
ntp-server

Thursday, 24 Khordad 1397, 01:36 PM

sudo vim /etc/ntp.conf

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
##restrict -4 default kod notrap nomodify nopeer noquery
##restrict -6 default kod notrap nomodify nopeer noquery
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
#restrict 192.168.0.0 mask 255.255.252.0
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient


The available association commands, such as server, that are applied in the ntp.conf file:
server address [key key | autokey] [burst] [iburst] [version version] [prefer] [minpoll minpoll] [maxpoll maxpoll]
peer address [key key | autokey] [version version] [prefer] [minpoll minpoll] [maxpoll maxpoll]
broadcast address [key key | autokey] [version version] [minpoll minpoll] [ttl ttl]
manycastclient address [key key | autokey] [version version] [minpoll minpoll] [maxpoll maxpoll] [ttl ttl]

server:
For type s and r addresses, this command mobilizes a persistent client mode association with the specified remote server or local radio clock. In this mode the local clock can be synchronized to the remote server, but the remote server can never be synchronized to the local clock. This command should NOT be used for type b or m addresses.

peer:

For type s addresses (only), this command mobilizes a persistent symmetric-active mode association with the specified remote peer. In this mode the local clock can be synchronized to the remote peer or the remote peer can be synchronized to the local clock. This is useful in a network of servers where, depending on various failure scenarios, either the local or remote peer may be the better source of time. This command should NOT be used for type b, m or r addresses.

broadcast:
For type b and m addresses (only), this command mobilizes a persistent broadcast mode association. Multiple commands can be used to specify multiple local broadcast interfaces (subnets) and/or multiple multicast groups. Note that local broadcast messages go only to the interface associated with the subnet specified, but multicast messages go to all interfaces. In broadcast mode the local server sends periodic broadcast messages to a client population at the address specified, which is usually the broadcast address on (one of) the local network(s) or a multicast address assigned to NTP. The IANA has assigned the multicast group address 224.0.1.1 exclusively to NTP, but other nonconflicting addresses can be used to contain the messages within administrative boundaries. Ordinarily, this specification applies only to the local server operating as a sender; for operation as a broadcast client, see the broadcastclient or multicastclient commands below.
    
manycastclient:
For type m addresses (only), this command mobilizes a manycast client mode association for the multicast address specified. In this case a specific address must be supplied which matches the address used on the manycastserver command for the designated manycast servers. The NTP multicast address 224.0.1.1 assigned by the IANA should NOT be used, unless specific means are taken to avoid spraying large areas of the Internet with these messages and causing a possibly massive implosion of replies at the sender. The manycast command specifies that the local server is to operate in client mode with the remote servers that are discovered as the result of broadcast/multicast messages. The client broadcasts a request message to the group address associated with the specified address and specifically enabled servers respond to these messages. The client selects the servers providing the best time and continues as with the server command. The remaining servers are discarded as if never heard.

Options

autokey
All packets sent to and received from the server or peer are to include authentication fields encrypted using the autokey scheme described in the Authentication Options page.

burst
When the server is reachable and at each poll interval, send a burst of eight packets instead of the usual one packet. The spacing between the first and the second packets is about 16s to allow a modem call to complete, while the spacing between the remaining packets is about 2s. This is designed to improve timekeeping quality with the server command and s addresses.

iburst
When the server is unreachable and at each poll interval, send a burst of eight packets instead of the usual one. As long as the server is unreachable, the spacing between packets is about 16s to allow a modem call to complete. Once the server is reachable, the spacing between packets is about 2s. This is designed to speed the initial synchronization acquisition with the server command and s addresses and when ntpd is started with the -q option.

key key
All packets sent to and received from the server or peer are to include authentication fields encrypted using the specified key identifier with values from 1 to 65534, inclusive. The default is to include no encryption field.

minpoll minpoll
maxpoll maxpoll
These options specify the minimum and maximum poll intervals for NTP messages, in seconds to the power of two. The maximum poll interval defaults to 10 (1,024 s), but can be increased by the maxpoll option to an upper limit of 17 (36.4 h). The minimum poll interval defaults to 6 (64 s), but can be decreased by the minpoll option to a lower limit of 4 (16 s).

prefer
Marks the server as preferred. All other things being equal, this host will be chosen for synchronization among a set of correctly operating hosts. See the Mitigation Rules and the prefer Keyword page for further information.

ttl ttl
This option is used only with broadcast server and manycast client modes. It specifies the time-to-live ttl to use on broadcast server and multicast server and the maximum ttl for the expanding ring search with manycast client packets. Selection of the proper value, which defaults to 127, is something of a black art and should be coordinated with the network administrator.

version version
Specifies the version number to be used for outgoing NTP packets. Versions 1-4 are the choices, with version 4 the default.

 

Applying restrictions

Do not change the default settings of the NTP server, so that it can serve any host anywhere. But if at some point you do not want to serve a particular range, use the restrict statement to restrict that IP.

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

    ignore — All packets will be ignored, including ntpq and ntpdc queries.
    kod — a “Kiss-o'-death” packet is to be sent to reduce unwanted queries.
    limited — do not respond to time service requests if the packet violates the rate limit default values or those specified by the discard command. ntpq and ntpdc queries are not affected. For more information on the discard command and the default values, see Section 22.16.2, “Configure Rate Limiting Access to an NTP Service”.
    lowpriotrap — traps set by matching hosts to be low priority.
    nomodify — prevents any changes to the configuration.
    noquery — prevents ntpq and ntpdc queries, but not time queries, from being answered.
    nopeer — prevents a peer association being formed.
    noserve — deny all packets except ntpq and ntpdc queries.
    notrap — prevents ntpdc control message protocol traps.
    notrust — deny packets that are not cryptographically authenticated.
    ntpport — modify the match algorithm to only apply the restriction if the source port is the standard NTP UDP port 123.
    version — deny packets that do not match the current NTP version.
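The audit script below is an added example for this post; it is not part of ntpd or the original page. It parses the association lines (server, peer, broadcast, manycastclient) using the option syntax listed above, converts minpoll/maxpoll exponents to seconds, and checks the restrict flags against the points made in this section: the key id range 1 to 65534, the poll limits 4 to 17, the warning against 224.0.1.1 for manycastclient, the "disable auth" warning in the config comments, and whether a "restrict default" line with noquery and nomodify is in effect. The two sample configurations are constructed from the file shown above; the flags it treats as required on the default line are the author's choice for this example, not an ntpd rule.

```python
"""Audit an ntp.conf for association commands and restrict flags.
Added example; not from ntpd or the original post.  Limits come from
the option descriptions above (key 1..65534, minpoll >= 4, maxpoll <= 17,
224.0.1.1 not to be used with manycastclient)."""

ASSOC_COMMANDS = {"server", "peer", "broadcast", "manycastclient"}
VALUE_OPTIONS = {"key", "version", "minpoll", "maxpoll", "ttl"}
FLAG_OPTIONS = {"autokey", "burst", "iburst", "prefer"}


def parse_association(line):
    """Split 'server 0.debian.pool.ntp.org iburst minpoll 4' into parts."""
    tokens = line.split()
    cmd, address, rest = tokens[0], tokens[1], tokens[2:]
    opts, i = {}, 0
    while i < len(rest):
        tok = rest[i]
        if tok in VALUE_OPTIONS:          # option that takes a value
            opts[tok] = int(rest[i + 1])
            i += 2
        elif tok in FLAG_OPTIONS:         # bare flag
            opts[tok] = True
            i += 1
        else:
            raise ValueError(f"unknown option {tok!r} on {cmd} line")
    return {"command": cmd, "address": address, "options": opts}


def poll_seconds(assoc):
    """Effective (min, max) poll interval in seconds: 2**minpoll .. 2**maxpoll,
    defaulting to 6 (64 s) and 10 (1024 s)."""
    o = assoc["options"]
    return 2 ** o.get("minpoll", 6), 2 ** o.get("maxpoll", 10)


def parse_restrict(line):
    """'restrict -4 default kod notrap ...' -> (family, address, flags)."""
    tokens = line.split()[1:]
    family = "any"
    if tokens and tokens[0] in ("-4", "-6"):
        family = tokens.pop(0)
    address = tokens.pop(0)
    if tokens[:1] == ["mask"]:            # 'address mask netmask' form
        address += "/" + tokens[1]
        tokens = tokens[2:]
    return family, address, set(tokens)


def audit(conf_text):
    """Return a list of findings (strings) for the configuration text."""
    findings = []
    default_flags = {}                    # family -> flags on 'restrict default'
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        cmd = line.split()[0]
        if cmd in ASSOC_COMMANDS:
            a = parse_association(line)
            o = a["options"]
            if "key" in o and not 1 <= o["key"] <= 65534:
                findings.append(f"{cmd} {a['address']}: key id {o['key']} outside 1..65534")
            if o.get("minpoll", 6) < 4 or o.get("maxpoll", 10) > 17:
                findings.append(f"{cmd} {a['address']}: poll exponent outside 4..17")
            if cmd == "manycastclient" and a["address"] == "224.0.1.1":
                findings.append("manycastclient uses the IANA NTP group 224.0.1.1")
        elif cmd == "restrict":
            family, address, flags = parse_restrict(line)
            if address == "default":
                # a line without -4/-6 covers both address families
                for fam in (("-4", "-6") if family == "any" else (family,)):
                    default_flags[fam] = flags
        elif line == "disable auth":
            findings.append("'disable auth' is active: unauthenticated broadcasts accepted")
    for fam in ("-4", "-6"):
        flags = default_flags.get(fam)
        if flags is None:
            findings.append(f"no 'restrict {fam} default' line: all hosts get full access")
        elif not {"noquery", "nomodify"} <= flags:
            findings.append(f"'restrict {fam} default' lacks noquery/nomodify")
    return findings


# Constructed sample: the post's file with the Debian default restrict
# lines still double-commented, so only 127.0.0.1 and ::1 carry a restrict entry.
OPEN_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
##restrict -4 default kod notrap nomodify nopeer noquery
##restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Same file with the default restrict lines re-enabled (constructed).
HARDENED_CONF = OPEN_CONF.replace("##restrict", "restrict")

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

Run it against a real file with `audit(open("/etc/ntp.conf").read())`; the open sample reports two findings (no default restrict line for either address family), the hardened one reports none.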


  • 97/03/24
  • behrooz mohamadi nsasab
