Install
サーバとして使う場合は、ntpd入れる。systemd-timesyncdが入ってる場合は止めておく。
# Stop and disable systemd-timesyncd so it does not compete with ntpd for
# control of the system clock (only needed if timesyncd is installed).
sudo systemctl stop systemd-timesyncd
sudo systemctl disable systemd-timesyncd
sudo systemctl daemon-reload
# Install the reference ntpd implementation (Debian package "ntp").
sudo apt install -y ntp
ntp.conf
基本的に/etc/ntp.confで設定する。Raspberry Pi OSのデフォルトのntp.confは以下のとおり。
# Stock Raspberry Pi OS / Debian ntp.conf, reproduced unmodified for reference.
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
driftfile /var/lib/ntp/ntp.drift
# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged.
#statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# You do need to talk to an NTP server or two (or three).
#server ntp.your-provider.example
# pool.ntp.org maps to about 1000 low-stratum NTP servers. Your server will
# pick a different set every time it starts up. Please consider joining the
# pool: <http://www.pool.ntp.org/join.html>
pool 0.debian.pool.ntp.org iburst
pool 1.debian.pool.ntp.org iburst
pool 2.debian.pool.ntp.org iburst
pool 3.debian.pool.ntp.org iburst
# Access control configuration; see /usr/share/doc/ntp-doc/html/accopt.html for
# details. The web page <http://support.ntp.org/bin/view/Support/AccessRestrictions>
# might also be helpful.
#
# Note that restrict applies to both servers and clients, so a configuration
# that might be intended to block requests from certain clients could also end
# up blocking replies from your own upstream servers.
# By default, exchange time with everybody, but don't allow configuration.
# Flag meanings: kod = answer abusive clients with Kiss-o'-Death packets,
# notrap = no mode 6 trap service, nomodify = no runtime configuration via
# ntpq/ntpdc, nopeer = do not form associations from unsolicited packets,
# noquery = no ntpq/ntpdc queries (plain time requests are still answered),
# limited = apply the "discard" rate limits.
restrict -4 default kod notrap nomodify nopeer noquery limited
restrict -6 default kod notrap nomodify nopeer noquery limited
# Local users may interrogate the ntp server more closely.
# (No flags here, so localhost keeps query and modify access.)
restrict 127.0.0.1
restrict ::1
# Needed for adding pool entries
# Applies to the servers learned from the pool lines above: they may supply
# time but not query or reconfigure this daemon.
restrict source notrap nomodify noquery
# Clients from this (example!) subnet have unlimited access, but only if
# cryptographically authenticated.
#restrict 192.168.123.0 mask 255.255.255.0 notrust
# If you want to provide time to your local subnet, change the next line.
# (Again, the address is an example only.)
#broadcast 192.168.123.255
# If you want to listen to time broadcasts on your local subnet, de-comment the
# next lines. Please do this only if you trust everybody on the network!
# NOTE(review): "disable auth" relaxes the authentication requirement for
# unconfigured associations such as broadcast; leave it commented unless every
# host on the segment is trusted.
#disable auth
#broadcastclient
動作確認
Windows端末から確認
w32tm /monitor /computers:172.16.200.63 /nowarn
Linux系
ntpdate -d -q 172.16.200.63
設定
Restrict Default
初期状態はクライアントからのリクエストには応答できる。
restrict default kod notrap nomodify nopeer noquery limited
ignoreにするとすべてのパケット無視して返さなくなる。
restrict default ignore
負荷、セキュリティ要件などで特定のアドレスのみ許可したい場合などは、 restrict default ignoreを設定して、個別に許可を追加していく。
# Allow-list pattern: deny everything by default, then open one subnet.
restrict default ignore
# notrust on this line additionally requires the clients to authenticate;
# adjust the address/mask to the subnet that should be served.
restrict 172.16.200.0 mask 255.255.255.0 kod notrap nomodify nopeer noquery limited notrust
認証設定
クライアントからのリクエストに認証を必須にする。ちなみにtrustedkeyなどのID指定は、後ろにスペースをひとつ入れておかないと認証できないっぽい。(IDがひとつだけの場合かもしれない。ドキュメントで関連する記述は見つけられなかった。)
- keyファイルの暗号化は未確認
- 上位サーバとの認証設定は未確認
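# Create the key directory; -p keeps this step re-runnable if it already exists.
sudo mkdir -p /etc/ntp
# Symmetric-key file, one "<id> <type> <secret>" entry per line. "MD5" is the
# digest type for the keyed hash, not file encryption. The secret below is a
# throwaway test value; for anything beyond a test, generate a random key
# (e.g. with ntp-keygen) instead of a guessable string.
# NOTE(review): sudo tee leaves the file root-owned; confirm the account ntpd
# runs as can read it if the daemon needs to re-read keys after dropping
# privileges (e.g. chown root:ntp on Debian-style installs).
sudo tee /etc/ntp/keys <<EOF >/dev/null
1 MD5 P@ssw0rd # For Test
EOF
# Keep the secret out of reach of other local users.
sudo chmod 640 /etc/ntp/keys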
# Append the symmetric-key settings to the stock config:
#   keys        - key file created above
#   trustedkey  - key ids clients/peers are allowed to authenticate with
#   controlkey  - key id accepted for ntpq (mode 6) runtime control
#   requestkey  - key id accepted for ntpdc (mode 7) runtime requests
# NOTE(review): controlkey/requestkey let a holder of key 1 reconfigure ntpd at
# runtime; the default restrict line's noquery blocks that from remote hosts,
# but 127.0.0.1/::1 carry no such flag.
sudo tee -a /etc/ntp.conf <<EOF> /dev/null
# Authentication Keys
keys /etc/ntp/keys
trustedkey 1
controlkey 1
requestkey 1
EOF
再起動して反映
sudo systemctl restart ntp
確認
Linux系
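# Client-side copy of the same key (id 1) for ntpdate's -k option.
tee ./test-keys <<EOF >/dev/null
1 MD5 P@ssw0rd # For Test
EOF
# A typical default umask would leave the secret readable by other local
# users; restrict it to the owner.
chmod 600 ./test-keys
# -a 1: authenticate with key id 1; -k: key file to read it from;
# -d: debug mode, which runs the exchange but does not adjust the clock.
ntpdate -a 1 -k ./test-keys -d 172.16.200.63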
root@DESKTOP-BQGP071:~# ntpdate -a 1 -k ./test-keys -d 172.16.200.63
7 Nov 13:34:27 ntpdate[296]: ntpdate 4.2.8p10@1.3728-o (1)
Looking for host 172.16.200.63 and service ntp
host found : 172.16.200.63
authreadkeys: full access list <NULL>
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
server 172.16.200.63, port 123
stratum 2, precision -22, leap 00, trust 000
refid [172.16.200.63], delay 0.02812, dispersion 0.00009
transmitted 4, in filter 4
reference time: e531d5d3.b2f035f7 Sun, Nov 7 2021 13:34:27.698
originate timestamp: e531d5d9.4e64bd04 Sun, Nov 7 2021 13:34:33.306
transmit timestamp: e531d5d9.387b4e55 Sun, Nov 7 2021 13:34:33.220
filter delay: 0.02841 0.02812 0.02829 0.02824
0.00000 0.00000 0.00000 0.00000
filter offset: 0.084238 0.084165 0.084002 0.084025
0.000000 0.000000 0.000000 0.000000
delay 0.02812, dispersion 0.00009
offset 0.084165
7 Nov 13:34:33 ntpdate[296]: adjust time server 172.16.200.63 offset 0.084165 sec
ちなみにこのままだと、別に認証なしでも通る
root@DESKTOP-BQGP071:~# ntpdate -q 172.16.200.63
server 172.16.200.63, stratum 3, offset 0.084303, delay 0.02791
7 Nov 13:36:52 ntpdate[300]: adjust time server 172.16.200.63 offset 0.084303 sec
認証必要なアドレスを指定
ntp.confのrestrictにnotrustをつけると、そのアドレスからのリクエストは認証が必要になる(多分)。defaultまたは個別のIPアドレスにnotrustをつけることができる。
restrict default kod notrap nomodify nopeer noquery limited notrust
検証で使うケースなどでは、対象のネットワークのみ認証必須にすることのほうが多いので、こんな感じになる。
# restrict default
# Unchanged stock default: hosts outside the test network still get
# unauthenticated replies.
restrict default kod notrap nomodify nopeer noquery limited
# Authentication Test Network
# Only this subnet is required to authenticate (notrust).
restrict 172.16.200.0 mask 255.255.255.0 kod notrap nomodify nopeer noquery limited notrust
確認
linux系
ntpdate -a 1 -k ./test-keys -d 172.16.200.63
root@DESKTOP-BQGP071:~# ntpdate -a 1 -k ./test-keys -d 172.16.200.63
7 Nov 13:53:40 ntpdate[477]: ntpdate 4.2.8p10@1.3728-o (1)
Looking for host 172.16.200.63 and service ntp
host found : 172.16.200.63
authreadkeys: full access list <NULL>
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
transmit(172.16.200.63)
receive(172.16.200.63)
receive: authentication passed
172.16.200.63: Server dropped: strata too high
server 172.16.200.63, port 123
stratum 16, precision -22, leap 11, trust 000
refid [172.16.200.63], delay 0.02820, dispersion 0.00005
transmitted 4, in filter 4
reference time: 00000000.00000000 Thu, Feb 7 2036 15:28:16.000
originate timestamp: e531da5a.bffe8578 Sun, Nov 7 2021 13:53:46.749
transmit timestamp: e531da5a.a72b5442 Sun, Nov 7 2021 13:53:46.653
filter delay: 0.02850 0.02820 0.02835 0.02832
0.00000 0.00000 0.00000 0.00000
filter offset: 0.095576 0.095280 0.095286 0.095313
0.000000 0.000000 0.000000 0.000000
delay 0.02820, dispersion 0.00005
offset 0.095280
7 Nov 13:53:46 ntpdate[477]: no server suitable for synchronization found
これで認証なしではNTP応答しなくなる。
root@DESKTOP-BQGP071:~# ntpdate -d 172.16.200.63
7 Nov 13:58:55 ntpdate[488]: ntpdate 4.2.8p10@1.3728-o (1)
Looking for host 172.16.200.63 and service ntp
host found : 172.16.200.63
transmit(172.16.200.63)
transmit(172.16.200.63)
transmit(172.16.200.63)
transmit(172.16.200.63)
transmit(172.16.200.63)
172.16.200.63: Server dropped: no data
server 172.16.200.63, port 123
stratum 0, precision 0, leap 00, trust 000
refid [172.16.200.63], delay 0.00000, dispersion 64.00000
transmitted 4, in filter 4
reference time: 00000000.00000000 Thu, Feb 7 2036 15:28:16.000
originate timestamp: 00000000.00000000 Thu, Feb 7 2036 15:28:16.000
transmit timestamp: e531db95.93845dc8 Sun, Nov 7 2021 13:59:01.576
filter delay: 0.00000 0.00000 0.00000 0.00000
0.00000 0.00000 0.00000 0.00000
filter offset: 0.000000 0.000000 0.000000 0.000000
0.000000 0.000000 0.000000 0.000000
delay 0.00000, dispersion 64.00000
offset 0.000000
7 Nov 13:59:03 ntpdate[488]: no server suitable for synchronization found
ログ取得
# Append logging settings. "logconfig =all" is very verbose and is meant for
# this test setup.
# NOTE(review): assumes /var/log/ntpstats/ exists and is writable by the
# account ntpd runs as — confirm, since the stock config leaves statsdir
# commented out.
sudo tee -a /etc/ntp.conf <<EOF> /dev/null
# Logging
logfile /var/log/ntpstats/ntpd.log
logconfig =all
EOF
再起動して反映
sudo systemctl restart ntp
検証用ntp.confサンプル
# /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
# Test-lab sample: every client must authenticate, key id 1, full logging.
driftfile /var/lib/ntp/ntp.drift
# Leap seconds definition provided by tzdata
leapfile /usr/share/zoneinfo/leap-seconds.list
# Enable this if you want statistics to be logged.
statsdir /var/log/ntpstats/
statistics loopstats peerstats clockstats
filegen loopstats file loopstats type day enable
filegen peerstats file peerstats type day enable
filegen clockstats file clockstats type day enable
# NTP Source Pool
pool ntp.nict.jp iburst
# Access Control
## restrict Default
# notrust here already requires authentication from every client that matches
# no more specific line; the test-network line below repeats the same flags.
restrict default kod notrap nomodify nopeer noquery limited notrust
## Machine Local
# No flags: localhost keeps query and modify access.
restrict 127.0.0.1
restrict ::1
## Needed for adding pool entries
restrict source notrap nomodify noquery
## Authentication Test Network
restrict 172.16.200.0 mask 255.255.255.0 kod notrap nomodify nopeer noquery limited notrust
# Authentication Keys
# Key id 1 must exist in /etc/ntp/keys. controlkey/requestkey also allow
# runtime reconfiguration by a holder of that key; remote hosts are blocked by
# noquery above, local users are not.
keys /etc/ntp/keys
trustedkey 1
controlkey 1
requestkey 1
# Logging
# NOTE(review): assumes /var/log/ntpstats/ exists and is writable by the
# account ntpd runs as — confirm.
logfile /var/log/ntpstats/ntpd.log
logconfig =all