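I am trying to configure ntp.conf with a stratum 1 server and a peer VM on the same network. The configuration file is attached below. The problem is that the server with IP address 10.6.11.171 does not seem to be able to reach 10.6.11.170. All firewall rules are in place. They can communicate with 10.250.156.254. Any ideas?
The configuration file is as follows: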
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
#restrict default nomodify notrap noquery
restrict 10.0.0.0 mask 255.0.0.0 nomodify notrap
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 10.250.156.254 iburst prefer
peer 10.6.11.170 iburst
#broadcast 192.168.1.255 autokey # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 autokey # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
#crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
# Enable writing of statistics records.
#statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor
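Answer 1
You have 3 time sources:
- 10.250.156.254 is a reachable stratum 1 source, but your system has a large offset from it (-7.5331 seconds)
- 10.7.11.170 and 10.6.11.170 are stratum 2 sources synchronized from 10.250.156.254, and neither is reachable.
Check your firewall and the access restrictions on 10.250.156.25. If ntpdate -d 10.250.156.25 shows responses coming in, then your firewall probably allows NTP packets from high ports but not NTP packets from port 123.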
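The check suggested in the answer can be scripted. The following is an added example, not part of the original question or answer: it sends one NTP client request from a high source port (as ntpdate -d does) and one from source port 123 (as ntpd does) and compares the outcomes. The function names and the diagnosis strings are assumptions made for this illustration.

```python
import socket
import struct
import sys

NTP_TO_UNIX = 2208988800  # seconds between the NTP epoch (1900) and the Unix epoch (1970)

def build_request(version=4):
    """48-byte NTP client request: LI=0, VN=version, Mode=3, all other fields zero."""
    return bytes([(version << 3) | 3]) + bytes(47)

def parse_response(data):
    """Decode the header fields needed to confirm a genuine server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet: %d bytes" % len(data))
    secs, frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {"leap": data[0] >> 6, "version": (data[0] >> 3) & 7, "mode": data[0] & 7,
            "stratum": data[1], "transmit_unix": secs - NTP_TO_UNIX + frac / 2**32}

def probe(host, source_port=0, timeout=2.0):
    """Send one request to host:123 from source_port; return the parsed reply or None.
    source_port=0 picks a high port (as ntpdate -d does); 123 mimics ntpd and
    needs root with the local ntpd stopped, otherwise bind() raises OSError."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.bind(("", source_port))
        s.sendto(build_request(), (host, 123))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_response(data)

def diagnose(high_reply, port123_reply):
    """Summarise two probe results; the high-port-only case is the one the answer describes."""
    if high_reply and port123_reply:
        return "reachable from both ports: look at restrict lines or the remote ntpd"
    if high_reply:
        return "replies only to high ports: firewall blocks source port 123"
    if port123_reply:
        return "replies only to port 123: firewall blocks high source ports"
    return "no reply on either port: UDP/123 is blocked or the server ignores us"

if __name__ == "__main__":
    target = sys.argv[1]  # address of the server or peer line being tested
    print(diagnose(probe(target, 0), probe(target, 123)))
```

Run it as root with the local ntpd stopped, passing the address of the unreachable peer as the only argument.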