
Вопрос по ntp



Настраиваю сервер времени для своей локалки 192.168.4.0

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
#
# As posted: this host syncs from four Debian pool servers and is meant to
# serve time to the 192.168.4.0/24 LAN. Who may do what is decided by the
# "restrict" lines further down.

driftfile /var/lib/ntp/ntp.drift


# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
# iburst speeds up the initial sync by sending a short burst of packets while
# the server is still unreachable. None of these server lines names a key, so
# upstream time is accepted unauthenticated; using several sources is what
# lets ntpd discard a single source that disagrees with the rest.
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
# "default" is the fallback entry for every address that no more specific
# restrict line matches; -4 / -6 select the IPv4 and IPv6 fallback.
#   kod      - answer a refused client with a kiss-o'-death packet
#              (NOTE(review): this is normally paired with "limited", which is
#              not set here - confirm the effect on the installed ntpd version)
#   notrap   - refuse to set up mode 6 control-message traps
#   nomodify - refuse ntpq/ntpdc requests that would change server state
#   nopeer   - refuse packets that would create a new, unconfigured association
#   noquery  - refuse all ntpq/ntpdc (mode 6/7) queries; time service itself
#              is not affected
# Net effect: any host may ask this server for the time, but may not inspect
# or reconfigure it. Keeping noquery on the fallback entry also closes the
# status/monitoring queries to arbitrary remote hosts.
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.
# No flags on these entries: processes on this host may run the ntpq/ntpdc
# queries that the fallback entry refuses.
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
# notrust: packets from this subnet are refused unless they are
# cryptographically authenticated. No "keys" / "trustedkey" directives appear
# in this file, so as posted, LAN clients sending ordinary unauthenticated
# requests would presumably get no time from this server - either configure
# keys on both sides, or drop notrust and list explicit flags instead.
# NOTE(review): the meaning of notrust differs between ntpd releases; check
# the accopt page of the installed version.
restrict 192.168.4.0 mask 255.255.255.0 notrust


# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Возникла пара вопросов. 1) Не до конца понял этот блок, подскажите, как он отрабатывает?

# By default, exchange time with everybody, but don't allow configuration.
# "default" applies to any address not matched by a more specific restrict
# line; -4 / -6 pick the IPv4 and IPv6 variants. Time requests are answered,
# while the flags switch off everything else: kod (send kiss-o'-death to a
# refused client), notrap (no control-message traps), nomodify (no
# state-changing ntpq/ntpdc requests), nopeer (no new unconfigured
# associations), noquery (no ntpq/ntpdc queries at all).
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

2) Не нашёл, как работает notrust.

планировал сделать так 
restrict 192.168.4.0 mask 255.255.255.0 nomodify notrap nopeer
но в дефолтном конфиге вижу 
restrict 192.168.3.0 mask 255.255.255.0 notrust , как это отрабатывает ?


Гммм, notrust вроде бы работает так: «Deny service unless the packet is cryptographically authenticated»? А cryptographically authenticated — это что за зверь такой?

drac753 ★★
() автор топика
Ответ на: комментарий от kitar

ознакомился сделал следующее

# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
#
# Revised version from the thread: statistics files are switched off, a
# logfile is added, and the LAN entry uses explicit flags instead of notrust.

driftfile /var/lib/ntp/ntp.drift
# Write ntpd's log messages to this file.
# NOTE(review): which events end up here depends on "logconfig", which is not
# set in this file, and ntpd must be able to write to this path - confirm both
# if the log stays nearly empty.
logfile /var/log/ntpstats/ntp.log

# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/

#statistics loopstats peerstats clockstats
#filegen loopstats file loopstats type day enable
#filegen peerstats file peerstats type day enable
#filegen clockstats file clockstats type day enable


# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>

# iburst speeds up the initial sync. No key is named on these lines, so
# upstream time is accepted unauthenticated; several independent sources let
# ntpd discard one that disagrees with the rest.
server 0.debian.pool.ntp.org iburst
server 1.debian.pool.ntp.org iburst
server 2.debian.pool.ntp.org iburst
server 3.debian.pool.ntp.org iburst


# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details.  The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.

# Set the default permissions for IPv4 and IPv6: by default nothing may be changed.
# These are the fallback entries for addresses with no more specific restrict
# line: time requests are answered, but traps (notrap), state changes
# (nomodify), new unconfigured associations (nopeer) and all ntpq/ntpdc
# queries (noquery) are refused; kod asks ntpd to send a kiss-o'-death packet
# to a refused client.

restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery

# Local users may interrogate the ntp server more closely.

# Allow connections to the server from the host itself (no flags = no restrictions).
restrict 127.0.0.1
restrict ::1

# Clients on the 192.168.4.0/24 LAN get time service without authentication
# (the notrust flag of the stock example has been removed here).
# Allow hosts on the LAN to get time from the server, but forbid modifying the
# server and setting traps.
# NOTE(review): this entry replaces the fallback flags for LAN addresses and
# does not repeat noquery, so every LAN host may run ntpq/ntpdc status queries
# against this server (read-only, because nomodify is set). If clients only
# need the time, adding noquery here keeps the server's peer list and status
# private and removes the query interface from the LAN-facing surface.
restrict 192.168.4.0 mask 255.255.255.0  nomodify notrap nopeer

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines.  Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient

Вроде бы все работает

root@debtest:/var/log/ntpstats# ntpq -p  
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*tbgw.templebar. 62.117.76.141    2 u   77  256  377  323.210  -133.11 212.077
-218-32-169-193. 129.70.132.32    3 u  166  256  377  752.360   66.080 164.893
+cello.corbina.n 193.79.237.14    2 u   20  256  377  387.100  -116.84 223.047
+dl120g7.naviteh 194.149.67.32    2 u   35  256  357  359.297  -143.12 236.954


root@debtest:/var/log/ntpstats# ntpdate -q localhost
server 127.0.0.1, stratum 3, offset -0.000062, delay 0.02614
26 Feb 15:21:19 ntpdate[2851]: adjust time server 127.0.0.1 offset -0.000062 sec



Собственно, вопрос в следующем: в logfile /var/log/ntpstats/ntp.log нет ничего, кроме

root@debtest:/var/log/ntpstats# cat ntp.log 
26 Feb 13:46:43 ntpd[2607]: ntpd exiting on signal 15
26 Feb 13:48:35 ntpd[2658]: ntpd exiting on signal 15

Где же логи ?

drac753 ★★
() автор топика
Ответ на: комментарий от kitar

Периодически наблюдаю за своим сервером времени

root@debtest:/var/log/ntpstats# ntpq -p  
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+tbgw.templebar. 194.190.168.1    2 u   83  512  377  722.827   29.613  73.090
+218-32-169-193. 194.149.67.129   3 u    -  512  377  727.095   40.561 186.356
*cello.corbina.n 193.79.237.14    2 u  156  512  377  231.188  -13.644 128.933
+dl120g7.naviteh 194.190.168.1    2 u 1001  512  322  315.182  -38.691  99.780
root@debtest:/var/log/ntpstats# date
Срд Фев 27 09:08:48 MSK 2013
root@debtest:/var/log/ntpstats# date
Срд Фев 27 09:36:11 MSK 2013
root@debtest:/var/log/ntpstats# ntpq -p  
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+tbgw.templebar. 62.117.76.142    2 u  194  512  377  703.175  -109.83 130.751
+218-32-169-193. 194.149.67.129   3 u  121  512  377  703.213  -66.811 164.680
-cello.corbina.n 192.36.144.22    2 u  810  512  376  775.236  -428.91 452.337
*dl120g7.naviteh 194.190.168.1    2 u   59  512   53  335.362  -40.171 102.496
root@debtest:/var/log/ntpstats# ntpq -p  

Интервал между запусками ntpq -p — где-то в районе часа. Нормально ли такое изменение параметра offset? По идее, насколько я понял, его значение должно приближаться к 0?

drac753 ★★
() автор топика
Последнее исправление: drac753 (всего исправлений: 1)