
NTPD

The time server service is straightforward: its main job is to correct the computer clock so that hosts stay synchronized with one another. For a detailed introduction see NTP.

NTP Server Setup

  1. Install NTP
    #yum install ntp
  2. Edit the main NTP configuration file
    #vim /etc/ntp.conf
    Contents:
    # For more information about this file, see the man pages
    # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
     
    driftfile /var/lib/ntp/drift  # records the time drift: mainly the difference between the local BIOS oscillator frequency and the upstream time server
     
    # Permit time synchronization with our time source, but do not
    # permit the source to query or modify the service on this system.
    #restrict default kod nomodify notrap nopeer noquery
    #restrict -6 default kod nomodify notrap nopeer noquery
    # Note: with both "restrict default" lines commented out, ntpd's built-in default
    # entry carries no flags, so hosts matched by no restrict line below get full access.
    restrict 192.168.0.0 mask 255.255.255.0 nomodify # do not allow 192.168.0.0/24 to modify this host's time
    restrict 192.168.1.0 mask 255.255.255.0 nomodify
    restrict 192.168.53.0 mask 255.255.255.0 nomodify
    restrict 127.0.0.1
    restrict tock.stdtime.gov.tw # allow tock.stdtime.gov.tw to modify this host's time
    restrict time.stdtime.gov.tw
    restrict clock.stdtime.gov.tw
    restrict freg_f.stdtime.gov.tw
    restrict tick.stdtime.gov.tw
     
    # Permit all access over the loopback interface.  This could
    # be tightened as well, but to do so would effect some of
    # the administrative functions.
    #restrict 127.0.0.1
    #restrict -6 ::1
     
    # Hosts on local network are less restricted.
    #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
     
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    #server 0.rhel.pool.ntp.org
    #server 1.rhel.pool.ntp.org
    #server 2.rhel.pool.ntp.org
     
    server tock.stdtime.gov.tw prefer # prefer tock.stdtime.gov.tw as this host's upstream time server
    server time.stdtime.gov.tw
    server clock.stdtime.gov.tw
    server freg_f.stdtime.gov.tw
    server tick.stdtime.gov.tw
    #broadcast 192.168.1.255 autokey        # broadcast server
    #broadcastclient                        # broadcast client
    #broadcast 224.0.1.1 autokey            # multicast server
    #multicastclient 224.0.1.1              # multicast client
    #manycastserver 239.255.254.254         # manycast server
    #manycastclient 239.255.254.254 autokey # manycast client
     
    # Undisciplined Local Clock. This is a fake driver intended for backup
    # and when no outside source of synchronized time is available.
    #server 127.127.1.0     # local clock
    #fudge  127.127.1.0 stratum 10
     
    # Enable public key cryptography.
    #crypto
     
    includefile /etc/ntp/crypto/pw
     
    # Key file containing the keys and key identifiers used when operating
    # with symmetric key cryptography.
    keys /etc/ntp/keys # authenticate clients with symmetric keys
     
    # Specify the key identifiers which are trusted.
    #trustedkey 4 8 42
     
    # Specify the key identifier to use with the ntpdc utility.
    #requestkey 8
     
    # Specify the key identifier to use with the ntpq utility.
    #controlkey 8
     
    # Enable writing of statistics records.
    #statistics clockstats cryptostats loopstats peerstats

  3. Start ntpd and adjust iptables
    #/etc/init.d/ntpd start
    #vim /etc/sysconfig/iptables
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    ~omitted~
    # let UDP port 123 (NTP) through
    -A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

    If the /etc/sysconfig/iptables file above does not exist, the following command can be used instead:

    # iptables -I INPUT -i eth0 -p udp --dport 123 -j ACCEPT
  4. Check that ntpd is running and view its status
    #netstat -tulnp |grep ':123'
    #ntpq -p
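Whether the last step actually shows a synchronized host depends on reading ntpq -p correctly: the tally code in the first column, the octal reach register and the offset. The following Python script is an added example, not part of the original page; the ntpq -p output it parses is a constructed sample.

```python
# Constructed sample of `ntpq -p` output for a host peered with the stdtime.gov.tw servers.
# ntpq truncates the remote name to 15 characters and prints the tally code in column 1.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*tock.stdtime.go 203.0.113.7      2 u   38   64  377    8.123    0.412   0.215
+time.stdtime.go 203.0.113.7      2 u   29   64  377    9.010   -0.873   0.330
 clock.stdtime.g .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

def parse_peers(text):
    """Return one dict per peer line; column 1 is the tally code ('*' = system peer)."""
    peers, seen_separator = [], False
    for line in text.splitlines():
        if line.startswith("="):
            seen_separator = True
            continue
        if not seen_separator or not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        remote, refid, stratum, _type, _when, _poll, reach, delay, offset, _jitter = fields
        peers.append({"tally": tally, "remote": remote, "refid": refid, "stratum": int(stratum),
                      "reach": int(reach, 8),          # octal shift register of the last 8 polls
                      "delay_ms": float(delay), "offset_ms": float(offset)})
    return peers

def assess(peers, max_offset_ms=100.0):
    """Return (healthy, findings): healthy only if a system peer exists, answered all of the
    last eight polls (reach 377) and its offset is within max_offset_ms."""
    findings = []
    sys_peers = [p for p in peers if p["tally"] == "*"]
    if not sys_peers:
        findings.append("no system peer selected: ntpd is not synchronized")
    for p in peers:
        if p["reach"] == 0:
            findings.append(f"{p['remote']}: unreachable (reach 0, refid {p['refid']})")
        if p["tally"] == "x":
            findings.append(f"{p['remote']}: rejected as falseticker")
    healthy = bool(sys_peers)
    for p in sys_peers:
        if p["reach"] != 0o377:
            findings.append(f"{p['remote']}: system peer not fully reachable (reach {p['reach']:o})")
            healthy = False
        if abs(p["offset_ms"]) > max_offset_ms:
            findings.append(f"{p['remote']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
            healthy = False
    return healthy, findings
```

Feed it the real output with assess(parse_peers(subprocess.check_output(["ntpq", "-p"], text=True))) and alert on a False result.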

Additional notes on the ntpd configuration file parameters

  • restrict: controls access permissions
    restrict ip [mask] [netmask] [parameter]
    If no parameter is given, all ntpd functions are permitted to that address.
    The parameters are:
    1. ignore
      Rejects all NTP packets, similar to DROP in iptables
    2. kod
    3. nomodify
      Does not allow the NTP server's time to be updated
    4. noquery
      Does not allow ntpq or ntpdc commands to query the ntpd server
    5. nopeer
      Does not allow this ntpd server to be peered with
    6. notrap
      Does not provide the trap remote event logging service
  • server: specifies the upstream NTP server
    server <upstream ntpd server ip>
  • peer: specifies the peer NTP server IP
    peer <peer ntp server ip>
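To see which of these parameters ntpd actually applies to a given client, the restrict lines can be evaluated the way ntpd does: the most specific matching entry wins, and hosts matching nothing fall back to restrict default, which grants everything when no such line exists. The following Python audit is an added example, not from the original page; its two sample configs are constructed to mirror the server and client restrict lines shown on this page, and hostname entries are skipped because ntpd resolves them at start-up.

```python
import ipaddress

# Constructed samples mirroring this page's server and client ntp.conf restrict lines.
SERVER_CONF = ("#restrict default kod nomodify notrap nopeer noquery\n"
               "restrict 192.168.0.0 mask 255.255.255.0 nomodify\n"
               "restrict 127.0.0.1\nrestrict tock.stdtime.gov.tw\n")
CLIENT_CONF = "restrict default ignore\nrestrict 127.0.0.1\nrestrict 192.168.0.62\n"

def parse_restricts(conf):
    """Return (default_flags or None, [(network, flags)]) from the restrict lines."""
    default, entries = None, []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()      # ntp.conf comments run to end of line
        if len(words) < 2 or words[0] != "restrict":
            continue
        target, rest = words[1], words[2:]
        if rest[:1] == ["mask"]:                  # "restrict a.b.c.d mask m.m.m.m <flags>"
            target, rest = f"{target}/{rest[1]}", rest[2:]
        if target == "default":
            default = set(rest)
            continue
        try:
            net = ipaddress.ip_network(target, strict=False)
        except ValueError:
            continue                              # hostname: ntpd resolves it at start-up, not here
        entries.append((net, set(rest)))
    return default, entries

def effective_flags(conf, client_ip):
    """Flags ntpd applies to client_ip: most specific match wins, else the default entry (no flags if none)."""
    default, entries = parse_restricts(conf)
    ip = ipaddress.ip_address(client_ip)
    matches = [e for e in entries if ip in e[0]]
    if matches:
        return max(matches, key=lambda e: e[0].prefixlen)[1]
    return default if default is not None else set()

def audit(conf):
    """Findings a reviewer would raise about the restrict section."""
    default, entries = parse_restricts(conf)
    findings = []
    if default is None:
        findings.append("no 'restrict default': unmatched hosts get full access, including ntpq/ntpdc queries")
    elif not {"ignore", "noquery"} & default:
        findings.append("'restrict default' lacks noquery: status queries allowed from any host")
    for net, flags in entries:
        if not flags and net.num_addresses > 1:
            findings.append(f"{net} has no flags: the whole network may query and modify ntpd")
    return findings
```

Run audit() on the real /etc/ntp.conf contents; the server config on this page produces the missing-default finding, the client config none.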

NTP Client Update Methods

Updating via the NTP service

This method is really the same as the NTP Server setup in the previous section, in both configuration and principle; only the configuration file is modified slightly.

#vim /etc/ntp.conf
Contents:
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.

#restrict default nomodify notrap noquery
restrict default ignore

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1


# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap


# --- OUR TIMESERVERS -----
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server  192.168.0.62 prefer  # the essential lines are this one and the next
restrict 192.168.0.62


# --- NTP MULTICASTCLIENT ---
#multicastclient                        # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap



# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
#server 127.127.1.0     # local clock
#fudge  127.127.1.0 stratum 10

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay  0.008

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys            /etc/ntp/keys

After editing, start ntpd and adjust iptables as in the Server section.

Direct manual update

  1. Install ntpdate
    #yum install ntpdate
  2. Run a network time sync
    #ntpdate 192.168.0.62

Note also that ntpdate and ntpd cannot be enabled at the same time, so do not run this command on the NTP server itself.

linux/ntpd.txt · Last modified: 2013/07/06 01:28 (external edit)