第1章 内网NTP服务搭建

1.1 NTP简介

NTP(网络时间协议)是用来使网络中的各个计算机时间同步的一种协议。它的用途是把计算机的时钟同步到世界协调时UTC,其精度在局域网内可达0.1ms,在互联网上绝大多数的地方其精度可以达到1-50ms
NTP服务器就是利用NTP协议提供时间同步服务的
NTP服务器通信采用UDP协议,端口是123

1.2 NTP服务安装

  1. #系统自带ntp
  2. [root@oldboyedu ~]# rpm -qa ntp
  3. ntp-4.2.6p5-5.el6.centos.x86_64
  5. #如果没有就安装
  6. yum -y install ntp
  8. #启动ntp,并设置开机自启动
  9. /etc/init.d/ntpd start
  10. chkconfig ntpd on
  12. 192.168.89.11是服务端
  13. 192.168.89.10是客户端

1.3 NTP服务端主配置

  1. [root@mysql ~]# cat /etc/ntp.conf
  2. # For more information about this file, see the man pages
  3. # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
  5. driftfile /var/lib/ntp/drift
  7. # Permit time synchronization with our time source, but do not
  8. # permit the source to query or modify the service on this system.
  9. #restrict default nomodify notrap nopeer noquery
  10. restrict default nomodify
  12. # Permit all access over the loopback interface.  This could
  13. # be tightened as well, but to do so would effect some of
  14. # the administrative functions.
  15. restrict 127.0.0.1
  16. restrict ::1
  18. # Hosts on local network are less restricted.
  19. #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
  21. # Use public servers from the pool.ntp.org project.
  22. # Please consider joining the pool (http://www.pool.ntp.org/join.html).
  23. server 0.centos.pool.ntp.org iburst
  24. server 1.centos.pool.ntp.org iburst
  25. server 2.centos.pool.ntp.org iburst
  26. server 3.centos.pool.ntp.org iburst
  27. server 127.127.1.0
  28. fudge 127.127.1.0 stratum 10
  31. #broadcast 192.168.1.255 autokey # broadcast server
  32. #broadcastclient # broadcast client
  33. #broadcast 224.0.1.1 autokey # multicast server
  34. #multicastclient 224.0.1.1 # multicast client
  35. #manycastserver 239.255.254.254 # manycast server
  36. #manycastclient 239.255.254.254 autokey # manycast client
  38. # Enable public key cryptography.
  39. #crypto
  41. includefile /etc/ntp/crypto/pw
  43. # Key file containing the keys and key identifiers used when operating
  44. # with symmetric key cryptography.
  45. keys /etc/ntp/keys
  47. # Specify the key identifiers which are trusted.
  48. #trustedkey 4 8 42
  50. # Specify the key identifier to use with the ntpdc utility.
  51. #requestkey 8
  53. # Specify the key identifier to use with the ntpq utility.
  54. #controlkey 8
  56. # Enable writing of statistics records.
  57. #statistics clockstats cryptostats loopstats peerstats
  59. # Disable the monitoring facility to prevent amplification attacks using ntpdc
  60. # monlist command when default restrict does not include the noquery flag. See
  61. # CVE-2013-5211 for more details.
  62. # Note: Monitoring will not be disabled with the limited restriction flag.
  63. disable monitor
  66. ############################################################
  67. #配置文件详解
  68. [root@mysql ~]# cat /etc/ntp.conf
  69. # For more information about this file, see the man pages
  70. # ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
  72. driftfile /var/lib/ntp/drift
  74. # Permit time synchronization with our time source, but do not
  75. # permit the source to query or modify the service on this system.
  76. #restrict default nomodify notrap nopeer noquery
  77. #restrict 控制相关权限:
  78. #ignore:关闭所有的NTP联机服务
  79. #nomodify:客户端不能更改服务端的时间参数,但是客户端可以通过服务端进行网络校时
  80. #notrust:客户端除非通过认证,否则该客户端来源将被视为不信任子网
  81. #noquery :不提供客户端的时间查询:用户端不能使用ntpq,ntpc等命令来查询ntp服务器
  82. #notrap :不提供trap远端登陆:拒绝为匹配的主机提供模式 6 控制消息陷阱服务。陷阱服务是 ntpdq 控制消息协议的子系统,用于远程事件日志记录程序。
  83. #nopeer :用于阻止主机尝试与服务器对等,并允许欺诈性服务器控制时钟
  84. restrict default nomodify
  86. # Permit all access over the loopback interface.  This could
  87. # be tightened as well, but to do so would effect some of
  88. # the administrative functions.
  89. #确保localhost(这个常用的IP地址用来指linux服务器本身)有足够权限,使用没有任何限制关键词的语法
  90. restrict 127.0.0.1
  91. restrict ::1
  93. # Hosts on local network are less restricted.
  94. #限制你允许的这些服务器的访问类型,在这个列子中的服务器是不容许修改运行时配置或查询您的linux NTP服务器,但是可以时间同步,详情请查看前面的(restrict 控制相关权限)
  95. #restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
  97. # Use public servers from the pool.ntp.org project.
  98. # Please consider joining the pool (http://www.pool.ntp.org/join.html).
  99. #设定NTP主机来源,127.127.1.0 是指已本地的服务器为NTP服务器
  100. server 0.centos.pool.ntp.org iburst
  101. server 1.centos.pool.ntp.org iburst
  102. server 2.centos.pool.ntp.org iburst
  103. server 3.centos.pool.ntp.org iburst
  104. server 127.127.1.0          
  105. fudge 127.127.1.0 stratum 10
  108. #broadcast 192.168.1.255 autokey # broadcast server
  109. #broadcastclient # broadcast client
  110. #broadcast 224.0.1.1 autokey # multicast server
  111. #multicastclient 224.0.1.1 # multicast client
  112. #manycastserver 239.255.254.254 # manycast server
  113. #manycastclient 239.255.254.254 autokey # manycast client
  115. # Enable public key cryptography.
  116. #crypto
  118. includefile /etc/ntp/crypto/pw
  120. # Key file containing the keys and key identifiers used when operating
  121. # with symmetric key cryptography.
  122. keys /etc/ntp/keys
  124. # Specify the key identifiers which are trusted.
  125. #trustedkey 4 8 42
  127. # Specify the key identifier to use with the ntpdc utility.
  128. #requestkey 8
  130. # Specify the key identifier to use with the ntpq utility.
  131. #controlkey 8
  133. # Enable writing of statistics records.
  134. #statistics clockstats cryptostats loopstats peerstats
  136. # Disable the monitoring facility to prevent amplification attacks using ntpdc
  137. # monlist command when default restrict does not include the noquery flag. See
  138. # CVE-2013-5211 for more details.
  139. # Note: Monitoring will not be disabled with the limited restriction flag.
  140. disable monitor

1.4 重启NTP服务

  1. /etc/init.d/ntpd restart

1.5 检查时间服务器是否正确同步

  1. [root@mysql ~]# ntpq -p
  2.      remote           refid      st t when poll reach   delay   offset  jitter
  3. ==============================================================================
  4. +makaki.miuku.ne 218.186.3.36     2 u   47   64    1   79.040  4651437  18.347
  5. +ntp8.flashdance 192.36.143.151   2 u   46   64    1  321.483  4651438   1.101
  6. -119.79-161-57.c 129.242.4.241    2 u   44   64    1  342.352  4651439   1.897
  7. *static-5-103-13 .GPS.            1 u   44   64    1  280.109  4651438   1.134
  8.  LOCAL(0)        .LOCL.          10 l   53   64    1    0.000    0.000   0.000

1.6 客户端设置时间同步

  1. #安装ntp
  2. yum install ntp -y
  4. #定时任务,同步时间服务器
  5. crontab -l
  6. #ntpdate
  7. */5 * * * * /usr/sbin/ntpdate 192.168.89.11

第2章 公网搭建NTP服务器

2.1 NTP服务安装

  1. #系统自带ntp
  2. [root@oldboyedu ~]# rpm -qa ntp
  3. ntp-4.2.6p5-5.el6.centos.x86_64
  5. #如果没有就安装
  6. yum -y install ntp
  8. #启动ntp,并设置开机自启动
  9. /etc/init.d/ntpd start
  10. chkconfig ntpd on
  12. 192.168.89.11是服务端
  13. 192.168.89.10是客户端

2.2 配置NTP服务

  1. [root@oldboyedu ~]# vim /etc/ntp.conf
  2. # restrict default kod nomodify notrap nopeer noquery
  3. restrict default nomodify
  4. # nomodify客户端可以同步
  5. # 将默认时间同步源注释改用可用源
  6. # server 0.centos.pool.ntp.org iburst
  7. # server 1.centos.pool.ntp.org iburst
  8. # server 2.centos.pool.ntp.org iburst
  9. # server 3.centos.pool.ntp.org iburst
  10. server ntp1.aliyun.com
  11. server time.nist.gov

2.3 启动NTP服务器

  1. # 如果计划任务有时间同步,先注释,两种用法会冲突。
  2. [root@oldboyedu ~]# crontab -e
  3. # time sync by oldboy at 2010-2-1
  4. #*/5 * * * * /usr/sbin/ntpdate time.nist.gov >/dev/null 2>&1
  5. [root@oldboyedu ~]# /etc/init.d/ntpd start
  6. Starting ntpd: [ OK ]
  7. [root@oldboyedu ~]# ntpq -p
  8. remote refid st t when poll reach delay offset jitter
  9. ==============================================================================
  10. *ntp1.aliyun.com 10.137.38.86 2 u 22 64 1 525.885 -42.367 0.000
  11. [root@oldboyedu ~]# ntpstat
  12. synchronised to NTP server (110.75.186.247) at stratum 3
  13. time correct to within 4257 ms
  14. polling server every 64 s
  15. [root@oldboyedu ~]# ntpdate 10.0.0.9
  16. 7 Dec 18:43:07 ntpdate[26950]: the NTP socket is in use, exiting

2.4 客户端同步

  1. #安装ntp
  2. yum install ntp -y
  4. #定时任务,同步时间服务器
  5. [root@oldboyedu ~]# crontab -l
  6. #ntpdate
  7. * * * * * /usr/sbin/ntpdate 192.168.89.11