Understanding ntp.conf


Permit time synchronization with our time source, but do not permit the source to query or modify the service on this system.

# Permit time synchronization with our time source, but do not

# permit the source to query or modify the service on this system.

restrict default nomodify notrap noquery

restrict -6 default kod nomodify notrap nopeer noquery

 

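The loopback interface permits all access. This could be tightened, but doing so would affect some of the administrative functions.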

# Permit all access over the loopback interface.  This could

# be tightened as well, but to do so would affect some of

# the administrative functions.

restrict 127.0.0.1

restrict -6 ::1

 

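Permit systems on this network to synchronize time with this service. Do not permit those systems to modify the configuration of this service. Also, do not use those systems as peers.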

# -- CLIENT NETWORK -------

# Permit systems on this network to synchronize with this

# time service.  Do not permit those systems to modify the

# configuration of this service.  Also, do not use those

# systems as peers for synchronization.

# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Prevents ntpdc from modifying the server state and allows other machines on the internal network to synchronize time.

 

Use public time servers from the pool.ntp.org project.

# --- OUR TIMESERVERS -----

# Use public servers from the pool.ntp.org project.

# Please consider joining the pool (http://www.pool.ntp.org/join.html).

server 0.centos.pool.ntp.org iburst

server 1.centos.pool.ntp.org

server 2.centos.pool.ntp.org

 

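Use server to set the upstream NTP server. The format is as follows:

 server [IP or hostname] [prefer]

  prefer: indicates the highest priority.

  burst: when a remote NTP server is reachable, send it a burst of packets to probe it.

  iburst: when a remote NTP server is unreachable, send it a burst of packets to probe it.

  Note: by default, time is checked against the upstream NTP server only after 15 minutes.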

 

# --- NTP MULTICASTCLIENT --- multicast

#multicastclient                       

# listen on default 224.0.1.1  # multicast server; this IP is the fixed NTP multicast address

# restrict 224.0.1.1 mask 255.255.255.255 nomodify notrap

# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

 

#broadcast 192.168.1.255 autokey        # broadcast server

#broadcastclient                        # broadcast client

#broadcast 224.0.1.1 autokey            # multicast server; this IP is the fixed NTP multicast address

#multicastclient 224.0.1.1              # multicast client

#manycastserver 239.255.254.254         # manycast server

#manycastclient 239.255.254.254 autokey # manycast client

 

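Undisciplined local clock. This is a fake driver used as a backup when no outside source of synchronized time is available. The default stratum is usually 3, but in this case we choose to use stratum 0. Since the server line does not have the prefer keyword, this driver is never used for synchronization unless no other synchronization source is available. If the local host is controlled by some external source, such as an external oscillator or another protocol, the prefer keyword would cause the local host to disregard all other synchronization sources, unless the kernel modifications are in use and declare an unsynchronized condition.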

# --- GENERAL CONFIGURATION ---

# Undisciplined Local Clock. This is a fake driver intended for backup

# and when no outside source of synchronized time is available. The

# default stratum is usually 3, but in this case we elect to use stratum

# 0. Since the server line does not have the prefer keyword, this driver

# is never used for synchronization, unless no other

# synchronization source is available. In case the local host is

# controlled by some external source, such as an external oscillator or

# another protocol, the prefer keyword would cause the local host to

# disregard all other synchronization sources, unless the kernel

# modifications are in use and declare an unsynchronized condition.

#

#server 127.127.1.0     # local clock

fudge   127.127.1.0 stratum 10

#skate add

server 192.168.2.29 prefer

#skate add

 

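Drift file. Put this in a directory which the daemon can write to.

Symbolic links are not allowed either, since the daemon updates the file by creating a temporary file in the same directory and then rename()'ing it to the file.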

# Drift file.  Put this in a directory which the daemon can write to.

# No symbolic links allowed, either, since the daemon updates the file

# by creating a temporary in the same directory and then rename()'ing

# it to the file.

#

driftfile /var/lib/ntp/drift

broadcastdelay  0.008

#

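driftfile records the difference between the BIOS time and the upstream time server. Note the following about the file name: the file given after driftfile must be a full path; the file must not be a link; the file must be writable by the ntpd daemon; the value recorded in the file is in units of one millionth of a second (ppm).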

 

Keys file. If you want to adjust your server at run time, make a keys file (mode 600) and define the key number to be used for making requests.

# Keys file.  If you want to diddle your server at run time, make a

# keys file (mode 600 for sure) and define the key number to be

# used for making requests.

#

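Please do not use the default values here. Pick your own, or remote systems might be able to reset your clock at will. Note also that ntpd is started with a -A flag, which disables authentication, and that will have to be removed as well.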

# PLEASE DO NOT USE THE DEFAULT VALUES HERE. Pick your own, or remote

# systems might be able to reset your clock at will. Note also that

# ntpd is started with a -A flag, disabling authentication, that

# will have to be removed as well.

#

keys            /etc/ntp/keys
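
An added example, not part of the original post or of the ntp project: a small Python audit of the points annotated above (the flags on the restrict default lines, the full-path and no-symlink rules for driftfile, and mode 600 on the keys file). The function names and the sample configuration are assumptions constructed for illustration.

```python
import os
import stat

# Flags the page's "restrict default" lines carry to block remote changes/queries.
REQUIRED = {"nomodify", "notrap", "noquery"}
# Constructed sample, not a real host's file: noquery is missing, driftfile is relative.
SAMPLE = """\
restrict default nomodify notrap
restrict -6 default kod nomodify notrap nopeer noquery
driftfile var/lib/ntp/drift
"""

def check_driftfile(path):
    # The page requires a full path that is not a link.
    checks = [(not os.path.isabs(path), "is not a full path"),
              (os.path.islink(path), "is a symbolic link")]
    return ["driftfile %s %s" % (path, msg) for bad, msg in checks if bad]

def check_keys(path):
    try:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
    except OSError:
        return ["keys file %s cannot be read" % path]
    if mode & 0o077:  # any group/other bit means it is looser than 600
        return ["keys file %s has mode %o, expected 600" % (path, mode)]
    return []

def audit(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    findings, saw_default = [], False
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not words:
            continue
        directive, args = words[0], words[1:]
        if directive == "restrict" and "default" in args:
            saw_default = True
            missing = REQUIRED - set(args)
            if missing:
                findings.append("%s lacks %s" % (" ".join(words), " ".join(sorted(missing))))
        elif directive == "driftfile" and args:
            findings += check_driftfile(args[0])
        elif directive == "keys" and args:
            findings += check_keys(args[0])
    if not saw_default:
        findings.append("no 'restrict default' line")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```

Whether the ntpd account can write to the driftfile directory depends on the user the daemon runs as, so that point is left to a manual check.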

