The time-server service is simple: it corrects the computer's clock so that all hosts stay synchronized to the same time. For a detailed introduction see NTP.
#yum install ntp
#vim /etc/ntp.conf
Contents:
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift   # records the frequency offset between the local clock oscillator and the upstream time servers

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify   # 192.168.0.0/24 may sync from this host but may not change ntpd's runtime configuration
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict 192.168.53.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict tock.stdtime.gov.tw   # no flags: unrestricted access for our upstream servers, whose time we accept
restrict time.stdtime.gov.tw
restrict clock.stdtime.gov.tw
restrict freg_f.stdtime.gov.tw
restrict tick.stdtime.gov.tw

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
#restrict 127.0.0.1
#restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server tock.stdtime.gov.tw prefer   # prefer tock.stdtime.gov.tw as this host's upstream time server
server time.stdtime.gov.tw
server clock.stdtime.gov.tw
server freg_f.stdtime.gov.tw
server tick.stdtime.gov.tw

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#server 127.127.1.0     # local clock
#fudge  127.127.1.0 stratum 10

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys   # keys used to authenticate clients

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats

Note that both "restrict default" lines are still commented out in this file, so the default policy is unrestricted: the per-network nomodify lines add nothing beyond what every other host already gets, and any host that can reach UDP 123 may query or reconfigure this ntpd (the ntpq/ntpdc query interface, monlist on older versions in particular, has been widely abused for UDP amplification). Uncomment "restrict default kod nomodify notrap nopeer noquery" (and the -6 line) so that only the listed networks and upstream servers receive more than plain time service; noquery does not prevent clients from synchronizing.
#/etc/init.d/ntpd start
#vim /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
~omitted~
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT   # let UDP port 123 through
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
The ACCEPT for UDP 123 must come before the final REJECT, as above; reload the rules afterwards (service iptables restart).
If there is no /etc/sysconfig/iptables file, the same rule can be inserted into the running ruleset with:
# iptables -I INPUT -i eth0 -p udp --dport 123 -j ACCEPT
(this does not survive a reboot unless saved with service iptables save).
#netstat -tulnp | grep ':123'   (confirm ntpd is listening on UDP 123)
#ntpq -p   (list the configured sources; a '*' in the first column marks the server currently selected for synchronization, which can take a few minutes to appear after start-up)
restrict <address> [mask <netmask>] [flags ...]   If no flags are given, that address is granted every ntpd function. The flags are:
ignore     deny all packets from the address (similar to an iptables DROP)
nomodify   deny ntpq/ntpdc requests that would change ntpd's runtime configuration; time service and read-only queries are still answered
noquery    deny ntpq/ntpdc queries (mode 6/7 packets) against this ntpd; time service is still answered
nopeer     do not form a symmetric peer association with hosts at this address
notrap     do not provide the trap (remote event logging) service
kod        send a kiss-o'-death packet to a client that exceeds the rate limit (only meaningful together with limited)
server <ip>   an upstream ntpd server
peer <ip>     a peer ntpd server (symmetric association)
The client works on the same mechanism and principles as the NTP Server section above; only the configuration file changes slightly.
#vim /etc/ntp.conf
Contents:
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap noquery
restrict default ignore

# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# --- OUR TIMESERVERS -----
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server 192.168.0.62 prefer   # the two lines that matter: our local time server ...
restrict 192.168.0.62        # ... and an unrestricted entry for it, because the default above is ignore

# --- NTP MULTICASTCLIENT ---
#multicastclient                  # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
#server 127.127.1.0     # local clock
#fudge  127.127.1.0 stratum 10
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys

Because the default policy is ignore, the "restrict 192.168.0.62" line is what lets the server's replies in; with only the "server" line the client never synchronizes. The two lines appear once in the file (the original draft repeated them after the local-clock block, which is redundant).
After editing, start ntpd and adjust iptables exactly as for the server.
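The restrict semantics listed above, and the point about the two client lines under "restrict default ignore", can be checked mechanically. The following is an added example, not part of the original page and not an ntp project tool: a POSIX shell/awk audit that reads an ntp.conf on stdin and flags a missing "restrict default", a default that lacks noquery or nomodify, unrestricted entries that are not configured upstream servers, and, under "restrict default ignore", servers without their own restrict line. The four embedded sample configurations are constructed here to mirror the shapes used on this page (the server addresses are the page's own); the function and sample names are this example's.

```shell
#!/bin/sh
# Added example, not from the original page: audit the restrict policy of an ntp.conf.
# Reads the file on stdin, strips comments and reports findings; exit 0 = sound, 1 = findings.
ntp_audit() {
    awk '
        { sub(/#.*/, "") }                       # drop comments (awk re-splits the fields)
        $1 == "restrict" {
            i = 2
            if ($i == "-4" || $i == "-6") i++      # optional address-family prefix
            addr = $i; i++
            if (addr == "default") {               # remember the default policy flags
                have_default = 1
                while (i <= NF) { def[$i] = 1; i++ }
                next
            }
            seen[addr] = 1
            nflags = 0
            while (i <= NF) {                    # count flags; "mask <netmask>" is not one
                if ($i == "mask") i++; else nflags++
                i++
            }
            # a restrict line with no flags grants full access to that address
            if (nflags == 0 && addr != "127.0.0.1" && addr != "::1") open[addr] = 1
            next
        }
        $1 == "server" || $1 == "peer" { src[$2] = 1 }
        END {
            bad = 0
            if (!have_default) {
                print "WARN: no \"restrict default\" line: every host gets full query/modify access"; bad = 1
            } else if ("ignore" in def) {
                # under default ignore each server needs its own restrict line or its replies are dropped
                for (s in src) if (!(s in seen)) { print "WARN: server/peer " s " has no restrict entry; its replies are ignored"; bad = 1 }
            } else {
                if (!("noquery" in def))  { print "WARN: restrict default lacks noquery: anyone may run ntpq/ntpdc queries here"; bad = 1 }
                if (!("nomodify" in def)) { print "WARN: restrict default lacks nomodify: remote runtime changes are allowed"; bad = 1 }
            }
            for (a in open) {
                if (a in src) print "INFO: full access for upstream source " a
                else { print "WARN: full access for " a ", which is not a configured server/peer"; bad = 1 }
            }
            exit bad
        }'
}

# Wrapper for a real file, e.g.  ntp_audit_file /etc/ntp.conf
ntp_audit_file() { ntp_audit < "$1"; }

# Constructed sample configs (not real files) in the shapes used on this page.
sample_conf() {
    case "$1" in
        weak)      # server config with "restrict default" left commented out, as above
            cat <<'EOF'
driftfile /var/lib/ntp/drift
#restrict default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict tock.stdtime.gov.tw
server tock.stdtime.gov.tw prefer
EOF
            ;;
        hardened)  # same server with the default restriction enabled
            cat <<'EOF'
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict tock.stdtime.gov.tw
server tock.stdtime.gov.tw prefer
EOF
            ;;
        client)    # client: default ignore plus the two lines for the local server
            printf 'restrict default ignore\nrestrict 127.0.0.1\nserver 192.168.0.62 prefer\nrestrict 192.168.0.62\n' ;;
        client_broken)  # default ignore, but the restrict line for the server forgotten
            printf 'restrict default ignore\nrestrict 127.0.0.1\nserver 192.168.0.62 prefer\n' ;;
    esac
}

run_demo() {
    for name in weak hardened client client_broken; do
        printf '== %s ==\n' "$name"
        if sample_conf "$name" | ntp_audit; then echo "verdict: OK"; else echo "verdict: NEEDS FIXING"; fi
    done
}
run_demo
```

Run it against the live file with ntp_audit_file /etc/ntp.conf; a non-zero exit means at least one WARN line. The audit only recognises the unqualified "restrict default" (it skips the -4/-6 prefix rather than tracking the families separately) and does not evaluate the limited/kod rate-limit pair.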
#yum install ntpdate
#ntpdate 192.168.0.62   (one-shot synchronization against the local server; useful for stepping a badly skewed clock before ntpd is started, since ntpd only slews gradually and by default refuses to start with an offset above 1000 s)
Note that ntpdate and ntpd cannot run at the same time: both bind UDP port 123, so ntpdate exits with "the NTP socket is in use" while ntpd is running. Do not run this command on the NTP server, or on any host whose ntpd has already been started; run it before starting ntpd, or use ntpdate -u, which sends from an unprivileged port.