我的问题与下面的问题有点类似,但仍然有所不同。ntpdate成功同步时钟,但ntpd在将查询传输到同一时间服务器后未获取任何数据。我的时钟耗电量为每小时1.0-1.5秒!
$ ntpdate -qv 194.177.4.2
16 Sep 21:45:42 ntpdate[21836]: ntpdate [email protected] Thu Feb 11 18:30:41 UTC 2016 (1)
server 194.177.4.2, stratum 2, offset 17.656685, delay 0.06981
16 Sep 21:45:48 ntpdate[21836]: step time server 194.177.4.2 offset 17.656685 sec
以及更多细节
$ ntpdate -qd 212.33.77.42
16 Sep 21:48:32 ntpdate[21841]: ntpdate [email protected] Thu Feb 11 18:30:41 UTC 2016 (1)
Looking for host 212.33.77.42 and service ntp
host found : 212.33.77.42
transmit(212.33.77.42)
receive(212.33.77.42)
transmit(212.33.77.42)
receive(212.33.77.42)
transmit(212.33.77.42)
receive(212.33.77.42)
transmit(212.33.77.42)
receive(212.33.77.42)
server 212.33.77.42, port 123
stratum 2, precision -20, leap 00, trust 000
refid [212.33.77.42], delay 0.03363, dispersion 0.00159
transmitted 4, in filter 4
reference time: db86ca25.1cf0982a Fri, Sep 16 2016 21:44:37.113
originate timestamp: db86cb28.8dda4c1d Fri, Sep 16 2016 21:48:56.554
transmit timestamp: db86cb16.da7f48f5 Fri, Sep 16 2016 21:48:38.853
filter delay: 0.03363 0.03381 0.03365 0.03368
0.00000 0.00000 0.00000 0.00000
filter offset: 17.69400 17.69494 17.69572 17.69653
0.000000 0.000000 0.000000 0.000000
delay 0.03363, dispersion 0.00159
offset 17.694009
16 Sep 21:48:38 ntpdate[21841]: step time server 212.33.77.42 offset 17.694009 sec
$ sudo ntpd -d4L
ntpd [email protected] Thu Feb 11 18:30:40 UTC 2016 (1)
16 Sep 21:16:47 ntpd[21468]: proto: precision = 2.793 usec
event at 0 0.0.0.0 c01d 0d kern kernel time sync enabled
Finished Parsing!!
16 Sep 21:16:47 ntpd[21468]: ntp_io: estimated max descriptors: 1024, initial socket boundary: 16
16 Sep 21:16:47 ntpd[21468]: Listen and drop on 0 v4wildcard 0.0.0.0 UDP 123
16 Sep 21:16:47 ntpd[21468]: Listen normally on 1 lo 127.0.0.1 UDP 123
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00003000 flags 00000001
16 Sep 21:16:47 ntpd[21468]: Listen normally on 2 eth0 xxx.116.4.142 UDP 123
restrict: op 1 addr xxx.116.4.142 mask 255.255.255.255 mflags 00003000 flags 00000001
16 Sep 21:16:47 ntpd[21468]: Listen normally on 3 as0t0 172.27.224.1 UDP 123
restrict: op 1 addr 172.27.224.1 mask 255.255.255.255 mflags 00003000 flags 00000001
16 Sep 21:16:47 ntpd[21468]: Listen normally on 4 as0t1 172.27.228.1 UDP 123
restrict: op 1 addr 172.27.228.1 mask 255.255.255.255 mflags 00003000 flags 00000001
16 Sep 21:16:47 ntpd[21468]: Listen normally on 5 as0t2 172.27.232.1 UDP 123
restrict: op 1 addr 172.27.232.1 mask 255.255.255.255 mflags 00003000 flags 00000001
16 Sep 21:16:47 ntpd[21468]: Listen normally on 6 as0t3 172.27.236.1 UDP 123
restrict: op 1 addr 172.27.236.1 mask 255.255.255.255 mflags 00003000 flags 00000001
16 Sep 21:16:47 ntpd[21468]: peers refreshed
16 Sep 21:16:47 ntpd[21468]: Listening on routing socket on fd #23 for interface updates
restrict: op 1 addr 0.0.0.0 mask 0.0.0.0 mflags 00000000 flags 000005d0
16 Sep 21:16:47 ntpd[21468]: restrict: error in address '::' on line 45. Ignoring...
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00000000 flags 00000000
16 Sep 21:16:47 ntpd[21468]: restrict: error in address '::1' on line 49. Ignoring...
key_expire: at 0 associd 45622
peer_clear: at 0 next 1 associd 45622 refid INIT
event at 0 194.177.4.2 8011 81 mobilize assoc 45622
newpeer: xxx.116.4.142->194.177.4.2 mode 3 vers 4 poll 6 10 flags 0x1 0x1 ttl 0 key 00000000
key_expire: at 0 associd 45623
peer_clear: at 0 next 2 associd 45623 refid INIT
event at 0 212.33.77.42 8011 81 mobilize assoc 45623
newpeer: xxx.116.4.142->212.33.77.42 mode 3 vers 4 poll 6 10 flags 0x1 0x1 ttl 0 key 00000000
key_expire: at 0 associd 45624
peer_clear: at 0 next 3 associd 45624 refid INIT
event at 0 193.25.222.240 8011 81 mobilize assoc 45624
newpeer: xxx.116.4.142->193.25.222.240 mode 3 vers 4 poll 6 10 flags 0x1 0x1 ttl 0 key 00000000
key_expire: at 0 associd 45625
peer_clear: at 0 next 4 associd 45625 refid INIT
event at 0 192.86.14.67 8011 81 mobilize assoc 45625
newpeer: xxx.116.4.142->192.86.14.67 mode 3 vers 4 poll 6 10 flags 0x1 0x1 ttl 0 key 00000000
key_expire: at 0 associd 45626
peer_clear: at 0 next 5 associd 45626 refid INIT
event at 0 91.189.94.4 8011 81 mobilize assoc 45626
newpeer: xxx.116.4.142->91.189.94.4 mode 3 vers 4 poll 6 10 flags 0x1 0x1 ttl 0 key 00000000
event at 0 0.0.0.0 c016 06 restart
event at 0 0.0.0.0 c012 02 freq_set kernel 0.000 PPM
event at 0 0.0.0.0 c011 01 freq_not_set
transmit: at 1 xxx.116.4.142->194.177.4.2 mode 3 len 48
auth_agekeys: at 1 keys 1 expired 0
transmit: at 2 xxx.116.4.142->212.33.77.42 mode 3 len 48
transmit: at 3 xxx.116.4.142->193.25.222.240 mode 3 len 48
transmit: at 4 xxx.116.4.142->192.86.14.67 mode 3 len 48
transmit: at 5 xxx.116.4.142->91.189.94.4 mode 3 len 48
[...]
^C16 Sep 21:17:37 ntpd[21468]: ntpd exiting on signal 2
我用停止了它Ctr+C。观察到的错误似乎不是问题,可以忽略。
restrict: op 1 addr 0.0.0.0 mask 0.0.0.0 mflags 00000000 flags 000005d0
16 Sep 21:16:47 ntpd[21468]: restrict: error in address '::' on line 45. Ignoring...
restrict: op 1 addr 127.0.0.1 mask 255.255.255.255 mflags 00000000 flags 00000000
16 Sep 21:16:47 ntpd[21468]: restrict: error in address '::1' on line 49. Ignoring...
它们源自/etc/ntp.conf的这些行
# Local users may interrogate the ntp server more closely.
restrict 127.0.0.1
restrict ::1
在将它们注释掉之后,错误消失了,但是服务器仍然没有收到任何软件包。并且在服务器运行时,ntpq -np显示其处于INIT状态(此处具有不同的服务器池)。
remote refid st t when poll reach delay offset jitter
==============================================================================
94.154.96.7 .INIT. 16 u - 64 0 0.000 0.000 0.000
158.75.5.245 .INIT. 16 u - 64 0 0.000 0.000 0.000
193.219.28.147 .INIT. 16 u - 64 0 0.000 0.000 0.000
193.219.28.2 .INIT. 16 u - 64 0 0.000 0.000 0.000
91.189.89.198 .INIT. 16 u - 64 0 0.000 0.000 0.000
我猜这个证明我没有与防火墙相关的问题。我也问过我的ISP。它们不阻止任何内容,也不提供本地时间服务器。
我当前正在使用的明显解决方法是按小时计划ntpdate。但是,正如Tim Bielawa 在此所解释的那样,它的ntpd 工作原理是稍微调整系统上的一秒长度,以使您慢慢获得正确的时间,同时又ntpdate可能向后调整时钟,这可能会使某些程序失灵。
# m h dom mon dow command
@hourly /usr/sbin/ntpdate -u ntp.tp.pl
在服务器上执行
$sudo nmap -p 123 -sU xxx.yyy.zzz.142
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 14:30 CEST
Nmap scan report for example.com (xxx.yyy.zzz.142)
Host is up (0.00021s latency).
PORT STATE SERVICE
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
$ sudo nmap -p 123 -sU example.com
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 14:27 CEST
Nmap scan report for example.com (127.0.1.1)
Host is up.
PORT STATE SERVICE
123/udp open|filtered ntp
Nmap done: 1 IP address (1 host up) scanned in 2.09 seconds
$ sudo nmap -p 123 -sU localhost
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 14:26 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00018s latency).
Other addresses for localhost (not scanned): 127.0.0.1
rDNS record for 127.0.0.1: localhost.localdomain
PORT STATE SERVICE
123/udp open ntp
Nmap done: 1 IP address (1 host up) scanned in 1.08 seconds
在不同国家的主机上执行
$ sudo nmap -p 123 -sU xxx.yyy.zzz.142
Starting Nmap 6.40 ( http://nmap.org ) at 2016-09-19 14:51 CEST
Nmap scan report for example.com (xxx.yyy.zzz.142)
Host is up (0.046s latency).
PORT STATE SERVICE
123/udp open|filtered ntp
Nmap done: 1 IP address (1 host up) scanned in 0.78 seconds
尽管nmap报告说“状态已过滤”,但我仍iptables对该运动进行了清理。
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
在下面运行时执行。
$ sudo ntpd -d
transmit: at 2 xxx.yyy.zzz.142->94.154.96.7 mode 3 len 48
transmit: at 3 xxx.yyy.zzz.142->194.177.4.2 mode 3 len 48
transmit: at 67 xxx.yyy.zzz.142->94.154.96.7 mode 3 len 48
transmit: at 70 xxx.yyy.zzz.142->194.177.4.2 mode 3 len 48
给出了这个结果
$ sudo tcpdump udp port 123
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
15:16:29.733037 IP example.com.ntp > 96-7.cpe.smnt.pl.ntp: NTPv4, Client, length 48
15:16:30.733095 IP example.com.ntp > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:17:34.733013 IP example.com.ntp > 96-7.cpe.smnt.pl.ntp: NTPv4, Client, length 48
15:17:37.733139 IP example.com.ntp > pscolka.of.pl.ntp: NTPv4, Client, length 48
这是的转储ntpdate -q 194.177.4.2,成功。
15:31:16.790206 IP example.com.48658 > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:31:16.834517 IP pscolka.of.pl.ntp > example.com.48658: NTPv4, Server, length 48
15:31:18.790268 IP example.com.48658 > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:31:18.834546 IP pscolka.of.pl.ntp > example.com.48658: NTPv4, Server, length 48
15:31:20.790210 IP example.com.48658 > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:31:20.834336 IP pscolka.of.pl.ntp > example.com.48658: NTPv4, Server, length 48
15:31:22.790253 IP example.com.48658 > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:31:22.834572 IP pscolka.of.pl.ntp > example.com.48658: NTPv4, Server, length 48
当我执行这个
sudo ntpdate 194.177.4.2
19 Sep 15:36:19 ntpdate[8123]: no server suitable for synchronization found
转储是
15:36:11.856663 IP example.com.ntp > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:36:13.856654 IP example.com.ntp > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:36:15.856640 IP example.com.ntp > pscolka.of.pl.ntp: NTPv4, Client, length 48
15:36:17.856765 IP example.com.ntp > pscolka.of.pl.ntp: NTPv4, Client, length 48
虽然是众多测试之一,但$ sudo ntpd -d我可以观察到以下内容。
receive: at 1618 xxx.yyy.zzz.142<-178.39.91.211 mode 3 len 48
transmit: at 1618 xxx.yyy.zzz.142->178.39.91.211 mode 4 len 48
receive: at 1618 xxx.yyy.zzz.142<-178.39.91.211 mode 3 len 48
服务器178.39.91.211不在我的配置中。我猜还有其他主机问我的服务器“几点了?” 这意味着可以在端口123上进行传入通信吗?我tcpdump上面没有日志,但是ntpd仅在port上侦听123。我有类似事件的转储,很遗憾,没有答案:
15:27:29.313748 IP 209.126.136.2.42440 > example.com.ntp: NTPv2, Reserved, length 12
我的印象是,无法从服务器在port上发送数据包123。ISP再次询问仍然否认他们将阻止任何内容。
最后,我的ISP确认先前的ISP阻止了我IP地址上的源端口123。我遵循了比尔·托尔(Bill Thor)的以下建议,并向我添加了NAT规则,iptables如果目标端口也是123,则它将源端口123更改为另一个。
$ sudo iptables -t nat -A POSTROUTING -p udp -s xxx.yyy.zzz.142 --sport 123 --dport 123 -j SNAT --to-source xxx.yyy.zzz.142:12345
现在,我的ntp服务器收到其他时间服务器的答复。
$ sudo tcpdump udp port 123
14:31:29.875903 IP example.com.12345 > pscolka.of.pl.ntp: NTPv4, Client, length 48
14:31:29.921176 IP pscolka.of.pl.ntp > example.com.12345: NTPv4, Server, length 48
14:32:30.875809 IP example.com.12345 > ntp.task.gda.pl.ntp: NTPv4, Client, length 48
14:32:30.882699 IP ntp.task.gda.pl.ntp > example.com.12345: NTPv4, Server, length 48
14:32:33.875963 IP example.com.12345 > pscolka.of.pl.ntp: NTPv4, Client, length 48
14:32:33.920863 IP pscolka.of.pl.ntp > example.com.12345: NTPv4, Server, length 48
和我的ntp报告如下。
$ ntpq -np
remote refid st t when poll reach delay offset jitter
==============================================================================
2001:67c:1560:8 .STEP. 16 - - 1024 0 0.000 0.000 0.000
*153.19.250.123 212.244.36.227 2 u 20 64 377 6.785 -0.791 9.129
194.177.4.2 80.50.231.226 2 u 64 64 0 0.000 0.000 0.000
所有服务器都卡有.INIT.refid的事实表明您无法与该服务器建立连接。连接到服务器后,该值将更改为该服务器的首选来源。
看来您无法访问池服务器。尝试将server带有IP地址的A添加194.177.4.2到您的ntp.conf文件中。
自从放大攻击成为一个问题以来,我发现我在通过IPv4连接到ntp服务器时遇到了问题。我有一个IPv6隧道,该隧道使我可以通过IPv6连接到池服务器。
此配置可能适合您。我省略了我的密钥和统计信息配置。
flyingfile /var/lib/ntp/ntp.drift# 使用NTP池项目中的服务器。由Ubuntu技术委员会 池2.ubuntu.pool.ntp.org iburst 服务器194.177.4.2批准。maxpoll 17 iburst #默认情况下,与每个人交换时间,但不允许进行配置。 限制-4默认kod notrap nomodify nopeer noquery限制 限制-6默认kod notrap nomodify nopeer noquery限制 #本地用户可以更紧密地查询ntp服务器。 限制127.0.0.1 限制:: 1 限制10.0.0.0掩码255.0.0.0 kod nomodify notrap notrust保留限制 限制限制172.16.0.0遮罩255.31.0.0 kod nomodify notrap notrust 限制192.168.0.0掩码255.255.0.0 kod nomodify notrap notrust 限制2001:470:c3c :: 0 mask ffff:ffff:ffff :: kod nomodify notrap notrust #需要添加池条目 限制源notrap nomodify noquery
某些选项将导致ntpdate使用非特权端口,这可能会导致行为不同于您从端口123连接的行为。ntp将始终使用端口123。您tcpdump指示服务器在源自端口123时未在答复您的请求。这将中断放大攻击。
我已经有一段时间在IPv4上遇到您的问题了。我通过命令验证了两个端口均为123时,流量是否未被阻止traceroute --sport=123 -p 123 94.154.96.7。我发现了两种行为:
在任何一种情况下,如果源端口之一不是123,则将提供时间。
我发现一种变通方法是使用在主机上伪装的第二个IP。我shorewall用来构建防火墙,所以添加了伪装规则:
#接口源地址原型端口 eth0 192.0.2.4 192.0.2.5:200-300:persistent udp 123
这似乎导致了以下规则。
-A POSTROUTING -o eth0 -j eth0_masq
-A eth0_masq -s 192.0.2.4 -p 17 --dport 123 -j SNAT --to-source 192.0.2.5:200-300 --persistent
我尚未对此进行全面测试,但是它可以缩短超时时间。
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句