Ntp
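ntpq -p does not print the expected results
I am having trouble setting up NTP client functionality on a Debian system.
When I type ntpq -p, the output is always the same (all zeros in the output and no statistics), as shown below: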
```
sudo ntpq -p4
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp2.mojsite.co .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 panel1.web2.clu .INIT.          16 -    - 1024    0    0.000    0.000   0.000
 85.93.216.115   .INIT.          16 -    - 1024    0    0.000    0.000   0.000
```
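As you can see, reach, delay, offset and jitter are all zero, and this has not changed at all for several days now.
I think the configuration may be wrong; here is my ntp.conf file: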
```
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help

#complete guide at:
#http://doc.ntp.org/4.1.0/ntpd.htm

#######################
# Monitoring Options #
#######################

#Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/

#what to log (keyword "statistics")
#clockstats: for reference clock
#peerstats: for peers (remote ntp servers)
#loopstats: Record clock discipline loop statistics
#raw stats: for raw output
statistics loopstats peerstats clockstats rawstats

#type: generate files per day(day), per NTP process (pid), single file (none)
#per month (month) ... (year), or 24 hours of server operation (age)
#enable/disable output and
#link/nolink convenient to be able to access the current element of a file
#generation set by a fixed name

#recording of loop filter statistics information.
filegen loopstats file loopstats.log type day nolink enable
#recording of peer statistics information.
filegen peerstats file peerstats.log type day nolink enable
#recording of clock driver statistics information.
filegen clockstats file clockstats.log type day nolink enable
#recording of raw-timestamp statistics information.
filegen rawstats file rawstats.log type day nolink disable

###########################
# Reference Clock Options #
###########################

#server 127.127.t.u [prefer] [mode int] [minpoll int] [maxpoll int]
#fudge 127.127.t.u [time1 sec] [stratum int] [refid string] [mode int] [flag1 0|1] [flag2 0|1] [flag3 0|1] [flag4 0|1]

##########
# SERVER #
##########

#interface and ip setup, wildcard equals to 0.0.0.0
#This command controls which network addresses ntpd opens,
#and whether input is dropped without processing.
#ignore: don't listen on this address
#drop: listen but drop
#listen: listen and accept
interface ignore ipv6
interface listen 127.0.0.1
interface ignore 192.168.1.100
interface ignore wildcard

##########
# CLIENT #
##########

#The various operating modes are determined by the command keyword
#and the type of the required IP address.

# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example

# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>

#The iburst option is recommended, and sends a burst of packets only if
#it cannot obtain a connection with the first attempt.
#The burst option always does this, even on the first attempt,
#and should never be used without explicit permission
#and may result in blacklisting.

#this command mobilizes a persistent client mode association with the specified
#remote server or local radio clock.
#In this mode the local clock can synchronized to the remote server,
#but the remote server can never be synchronized to the local clock.
#The various operating modes are determined by the command keyword:
#server, peer, broadcast, manycastclient and the type of the required IP address.
server 1.hr.pool.ntp.org
server 0.europe.pool.ntp.org
server 3.europe.pool.ntp.org

##################
# Access Control #
##################

# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that "restrict" applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.

# By default, exchange time with everybody, but don't allow configuration.
# restrict address mask / -4 -6 / default
# default: (everybody) equal to 0.0.0.0 255.255.255.255
# kod: If access is denied, send a kiss-of-death packet.
# let client know more about why is it blocked to fix the problem
# notrap: subsystem intended for remote event logging programs.
restrict -4 default kod notrap nomodify nopeer noquery noserve
restrict -6 default kod notrap nomodify nopeer noquery noserve

# Local users may interrogate the ntp server more closely.
# If ignoring interface on ipv6 run "ntpq -p -4" instead of just "-p"
restrict 192.168.1.100 kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1

# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 172.16.1.1 mask 255.255.255.0 notrust

#########################
# Miscellaneous Options #
#########################

#Provides a way to enable or disable various server options.
disable bclient #if not specified default is: disable
disable calibrate #disable
enable kernel #enable
enable monitor #enable
enable stats #enable
enable ntp #enable

#This command controls the amount and type of output written to the system
#syslog facility or the alternate logfile.
logconfig=syncall +clockall +sysall +peerall
logfile /var/log/ntp.log

#This command specifies the name of the file used to record
#the frequency offset of the local clock oscillator.
driftfile /var/lib/ntp/ntp.drift

# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
# broadcast 172.16.1.255

# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
#disable auth
#broadcastclient
```
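Firewall rules for NTP are in place and blocked connections are logged; so far nothing has been blocked. If needed, I will provide the firewall information as well.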
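I found the problem:
```
interface ignore 192.168.1.100
```
should be
```
interface listen 192.168.1.100
```
and
```
restrict -4 default kod notrap nomodify nopeer noquery noserve
```
should be
```
restrict -4 default kod notrap nomodify nopeer noquery
```
Basically, we need to listen for incoming packets from the NTP servers, even though this is a client-only setup.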
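The two corrections in the answer above can be checked mechanically before restarting ntpd. The following Python sketch is an added example, not code from the original post: lint, interface_action, directives and the sample text are constructed for illustration, and the host's outbound address is assumed to be known. It relies on ntpd's documented behaviour that the last matching interface rule decides the action and that noserve denies every packet except ntpq/ntpdc queries.

```python
import ipaddress

# Constructed sample: only the directives from the question that matter here.
SAMPLE_CONF = """\
interface ignore ipv6
interface listen 127.0.0.1
interface ignore 192.168.1.100
interface ignore wildcard
server 1.hr.pool.ntp.org
restrict -4 default kod notrap nomodify nopeer noquery noserve
"""

def directives(text):
    """Non-comment ntp.conf lines, each as a list of tokens."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [r for r in rows if r]

def interface_action(conf, local_addr):
    """Action for local_addr: the last matching interface rule wins (default listen)."""
    addr = ipaddress.ip_address(local_addr)
    action = "listen"
    for tok in directives(conf):
        if tok[0] not in ("interface", "nic") or len(tok) < 3:
            continue
        if tok[2] in ("all", f"ipv{addr.version}"):
            action = tok[1]
        elif tok[2] == "wildcard":
            action = tok[1] if addr.is_unspecified else action
        else:
            try:
                if addr in ipaddress.ip_network(tok[2], strict=False):
                    action = tok[1]
            except ValueError:
                pass  # interface name (e.g. eth0): cannot be resolved offline
    return action

def lint(conf, local_addr):
    """Findings that stop a client-only ntpd from receiving server replies."""
    rules = directives(conf)
    if not any(t[0] in ("server", "pool", "peer") for t in rules):
        return []
    action = interface_action(conf, local_addr)
    findings = [f"interface {action} matches {local_addr}"] if action != "listen" else []
    for t in rules:
        if t[0] == "restrict" and "default" in t and "noserve" in t:
            findings.append("restrict default has noserve: " + " ".join(t))
    return findings
```

Calling lint(SAMPLE_CONF, "192.168.1.100") reports both problems; after the two changes from the answer it returns an empty list.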
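Your NTP is not connecting to the servers. If you have IPv6, try using servers on IPv6 addresses. I have had similar problems since NTP was used for DDoS attacks. It seems that many servers are limiting connections arriving on port 123. See: https://askubuntu.com/questions/825869/ntpd-does-not-sync-clock-while-ntpdate-does/825969#825969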