升级ntp主要是为了解决系统安全问题:
因为centos7系统中默认安装的是 ntp 4.2.6p5版本,但是此版本漏洞很多,很容易被攻击导致无法提供服务等等问题。
一、 系统与软件版本
系统版本:CentOS7.6(这里用的是7.6-1810版本。)
ntpd软件版本:ntp-4.2.8p12
Linux 下载地址:wget http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p12.tar.gz
二、安装准备
安装依赖包
yum -y install gcc gcc-c++ openssl-devel libstdc++* libcap*备份旧版本的配置文件:(不需要备份的话请跳过)
建议备份因为源码安装不会生成配置文件如果不备份的话我会在下面贴出配置文件的内容
cp -ar /etc/ntp /etc/ntp.bak
cp /etc/ntp.conf /etc/ntp.conf.bak
cp /etc/init.d/ntpd /etc/init.d/ntpd.bak
cp /etc/sysconfig/ntpd /etc/sysconfig/ntpd.bak
cp /etc/sysconfig/ntpdate /etc/sysconfig/ntpdate.bak卸载yum安装的ntpd服务:
yum remove ntp ntpdate三、编译安装ntp-4.2.8p9
解压源码压缩文件:
tar -zxvf ntp-4.2.8p12.tar.gz进入解压生成的ntp-4.2.8p9文件夹: cd ntp-4.2.8p12/
编译安装ntpd
./configure --prefix=/usr --bindir=/usr/sbin --enable-all-clocks --enable-parse-clocks --docdir=/usr/share/doc/ntp-4.2.8p12
命令详解:
--prefix=安装的目录
--bindir=会将主程序放置到这个文件夹
--docdir=doc文档的存放目录
------------------------------------------------------------------------------
查看运行是否有错误
执行:echo $?
返回:0表示没有错误
------------------------------------------------------------------------------
编译并安装:make && make install
创建软链接:ln -s /root/ntp-4.2.8p12 /usr/local/ntp
查看 ntp 版本:ntpd --version安装完成后将上文中备份的/etc/ntp.conf.bak文件恢复为/etc/ntp.conf。(无备份则进行ntp配置操作。)
配置 ntp
执行 vi /etc/ntp.conf
这个配置文件是将此节点配置成本地服务 server 端:
本地其他机器可以使用命令:ntpdate mongodb04 来和此节点同步时间
添加以下配置:
# For more information about this file, see the man pages
# ntp.conf(5), ntp_acc(5), ntp_auth(5), ntp_clock(5), ntp_misc(5), ntp_mon(5).
driftfile /var/lib/ntp/drift
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict 192.168.0.0 mask 255.255.0.0 nomodify notrap
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
# restrict 127.0.0.1
# restrict ::1
# Hosts on local network are less restricted.
# restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server ntp1.aliyun.com iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
# broadcast 192.168.1.255 autokey # broadcast server
# broadcastclient # broadcast client
# broadcast 224.0.1.1 autokey # multicast server
# multicastclient 224.0.1.1 # multicast client
# manycastserver 239.255.254.254 # manycast server
# manycastclient 239.255.254.254 autokey # manycast client
# Enable public key cryptography.
# crypto
includefile /etc/ntp/crypto/pw
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
# trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
# requestkey 8
# Specify the key identifier to use with the ntpq utility.
# controlkey 8
# Enable writing of statistics records.
# statistics clockstats cryptostats loopstats peerstats
# Disable the monitoring facility to prevent amplification attacks using ntpdc
# monlist command when default restrict does not include the noquery flag. See
# CVE-2013-5211 for more details.
# Note: Monitoring will not be disabled with the limited restriction flag.
disable monitor然后就是启动 ntp 服务了:/usr/sbin/ntpd -c /etc/ntp.conf
查看 ntp 服务是否启动:ps -ef | grep ntpd
已经成功启动了
查看 ntp 服务端口:netstat -tunlp | grep 123
然后重启服务器:执行systemctl status ntp查看ntp状态是否为运行。
如果没有该服务,则执行:cp /usr/sbin/ntpd /etc/init.d/ntpd
加入防火墙:
firewall-cmd --permanent --zone=public --add-port=123/udp
firewall-cmd --reload
systemctl enable ntpd本地测试:w32tm /stripchart /computer:ntp服务器地址。
评论0
暂时没有评论