Linux NTP configuration

Source: Internet
Author: User
Tags: local time

I. NTP (Network Time Protocol)

A computer's system time is produced by a quartz crystal oscillator circuit with a fixed oscillation frequency. Small manufacturing tolerances mean that this time drifts away from global time (UTC); the longer the system runs, the larger the deviation becomes, and in networked applications a large deviation can have disastrous consequences. The system time of computers on a network therefore needs to be corrected periodically, a process known as time synchronization.

The Network Time Protocol (NTP) synchronizes a computer's clock with an NTP server or with a reference clock source (such as a quartz clock or GPS). It provides high-accuracy correction: within 1 millisecond of the standard on a LAN, and within tens of milliseconds on a WAN.

Typically, time synchronization proceeds as follows:

(1): The NTP client sends a time request packet (a UDP packet) to the NTP server; the packet contains the timestamp of the moment it left the client.

(2): When the server receives the packet, it fills in the timestamp of the packet's arrival and the timestamp of its departure, then immediately returns the packet to the client.

(3): When the client receives the response packet, it records the timestamp of the packet's return and then uses these four time values to calculate two parameters: the round-trip delay of the packet and the clock offset between the client and the server.

(4): The client uses the clock offset to adjust its local clock so that its time matches the server's.
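The four-timestamp exchange above, as an added example that is not part of the original page: it builds the 48-byte NTP packets of steps (1) and (2) and computes the round-trip delay and clock offset of step (3) from them. The timestamps are constructed here rather than taken from a real server.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
PACKET = "!BBbb11I"            # 48-byte NTP packet: LI/VN/mode, stratum, poll, precision, 11 words

def to_ntp(ts):
    """Unix float timestamp -> NTP 64-bit fixed point (seconds, fraction)."""
    secs = int(ts) + NTP_EPOCH_OFFSET
    return secs, int((ts - int(ts)) * (1 << 32))

def from_ntp(secs, frac):
    """NTP fixed point -> Unix float timestamp."""
    return secs - NTP_EPOCH_OFFSET + frac / (1 << 32)

def build_request(t1):
    """Step (1): client packet (mode 3) whose transmit timestamp is t1."""
    header = (0 << 6) | (4 << 3) | 3           # LI=0, version 4, mode 3 (client)
    return struct.pack(PACKET, header, 0, 0, 0, *([0] * 9), *to_ntp(t1))

def build_response(request, t2, t3, stratum=2):
    """Step (2): the server copies the client's transmit stamp into 'originate',
    records arrival (t2) and departure (t3), and answers in mode 4."""
    orig_s, orig_f = struct.unpack("!II", request[40:48])
    header = (0 << 6) | (4 << 3) | 4           # LI=0, version 4, mode 4 (server)
    words = [0, 0, 0, 0, 0, orig_s, orig_f, *to_ntp(t2), *to_ntp(t3)]
    return struct.pack(PACKET, header, stratum, 6, -20, *words)   # poll 6 = 64 s

def compute_delay_offset(response, t4):
    """Steps (3)/(4): from the reply and its local arrival time t4, derive the
    round-trip delay and the clock offset the client should apply."""
    v = struct.unpack(PACKET, response)
    stratum = v[1]
    # stratum 0 or 16 in a reply means the server is not synchronised; this is
    # the condition ntpdate reports as "stratum 16" / "strata too high"
    if not 1 <= stratum <= 15:
        raise ValueError("server not synchronised (stratum %d)" % stratum)
    t1 = from_ntp(v[9], v[10])    # originate: when the request left the client
    t2 = from_ntp(v[11], v[12])   # receive:   when it reached the server
    t3 = from_ntp(v[13], v[14])   # transmit:  when the reply left the server
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset

if __name__ == "__main__":
    # constructed timestamps: server clock 0.4 s ahead, 0.1 s one-way delay
    req = build_request(1000.0)
    resp = build_response(req, 1000.5, 1000.6)
    print(compute_delay_offset(resp, 1000.3))   # delay ~0.2 s, offset ~+0.4 s
```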

1. Installation and configuration of network time server

(1) Check whether the NTP server package is installed: # rpm -q ntp. It is installed by default; if it is missing, install it with the rpm command or with yum.

(2) Edit the configuration file /etc/ntp.conf

The main configuration file for the NTP service is /etc/ntp.conf. It already contains some default settings, shown below:

restrict default kod nomodify notrap nopeer noquery

This line prevents other computers from querying or modifying the NTP service on this host; default means all IP addresses.

restrict -6 default kod nomodify notrap nopeer noquery

The same rule for hosts with IPv6 addresses.

restrict 127.0.0.1

Opens the local loopback interface so that the NTP service can be monitored and configured locally.

restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap

Opens this network segment without allowing modification: NTP clients in 192.168.1.0/24 may synchronize their time from this server, but may not change its NTP configuration.

server 0.rhel.pool.ntp.org

server 1.rhel.pool.ntp.org

server 2.rhel.pool.ntp.org

These are real time servers on the Internet. The server directive specifies the upstream NTP server; by default it points at time servers from the public NTP server pool.

Using network time is configured mainly by editing /etc/ntp.conf.

The NTP server listens on UDP port 123 by default.

Open port 123 in the firewall: # iptables -I INPUT -p udp --dport 123 -j ACCEPT

For example, in a local area network, set up a local NTP server (IP 192.168.0.1) that synchronizes with an external time server; its time then becomes the standard time for the whole internal network. The local NTP server does not offer NTP service to the Internet, serves only the internal subnet 192.168.0.0/24, and requires no authentication for hosts on the internal network. To achieve this, /etc/ntp.conf must be modified. First determine your time zone:

The date command shows the current system time; China's time zone is CST. The time zone can be configured interactively with the tzselect command (time zone selection),

or select Shanghai and create a symbolic link, as follows:

ln -sf /usr/share/zoneinfo/posix/Asia/Shanghai /etc/localtime  # /etc/localtime holds the system time zone

The syntax for modifying access permissions is:

1. restrict <IP address or domain name> [mask <subnet mask>] [options]

This directive sets the access rights other computers have to the local NTP service. The IP address or domain name parameter may be default, which means all computers.

Common options:

ignore: all NTP packets from the matching hosts are rejected

nomodify: matching hosts may not change the configuration of the local NTP service, but may still synchronize their time from this server

notrust: NTP packets that are not cryptographically authenticated are rejected

noquery: matching hosts may not query the status of the local NTP service

notrap: the trap service (remote event logging) is not provided to matching hosts

nopeer: time service is provided, but the host is not accepted as a peer

kod: send kiss-of-death packets to hosts that violate the access restrictions

If no options are given, the matching computer (or network segment) is subject to no restrictions at all.

To provide NTP service to the internal subnet 192.168.0.0/24, add the following line to ntp.conf: restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
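An added check that is not part of the original page: it reads the restrict lines from an ntp.conf fragment constructed here (the page's own examples plus one deliberately forgotten rule) and reports the two weaknesses described above, a default rule missing the kod/nomodify/notrap/nopeer/noquery options and a non-loopback rule with no options at all, which grants full access.

```python
# constructed /etc/ntp.conf fragment following the page's examples
SAMPLE_NTP_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap
restrict 10.0.0.0 mask 255.0.0.0   # forgotten options: this subnet is wide open
server 0.rhel.pool.ntp.org
"""

REQUIRED_DEFAULT = ("kod", "nomodify", "notrap", "nopeer", "noquery")

def parse_restrict(conf):
    """Return (family, target, mask, options) for every restrict line."""
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if len(words) < 2 or words[0] != "restrict":
            continue
        args = words[1:]
        family = "ipv4"
        if args[0] in ("-4", "-6"):
            family = "ipv6" if args.pop(0) == "-6" else "ipv4"
        if not args:
            continue
        target, mask = args.pop(0), None
        if len(args) >= 2 and args[0] == "mask":
            mask, args = args[1], args[2:]
        rules.append((family, target, mask, tuple(args)))
    return rules

def audit_restrict(conf):
    """Findings: a missing or weak 'restrict default' rule, and any rule for a
    non-loopback host/subnet that carries no options (full access)."""
    rules = parse_restrict(conf)
    findings = []
    for family in ("ipv4", "ipv6"):
        defaults = [r for r in rules if r[0] == family and r[1] == "default"]
        if not defaults:
            findings.append("%s: no 'restrict default' line, every host gets full access" % family)
        for _, _, _, opts in defaults:
            missing = [o for o in REQUIRED_DEFAULT if o not in opts]
            if missing:
                findings.append("%s default rule lacks: %s" % (family, " ".join(missing)))
    for _, target, mask, opts in rules:
        if target not in ("default", "127.0.0.1", "::1") and not opts:
            findings.append("%s: no options, host/subnet is unrestricted"
                            % (target + ("/" + mask if mask else "")))
    return findings
```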

2. The server option

Role: specifies the upstream NTP server and some connection options.

server <host> [key n] [version n] [prefer] [mode n] [minpoll n] [maxpoll n] [iburst], for example:

server 0.rhel.pool.ntp.org

server 1.rhel.pool.ntp.org

Start the NTP service: service ntpd start

Start the service at boot: chkconfig ntpd on

3. Configure the time synchronization client:

Method 1: Open the Date and Time management tool from the System -> Management menu.

Method 2: Run ntpdate <ntp server> manually to synchronize, or schedule it with crontab:

crontab -e

0 21 * * * /usr/sbin/ntpdate 192.168.0.1; /sbin/hwclock -w

This synchronizes every night at 9 o'clock.

The hwclock -w (or hwclock --systohc) command writes the system time to the hardware clock, so that the correct time is kept after the system restarts.

Troubleshooting notes:

Running ntpdate <server IP> on the NTP client fails with the error "no server suitable for synchronization found".

Running ntpdate -d <server IP> on the client shows the error "Server dropped: strata too high" and reports "stratum 16". Under normal circumstances the stratum value lies in the range 0~15.

This happens because the NTP server has not yet synchronized with itself or with its upstream server.

The following definition keeps the NTP server synchronized with itself: if the servers defined in /etc/ntp.conf are unavailable, the local clock is used to provide NTP service to the clients.

server 127.127.1.0

fudge 127.127.1.0 stratum 10

After the NTP service is restarted on the NTP server, the server needs some time (possibly 5 minutes) to synchronize with itself or with its upstream server. If a client runs ntpdate during that period, it gets the "no server suitable for synchronization found" error.

So how do you know when the NTP server has finished synchronizing itself?

Run the following command on the NTP server:

# watch ntpq -p

The screen shows:

Note that here the NTP server is synchronizing with its own local clock.

Watch the reach value: after the NTP server service starts, it increases from 0, and when it reaches 17 the server is synchronized. Going from 0 to 17 takes 5 changes, each lasting the poll value in seconds, i.e. 64 seconds * 5 = 320 seconds. On the NTP client, the commands below show the synchronization status.
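An added example, not from the original page, that parses the ntpq -p output used above (a sample constructed here, since the screen capture is not on the page) and decodes the reach column, which is an 8-bit shift register of recent poll results printed in octal; the sync_state check is what a monitoring script would run on the server before clients are pointed at it.

```python
# constructed sample of `ntpq -p` output: the server is using its local clock
# (LOCAL(0), reach 17 octal) and has one upstream pool server fully reachable
SAMPLE_NTPQ = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*LOCAL(0)        .LOCL.          10 l   12   64   17    0.000    0.000   0.000
 0.rhel.pool.ntp .GPS.            1 u   30   64  377   25.123    1.456   0.789
"""

TALLY = {"*": "system peer", "+": "candidate", "-": "outlier", "x": "falseticker",
         "#": "backup", ".": "excess", "o": "pps peer", " ": "rejected/unused"}

def parse_ntpq(text):
    """Parse ntpq -p peer lines into dicts; the reach column is octal."""
    peers = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("=") or line.split()[0] == "remote":
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) != 10:
            continue                      # not a peer line
        remote, refid, st, t, when, poll, reach = fields[:7]
        reach = int(reach, 8)             # 8-bit shift register of the last 8 polls
        peers.append({
            "remote": remote, "refid": refid, "stratum": int(st), "type": t,
            "poll": int(poll), "reach": reach, "status": TALLY.get(tally, "?"),
            "polls_ok": bin(reach).count("1"),   # successful polls out of the last 8
            "last_poll_ok": bool(reach & 1),     # low bit = most recent poll
        })
    return peers

def sync_state(peers):
    """(is_synced, reason): synced only when a '*' system peer exists, its
    stratum is in 1..15 and its most recent poll succeeded."""
    for p in peers:
        if p["status"] != "system peer":
            continue
        if not 1 <= p["stratum"] <= 15:
            return False, "system peer %s has stratum %d" % (p["remote"], p["stratum"])
        if not p["last_poll_ok"]:
            return False, "system peer %s missed its last poll" % p["remote"]
        return True, "synchronised to %s (reach %o, %d/8 polls ok)" % (
            p["remote"], p["reach"], p["polls_ok"])
    return False, "no system peer selected yet"

if __name__ == "__main__":
    for peer in parse_ntpq(SAMPLE_NTPQ):
        print(peer)
    print(sync_state(parse_ntpq(SAMPLE_NTPQ)))
```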

Several useful NTP commands:

# /usr/sbin/ntpdate -u 192.168.0.1    synchronize the time (using an unprivileged source port)

# /usr/sbin/ntpdate -q 192.168.0.1    query the server only, without updating the clock

# hwclock --systohc    write the system clock to the hardware clock

II. Web services

Common configuration parameters

ServerRoot: the server's root directory

ServerAdmin: the administrator's e-mail address

User: the user identity the service runs as

Group: the group identity the service runs as

ServerName: the domain name of the Web server

DocumentRoot: the root directory of the Web documents

Listen: the IP address and port number to listen on

PidFile: the file that stores the PID of the httpd process

DirectoryIndex: the default index page file

ErrorLog: the location of the error log file

CustomLog: the location of the access log file

LogLevel: the logging level, warn by default

Timeout: the network connection timeout, 300 seconds by default

KeepAlive: whether to keep connections alive, on or off

MaxKeepAliveRequests: the maximum number of requests served per connection

KeepAliveTimeout: the timeout while a connection is kept alive

Include: additional configuration files to be included

1. Using SSL to harden Apache

SSL overview:

Using a Web server with SSL support improves the security of your Web site. The SSL protocol sits between the Linux TCP/IP layer and the HTTP protocol.

SSL uses encryption to protect the information flowing between the Web server and the browser. It not only encrypts traffic that crosses the Internet but also provides authentication of the parties. This makes it safe to shop online without worrying about credit card information being stolen, which makes SSL suitable for sites where important information is exchanged, such as e-commerce and web-based mail.

(1): The user accesses the Web server site with a browser and sends an SSL handshake signal;

(2): The Web server responds and presents its server certificate (public key), which identifies the Web server site;

(3): The browser validates the server certificate and generates a random session key, 128 bits long;

(4): The browser encrypts the session key with the Web server's public key;
