/ntpsec/ntp.conf-COPY-$(date +"%Y%m%d%H%M%S") + sudo cp --archive /etc/ntp.conf /etc/ntp.conf-COPY-$(date +"%Y%m%d%H%M%S") ``` 1. The default configuration, at least on Debian, is already pretty secure. The only thing we'll want to make sure is we're the `pool` directive and not any `server` directives. The `pool` directive allows the NTP client to stop using a server if it is unresponsive or serving bad time. Do this by commenting out all `server` directives and adding the below to `/etc/ntp.conf`.
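Review bot: In PATCH 1/2, hunk `@@ -1015,6 +1015,76 @@`, the two "for the lazy" `sed` commands put the `# added by $(whoami) on $(date ...)` marker on the same line as the value, so the file ends up with `NTP=pool.ntp.org # added by ...`. systemd configuration files only treat `#` as a comment at the start of a line, and `NTP=` and `FallbackNTP=` take a space-separated list of servers, so the marker text is read as part of the server list rather than ignored. Please have `sed` write the marker as its own comment line above the setting, or drop it, so the result matches the hand-edited `[Time]` block shown just before it in the same step.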
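Review bot: In PATCH 2/2, hunk `@@ -1096,7 +1097,7 @@`, the backup command changes from `/etc/ntpsec/ntp.conf` to `/etc/ntp.conf`, but the commit message only mentions a Debian 13+ note and does not explain this path change. It sits in the section that PATCH 1/2 labels "Debian 12 (Bookworm) and earlier", and the removed line implies that on at least some of those releases the file lives under `/etc/ntpsec/`, where the new `cp` would fail with "No such file". Please confirm which releases use which path, name both in the step if they differ, and mention the change in the commit message.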