======NTPD======
The job of a time server is simple: it corrects the computer's clock so that hosts stay synchronised with one another. For a detailed introduction see [[wp>NTP|NTP]].
======Building an NTP Server======
- Install NTP:
<code>
# yum install ntp
</code>
- Edit the main NTP configuration file:
<code>
# vim /etc/ntp.conf
</code>
Contents:
<code>
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift    # records the clock drift: the difference between the local BIOS oscillator frequency and the upstream time server
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default kod nomodify notrap nopeer noquery
#restrict -6 default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify    # 192.168.0.0/24 may not modify this host's time settings
restrict 192.168.1.0 mask 255.255.255.0 nomodify
restrict 192.168.53.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict tock.stdtime.gov.tw    # allow tock.stdtime.gov.tw to modify this host's time
restrict time.stdtime.gov.tw
restrict clock.stdtime.gov.tw
restrict freg_f.stdtime.gov.tw
restrict tick.stdtime.gov.tw
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
#restrict 127.0.0.1
#restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server tock.stdtime.gov.tw prefer    # prefer tock.stdtime.gov.tw as this host's upstream time server
server time.stdtime.gov.tw
server clock.stdtime.gov.tw
server freg_f.stdtime.gov.tw
server tick.stdtime.gov.tw
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys    # keys used to authenticate clients
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
</code>
- Start ntpd and adjust iptables:
<code>
# /etc/init.d/ntpd start
# vim /etc/sysconfig/iptables
</code>
<code>
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
~omitted~
# let UDP port 123 (NTP) through
-A INPUT -m state --state NEW -m udp -p udp --dport 123 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
</code>
If the /etc/sysconfig/iptables file mentioned above does not exist, the following command can be used instead:
<code>
# iptables -I INPUT -i eth0 -p udp --dport 123 -j ACCEPT
</code>
- Check that the daemon is listening and view the NTP status:
<code>
# netstat -tulnp | grep ':123'
# ntpq -p
</code>
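To read the ''ntpq -p'' billboard from the last step without eyeballing it, here is an added Python example (not from the original page) that parses the output and decides whether the host is actually synchronised. The sample output is constructed; the peer names follow the upstream servers configured above.

```python
# Constructed sample of 'ntpq -p' output for the server on this page; the
# tally code in column one shows how ntpd rates each peer ('*' marks the
# peer the clock is actually synchronised to).
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*tock.stdtime.gov 118.163.81.61    2 u   34   64  377    3.412    0.215   0.094
+time.stdtime.gov 118.163.81.62    2 u   40   64  377    3.601   -0.873   0.121
-clock.stdtime.go .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""

TALLY = {"*": "sys.peer", "o": "pps.peer", "+": "candidate", "#": "backup",
         "-": "outlier", ".": "excess", "x": "falseticker", " ": "rejected"}


def parse_ntpq(text):
    """Return one dict per peer line of an 'ntpq -p' billboard."""
    peers = []
    for line in text.splitlines()[2:]:          # skip the header and ruler lines
        fields = line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": TALLY.get(line[0], "unknown"),
            "remote": fields[0], "refid": fields[1], "stratum": int(fields[2]),
            "reach": int(fields[6], 8),           # reach is an octal shift register
            "offset_ms": float(fields[8]),
        })
    return peers


def check_sync(text, max_offset_ms=100.0):
    """Return (ok, reason): ok only if a sys.peer exists, answered all of the
    last eight polls (reach 377 octal) and its offset is within the bound."""
    selected = [p for p in parse_ntpq(text) if p["tally"] == "sys.peer"]
    if not selected:
        return False, "no peer selected (no '*' line): clock is not synchronised"
    p = selected[0]
    if p["reach"] != 0o377:
        return False, f"{p['remote']} reach is {p['reach']:o}: recent polls were missed"
    if abs(p["offset_ms"]) > max_offset_ms:
        return False, f"{p['remote']} offset {p['offset_ms']} ms exceeds {max_offset_ms} ms"
    return True, f"synchronised to {p['remote']} (stratum {p['stratum']})"
```

Feed it the real output with ''check_sync(subprocess.check_output(["ntpq", "-p"], text=True))'' from a cron job or monitoring agent.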
======Notes on ntpd configuration parameters======
* restrict: controls access rights. Syntax: restrict ip [mask netmask] [parameter]
If no parameter is given, every ntpd function is allowed for that address.
The parameters are as follows:
- ignore: rejects all NTP packets, similar to an iptables DROP
- kod
- nomodify: does not allow updating the NTP server's time
- noquery: does not allow ntpq and ntpdc commands to query the ntpd server
- nopeer: this ntpd server will not accept the host as a peer
- notrap: does not provide the trap remote event logging function
* server: specifies the upstream NTP server. Syntax: server <upstream ntpd server ip>
* peer: specifies a peer NTP server. Syntax: peer <peer ntp server ip>
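An added Python example (not from the original page) that applies the restrict rules just described: it parses the active restrict lines of an ntp.conf and reports where unlisted hosts or client subnets keep more access than they need. The sample config text is constructed from the server file on this page, in which the ''restrict default'' line is commented out.

```python
# Constructed sample mirroring the server ntp.conf on this page; note that
# the 'restrict default' line is commented out, as it is in the page's file.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
#restrict default kod nomodify notrap nopeer noquery
restrict 192.168.0.0 mask 255.255.255.0 nomodify
restrict 127.0.0.1
restrict tock.stdtime.gov.tw
server tock.stdtime.gov.tw prefer
"""
# The same file with the default rule enabled and noquery added for the subnet.
HARDENED_CONF = (SAMPLE_CONF.replace("#restrict default", "restrict default")
                 .replace("255.255.255.0 nomodify", "255.255.255.0 nomodify notrap noquery"))

# Flags a default rule should carry so that unknown hosts can only ask for time.
REQUIRED_DEFAULT_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}


def parse_restricts(conf):
    """Return (target, flags) for each active 'restrict' line; a
    'mask <netmask>' pair is folded into the target as 'addr/netmask'."""
    rules = []
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        target, flags = parts[1], parts[2:]
        if len(flags) >= 2 and flags[0] == "mask":
            target, flags = target + "/" + flags[1], flags[2:]
        rules.append((target, flags))
    return rules


def audit(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    rules = parse_restricts(conf)
    defaults = [flags for target, flags in rules if target == "default"]
    if not defaults:
        findings.append("no active 'restrict default': unlisted hosts get full access")
    for flags in defaults:
        missing = REQUIRED_DEFAULT_FLAGS - set(flags)
        if "ignore" not in flags and missing:
            findings.append("restrict default lacks " + " ".join(sorted(missing)))
    for target, flags in rules:
        # Client subnets should only sync, not query the daemon via ntpq/ntpdc.
        if "/" in target and not {"noquery", "ignore"} & set(flags):
            findings.append(target + " may query the daemon (add noquery)")
    return findings
```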
======NTP Client Update Methods======
=====Updating via the NTP service=====
This method works exactly like the NTP server setup in the previous section; only the configuration file changes slightly.
<code>
# vim /etc/ntp.conf
</code>
Contents:
<code>
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap noquery
restrict default ignore
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
# -- CLIENT NETWORK -------
# Permit systems on this network to synchronize with this
# time service. Do not permit those systems to modify the
# configuration of this service. Also, do not use those
# systems as peers for synchronization.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# --- OUR TIMESERVERS -----
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
#server 0.rhel.pool.ntp.org
#server 1.rhel.pool.ntp.org
#server 2.rhel.pool.ntp.org
server 192.168.0.62 prefer    # the important part is these two lines
restrict 192.168.0.62
# --- NTP MULTICASTCLIENT ---
#multicastclient # listen on default 224.0.1.1
# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# --- GENERAL CONFIGURATION ---
#
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available. The
# default stratum is usually 3, but in this case we elect to use stratum
# 0. Since the server line does not have the prefer keyword, this driver
# is never used for synchronization, unless no other other
# synchronization source is available. In case the local host is
# controlled by some external source, such as an external oscillator or
# another protocol, the prefer keyword would cause the local host to
# disregard all other synchronization sources, unless the kernel
# modifications are in use and declare an unsynchronized condition.
#
#server 127.127.1.0 # local clock
#fudge 127.127.1.0 stratum 10
server 192.168.0.62 prefer
restrict 192.168.0.62
#
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
#
driftfile /var/lib/ntp/drift
broadcastdelay 0.008
#
# Keys file. If you want to diddle your server at run time, make a
# keys file (mode 600 for sure) and define the key number to be
# used for making requests.
#
# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote
# systems might be able to reset your clock at will. Note also that
# ntpd is started with a -A flag, disabling authentication, that
# will have to be removed as well.
#
keys /etc/ntp/keys
</code>
After editing, start ntpd and adjust iptables in the same way as for the server.
=====Manual one-off update=====
- Install ntpdate:
<code>
# yum install ntpdate
</code>
- Run a network time sync:
<code>
# ntpdate 192.168.0.62
</code>
Note that ntpdate and ntpd cannot be enabled at the same time, so do not run this command on the NTP server.
======References======
- [[http://linux.vbird.org/linux_server/0440ntp.php|VBird: Linux server chapter]]