
Configuration mode of NTP protocol under Linux system

2025-04-05 Update From: SLTechnology News&Howtos > Servers

Shulou(Shulou.com)06/01 Report--

This article explains how to configure the NTP protocol on a Linux system. The method is simple and practical, and the following sections walk through it step by step.

A host's clock drifts the longer it runs, so time synchronization is necessary on any Linux system. The ntp service is the usual way to keep the clocks of different machines in step. NTP stands for Network Time Protocol; it synchronizes time between computers over the network.

Install the NTP package

Check whether the ntp packages are installed. If they are not, install them with rpm or yum (yum install ntp ntpdate); it is quick and simple. In the listing below, fontpackages-filesystem shows up only because its name happens to contain the letters "ntp".

The code is as follows:

[root@localhost ~]# rpm -qa | grep ntp
ntpdate-4.2.6p5-1.el6.x86_64
fontpackages-filesystem-1.41-1.1.el6.noarch
ntp-4.2.6p5-1.el6.x86_64

Configuration of NTP

A: configure /etc/ntp.conf

The main configuration file of the NTP server is /etc/ntp.conf. The unmodified file as shipped is shown below; each option is explained by the comments next to it (the Linux version is Red Hat Enterprise Linux Server release 6.6).

The code is as follows:

[root@localhost ~]# more /etc/ntp.conf
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).

driftfile /var/lib/ntp/drift

# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Permit all access over the loopback interface.  This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1

# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

#broadcast 192.168.1.255 autokey        # broadcast server
#broadcastclient                        # broadcast client
#broadcast 224.0.1.1 autokey            # multicast server
#multicastclient 224.0.1.1              # multicast client
#manycastserver 239.255.254.254         # manycast server
#manycastclient 239.255.254.254 autokey # manycast client

# Enable public key cryptography.
#crypto

includefile /etc/ntp/crypto/pw

# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys

# Specify the key identifiers which are trusted.
#trustedkey 4 8 42

# Specify the key identifier to use with the ntpdc utility.
#requestkey 8

# Specify the key identifier to use with the ntpq utility.
#controlkey 8

# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats


Individual option information:

driftfile: records the frequency error of the local clock (in parts per million) as ntpd measures it, so that after a restart the daemon can start correcting immediately instead of re-learning it. It has nothing to do with the BIOS clock. The stock file uses /var/lib/ntp/drift:

driftfile /var/lib/ntp/drift

restrict controls who may do what with this ntpd.

Syntax: restrict <IP address> mask <subnet mask> <flags>

The address may also be default, which matches every address not covered by a more specific restrict line.

The flags are:

ignore: drop all packets from the matching hosts, including time requests and ntpq/ntpdc queries.

nomodify: the matching hosts cannot change the server's runtime configuration (through ntpq or ntpdc), but they can still synchronize their own clocks from it.

notrust: deny service unless the packet is cryptographically authenticated. In ntp 4.x this is a strict authentication requirement, not merely "treat the source as untrusted": a client in a notrust range that is not using autokey or a symmetric key gets no time service at all.

noquery: the matching hosts cannot query the server with ntpq or ntpdc (mode 6/7 status and control messages are ignored); ordinary time requests are still answered.

notrap: refuse to provide mode 6 control message trap service to matching hosts. The trap service is a subsystem of the ntpdc control message protocol and is used by remote event loggers.

nopeer: deny packets that would mobilize a new association, such as symmetric-active or broadcast packets from hosts that are not configured as servers. Without it a rogue host could set itself up as a peer and influence the clock.

kod: send a kiss-o'-death packet when a request is refused for rate-limiting reasons; it only takes effect together with the limited flag, which the stock file does not set.

restrict -6 applies the same permission line to IPv6 addresses.

1: set the NTP sources. prefer marks the preferred source: when several sources survive the selection algorithm, the preferred one is the one the clock is steered by. 192.168.7.49 is the local NTP server, so it is preferred over the public pool servers.

The code is as follows:

server 192.168.7.49 prefer
server 0.rhel.pool.ntp.org iburst
server 1.rhel.pool.ntp.org iburst
server 2.rhel.pool.ntp.org iburst
server 3.rhel.pool.ntp.org iburst

2: limit what these networks may do with your server. In the example below, hosts on the network may synchronize from this Linux NTP server but may not modify its runtime configuration or receive traps.

The code is as follows:

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap

In the above example the mask 255.255.255.0 covers the whole /24, so hosts 192.168.0.1 through 192.168.0.254 can use our NTP server to synchronize time. The original text also put notrust on this line; on ntp 4.x that means every client in the subnet must authenticate (see the flag description above), so leave it out unless autokey or symmetric keys are actually deployed.

The code is as follows:

# provide NTP service only to hosts 192.168.0.1 to 192.168.0.254, and only time service (no ntpq/ntpdc queries)
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap noquery

# default policy: drop everything from hosts not matched by a more specific restrict line
restrict default ignore

Be aware that restrict default ignore also discards the replies of your own upstream servers, because the restriction is applied to every incoming packet by source address. With this policy each server named in a server line needs its own restrict line (the same flags as the stock default line, applied to that server's address). For upstreams given as pool DNS names, whose addresses change between resolutions, that is impractical; keep the shipped default line (kod nomodify notrap nopeer noquery) instead, which already permits time exchange while refusing control traffic.

3: make sure that localhost (the Linux server itself) keeps full access. Write these restrict lines without any flags:

The code is as follows:

restrict 127.0.0.1
restrict -6 ::1
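Putting the restrict rules together, here is an added example written for this page (it is not code from the original article): one shell function renders an ntp.conf for a LAN time server from an upstream list and a served subnet, and a second audits any ntp.conf fed on stdin for the mistakes discussed above: a default line that leaves ntpq/ntpdc queries or runtime modification open, no default line at all, or restrict default ignore with no restrict line for an upstream server (which silently drops that server's replies). The addresses and pool names are the article's; the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: render and audit the restrict
# policy of an ntp.conf for ntpd 4.2.x (RHEL 6). Sample configs are constructed.

# render_ntp_conf "UPSTREAM ..." SUBNET MASK
# Prints an ntp.conf that serves time to SUBNET read-only, keeps loopback open
# for local ntpq/ntpdc use, and gives the first upstream 'prefer' (the
# article's local server 192.168.7.49 comes first).
render_ntp_conf() {
    upstreams=$1; subnet=$2; mask=$3
    printf '%s\n' \
        'driftfile /var/lib/ntp/drift' \
        '# Default: answer time requests only. noquery/nomodify refuse ntpq/ntpdc' \
        '# control traffic, nopeer refuses unsolicited associations.' \
        'restrict default kod nomodify notrap nopeer noquery' \
        'restrict -6 default kod nomodify notrap nopeer noquery' \
        '# Loopback unrestricted so local administration keeps working.' \
        'restrict 127.0.0.1' \
        'restrict -6 ::1' \
        '# LAN clients may synchronize but not query or reconfigure.' \
        "restrict $subnet mask $mask nomodify notrap noquery nopeer"
    first=1
    for s in $upstreams; do
        if [ "$first" = 1 ]; then
            printf 'server %s prefer iburst\n' "$s"; first=0
        else
            printf 'server %s iburst\n' "$s"
        fi
    done
}

# audit_ntp_conf < ntp.conf
# Prints one "finding: ..." line per weakness in the restrict policy.
audit_ntp_conf() {
    awk '
    { sub(/#.*/, "") }                       # drop comments
    $1 == "restrict" && ($2 == "default" || ($2 == "-4" && $3 == "default")) {
        have_default = 1
        if ($0 ~ /ignore/) { ignore_default = 1 }
        else {
            if ($0 !~ /noquery/)  print "finding: default restrict answers ntpq/ntpdc queries from any host"
            if ($0 !~ /nomodify/) print "finding: default restrict allows runtime reconfiguration from any host"
            if ($0 !~ /nopeer/)   print "finding: default restrict lets unknown hosts mobilize peer associations"
        }
        next
    }
    $1 == "restrict" && $2 == "-6" && $3 == "default" { next }
    $1 == "restrict" && ($2 == "-6" || $2 == "-4") { restricted[$3] = 1; next }
    $1 == "restrict" { restricted[$2] = 1; next }
    $1 == "server" || $1 == "peer" { upstream[$2] = 1 }
    END {
        if (!have_default)
            print "finding: no restrict default line, so every host gets full access"
        if (ignore_default)
            for (u in upstream) if (!(u in restricted))
                print "finding: restrict default ignore but no restrict line for upstream " u " (its replies are dropped)"
    }'
}

# finding_count < ntp.conf  -> number of findings (0 for a clean file)
finding_count() { audit_ntp_conf | grep -c '^finding' || true; }

# Constructed sample 1: the shipped default line with noquery/nomodify removed.
weak_conf_example() {
    printf '%s\n' \
        'driftfile /var/lib/ntp/drift' \
        'restrict default kod notrap nopeer' \
        'restrict 127.0.0.1' \
        'server 0.rhel.pool.ntp.org iburst'
}

# Constructed sample 2: the article's "default ignore" variant, which forgets
# that the upstream server itself must then be let through.
ignore_conf_example() {
    printf '%s\n' \
        'restrict default ignore' \
        'restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap noquery' \
        'restrict 127.0.0.1' \
        'server 192.168.7.49 prefer'
}

# Demonstration: audit the two weak samples and a rendered configuration.
for sample in weak_conf_example ignore_conf_example; do
    printf '== %s ==\n' "$sample"; "$sample" | audit_ntp_conf
done
printf '== rendered ==\n'
render_ntp_conf "192.168.7.49 0.rhel.pool.ntp.org 1.rhel.pool.ntp.org" \
    192.168.0.0 255.255.255.0 | audit_ntp_conf
```

Run it against the live file with `audit_ntp_conf < /etc/ntp.conf`; the rendered configuration produces no findings, the first sample two, the second one. The audit deliberately does not report a missing noquery on LAN lines, since answering ntpq from a monitoring subnet is a legitimate choice; what it insists on is that the default line refuses control traffic.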

B: configure the /etc/ntp/step-tickers file

Edit /etc/ntp/step-tickers as follows. It lists the servers used for a one-shot step of the clock at boot, before ntpd takes over. The file holds server addresses or hostnames only, one per line, not ntp.conf server directives: on RHEL 6 it is read by the separate ntpdate init script (service ntpdate; enable it with chkconfig ntpdate on), which strips comments and passes the words straight to ntpdate, so "server" and "prefer" would be looked up as hostnames. Once ntpd is running, the sources in ntp.conf are what it synchronizes to.

The code is as follows:

[root@localhost ntp]# more /etc/ntp/step-tickers
# List of servers used for initial synchronization.
[root@localhost ntp]# vi /etc/ntp/step-tickers
# List of servers used for initial synchronization.
192.168.7.49
0.rhel.pool.ntp.org
1.rhel.pool.ntp.org
2.rhel.pool.ntp.org
3.rhel.pool.ntp.org

C: configure /etc/sysconfig/ntpd

ntpd itself only disciplines the system clock. To have the hardware (BIOS/RTC) clock written as well after the boot-time ntpdate step, set SYNC_HWCLOCK=yes. The original text places this in /etc/sysconfig/ntpd, which is where RHEL 5 read it; on RHEL 6 the setting is honored by the ntpdate init script and lives in /etc/sysconfig/ntpdate, so put it there. While ntpd is synchronized, the kernel also writes the RTC on its own about every eleven minutes, and hwclock -w writes it by hand.

The code is as follows:

# write the system time to the hardware clock after ntpdate runs (what hwclock -w does by hand)
SYNC_HWCLOCK=yes

iptables configuration

ntpd listens on UDP port 123, so if the host firewall (iptables) is active, UDP port 123 must be opened for the server to answer clients. A machine that is only an NTP client needs no inbound rule: its own queries create conntrack entries, and the replies are admitted by the RELATED,ESTABLISHED rule at the top of the INPUT chain.

The code is as follows:

[root@localhost ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

[root@localhost ~]# /sbin/iptables -I INPUT -p udp --dport 123 -j ACCEPT

[root@localhost ~]# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:123
2    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
3    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination
1    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
[root@localhost ~]#

Two caveats about that rule. As written it accepts UDP 123 from any source; on a server that only serves the LAN, add -s 192.168.0.0/24 (or whatever the served subnet is) so the firewall matches the restrict policy in ntp.conf rather than relying on ntpd alone. And a rule inserted with iptables -I lives only in the running kernel; run service iptables save so it survives the next restart of the firewall.

If UDP port 123 is blocked, you will typically see the following.

The code is as follows:

[root@localhost ~]# /usr/sbin/ntpq -c rv | grep stratum
stratum=16, precision=-24, rootdelay=0.000, rootdisp=3.525, refid=INIT
[root@localhost ~]#

A stratum of 16 means ntpd has no synchronized source yet. Right after start-up that is normal: with iburst it takes a few exchanges, without it several polling intervals, so wait (the original advises up to 15 minutes) and run the command again. If the stratum stays at 16, verify that UDP port 123 is open on every firewall between this host and the servers it is trying to reach; ntpq -p showing a reach value of 0 on every source confirms that nothing is getting through.

Start the NTP service

The code is as follows:

[root@localhost ~]# service ntpd status
ntpd is stopped
[root@localhost ~]# service ntpd start
Starting ntpd:                                             [  OK  ]
[root@localhost ~]#

service ntpd status     # view ntpd service status
service ntpd start      # start the ntpd service
service ntpd stop       # stop the ntpd service
service ntpd restart    # restart the ntpd service

Check whether the ntpd service is enabled at boot, and enable it:

[root@localhost ~]# chkconfig --list ntpd
ntpd            0:off   1:off   2:off   3:off   4:off   5:off   6:off
[root@localhost ~]# runlevel
N 3
[root@localhost ~]# chkconfig ntpd on      # enable at runlevels 2, 3, 4 and 5
[root@localhost ~]# chkconfig --list ntpd
ntpd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@localhost ~]#

To enable it only at specific runlevels, use the following command:

The code is as follows:

chkconfig --level 345 ntpd on

You can check whether the NTP service is running with the following commands:

The code is as follows:

[root@localhost ~]# pgrep ntpd
2639
2641
[root@localhost ~]# netstat -tlunp | grep ntp     # if port 123 is listed, ntpd started successfully
udp        0      0 192.168.7.224:123           0.0.0.0:*                   2639/ntpd
udp        0      0 127.0.0.1:123               0.0.0.0:*                   2639/ntpd
udp        0      0 0.0.0.0:123                 0.0.0.0:*                   2639/ntpd
udp        0      0 fe80::250:56ff:feb3:b5:123  :::*                        2639/ntpd
udp        0      0 ::1:123                     :::*                        2639/ntpd
udp        0      0 :::123                      :::*                        2639/ntpd
[root@localhost ~]#

Check whether the ntp server has synchronized to its upstream source:

The code is as follows:

[root@localhost ~]# ntpstat
synchronised to NTP server (192.168.7.49) at stratum 6
   time correct to within 440 ms
   polling server every 128 s
[root@localhost ~]#

Check the status of the ntp server and its upstream sources with ntpq -p (ntpq -pn to skip reverse DNS lookups). The columns are:

remote - the address or hostname of each configured source. The tally character in front of it matters: "*" marks the system peer, the source the clock is currently steered by; "+" marks a surviving candidate that is combined with it; "-" marks an outlier discarded by the clustering algorithm; "x" marks a falseticker; a blank means the source is rejected or has not been reached yet.

refid - the reference the source itself is synchronized to (an address, or a tag such as .GPS. or .INIT.)

st - stratum of the source (16 means it is unsynchronized)

when - seconds since the last packet was received from the source

poll - current polling interval, in seconds

reach - an 8-bit shift register, shown in octal, of the last eight polls; 377 means all eight were answered, 0 means nothing has been heard

delay - round-trip delay to the source, in milliseconds

offset - difference between the local clock and the source, in milliseconds

jitter - root-mean-square variation of the recent offsets from that source, in milliseconds (not the difference between the system and BIOS clocks)

To watch the peer table refresh continuously, run the command under watch (e.g. watch ntpq -p) and press Ctrl+C to stop.
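As an added example written for this page (it is not part of the original article), the following shell functions parse the output of ntpq -c rv and ntpq -pn the way a monitoring check would: extract the stratum and treat 16 as unsynchronized, pick the system peer from the tally column, count how many of the last eight polls an octal reach value represents, and flag sources whose offset exceeds a threshold. The two ntpq outputs embedded in the script are constructed samples (the stratum 16 line is the article's; the peer table uses the documentation addresses 203.0.113.x), so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article: parse ntpq output for
# monitoring. Sample outputs below are constructed (the stratum=16 line is
# the article's; peer addresses 203.0.113.x are documentation addresses).

# ntp_stratum < "ntpq -c rv" output  -> prints the stratum value
ntp_stratum() {
    awk 'match($0, /stratum=[0-9]+/) { print substr($0, RSTART + 8, RLENGTH - 8); exit }'
}

# ntp_synced < "ntpq -c rv" output  -> exit 0 if synchronized (stratum < 16)
ntp_synced() {
    s=$(ntp_stratum)
    [ -n "$s" ] && [ "$s" -lt 16 ]
}

# ntp_peer_table < "ntpq -pn" output
# Normalizes the table to: tally remote stratum reach offset
# The tally is the first character of each row ("_" when blank).
ntp_peer_table() {
    awk 'NR > 2 {
        t = substr($0, 1, 1)
        if (t == " ") { t = "_"; remote = $1 } else { remote = substr($1, 2) }
        print t, remote, $3, $7, $9
    }'
}

# ntp_system_peer -> the "*" source the clock is steered by (empty if none)
ntp_system_peer() { ntp_peer_table | awk '$1 == "*" { print $2 }'; }

# ntp_unreachable_peers -> sources with an all-zero reach register
ntp_unreachable_peers() { ntp_peer_table | awk '$4 == "0" { print $2 }'; }

# ntp_peers_over_offset MS -> sources whose |offset| exceeds MS milliseconds
ntp_peers_over_offset() {
    ntp_peer_table | awk -v lim="$1" '{ o = $5 + 0; if (o < 0) o = -o; if (o > lim + 0) print $2 }'
}

# ntp_reach_ones OCTAL -> how many of the last eight polls were answered
ntp_reach_ones() {
    echo "$1" | awk '{
        v = 0
        for (i = 1; i <= length($1); i++) v = v * 8 + substr($1, i, 1)
        n = 0
        while (v > 0) { n += v % 2; v = int(v / 2) }
        print n
    }'
}

# Constructed sample outputs.
sample_rv_unsynced() {
    printf '%s\n' \
        'associd=0 status=c011 leap_alarm, sync_unspec, 1 event, freq_not_set,' \
        'stratum=16, precision=-24, rootdelay=0.000, rootdisp=3.525, refid=INIT,'
}
sample_rv_synced() {
    printf '%s\n' \
        'associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,' \
        'stratum=6, precision=-24, rootdelay=0.410, rootdisp=25.312, refid=192.168.7.49,'
}
sample_peers() {
    printf '%s\n' \
        '     remote           refid      st t when poll reach   delay   offset  jitter' \
        '==============================================================================' \
        '*192.168.7.49    192.0.2.1        5 u   64  128  377    0.352    0.120   0.045' \
        '+203.0.113.10    192.0.2.1        2 u   70  128  377   20.114   -1.530   0.812' \
        '-203.0.113.11    192.0.2.2        2 u   12  128  377   25.889    8.210   1.301' \
        ' 203.0.113.12    .INIT.          16 u    -   64    0    0.000    0.000   0.000'
}

# Demonstration on the samples.
printf 'stratum (unsynced sample): %s\n' "$(sample_rv_unsynced | ntp_stratum)"
if sample_rv_synced | ntp_synced; then printf 'synced sample: synchronized\n'; fi
printf 'system peer: %s\n' "$(sample_peers | ntp_system_peer)"
printf 'reach 377 -> %s of 8 polls answered\n' "$(ntp_reach_ones 377)"
printf 'unreachable: %s\n' "$(sample_peers | ntp_unreachable_peers)"
printf 'offset over 5 ms: %s\n' "$(sample_peers | ntp_peers_over_offset 5)"
```

On a real host replace the sample functions with `ntpq -c rv | ntp_stratum` and `ntpq -pn | ntp_system_peer`; an empty system peer together with stratum 16 is the "firewall or unreachable upstream" condition described above, while a system peer whose reach is below 377 points at packet loss rather than a blocked port.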


At this point you should have a clearer understanding of configuring NTP on a Linux system; try it out on a test machine. More related content is available in the relevant channels of this site.


© 2024 shulou.com SLNews company. All rights reserved.
