======NTPD======
The time-server service is simple: it corrects the computer's clock so that all hosts agree on the time. For an introduction see [[wp>NTP|NTP]].

======Building an NTP Server======
  - Install NTP<code>
# yum install ntp
</code>
  - Edit the main NTP configuration file<code>
# vim /etc/ntp.conf
</code>Contents:<code>
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift   # records the frequency error of the local oscillator relative to the upstream servers

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery

restrict 192.168.0.0 mask 255.255.255.0 nomodify   # 192.168.0.0/24 may sync, but may not change this server's runtime configuration via ntpq/ntpdc
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict 192.168.53.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict tock.stdtime.gov.tw   # no flags: the upstream server is unrestricted, so its replies are accepted
restrict time.stdtime.gov.tw
restrict clock.stdtime.gov.tw
restrict freg_f.stdtime.gov.tw
restrict tick.stdtime.gov.tw

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
#restrict 127.0.0.1
#restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server tock.stdtime.gov.tw prefer   # preferred upstream time server for this host
server time.stdtime.gov.tw
server clock.stdtime.gov.tw
server freg_f.stdtime.gov.tw
server tick.stdtime.gov.tw

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#server 127.127.1.0     # local clock
#fudge  127.127.1.0 stratum 10

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys   # symmetric keys used to authenticate clients and peers

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
</code>
  - Start ntpd and open the firewall<code>
# /etc/init.d/ntpd start
# vim /etc/sysconfig/iptables
</code><code>
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# ... (other rules omitted)
# allow UDP port 123 (NTP); in this file a comment must be on its own line
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</code>Reload the rules afterwards (''service iptables restart''). If there is no /etc/sysconfig/iptables file, add the rule directly instead:<code>
# iptables -I INPUT -i eth0 -p udp --dport 123 -j ACCEPT
</code>
  - Check that ntpd is listening and look at its peer status<code>
# netstat -tulnp | grep ':123'
# ntpq -p
</code>

Two things to check in the configuration above before exposing the server:
  * Both ''restrict default'' lines are commented out, so ntpd's implicit default entry carries no flags. Any host that can reach UDP/123 (and the firewall rule opens it to everyone) can therefore use this machine as a time source and query its status with ntpq/ntpdc; the ''nomodify'' entries only tighten the three LAN ranges. Unless the server is meant to be public, uncomment the two ''restrict default'' lines (the flags are explained in the next section) and keep the explicit LAN and upstream entries after them: the most specific matching entry wins, so the LAN and the upstream servers are not affected by the default.
  * ''keys /etc/ntp/keys'' only tells ntpd where the symmetric keys live; nothing is authenticated until ''trustedkey'' lists the key IDs to trust and the clients or peers are configured to use one of them. Also, ''freg_f.stdtime.gov.tw'' is reproduced as written on the page; check that the name resolves before relying on it.

======Notes on ntpd configuration parameters======
  * ''restrict'' controls what a matching source address is allowed to do<code>
restrict address [mask netmask] [flag ...]
</code>An entry with no flags is unrestricted, i.e. every ntpd function is allowed to that address. Only the flags of the most specific matching entry (longest mask) apply; if nothing else matches, the ''default'' entry does. The flags used on this page:
    - ''ignore'': deny packets of every kind, including ntpq/ntpdc queries (comparable to an iptables DROP).
    - ''kod'': when a packet is refused, send a Kiss-o'-Death packet so that a well-behaved client backs off instead of retrying.
    - ''nomodify'': deny ntpq/ntpdc requests that would change the running configuration; status queries and time service are still allowed. It has nothing to do with setting the server's clock: clients never set a server's time through ordinary NTP packets.
    - ''noquery'': deny all ntpq/ntpdc queries, status and modification alike; time service is unaffected.
    - ''nopeer'': do not let an unconfigured host set up a symmetric peer association with this server.
    - ''notrap'': do not provide the mode 6 control-message trap service (remote event logging) to matching hosts.
  * ''server'' names an upstream server<code>
server <upstream ntpd server address>
</code>
  * ''peer'' names a server that this host exchanges time with on equal terms<code>
peer <peer ntp server address>
</code>

======NTP client update methods======
=====Updating via the ntpd service=====
This works exactly like the server setup in the previous section and for the same reasons; only the configuration file changes slightly.<code>
# vim /etc/ntp.conf
</code>Contents:<code>
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap noquery
restrict default ignore

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would affect some of
# the administrative functions.
restrict 127.0.0.1

# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service.  Do not permit those systems to modify the
# configuration of this service.  Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# --- OUR TIMESERVERS -----
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
# The two lines that matter: 192.168.0.62 is the upstream server, and the
# matching restrict entry (no flags) exempts it from "restrict default ignore"
# above; without it the server's replies would be dropped as well.
server 192.168.0.62 prefer
restrict 192.168.0.62

# --- NTP MULTICASTCLIENT ---
#multicastclient                 # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
#server 127.127.1.0     # local clock
#fudge  127.127.1.0 stratum 10

#
# Drift file.  Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay  0.008

#
# Keys file.  If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
# keys /etc/ntp/keys
</code>
After editing, start ntpd and adjust iptables exactly as for the server.

=====Direct manual update=====
  - Install ntpdate<code>
# yum install ntpdate
</code>
  - Set the clock from the network<code>
# ntpdate 192.168.0.62
</code>
Note that ntpdate and ntpd cannot run at the same time: ntpdate needs UDP port 123, which a running ntpd already holds. So do not run this command on the NTP server itself, or on any host where ntpd is already running.

======References======
  - [[http://linux.vbird.org/linux_server/0440ntp.php|鳥哥 (VBird), Linux server guide, NTP chapter]]
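======Added example: evaluating restrict lines offline======
The following Python script is an added example; it is not code from the original page or from the ntp project. It parses the active ''restrict'' lines of an ntp.conf and reports what ntpd would let a given source address do, using ntpd's matching rule from the parameter notes above (the matching entry with the longest mask wins, only that entry's flags apply, and an implicit flag-less ''default'' entry is in force when the ''restrict default'' line is commented out). The two configurations fed to it are constructed to mirror the server and client configurations on this page, with the hardened default line prepended as a third variant. Assumptions: IPv4 only, and hostname entries such as ''restrict tock.stdtime.gov.tw'' (resolved by ntpd at startup) are skipped; the flag semantics follow ntpd's access-control documentation.

```python
"""Offline evaluation of ntpd `restrict` access control (added example).

Rule implemented: the matching restrict entry with the longest mask wins and
only that entry's flags apply; ntpd always has an implicit `default` entry with
no flags, so a commented-out `restrict default` leaves the world unrestricted.
Assumptions: IPv4 only; hostname entries are skipped (ntpd resolves them at
startup, this offline parser cannot).
"""
import ipaddress

# Constructed samples modelled on the configurations on this page; not captured from a host.
SERVER_CONF = """\
driftfile /var/lib/ntp/drift
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict tock.stdtime.gov.tw
server tock.stdtime.gov.tw prefer
keys /etc/ntp/keys
"""

CLIENT_CONF = """\
restrict default ignore
restrict 127.0.0.1
server 192.168.0.62 prefer
restrict 192.168.0.62
"""

# The hardened default that the page's template leaves commented out.
HARDENED_DEFAULT = "restrict default kod nomodify notrap nopeer noquery\n"

DEFAULT_NET = ipaddress.ip_network("0.0.0.0/0")   # ntpd's implicit default entry


def parse_restrict(conf):
    """Return [(network, flags)] for the active IPv4 restrict lines in conf."""
    entries = []
    for raw in conf.splitlines():
        # Strip comments first so a commented-out directive is never treated as active.
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        if parts[1] == "-6":
            continue                                  # IPv6 entries are not modelled here
        if parts[1] == "-4":
            parts = parts[:1] + parts[2:]             # drop the address-family switch
            if len(parts) < 2:
                continue
        target, rest = parts[1], parts[2:]
        mask = "32"                                   # a bare address is a single host
        if rest[:1] == ["mask"] and len(rest) >= 2:
            mask, rest = rest[1], rest[2:]
        if target == "default":
            net = DEFAULT_NET
        else:
            try:
                addr = ipaddress.IPv4Address(target)
            except ipaddress.AddressValueError:
                continue                              # hostname: resolved by ntpd at startup, skipped offline
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, frozenset(rest)))
    return entries


def effective_flags(conf, source_ip):
    """Flags ntpd applies to packets from source_ip: longest-mask match, default otherwise."""
    addr = ipaddress.IPv4Address(source_ip)
    best_net, best_flags = DEFAULT_NET, frozenset()
    for net, flags in parse_restrict(conf):
        if addr in net and net.prefixlen >= best_net.prefixlen:
            best_net, best_flags = net, flags
    return best_flags


def access(conf, source_ip):
    """What source_ip may do, derived from the effective flags.

    sync   - be served time (ordinary client/server packets)
    query  - read status with ntpq/ntpdc (mode 6/7 queries)
    modify - push runtime configuration changes with ntpq/ntpdc; access control
             permits it, the control/request key is still required
    """
    f = effective_flags(conf, source_ip)
    ignored = "ignore" in f
    return {
        "sync": not ignored and "noserve" not in f,
        "query": not ignored and "noquery" not in f,
        "modify": not ignored and "noquery" not in f and "nomodify" not in f,
        "flags": sorted(f),
    }


if __name__ == "__main__":
    for name, conf in (("server", SERVER_CONF),
                       ("server+default", HARDENED_DEFAULT + SERVER_CONF),
                       ("client", CLIENT_CONF)):
        for ip in ("203.0.113.10", "192.168.0.5", "192.168.0.62", "127.0.0.1"):
            print(f"{name:15} {ip:15} {access(conf, ip)}")
```

Run it and compare the ''server'' and ''server+default'' rows for 203.0.113.10: with the page's configuration an arbitrary internet host gets ''query'' and ''modify'' (no flags at all), while the LAN entry only removes ''modify''. Prepending the ''restrict default'' line removes queries from the internet without touching the LAN rows, which is the longest-mask rule at work. The client rows show why ''restrict 192.168.0.62'' must accompany ''restrict default ignore'': without its own entry the upstream server would be ignored like everyone else.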
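======Added example: reading the output of ntpq -p======
The last server step runs ''ntpq -p'' but the page does not say what to look for. The Python script below is an added example, not code from the original page or from the ntp project: it parses the peer table that ''ntpq -p'' prints and answers the questions an operator asks after starting ntpd. Is there a selected system peer (tally character ''*'')? Has each peer answered all of the last eight polls (''reach'' 377, an octal bitmask)? Is any source unreachable (stratum 16 with refid ''.INIT.'')? Is the offset within a tolerance? The sample table is constructed to resemble ntpq output (203.0.113.1 is a documentation address, not a real refid). The 128 ms default tolerance is an assumption taken from ntpd's step threshold: offsets above it make ntpd step the clock instead of slewing it.

```python
"""Parse `ntpq -p` output and judge whether ntpd is synchronised (added example)."""

# Constructed sample in the layout printed by `ntpq -p`; not captured from a real host.
SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*tock.stdtime.go 203.0.113.1      2 u   35   64  377    8.123   -0.542   1.210
+time.stdtime.go 203.0.113.1      2 u   40   64  377    9.004    0.311   0.987
-clock.stdtime.g 203.0.113.1      2 u   20   64  177   11.570    2.880   1.530
 192.168.0.62    .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

# Meaning of the first column (the "tally code") in ntpq's peer table.
TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "#": "excess",
         "x": "falseticker", ".": "excess", " ": "rejected"}


def parse_peers(text):
    """Return one dict per peer line; the first two lines are the header and separator."""
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            raise ValueError(f"unexpected ntpq line: {line!r}")
        remote, refid, st, _t, _when, _poll, reach, delay, offset, jitter = fields
        reach_bits = int(reach, 8)                    # reach is printed in octal
        peers.append({
            "tally": tally,
            "status": TALLY.get(tally, "unknown"),
            "remote": remote,
            "refid": refid,
            "stratum": int(st),
            "reach": reach_bits,
            "reach_count": bin(reach_bits).count("1"),   # polls answered out of the last 8
            "delay_ms": float(delay),
            "offset_ms": float(offset),
            "jitter_ms": float(jitter),
        })
    return peers


def check_sync(text, max_offset_ms=128.0):
    """Return (ok, problems).

    ok is True only when a system peer ('*') exists, it has answered all of the
    last eight polls, and its offset is within max_offset_ms. problems lists
    every per-peer issue found, including ones on peers that were not selected,
    so a healthy host can still have a non-empty list worth looking at.
    """
    peers = parse_peers(text)
    problems = []
    selected = [p for p in peers if p["tally"] == "*"]
    if not selected:
        problems.append("no system peer selected (no '*' entry): still converging or no usable source")
    for p in peers:
        if p["stratum"] == 16 or p["refid"] == ".INIT.":
            problems.append(f"{p['remote']}: unreachable (stratum 16 / .INIT.)")
        elif p["reach"] != 0o377:
            problems.append(f"{p['remote']}: reach {p['reach']:o}, only "
                            f"{p['reach_count']}/8 recent polls answered")
        if abs(p["offset_ms"]) > max_offset_ms:
            problems.append(f"{p['remote']}: offset {p['offset_ms']} ms exceeds {max_offset_ms} ms")
    ok = (bool(selected)
          and selected[0]["reach"] == 0o377
          and abs(selected[0]["offset_ms"]) <= max_offset_ms)
    return ok, problems


if __name__ == "__main__":
    ok, problems = check_sync(SAMPLE)
    print("synchronised:", ok)
    for problem in problems:
        print(" -", problem)
```

On a freshly started ntpd expect ''ok'' to be False for the first few minutes: the reach column fills one bit per poll interval and a system peer is only selected once enough samples are in. On the sample, the host is synchronised to tock, but the script still flags clock (one missed poll) and 192.168.0.62 (never answered, which on this page would mean the client cannot reach the LAN server on UDP/123 or the server's restrict lines are dropping it).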
Last modified: 2013/07/06 01:28 (external edit)