
http://time.ewha.or.kr/ntp_ddos.html


http://articles.slicehost.com/2010/11/8/using-ntp-to-sync-time-on-debian



Using NTP to sync time on Debian

Keeping your Debian system's date and time accurate is easy to do using NTP.


Synchronize watches

Having an accurate clock on your VPS is usually a good thing. It ensures the time stamps in emails sent from the machine are correct, and it's especially helpful when you need to look at the logs from a particular time of day.

If you are running a kernel from our repository that is older than 2.6.32.12 you shouldn't need to do anything to keep your server at an accurate time. The VPS will sync with the hardware clock, which is syncing from an NTP server itself.

Newer kernels, on the other hand, use a scheme that actually prevents the VPS from talking to the hardware clock (the "pvops" kernels, for the curious and technical-minded). This means that if you aren't occasionally setting the system clock yourself the time will slowly drift away from a perfectly accurate setting.

Network time protocol

That's where the network time protocol (NTP) comes in. NTP lets you automatically sync your system time with a remote server.

Setting up an NTP server to regularly adjust your machine's clock is pretty easy by default. It's also possible to make it a bit more complicated if you need your clock accurate down to the millisecond instead of just to the second.

Install

The first thing to do is install the NTP server. Grab the package by running:

sudo aptitude update
sudo aptitude install ntp

Start the service

To make sure the NTP service starts after installing it, run:

sudo /etc/init.d/ntp start

As is usual for Linux services, you can stop or restart the NTP service by running the above command with "stop" or "restart" sent as the argument instead of "start".

Quickstart

Most people just want to get NTP running and don't need to sync their clock to pinpoint, millisecond-level accuracy.

For those people: You're done. You can actually stop now. When you installed NTP it set you up with some default servers to sync with. From now on NTP will sync your clock automatically.

Congratulations on a job well done!

If you want to use NTP to sync several of your own machines with each other, or want to choose NTP servers other than the defaults, read on.

The ntp.conf file

The NTP configuration file can be found at:

/etc/ntp.conf

There are a few settings that can be changed in there, but for most people the only settings of interest would be any "server" entries. The default for Debian looks like:

# pool.ntp.org maps to about 1000 low-stratum NTP servers.  Your server will
# pick a different set every time it starts up.  Please consider joining the
# pool: 
server 0.debian.pool.ntp.org iburst dynamic
server 1.debian.pool.ntp.org iburst dynamic
server 2.debian.pool.ntp.org iburst dynamic
server 3.debian.pool.ntp.org iburst dynamic

With more than one "server" entry your NTP server will query all servers and only select a time that a majority of the polled servers will agree on. This basically means that with three or more servers your clock will be more accurate than if it just uses one.

If you add the "iburst" option after the server address it can speed up the NTP time sync by a bit. It's usually a good idea to use it, but not essential.

The "dynamic" option tells NTP that it can try a configured server again later if it's unavailable at some point. The option is useful when NTP is running on a machine that doesn't always have access to the Internet, but is not necessary on a machine with a dedicated connection.

Syncing multiple servers

If you have more than one machine to sync it works best if you designate one to be your "master" NTP server. Let that one server connect to an outside NTP server, then have the other machines sync to the master.

The advantages of this setup are a reduced number of outgoing connections and a guarantee that all of your machines will have their time set to the exact same value. Configuring this kind of setup just requires changes to the "server" settings in the ntp.conf files on each machine.

On the master machine you would set up any external servers you want to use. For example, if you wanted to use the NTP pool servers (more on that later) you could set the "server" values in the master's ntp.conf file to:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

Then, on every other machine whose time you want to sync, point ntp.conf at your master server. If your master server were going to be "main.example.com", you would alter the ntp.conf files on the secondary machines so the only server entry would be:

server main.example.com iburst

After setting the server parameters and making sure iptables won't block connections to your main NTP server, just restart the NTP services on each machine to get them syncing.

Adjusting iptables

NTP uses UDP port 123 to conduct its business, either connecting out to another NTP server or accepting incoming connections. If you have iptables filtering incoming traffic on the main NTP server in your cluster you'll need to open port 123 to UDP traffic to allow the other servers to connect to it.

You can open port 123 for UDP traffic with the following arguments for iptables:

-I INPUT -p udp --dport 123 -j ACCEPT
-I OUTPUT -p udp --sport 123 -j ACCEPT
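
Opening UDP port 123 on the master makes ntpd reachable by whoever the firewall lets in, so the master's ntp.conf should also limit what remote hosts may ask for. The script below is an added example, not part of the original article: it reads an ntp.conf on stdin and reports a server list too short for majority selection and a missing or query-permitting "restrict default" line. The sample configs and the finding names are constructed for illustration.

```sh
# Added example: audit a master server's ntp.conf, read from stdin.
# Prints one finding per line and nothing when both checks pass.
audit_ntp_conf() {
    awk '
        { sub(/#.*/, "") }                        # ignore comments
        $1 == "server" || $1 == "pool" { servers++ }
        $1 == "restrict" {
            i = 2
            if ($i == "-4" || $i == "-6") i++     # optional address-family flag
            if ($i == "default") {
                seen_default = 1; closed = 0
                # noquery refuses status queries but still serves time
                for (j = i + 1; j <= NF; j++)
                    if ($j == "noquery" || $j == "ignore") closed = 1
                if (!closed) open_default = 1
            }
        }
        END {
            # Majority selection needs three or more upstream servers.
            if (servers < 3) print "FEW_SERVERS", servers + 0
            # With no default restriction ntpd answers queries from anyone.
            if (!seen_default) print "NO_RESTRICT_DEFAULT"
            if (open_default) print "DEFAULT_ALLOWS_QUERY"
        }
    '
}

# Constructed sample: the master server list from the article, nothing else.
sample_master_open() {
    cat <<'EOF'
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
EOF
}

# Constructed sample: the same servers plus restrict lines.
sample_master_restricted() {
    sample_master_open
    cat <<'EOF'
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
EOF
}
echo "open:       $(sample_master_open | audit_ntp_conf)"
echo "restricted: $(sample_master_restricted | audit_ntp_conf)"
```

To check a real machine, run audit_ntp_conf < /etc/ntp.conf. On the firewall side the matching step is to add a source match (-s with the secondary machines' network) to the INPUT rule instead of accepting port 123 from everywhere.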

Choosing an NTP server

When syncing one or more machines via NTP you'll want at least one of them to set its time from a reliable external server. There are many public servers out there that are either synced directly from an atomic clock (guaranteeing an absolutely accurate time), or are synced from another server that syncs to an atomic clock.

Public NTP server lists

The best source for lists of public NTP servers is the NTP Servers WebHome at the main NTP site. When you visit that site you'll see a description of the servers available, and in the sidebar should be links to three "levels" of NTP servers: Primary, secondary, and pool. How accurate you need your servers to be will determine what type of server you'll want to sync from.

NTP pool servers

For most users the "pool" servers are the best choice. Pool servers are machines that have volunteered to make their NTP server available to the public. They typically sync from a secondary NTP server so their time is accurate, but not necessarily accurate to the nearest millisecond.

Most users don't need to be accurate to the nearest millisecond; they just want to know what time it is. So unless you absolutely know you need pinpoint accuracy, use the pool servers.

Using the NTP pool servers is as easy as setting the server entries in your ntp.conf file to:

server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst

If you want to make sure you only connect to pool servers in your own country or region visit the pool servers page for more specific addresses. For most people the above entries will be more than sufficient. Those addresses rotate among a huge list of volunteer NTP servers worldwide so the load on any one machine never gets too great.

For that matter, once you've set up your NTP server, if you want to contribute to the NTP pool you can get details on how to do so from the pool web site.

Primary and secondary servers

The other two tiers of NTP servers are primary and secondary servers.

A primary server is one that gets its time directly from an atomic clock (or from GPS satellites, which use atomic clocks). Atomic clocks are expensive so there aren't a lot of primary servers. You won't want to use a primary server unless you're looking for extreme scientific accuracy.

A secondary server usually gets its time from a primary server. If you want accuracy down to the millisecond level, having three secondary servers in your ntp.conf will usually do nicely.

Selecting either list from the NTP Servers WebHome will let you see what public servers are available in either tier. Before selecting and using a server check the details for that server as follows:

ISO

The "ISO" column lists the country of origin of that particular server.

AccessPolicy

The AccessPolicy field tells you what the access policy is for that server. "Open Access" means the server can be used by the public, subject to any notification requirements the server has.

Notify

The "Notify?" field for secondary servers lists the preferences of that server's administrator regarding whether or not they want to be notified before you sync with their NTP server. Admins who want to be notified are usually trying to manage the traffic to their server, so be sure to respect their wishes regarding notification.

Note that primary servers are always considered as requesting notification before use.

Service Area

If you've selected a primary or secondary server you want to use, click its hostname in the list to look at further details for that server.

Among the details listed is the "ServiceArea" field. That describes the geographic or demographic group they intend to serve. If that field is "Public" then you do not have to be in a particular region to use the server. If they list a more specific service area be sure to respect the server administrator's wishes in that regard.

Testing with ntpdate

Before using an external NTP server to sync your time you should make sure you can actually connect to the server from your machine. Fortunately there's a tool for that named "ntpdate".

To use it you might first need to install ntpdate:

sudo aptitude install ntpdate

The ntpdate command will sync your clock with an NTP server. It's similar to what the NTP server does on a regular basis.

You usually shouldn't use ntpdate for anything other than testing purposes unless you want to make sure your clock only syncs at particular times of day (by using cron to run ntpdate just at those times). Otherwise you're better off running the NTP server because it will use less bandwidth and keep your time more accurate (by tracking your clock's drift over time and adjusting accordingly).

The ntpdate command will not run when the NTP server is running. If you run ntpdate and get a response like "the NTP socket is in use", that means your NTP server is running. Stop it with the command:

sudo /etc/init.d/ntp stop

You can now run ntpdate with the server you want to sync against as an argument. For example, to tell ntpdate to try and sync with "pool.ntp.org", run:

sudo ntpdate pool.ntp.org

When you're finished testing remember to start NTP back up again:

sudo /etc/init.d/ntp start

Summary

Fortunately NTP time syncing is pretty easy to do. Once you've set the time servers and started the NTP service up it will do its work quietly in the background.

If NTP has any problems it will log them to the system log, which you should be checking regularly anyway.

For more details on setting up an NTP server and what options are available visit the NTP documentation site. If you want to know more of the nitty-gritty about how NTP works, go to the main NTP web site and all will be revealed.

-- Jered
Posted: 2014.02.26 16:18:38
Post URL: http://webs.co.kr/index.php?document_srl=38858